Later this month, China’s President Xi Jinping will travel to the United States for a weeklong visit that will include meetings with President Obama and the United Nations. The visit comes at a time of some turbulence in the bilateral relationship whose waters have been roiled recently by multiple incidents, “from China’s activities in the South China Sea to cyberespionage.”

Optimists contend that the two presidents can and should focus on the issues upon which the United States and China can find common ground and opportunities for cooperation, notwithstanding other important and existing areas of divergence and dispute. The approach harkens back to the dictum: “opposition where necessary, cooperation where possible.” Recent volatility in the stock markets and the larger knock-on effects of this instability would seem to offer one area of mutual interest and potentially convergent ideas.

ADVERTISEMENT

But where is opposition necessary? The arena of economic cyber-espionage offers one example. Chinese actors have persistently targeted U.S. companies for their intellectual property, trade secrets, and other valuable assets. Yet, even when caught with their hands in the cookie jar, the country’s officials have remained defiant and disclaimed responsibility.​

The status quo, in which U.S. companies have the deck stacked against them—in the form of the full panoply of Chinese cyber capabilities, including the tools and resources of the country’s national intelligence services, aimed at U.S. businesses—is simply not acceptable. The playing field is uneven and stands in contrast to the OPM hack which matched state against state and even earned China the grudging respect of the U.S. Director of National Intelligence.

This month’s summit must not allow economic cyberespionage to be the gorilla in the room that lurks ominously in the corner but without explicit mention. As always however, the devil is in the details and the toughest question is what type(s) of action could and should be pursued in order to achieve a constructive outcome.

Among the chattering classes, there is talk that the White House may impose sanctions against the Chinese perpetrators of egregious economic cyberespionage, in advance of the meeting of the two countries’ presidents. The buzz has been loud enough to generate comment from China’s ambassador to Washington, who suggested that such a move would be “counterproductive”.  To date, however, Chinese actors have experienced little to no costs or consequences for their actions—a situation that the United States cannot afford to continue.   ​

​While a national conversation on the subject of economic cyberespionage is well past due on the U.S. side, the good news is that it has finally begun. Perhaps that is an upside of the summer of 2015, when China ate America’s lunch in the cyber domain. But where do we go from here: should the U.S. pursue an imitation game or seek a third way?

Some would argue that the United States should reverse its current practice of abstaining from placing its intelligence community directly in the service of U.S. corporations. The argument in favor is that it is past time to take off the gloves and meet fire with fire. The instinct to punch back and hard is easy to grasp, especially when there is so much as stake.

Not so fast, though, say defenders of current practice. To their mind, modeling U.S. policy and practice on China’s own would create a moral equivalence between the two countries. To adopt the Chinese approach in this context is to concede the moral high ground and abandon honored principles that have served the United States well over time.  

However, Chinese skeptics might question how much, if any, moral high ground remains in the wake of recent disclosures, particularly when the nuances of the cyberespionage debate are lost on the average citizen. Yet there is a distinct and fundamental difference between the two countries—and it is not at all clear how the Chinese approach could even work in the United States. Which companies would be the beneficiaries? Choosing between and among them is tantamount to picking winners and losers, which is antithetical to a genuine free-market economy. In any case, the polar positions in this debate are deeply felt and strongly held, to be sure. But perhaps there is another way forward, incorporating multiple strands of approach.

One element of such a strategy could and should be the concept of active defense. The idea is to empower U.S. companies to better protect themselves from determined and sophisticated foreign cyber-intruders who are intent on engaging in behavior that results in significant damage to U.S. national and economic security.

Care would have to be taken to create a framework which sets out appropriate parameters for private business in terms of prevention and response operations and measures, without spurring a new Wild West replete with cyber-vigilantes. But the basic idea that companies on the frontlines should have robust means of defense deserves serious thought. The current approach of building higher walls and bigger locks is just not sustainable.

Changes to both law and policy may be required by the proposed course, and the difficulty of enacting them should not be underestimated. By the same token, something is surely amiss when U.S. companies are having their clocks cleaned. Let’s put China (and others) on notice by surprising them with our capacity—and willingness—to act. 

Cilluffo is director of the George Washington University Center for Cyber and Homeland Security (CCHS) and served as special assistant to the president for Homeland Security.  Cardash is associate director of CCHS and served as security policy adviser to Canada’s minister of Foreign Affairs.