China's anti-hacking pledge put to the test

Cyber experts are debating the effectiveness of an anti-hacking pledge struck by President Obama and Chinese President Xi Jinping.

A pair of high-profile reports recently claimed that China has curtailed its online espionage against U.S. interests, which many hailed as a win for Obama's diplomacy.

But others say Chinese hacking hasn’t decreased at all — Beijing has simply gotten better at targeting its quarry and covering its tracks.


The agreement — which prohibits either country from hacking businesses to benefit its own companies — has faced continual skepticism from lawmakers who believe it is too toothless to force China to keep its word.

The debate over the deal flared again this week after a top Obama administration official confirmed that the U.S. government has, in fact, seen a drop in Chinese hacking.

“It seems like there has been a change in activity,” U.S. Assistant Attorney General John Carlin told a crowd at a Center for Strategic and International Studies (CSIS) event. “There is a debate as to how long-lasting it might be, but there has been a change.”

It was the most definitive statement the administration has made to date defending the effectiveness of the agreement.

Until now, the White House said only that it was monitoring the deal's implementation.

As recently as early June, the State Department’s top cyber official said it was too soon to determine if the agreement was “working.”

Carlin’s admission also came on the heels of a paper from the well-known security firm FireEye that reported a steep decline in Chinese intrusions onto American networks.

The company observed only a handful of break-ins attributed to Chinese groups in April of this year — down from more than 60 in February of 2013.

But the deal's role in bringing about that decline is far from settled. Most cyber experts seem to agree that the deal played some role, but are unsure of the extent.

Those who say China signed the agreement in good faith point to similar deals the country struck with the U.K., Germany and the G20.

“My hunch is it will work because the Chinese would not have agreed to the G20 if they hadn’t been serious,” said James Lewis, an international cybersecurity expert at CSIS.

FireEye, in its report, attributes the change to a confluence of domestic factors within China — not just the anti-hacking pledge.

For example, military reforms within the Chinese government played a key role, the firm says. Since taking power in late 2012, Xi has implemented a series of significant military reforms aimed at centralizing China’s cyber forces.

The company also reports that the 2014 indictment of five People’s Liberation Army (PLA) officers on hacking charges may have contributed to the decline.

But security analysts say that when the Justice Department levied those charges, Beijing merely shifted its commercial espionage efforts from the army to China’s civilian spy agency, the Ministry of State Security.

Some argue the reported decline in intrusions is less of a diplomatic achievement and more a sign that Chinese hackers are simply getting better at what they do.

The FireEye report notes that the threat “is less voluminous but more focused, calculated, and still successful in compromising corporate networks.”

“I think it’s still up in the air about, ‘is the drop in part a reflection of improved tradecraft on the Chinese side?’ We’re not seeing as many attacks, but attacks are still happening,” said Adam Segal, a cyber policy specialist and senior fellow at the Council on Foreign Relations.

Others are more bullish on the value of the agreement.

“It's certainly a win for the political and diplomatic process,” wrote Jason Healey, a director at the Atlantic Council who has worked on cyber defenses at the White House, in a recent op-ed.

“The U.S. unilaterally took a stand against international commercial cyberespionage and by some miracle (and hard diplomacy) got... the G-20 to agree. Even China's head of state jumped in... In diplomacy, that's a result.

“FireEye reported [a drop of] more than 90 percent,” he added. “What other solution have we ever implemented for such success at so little cost?”

Lewis says that the real test for the agreement isn't the number of hacking attempts — it’s whether it cuts down on productive economic espionage.

The agreement doesn’t prohibit traditional spycraft against other countries' governments or militaries, just the targeting of commercially valuable information to aid domestic companies.

According to FireEye, Chinese hackers are still targeting some private-sector U.S. firms — but that data could be considered “dual use,” meaning that it has military applications, not just commercial ones. This makes it harder to tell if the intrusions are traditional intelligence-gathering missions or economic espionage.

“The thing to look for [to determine the success of the agreement] would be the commercial effect,” Lewis told The Hill. “Ultimately until we see whether those competing products that are derived from hacking — from stolen IP — if those go away, we’ll know it’s working.”

In the meantime, the jury is still out.

FireEye notes that there is a lag time in its research, meaning that it’s possible the trend has reversed since it completed its review in April. But Jordan Berry, FireEye’s principal threat intelligence analyst, said that’s not what he expects to see.

Onlookers anticipate the White House will keep striking a cautious tone, praising any improvement and holding back from hailing the agreement as a victory.

But for now, the agreement seems to be holding.

The decline in intrusions, said Segal, “is one data point that seems to point to some support for the agreement.”