U.S. readies sanctions against China for cyber-spying
The sanctions will impose costs for economic cyber-spying and not government-to-government intelligence activities. As a result, the incidents the package will cover do not include the Office of Personnel Management breach from earlier this year, because that attack was deemed to be part of traditional intelligence.
Instead, the sanctions are primarily in response to Chinese companies that have been accused over the past few months of breaking into American companies and stealing intellectual property, client lists, trade secrets, and other sensitive information in order to gain an economic advantage in the marketplace.
"It sends a signal to Beijing that the administration is going to start fighting back on economic espionage, and it sends a signal to the private sector that we're on your team," an administration official told the Washington Post. "It tells China, enough is enough."
The sanctions follow the president's Executive Order from April, which gave the U.S. Department of Treasury the authority to freeze assets and bar other financial transactions of entities engaged in destructive cyber-attacks. The order targeted individuals and groups outside the United States that use cyber-attacks to threaten U.S. foreign policy, national security or economic stability. This doesn't mean, however, that the government will abandon diplomatic channels, trade policy tools, and law enforcement actions to go after individuals and entities engaged in malicious activity.
"Sanctions will be more symbolic in nature as it won't actually deter them [Chinese] from doing what they are really good at," said George Kurtz, president and CEO of Crowdstrike.
China has consistently denied taking part in economic cyber-espionage, despite mounting evidence to the contrary. The latest figures from the Federal Bureau of Investigation showed that economic espionage cases jumped 53 percent in the past year, and that China accounted for a bulk of those cases. Even if the sanctions don't stop the attacks, they represent a step in the right direction because they "force everyone to the table and have a conversation behind closed doors about cyber-espionage," Kurtz said.
In the past, the U.S. government has been reluctant to be vocal about cyber-espionage activities originating from China to avoid disrupting political and economic ties with the country. That has been gradually changing. In May 2014, U.S. prosecutors unsealed indictments on economic spying charges against five Chinese military personnel. The indictment alleged the five individuals breached computer systems of major American steel and other companies to profit Chinese firms.
"China's electronic espionage efforts have been ongoing for so long, I fear that any diplomatic or trade response is too little, too late," said Bobby Kuzma, a systems engineer with Core Security. Sanctions would need to be "sufficiently painful" to be an effective deterrent.
To have actual impact, the sanctions would need to block individual companies from being allowed to work with American companies or compete in the market, Kurtz said, noting that may be too harsh as the first step. It's more likely the government would be starting gradually and increasing the penalties over time.
The Washington Post did not provide any details about the actual package under discussion, but cited an official who said the targeted Chinese firms would be "large and multinational."
Whether or not the sanctions will be issued is still unknown, but a final decision is expected soon, the Washington Post reported, and cited unnamed administration officials who hinted it could happen "even within the next two weeks." The timing is sensitive as it could overlap with the first state visit by President Xi Jinping of China.
Even if the sanctions don't have any teeth, they will continue to shine a spotlight on China's activities, which is essential, Kurtz said. "There's too much IP at stake," he said.