DOJ sanctions two Chinese hackers, accuses China of harboring ‘cyber criminals’

Foreign Affairs

The Department of Justice indictments seem played up to maximum political effect, noting that the hackers allegedly tried to steal COVID-19 research, even as the fine print tells a more complicated story.

Assistant Attorney General for National Security John C. Demers at a July 21 press conference

Last Tuesday, the U.S. Department of Justice (DOJ) unsealed a federal indictment charging two Chinese hackers with a “global computer intrusion campaign” that targeted the intellectual property and confidential business information of persons or entities in at least 11 countries.

The unsealing of the indictment represents the latest salvo in the Justice Department’s China Initiative, a wide-ranging effort to better combat Chinese commercial espionage and trade secrets theft.

That initiative was launched in 2018 after an investigation by the Office of the U.S. Trade Representative found China’s trade practices “unreasonable,” though the initiative has recently come under criticism for encouraging aggressive and potentially discriminatory prosecutions.

The announcement on Tuesday will not diminish concerns about politicization.

At the Tuesday morning press conference announcing the indictment, Assistant Attorney General for National Security John C. Demers bucked the boilerplate language that typically accompanies Justice Department press conferences in favor of the strident rhetoric that has recently been in vogue with the Trump Administration.

“China has now taken its place, alongside Russia, Iran, and North Korea, in that shameful club of nations that provide a safe haven for cyber criminals in exchange for those criminals being ‘on call’ to work for the benefit of the state,” Demers said.

According to the indictment, the alleged criminals served as part-time contractors to the government, hacking both “for their own personal financial gain” and for “the benefit of the Chinese Ministry of State Security and other Chinese government agencies.”

They are accused of stealing hundreds of millions of dollars’ worth of trade secrets and other valuable business information over a period of 10 years.

An unusual indictment

Though U.S. legal indictments are theoretically insulated from domestic or foreign political considerations, the act of indicting a foreign agent is inherently political insofar as it involves exposing the wrongdoing of foreign governments.

Yet more so than prior indictments, Tuesday’s seemed calibrated for maximum political effect.

The indictment and the accompanying press conference played up the hackers’ efforts to steal COVID-19 research. That accusation found its way into the headline of the press release even as the fine print of the indictment told a more complicated story.

According to the indictment, the hackers pilfered data from more than 100 entities, 25 of which are described (but not named) in the indictment. Because the indictment dates back 10 years, most of those victims — and thus the most serious charges leveled — do not pertain to COVID-19.

Nor did the hackers successfully steal COVID-19 research. On four occasions described in the indictment, the hackers “researched vulnerabilities” in the computer networks of firms that had recently announced they were conducting research related to COVID-19. Of those firms, two were conducting research into vaccines, one on antiviral treatments, and one on testing.

The sparse language of the indictment offers little detail on how determined those efforts were, yet the timeline provided in the indictment suggests that all four attempts lasted between one and two days.

While that is theoretically enough time to execute a breach, most cyberattacks go on far longer. According to research by the cybersecurity firm FireEye, the median time that hackers spent within a system in 2019 was 55 days.

Those were not the only curious features of the charges unsealed Tuesday.

The indictment described 11 foreign companies from which the hackers had stolen significant amounts of data, set those firms out in a table, and listed their countries of origin: Australia, Belgium, Germany, Japan, Lithuania, the Netherlands, Spain, South Korea, Sweden, and the United Kingdom.

It also detailed potential human rights abuses by the hackers, who allegedly stole private account information from several Chinese dissidents and then passed it to the Ministry of State Security.

Those actions are objectionable, yet neither clearly pertains to U.S. federal law. Both made it into the first paragraph of the press release.

Efforts to steal precious public health research. Attacks against third parties who may not have known better. Human rights abuses: The emphasis on the most inflammatory yet legally tenuous aspects of the indictment raises questions about how the charges were presented to the public, even if the underlying case remains strong.

Indicting hackers

Indicting foreign hackers to advance U.S. foreign policy is not new. Nonetheless, Tuesday’s indictment shows how far that strategy has departed from its original purposes.

The first time the United States Justice Department charged foreign individuals with computer espionage was in 2014, when the Obama Administration unsealed an indictment against five members of China’s People’s Liberation Army.

At the time, the decision to bring criminal charges against foot soldiers in a foreign nation raised questions about the possible misapplication of U.S. domestic law to a realm to which it did not belong — foreign policy.

The Obama Administration embraced that logic in service of a norm: it used the indictment to pressure President Xí Jìnpíng 习近平 to sign a pledge recognizing the distinction between cyber-enabled espionage for national security purposes, which was permissible, and cyber-enabled espionage for commercial benefit, which was not.

Over the next several years, the indictments continued but the deal fell apart.

One theory for the collapse of the agreement is that China, which continued to conduct commercial espionage, never really accepted the distinction to begin with.

That may be changing, just not in the way the Obama Administration intended. Now, it is the United States that appears to be coming around to China’s perspective.

In a speech last Friday at the Gerald R. Ford Presidential Museum, Attorney General Barr lambasted American industry for “kowtowing” to China.

“American companies must understand the stakes,” Barr warned. “If Disney and other American corporations continue to bow to Beijing, they risk undermining both their own future competitiveness and prosperity, as well as the classical liberal order that has allowed them to thrive.”