nytimes.com
After a Hiatus, China Accelerates Cyberspying Efforts to Obtain U.S. Technology
Image: General Electric Aviation’s factory in Cincinnati. A Chinese intelligence official is accused of trying to obtain trade secrets from the company. Credit: Luke Sharrett/Bloomberg
WASHINGTON — Three years ago, President Barack Obama struck a deal with China that few thought was possible: President Xi Jinping agreed to end his nation’s yearslong practice of breaking into the computer systems of American companies, military contractors and government agencies to obtain designs, technology and corporate secrets, usually on behalf of China’s state-owned firms.
The pact was celebrated by the Obama administration as one of the first arms-control agreements for cyberspace — and for 18 months or so, the number of Chinese attacks plummeted. But the victory was fleeting.
Soon after President Trump took office, China’s cyberespionage picked up again and, according to intelligence officials and analysts, accelerated in the last year as trade conflicts and other tensions began to poison relations between the world’s two largest economies.
The nature of China’s espionage has also changed. The hackers of the People’s Liberation Army — whose famed Unit 61398 tore through American companies until its operations from a base in Shanghai were exposed in 2013 — were forced to stand down, some of them indicted by the United States. But now, the officials and analysts say, they have begun to be replaced by stealthier operatives in the country’s intelligence agencies.
The new operatives have intensified their focus on America’s commercial and industrial prowess, and on technologies that the Chinese believe can give them a military advantage.
That, in turn, has prompted a flurry of criminal cases, including the extraordinary arrest and extradition from Belgium of a Chinese intelligence official in October. Trump administration officials said the arrest reflected a more determined counterattack against a threat that has infuriated some of the country’s most powerful corporations.
“We have certainly seen the behavior change over the past year,” said Rob Joyce, Mr. Trump’s former White House cybercoordinator, speaking at the Aspen Cyber Summit in San Francisco this month.
Mr. Trump and administration officials often suggest that all technology-acquisition efforts by China amount to theft. In doing so, they are blurring the line between stealing technology and negotiated deals in which corporations agree to transfer technology to Chinese manufacturing or marketing partners in return for access to China’s market — a practice American companies often view as a form of corporate blackmail but one distinct from outright theft.
The stealing of industrial designs and intellectual property — from blueprints for power plants or high-efficiency solar panels, or the F-35 fighter jet — is a long-running problem. The United States trade representative published a report this month detailing old and new examples. But the administration has never said whether cracking down on theft and cyberattacks is part of the negotiations or simply a demand that China cease activity that Beijing has already acknowledged, in the Obama years, was illegitimate.
But as Mr. Trump and Mr. Xi prepare to meet at the Group of 20 gathering in Argentina this weekend, China’s corporate espionage has once again emerged as a core American grievance.
Whatever the reason for the renewed hacking, it is a cautionary tale as Mr. Trump tries to use tariffs and threats of more restrictions to strike a new trade deal with Mr. Xi, one that presumably would address, once again, the Chinese practices that Mr. Obama thought he had halted.
American trade and intelligence officials, as well as experts from private cybersecurity firms, all acknowledged that the previous agreement had completely fallen apart.
And that, they agreed, has made it still more difficult to imagine how any new agreement struck between Mr. Trump and Mr. Xi would become a permanent solution to a problem that reaches back years, and seems rooted in completely different views of what constitutes reasonable competition.
“Our two systems are so dissimilar that I think there was never real hope that crafting an agreement like this would last that long anyway,” said Matthew Brazil, a former government official who now runs Madeira Security Consulting, a firm in San Jose, Calif.
Why the espionage has spiked again is a matter of debate. Some officials and analysts call it a cause of the worsening trade relationships, others a symptom. Still others argued that the tightening of American export controls in critical industries like aerospace and rules on Chinese investment in Silicon Valley — which China sees as part of a “containment” strategy to blunt its industrial and geopolitical rise — has led the Chinese once again to try to steal what they cannot buy.
The impetus for the 2015 accord was one of the most blatant espionage operations ever conducted by the Chinese government: the removal, over a period of more than a year, of 22 million security-clearance files on American officials, military personnel, contractors and American intelligence officers.
The Obama administration, partly out of embarrassment, said little about the breach, never naming the Chinese publicly — except by mistake when the director of national intelligence blurted out the truth.
Privately, American intelligence officials concluded that the Chinese were assembling a giant database of who worked with whom, and on what, in the American national security sphere, and were applying “big data” techniques to analyze the information. The C.I.A. could not move some officers to China, for fear their cover had been blown. Publicly, Obama administration officials offered millions of Americans credit protection for a few years in the wake of the data breach — as if Mr. Xi’s agents were looking for credit card numbers.
Image: Chinese cyberattacks plunged after a 2015 deal between President Barack Obama and President Xi Jinping of China. But the victory was fleeting. Credit: Doug Mills/The New York Times
But Mr. Obama used the episode, and the threat of sanctions, to force Mr. Xi into what he called a “common understanding” that neither the United States nor China should engage in state-sponsored cyberintrusions to poach intellectual property, and that they would together seek “international rules of the road for appropriate conduct in cyberspace.”
All that was forgotten after Mr. Obama left office. Mr. Trump has never referred publicly to the 2015 agreement.
Michael Kovrig, a former Canadian diplomat who is now a China analyst for the International Crisis Group, said that China had a fundamentally different understanding of what was acceptable in espionage. While the Central Intelligence Agency, say, would not act to help a private company gain a competitive advantage over a foreign competitor, he said, China’s Communist Party, which has control over practically all aspects of policy there, would make no such distinction.
“If you view economic growth as an existential pillar of your party’s political legitimacy and in fact your national security, it follows that you would do anything possible to maintain that competitive edge,” he said.
Indeed, the latest spike in corporate espionage cases — including some not yet made public — has focused on industries critical to Mr. Xi’s Made in China 2025 program.
That is a plan to jump ahead of the United States and others in cutting-edge industries like aerospace, automation, artificial intelligence and quantum computing.
“We are seeing it in high tech, in law firms, in insurance companies,” said Dmitri Alperovitch, one of the founders of CrowdStrike, who early in his career was one of the first to identify the teams of state-run Chinese hackers aiming at the United States, and who tracked their retreat after the 2015 pledge.
With the arrest of the intelligence officer in Belgium in October, the Trump administration claimed it had exposed what the assistant F.B.I. director, Bill Priestap, called “the Chinese government’s direct oversight of economic espionage against the United States.”
That case involves Xu Yanjun, a deputy division director in the Jiangsu branch of the Ministry of State Security, China’s main intelligence agency.
According to a secret criminal complaint filed in Ohio in March but not unsealed until October, Mr. Xu tried to recruit an employee of General Electric Aviation and entice him to provide proprietary information about jet fan blade designs.
Instead the employee alerted the company, which went to the F.B.I. and organized a sting. Mr. Xu flew from China to Belgium in April on the hope he would be able to copy the employee’s computer hard drive. He was arrested on April 1 when he arrived in Brussels and was extradited to the United States on Oct. 9, the day before the Justice Department made the case public.
China’s Foreign Ministry denounced the criminal case as “pure fabrication,” but it has neither confirmed nor denied that Mr. Xu was an intelligence officer. China’s relatively muted reaction could be an effort to minimize attention on an embarrassing intelligence failure and leave room for quiet negotiations for an exchange.
Mr. Xu’s was the most high profile of several recent cases, including two others that had links to the Ministry of State Security’s branch in Jiangsu Province, which extends north from Shanghai.
In September, the Justice Department announced the arrest of Ji Chaoqun, a 27-year-old graduate student who had joined the Army Reserves under a special waiver for foreigners.
The F.B.I. affidavit in the case said that Mr. Ji’s handler — presumably Mr. Xu — had been arrested, allowing the bureau to send an undercover officer to meet the student in April. Mr. Ji, the affidavit said, had been recruited to gather background information about eight potential recruits for the Jiangsu branch.
Mr. Xu, who went by at least two aliases, often claimed to represent the Jiangsu Association for International Science and Technology Cooperation and Nanjing University of Aeronautics and Astronautics, both based in the provincial capital, Nanjing.
The reasons Jiangsu has become a hotbed of China’s cyberespionage are not entirely clear, though it is an important manufacturing center, with many foreign investments, and is thus one of China’s richest provinces.
In 2016, the director of the Jiangsu intelligence branch, Liu Yang, declared that “the national security departments should actively cooperate and promote enterprises” in their efforts to expand and compete globally, according to a report from the Suzhou General Chamber of Commerce. In January, Mr. Liu was promoted and is now the vice governor of the province.
Another American criminal case of espionage in the same region of China was announced Oct. 30. The Justice Department accused two other intelligence officers from that branch, as well as five hackers and two employees of a French aerospace company in Suzhou. The target was Safran, which operates a joint venture, CFM International, that builds jet engines with General Electric.
The hackers were accused of using a variety of sophisticated techniques and tools against the Suzhou plant, and against other companies. But as in the cases the Obama administration brought, the suspects are believed to still be in China and thus beyond the reach of American law enforcement.
David E. Sanger reported from Washington, and Steven Lee Myers from Beijing.