The U.S. could consider criminal charges or sanctions against China if the U.S. determines hackers there are violating an agreement not to conduct economic cyber espionage on American industry, a senior Justice Department official said Tuesday.
The remarks by John Carlin, the Obama administration’s top national security attorney, came amid continuing skepticism about the effectiveness of the September agreement to curb cyber espionage and may signal a warning toward China despite what has been widely criticized as weak U.S. responses to years of hacking blamed on China.
The administration has described its new agreement with China as an historic and important step acknowledging hacking and labeling it as illegal theft. The government has filed criminal indictments against specific Chinese military hackers in a previous case, and it can impose trade sanctions against foreign government officials and agencies it believes are responsible.
“It was great we agreed to this norm, but that’s all the more reason when we agreed to this norm, why, when people violate that and you catch them, there’s a price to pay, be it criminal or through sanctions,” said Carlin, speaking at a think-tank event.
But only weeks in, California-based company CrowdStrike Inc. said it detected at least seven Chinese cyberattacks against U.S. technology and pharmaceutical companies that appear clearly aimed at theft of intellectual property and trade secrets.
“I haven’t seen any notable decline in intrusions affiliated with China,” said Dmitri Alperovitch, co-founder of CrowdStrike. The company wrote one of the first public accounts of commercial cyberespionage linked to China in 2011. Alperovitch urged organizations to remain vigilant until there was more information about how the administration intends to enforce the agreement.
Chinese Embassy spokesman Zhu Haiquan said in an email that China is a “staunch advocate” for cybersecurity and also a victim of attacks.
“The Chinese government opposes all forms of cyberattacks and commercial espionage, and will neither encourage companies to carry out cyber theft for commercial secrets nor take part in such activities,” he said. “Cybersecurity is a global challenge that requires more dialogue and cooperation between China and the U.S. on the basis of mutual respect and mutual trust.”
The U.S.-China agreement does not prohibit cyber spying for national security purposes, which would ostensibly include the theft of personal information for 21 million Americans when the Office of Personnel Management was hacked in what the U.S. believes was a Chinese espionage operation. The OPM hack was the most serious known cyber breach in U.S. history.
The Obama administration has avoided publicly blaming China or taking any public action in retaliation. Intelligence officials have said the data was a fair target and the U.S. would have stolen the same information on China if possible. Carlin said U.S. trade sanctions imposed against North Korea over hacking Sony Pictures Entertainment Inc. helped drive the China agreement.
“At the end of the day the status quo is unacceptable,” Carlin said. “We need to keep increasing the costs until the costs outweigh the benefits and we see a change in behavior.”