Mieke Eoyang is director of the National Security Program and Ed Gerwin is senior fellow for Trade and Global Economic Policy at Third Way.
Last week, the Pentagon came out and said it: Cyberintrusions on Defense Department computer systems, as well as economic and defense industrial base sectors are "directly attributable to the Chinese government and military." China's cyberintrusions are a serious matter. But why does China's hacking strike everyone as beyond the pale?
Of course China wants to steal our secrets – after all, espionage is considered the second oldest profession. It's also hardly surprising that China is cyberspying on America's defense industrial base to gain military advantage. Governments, no doubt including ours, do this all the time.
No, the real affront here is that the Chinese government is using all the cybertools of the state to break into private sector companies and steal information and ideas for purely commercial advantage. Given that half of China's economy is owned or effectively controlled by the Chinese government, China has a particular incentive to share ill-gotten secrets with its extensive roster of state-owned enterprises and national champion companies. Beijing is providing them with significant – and highly unfair – advantages over their global commercial competitors.
American companies have been seeing intrusions from China for years that go well beyond the defense industrial base and the contest for military advantage. In 2010, Google announced that it had been the victim of a sophisticated cyberattack from China. While less well-publicized, China-based efforts have struck other energy, critical infrastructure and information technology firms. These efforts were, among other things, designed to steal "competitive bids, architectural plans, project definition documents, functional operational aspects to use in competitive bid situations."
In addition to being illegal and odious on a number of levels, China's behavior also defies key international trade norms and undermines the goal of a level playing field that underpins all international trade rules and agreements. China already provides its companies with a dizzying array of unfair and illegal trade subsidies that violate international trade rules. These include: massive cash grants; discounted raw materials; below-cost land, electricity, and water; preferential loans, tax incentives and rebates.
Providing China's companies with pilfered intellectual property is and should be no less unfair and illegal under the norms of international trade. Indeed, the fact that China illegally obtains this valuable information makes this conduct all the more offensive. Providing cash grants or free land might be an illegal subsidy under international trade rules even if China's laws allow it. In the cyber case, by gaining unauthorized access to these computer systems, Beijing is sneaking into computer systems, stealing data, and then providing the ill-gotten fruits of the intrusion for competitive advantage against global competitors.
China's cyberattacks are just a continuation of these unfair trade practices and a further indication Beijing is not playing by international rules. So how does the international community convince China to give up its cyberattacks?
To stop China's commercial cyberspying, we need international norms that reflect the reality of an Internet-based economy. Specifically, the international community needs to identify this form of cyberspying as an unfair trade practice. Countries should expressly include language in international trade agreements that explicitly states this behavior violates global trade rules. Governments should underscore they do not conduct espionage for commercial gain and that they expect their trading partners to do likewise.
The coming year will provide multiple opportunities to enshrine this important principle in international agreements. In 2014, China will host the Asia-Pacific Economic Cooperation summit, a forum which promotes regional open trade and economic cooperation. Establishing a trade norm on industrial cyberespionage should be on the agenda. Moreover, the United States and like-minded countries should include this key principle in multilateral agreements, like the Trans-Pacific Partnership and the Transatlantic Trade and Investment Partnership, as well as in bilateral trade deals.
Absent international consensus to stop government-sponsored cyberespionage, companies around the world will be left to defend themselves. The volume of attacks, the evolving nature of technology and human vulnerability means that some number of attacks will be successful.
Defending the Internet firewall can only do so much. It's much more effective to try to convince the attacker to stop.