Business as Usual?


The rollercoaster ride that represents cyber negotiations between the U.S. and China reached both new heights and lows Monday as the U.S. Department of Justice (DOJ) indicted five members of China’s People’s Liberation Army (PLA) Unit 61398 for committing cyber espionage against several U.S. corporations. The landmark indictment was the first time criminal charges have been filed against known state actors for hacking. Accompanying the public announcement of the indictment, the U.S. Federal Bureau of Investigation (FBI) changed the top five profiles of its well-known 10 Cyber Most Wanted List to represent the five defendants in the case.

While both the indictment and change to the Most Wanted List are largely symbolic (it is unlikely the defendants will ever have to answer for their crimes in a U.S. court given they remain in China and China’s stance towards the accusations remains unapologetic), it represents a serious step toward showing solidarity between private U.S. companies and federal law enforcement efforts. It is easy to forget how long the road has been to get to this point. Some of the first reports of the hacking activity mentioned in the indictment, which CrowdStrike identifies as COMMENT PANDA, date back to 2006 and are just now being formally charged in 2014. What is important is that the floodgates have been opened, paving the way for future indictments; and there will likely be plenty more to come in the future. Some people are no doubt asking, “What good are these indictments if they are merely symbolic and do not result in concrete arrests?”

In this particular case, to say that the symbolism matters more than actual action is an understatement. Within several hours of U.S. Attorney General Holder publicly decrying the economic and cyber espionage that led to the indictment, the Chinese Ministry of Foreign Affairs (MFA) released an official statement condemning the indictment and suspending participation in the China-U.S. Cyber Working Group, which was set up in April 2013 to provide a framework for open dialogue on cyber security in both countries. Several commentators have already lamented that the indictment silenced any potential communication between the two countries about cyber security, however, the reality is that it has once again refocused the issue, which was already derailed by the Snowden leaks. Though the indictment seemed symbolic in nature, it has already had a strong impact on how the two countries will talk about cyber espionage in the future, and remarkably it was spurred to this point by private security company investigations working in concert with federal intelligence agencies and law enforcement.

Those saying that the suspension of the cyber working group will have a negative impact on the dialogue between the two countries are not seeing the full picture. The working group’s goals were vague at best. The group’s initial efforts to establish a running dialogue on cyber espionage were first hampered by the Snowden leaks, which gave China enough leverage to rebut the U.S. argument that China had been committing cyber espionage against the U.S. for years. The U.S. response, which is central to the current indictment case, is that China uses cyber enabled economic espionage to gain an unfair advantage over its U.S. competitors. Differing from the U.S. cyber espionage programs, which only spy for national security purposes and do not share information gleaned with U.S. private companies.

Providing evidence of China’s use of cyber espionage to make significant commercial gains was a natural step to delineate the two countries extensive cyber espionage apparatuses and hold China responsible for its actions, even if it appears to hamper constructive dialogue in the short term. From China’s perspective, backing out of the talks was the only way to save face after what it perceives to be a major insult against its government. Given China’s rhetoric of being a victim of hacking, it has endured what it sees as U.S. hypocrisy for alleging massive cyber espionage only to have its own massive surveillance programs revealed.

Given the intertwined nature of Sino-U.S. economic ties, neither country can afford to completely walk away from the negotiating table. China is unlikely to cease any cyber espionage operations designed to glean an economic advantage; the benefits have far outweighed the repercussions thus far as they allow China to keep making “leapfrog” technologic and economic advancements at breakneck speed without fear of punitive measures. This being said, China also cannot afford to alienate itself from U.S. companies that often see China as an emerging market for their technology and goods.

Those worried about retaliation against U.S. companies doing business in China forget that the reason China is often committing such rampant cyber-enabled economic espionage is because their indigenous tech companies still often lack the necessary capabilities to be completely independent and allow China to be a self-sufficient producer of innovative technology. Cisco’s continued presence in China is a perfect example given the recent uproar over supposed photos of NSA employees installing backdoors into Cisco routers. Despite the relative domestic success of indigenous telecom companies such as Huawei, China is still dependent on Cisco for some of it’s telecom needs. Holding China responsible for this type of cyber espionage before that independence is completely established and U.S. intellectual property (IP) is dried up is crucial to leveling the playing field again.

An increase in the number of indictments, raising public awareness of the Chinese companies connected to cyber espionage campaigns, and providing better security and intelligence to the U.S. victims can help raise the cost of cyber espionage for China, which provides a more concrete deterrent. It may not bring the Chinese back to the cyber working group immediately, but the results will still be favorable: better prepared American companies who receive support from both private sector cyber security companies and the federal government.

An interesting notion that would provide a solid follow-up to the events that unfolded would be a further indictment against the Chinese State-Owned Enterprises (SOEs) alluded to in the case, which, based on substantial evidence from CrowdStrike and other private cyber security firms, were likely the direct beneficiaries of the cyber espionage campaigns carried out against U.S. companies: #1 – State Nuclear Power Technology Corp (国家核电技术公司), #2 – Baosteel Group Corp (宝钢集团), #3 – Aluminum Corp of China (中国铝业公司).

Getting China back to the negotiating table would take some work at this point as it is, but shielding the SOEs involved in the case from public eyes does little to dissuade business from changing their tactics when engaging with these companies who are by extension stealing U.S. companies’ intellectual property. Although it risks further diplomatic fallout, the damage has already been done; the least that can come out of it is clear delineations for who U.S. companies should be cautious doing business with in the future. An indictment against the SOEs would be not only a powerful symbolic one-two punch, but a move that possesses real consequences to the Chinese companies potentially driving and benefiting from this espionage by endangering any assets those SOEs have in the U.S. Although this outcome seems unlikely, the threat of it goes beyond symbolism and pushes for results.

CrowdStrike Intelligence provides customers with actionable threat intelligence about adversaries such as those indicted, please contact: and inquire about Falcon Intelligence, our Cyber Threat Intelligence subscription.

CrowdStrike Falcon Free Trial

Adam Kozy

Security Researcher Adam Kozy came to CrowdStrike, bringing forward several years of experience in security and threat intelligence analysis from the government sector where he conducted research at both a tactical and strategic level. He is a recognized cultural, political, and security pundit on East Asia and speaks Japanese and Mandarin.

He has delivered presentations and research findings to a variety of key cybersecurity influencers, including senior government officials and private-sector CEOs. He has also been a guest lecturer at several universities on cyber intelligence and recently presented at BlackHat USA on Chinese cyber weapons and monitoring capabilities.


Try CrowdStrike Free for 15 Days Get Started with A Free Trial