19 May A Post-Snowden world? Criminalizing Chinese cyberespionage
Three quick (and thus tentative) thoughts on the BIG news out of the Justice Department a few minutes ago, announcing criminal charges against five officers of the Chinese People’s Liberation Army for hacking various U.S. industries, including Westinghouse and US Steel. The Justice Department offered fairly detailed descriptions of how the hackers obtained information that had direct economic consequences for US companies, whether in terms of stealing design specs or pricing plans. As a result, I don’t have much doubt that the evidence establishes behavior violating U.S. cyber crime laws as written. That said, this is still, as Holder himself admitted, an unprecedented move. It’s not every day the U.S. government charges military officers with criminal behavior that was presumptively authorized by the foreign government itself. Doing so suggests, not too subtly, that the real criminal here was China:
When a foreign nation uses military or intelligence resources and tools against an American executive or corporation to obtain trade secrets or sensitive business information for the benefit of its state-owned companies, we must say, ‘enough is enough.’ This Administration will not tolerate actions by any nation that seeks to illegally sabotage American companies and undermine the integrity of fair competition in the operation of the free market. This case should serve as a wake-up call to the seriousness of the ongoing cyberthreat. These criminal charges represent a groundbreaking step forward in addressing that threat.
For more background, you can watch the press conference here or read the prepared statements by Holder and others.
My first reaction was that these charges aren’t really about prosecuting the named officers, but of signaling to the world that the United States wants to change the status quo when it comes to State-sponsored cyber-exploitation. The fact that States engage in cyberexploitation has long been widely known, but so far, the prevailing response has been a shrug of the shoulders — the theory being that spying cannot be regulated away so why bother trying. These charges suggest a political effort, however, to do just that — i.e., to try and change the volume or nature of State-sponsored cyber-exploitations at least when it comes to impacts on private commercial actors. I say a “political effort” since I very much doubt these charges will amount to much within the U.S. legal system. Simply put, these five officers are not going to appear in a US courtroom to face the charges against them. I suppose it’s possible (although implausible) that China could express surprise at the U.S. evidence and announce its own investigation with some lip service about shutting rogue actors down or holding accountable those responsible. But, even in such a case, I can’t see China handing them over to the United States. Much more likely, I suspect will be Chinese protestations of “trumped-up” charges or “false” evidence by the U.S. Government. As such, assuming they don’t vacation abroad, these officers are unlikely to face any negative consequences; on the contrary, I’d bet they’ll probably be lionized in some ways at home.
My second reaction was that of a law professor, asking in a hypothetical world where these officers somehow did end up before a U.S. court, what would happen then? I assume there’d be a claim by the defendants of sovereign immunity and, for the reasons stated above, I doubt the Chinese government would dispute such immunity. This would, in turn, raise interesting questions about whether the Foreign Sovereign Immunities Act would grant immunity from prosecution to these officers or whether the Justice Department could successfully invoke one of the statute’s exceptions. Based on the repeated references in this morning’s press conference to the ‘commercial’ nature of the Chinese cyberexploits, I’d guess DOJ’s theory is that it can proceed under the FSIA’s commercial activities exception, which affords federal jurisdiction to cases “in which the action is based upon a commercial activity carried on in the United States by the foreign state; or upon an act performed in the United States in connection with a commercial activity of the foreign state elsewhere; or upon an act outside the territory of the United States in connection with a commercial activity of the foreign state elsewhere and that act causes a direct effect in the United States.” I know many of our readers are expert in sovereign immunity issues, so I’d be interested in your reactions — do these officers have a legitimate claim for sovereign immunity? Or, might they invoke some other status-based immunities and with what likely results?
My third reaction was that these charges represent the official start of a Post-Snowden era. For the better part of a year, Snowden’s revelations have dominated almost all discussions of cyber activities involving the United States. To be sure, the United States has tried to rebut some of the allegations or recast others in a more positive light, with pretty mixed (some might say poor) results. Indeed, every time, the United States tried to move on, there was some “new” revelation waiting in the wings to forestall that effort. In recent weeks, however, Snowden-related disclosures have slowed, while at the same time the United States has had some diplomatic successes (see, e.g., the NETmundial final statement ). Thus, there’s certainly space today that wasn’t present a few months ago for the United States to try and refocus the conversation. I wonder if this explains the timing of these charges. After all, U.S. complaints against China were a central plank in U.S. cyber-policy pre-Snowden, so it’s not surprising they’ve been looking for an opportunity to get back on the offensive when the circumstances were ripe for it. Whether this offensive will be successful remains, of course, to be seen. It’ll bear close watching how China responds to these charges, both publicly (i.e., in defending its officers or launching counter-charges against US officials) and privately (will there by an escalation of cyber operations by China or others). But whatever China does, I suspect we’re going to witness renewed attention to the question of whether all cyber-espionage is really the same (i.e., can we distinguish, as the U.S. urges, between State-sponsored hacking for national security interests vs. State-sponsored hacking for economic gain). I’d hope, moreover, that part of that conversation will involve the question of what role law can play, if any, in regulating cyber-espionage, whether as a matter of domestic or international law.
The U.S. has prescriptive jurisdiction under the objective territorial principle. However, the U.S. Supreme Court has already ruled that individuals are not covered by the FSIA, so their claims to sovereign immunity would be dismissed. Yet, they might claim “act of state” immunity. However, two necessary elements must be met: (1) the acts must be “public” or “official” acts of the PRC [which would be interesting to consider in a U.S. court], and (2) they must be completed within the territory of the PRC. Clearly, the latter element cannot be met. The hacking and theft were transnational in several respects, with consequences occurring within the U.S. Moreover, the acts might not be lawful acts, but is hacking a violation of international law?
p.s. the continuing act rationale or fiction plus the innocent agent rationale or fiction allows one to recognize that conduct attributable to the accused occurred within the U.S.
Jordan – great point re S.Ct (I assume you’re referring to Samantar?). Still seems there’d be immunity issues for any prosecution but on reflection, I’d concur it wouldn’t be the FSIA.
Great post, Duncan. China’s reaction is, as you predicted, is not calm. “Absurd!” is the word they’ve used.
http://www.latimes.com/nation/nationnow/la-na-nn-china-cyber-spying-20140519-story.html
Also, if I read your comment correctly, wouldn’t the only immunity they could get be drawn from the common law immunity recognized in Samantar, and which requires a certain amount of support from the executive branch (presumably not forthcoming in this case)?
Forgive me for sticking my nose into places it probably doesn’t belong. Nonetheless, when I read your piece here, and the information in the supporting links which you provided, my mind processed this information quite differently from you, and differently from those who have posted comments so far. To me, this is a Dog and Pony show by the United States to set a precedence – as follows: The massive spying being done by the United States against Governments, individuals, and Corporations worldwide (as exposed by the Snowden Leaks) would lead many people to wonder why the United States does not prosecute individuals at the keyboards at NSA, CIA, FBI, etc for hacking into data systems not belonging to the United States Government. The United States Government knows that China will never deliver these Chinese Military officers to the United States for prosecution. The United States will then use China’s refusal – as a precedent. The United States will say, “See? China won’t hand over their Government sponsored hackers to us for prosecution, so we won’t hand over OUR Government sponsored hackers to anyone else for prosecution either!”. Of course, if China was smart they would send those Military Officers… Read more »
[…] A Post-Snowden world? Criminalizing Chinese cyberespionage – Opinio Juris […]