19 May A Post-Snowden world? Criminalizing Chinese cyberespionage
Three quick (and thus tentative) thoughts on the BIG news out of the Justice Department a few minutes ago, announcing criminal charges against five officers of the Chinese People’s Liberation Army for hacking various U.S. industries, including Westinghouse and US Steel. The Justice Department offered fairly detailed descriptions of how the hackers obtained information that had direct economic consequences for US companies, whether in terms of stealing design specs or pricing plans. As a result, I don’t have much doubt that the evidence establishes behavior violating U.S. cyber crime laws as written. That said, this is still, as Holder himself admitted, an unprecedented move. It’s not every day the U.S. government charges military officers with criminal behavior that was presumptively authorized by the foreign government itself. Doing so suggests, not too subtly, that the real criminal here was China:
When a foreign nation uses military or intelligence resources and tools against an American executive or corporation to obtain trade secrets or sensitive business information for the benefit of its state-owned companies, we must say, ‘enough is enough.’ This Administration will not tolerate actions by any nation that seeks to illegally sabotage American companies and undermine the integrity of fair competition in the operation of the free market. This case should serve as a wake-up call to the seriousness of the ongoing cyberthreat. These criminal charges represent a groundbreaking step forward in addressing that threat.
My first reaction was that these charges aren’t really about prosecuting the named officers, but of signaling to the world that the United States wants to change the status quo when it comes to State-sponsored cyber-exploitation. The fact that States engage in cyberexploitation has long been widely known, but so far, the prevailing response has been a shrug of the shoulders — the theory being that spying cannot be regulated away so why bother trying. These charges suggest a political effort, however, to do just that — i.e., to try and change the volume or nature of State-sponsored cyber-exploitations at least when it comes to impacts on private commercial actors. I say a “political effort” since I very much doubt these charges will amount to much within the U.S. legal system. Simply put, these five officers are not going to appear in a US courtroom to face the charges against them. I suppose it’s possible (although implausible) that China could express surprise at the U.S. evidence and announce its own investigation with some lip service about shutting rogue actors down or holding accountable those responsible. But, even in such a case, I can’t see China handing them over to the United States. Much more likely, I suspect will be Chinese protestations of “trumped-up” charges or “false” evidence by the U.S. Government. As such, assuming they don’t vacation abroad, these officers are unlikely to face any negative consequences; on the contrary, I’d bet they’ll probably be lionized in some ways at home.
My second reaction was that of a law professor, asking in a hypothetical world where these officers somehow did end up before a U.S. court, what would happen then? I assume there’d be a claim by the defendants of sovereign immunity and, for the reasons stated above, I doubt the Chinese government would dispute such immunity. This would, in turn, raise interesting questions about whether the Foreign Sovereign Immunities Act would grant immunity from prosecution to these officers or whether the Justice Department could successfully invoke one of the statute’s exceptions. Based on the repeated references in this morning’s press conference to the ‘commercial’ nature of the Chinese cyberexploits, I’d guess DOJ’s theory is that it can proceed under the FSIA’s commercial activities exception, which affords federal jurisdiction to cases “in which the action is based upon a commercial activity carried on in the United States by the foreign state; or upon an act performed in the United States in connection with a commercial activity of the foreign state elsewhere; or upon an act outside the territory of the United States in connection with a commercial activity of the foreign state elsewhere and that act causes a direct effect in the United States.” I know many of our readers are expert in sovereign immunity issues, so I’d be interested in your reactions — do these officers have a legitimate claim for sovereign immunity? Or, might they invoke some other status-based immunities and with what likely results?
My third reaction was that these charges represent the official start of a Post-Snowden era. For the better part of a year, Snowden’s revelations have dominated almost all discussions of cyber activities involving the United States. To be sure, the United States has tried to rebut some of the allegations or recast others in a more positive light, with pretty mixed (some might say poor) results. Indeed, every time, the United States tried to move on, there was some “new” revelation waiting in the wings to forestall that effort. In recent weeks, however, Snowden-related disclosures have slowed, while at the same time the United States has had some diplomatic successes (see, e.g., the NETmundial final statement ). Thus, there’s certainly space today that wasn’t present a few months ago for the United States to try and refocus the conversation. I wonder if this explains the timing of these charges. After all, U.S. complaints against China were a central plank in U.S. cyber-policy pre-Snowden, so it’s not surprising they’ve been looking for an opportunity to get back on the offensive when the circumstances were ripe for it. Whether this offensive will be successful remains, of course, to be seen. It’ll bear close watching how China responds to these charges, both publicly (i.e., in defending its officers or launching counter-charges against US officials) and privately (will there by an escalation of cyber operations by China or others). But whatever China does, I suspect we’re going to witness renewed attention to the question of whether all cyber-espionage is really the same (i.e., can we distinguish, as the U.S. urges, between State-sponsored hacking for national security interests vs. State-sponsored hacking for economic gain). I’d hope, moreover, that part of that conversation will involve the question of what role law can play, if any, in regulating cyber-espionage, whether as a matter of domestic or international law.