Two years ago, the Obama administration announced a new strategy to curb online espionage.
The five-point strategy came after a 2013 article in The New York Times about how the newspaper had been breached by Chinese hackers. The Times, working with a security company, also concluded that thousands of other American companies had been hacked by a Chinese military unit in Shanghai.
The White House said it would increase public awareness of the threat, encourage the private sector to increase its defenses, focus diplomacy on protecting trade secrets overseas, improve trade secret theft legislation and make investigations and prosecutions of corporate and state-sponsored trade secret theft a top priority.
Since then, public awareness is up and so is spending. But the hacking continues.
The private sector spent $665 million on data loss prevention last year, according to the technology research firm Gartner, with a 15 percent increase expected this year. On the legislative front, Congress strengthened penalties for those convicted under the Economic Espionage Act, raising the maximum fine for individuals convicted to $5 million from $500,000. And in terms of law enforcement, the F.B.I. lists digital crime, including intrusions that result in trade secret theft, as its third priority, just behind terrorism and counterintelligence. The agency reported a 60 percent increase in trade secret investigations from 2009 through 2013.
But diplomatic efforts to engage China on the topic have largely failed. China’s response has simply been that it, too, is a victim of online attacks. And online espionage shows little sign of abating. Last year, 18 percent of the 1,598 confirmed breaches analyzed by Verizon were used for online espionage, compared with 22 percent of 1,367 attacks in 2013. Senator Sheldon Whitehouse, Democrat of Rhode Island, told a Senate Judiciary Committee hearing last year that 1 to 3 percent of United States gross domestic product was still lost, every year, through trade secret theft.
“There hasn’t been any change,” said James A. Lewis, a digital security expert at the Center for Strategic and International Studies in Washington. “There’s a lot more we can do. But we haven’t reached our pain point for taking more drastic steps on cyberespionage, and the Chinese haven’t reached their pain point for stopping it.”
The Justice Department is under significant pressure to bring more trade secret cases under the Economic Espionage Act. But it is incredibly difficult to bring cases against sophisticated hackers, who are not only smart enough to cover their tracks but also smart enough to live outside the United States. It is equally difficult to serve court summonses to the Chinese corporations that investigators say they believe are benefiting from stolen trade secrets.
In 2013, the Justice Department brought several indictments that charged Chinese nationals with stealing trade secrets for the benefit of corporations in China, but none of the cases involved trade secrets obtained through online attacks. All the indictments involved either employees or former employees accused of passing their employer’s trade secrets to a company in China, or people who paid an employee to do so.
The story was similar in 2014. During the first nine months of the year, the Justice Department reported 20 new prosecutions under the Economic Espionage Act — a 33 percent increase from 2013 — and several convictions, but only two of the indictments involved trade secrets theft via digital intrusions.
One, the landmark indictment filed last year against five members of the People’s Liberation Army for hacking United States companies, was largely symbolic given that the United States has no jurisdiction in China.
In another, in August, a federal grand jury in California indicted a Chinese businessman on charges of conspiring to steal military secrets by hacking into Boeing and other United States companies. The defendant, Su Bin, is awaiting extradition in Canada.
The Justice Department’s biggest success last year was when prosecutors obtained the first-ever federal jury conviction for economic espionage charges against two Americans and a corporation accused of selling DuPont trade secrets to a state-owned company in China.
But that was not a hacking case. The two were charged with stealing trade secrets the old-fashioned way, by poaching former DuPont employees. And in that case too, the Justice Department’s efforts to bring charges against two Chinese citizens who played a central role in the theft, and the Chinese state-owned companies that benefited from them, have stalled.
A look at two cases the Justice Department did bring against one Chinese-American and another Chinese citizen living in the United States suggests that the agency has found it difficult to constructively respond to online espionage. Those two cases suggest the pressure to bring such cases may be doing more harm than good.
In Ohio, the Justice Department pursued a Chinese-American hydrologist for potential violations of the Economic Espionage Act, court documents show, but failed to find evidence and still tried to prosecute her for lesser charges that could have added up to 25 years in prison. After a review of her case revealed she was hardly a Chinese spy, the government dropped charges just before it was set to go to trial in March.
And in Philadelphia, a Chinese citizen who has permanent residency status in the United States has been held in a federal detention center since September 2012, after he was accused of damaging a corporate server computer to cover up trade secret theft. There, too, the government did not find violations of the Economic Espionage Act, but has aggressively pursued lesser charges, including intentionally causing harm to a protected computer system. His trial is scheduled for November.
Trying another tack, President Obama signed a new executive order in April that established the first sanctions aimed at curbing foreign cyberespionage. The order authorized financial and travel sanctions against anyone participating in online attacks that posed a threat to the “national security, foreign policy, or economic health or financial stability of the United States.”
Until those sanctions are exercised, experts say the only option for curbing digital espionage may be patient diplomacy.
“They don’t live here, so we can’t arrest them, and we’re not going to go to war over this,” Mr. Lewis said. “So the key is consistent persuasion and pressure. It may be slow and it may not work. But there is no other alternative.”