The U.S. government is reportedly set to accuse China’s state-run hacking groups of attacking U.S. research institutions and pharmaceutical companies to steal novel coronavirus data, treatments and vaccines. This ought to be a wake-up call. The truth is that the United States has yet to use its strongest tools to punish and deter China from its widespread and continuing use of state-sponsored cybercrime.
The mere fact the Chinese government is attempting to steal coronavirus information should make clear that the blame for the lack of U.S.-China cooperation on the pandemic lies primarily on the Chinese side. China has restricted its own researchers from sharing coronavirus research and has refused to hand over early virus samples. Chinese research institutions have even tried to copy and patent leading U.S. drugs sent to China for trials.
Now, China is trying to steal coronavirus data from inside U.S. institutions through hacking and “nontraditional actors,” according to a draft notice prepared by the FBI and the Department of Homeland Security (and seen by the New York Times). Assistant Attorney General for National Security John C. Demers didn’t confirm the report, but he talked about the threat Monday on CNBC.
“It would be crazy to think that right now the Chinese were not behind some of the cyber activity that we’re seeing targeting U.S. pharmaceutical companies and targeting research institutes around the country that are doing coronavirus research, treatments and vaccines,” he said. “This is the holy grail of biomedical research right now, [and has] tremendous value both commercially and geopolitically.”
Some argue science should be open and shared — especially during a worldwide pandemic — but Beijing clearly doesn’t see it that way. The Chinese leadership knows that stealing research can net huge gains. China isn’t the only country playing this game, but it is by far the worst offender.
That’s why officials and experts are wondering why the U.S. government won’t deploy its most powerful weapon for fighting cybercrime — U.S. Treasury Department sanctions — against Chinese entities the way it does for criminals in Russia, North Korea and Iran.
The Justice Department has indicted 38 Chinese companies or individuals for cyber-related economic or political espionage — but only two of them have faced Treasury Department sanctions, and those were for money laundering related to North Korea, according to new research published by the Foundation for the Defense of Democracies (FDD), a Washington-based conservative think tank. Compare that to 77 Russian, 30 Iranian and six North Korean entities sanctioned for the same crimes.
“The greatest disparity in Washington’s use of sanctions and indictments against different adversaries is the infrequency with which the United States employs sanctions to combat Chinese hackers,” the report states.
Treasury already has the authority to go after other Chinese criminals. President Barack Obama issued an executive order on this very topic in April 2015. Obama and Chinese President Xi Jinping signed an agreement at their September 2015 summit to cease all cyberespionage related to intellectual property theft, but Beijing has largely ignored its commitments.
The Justice Department under President Trump has ramped up prosecutions of Chinese cybercrimes and attempts to steal biomedical research. In January, the department arrested the head of Harvard’s chemistry department for hiding his financial relationship with the Chinese government’s Thousand Talents recruitment program; and a Chinese researcher was arrested at Boston Logan International Airport after he was caught with 21 vials of biomedical research samples stuffed in a sock in his luggage.
But the Justice Department can only get at the thieves who are actually in the United States. Their corporate or government bosses are going unpunished. In an April online event hosted by Future in Review, a consulting and research firm, Demers suggested that sanctions were needed to really stop the abuses.
“The goal here has to be to provide economic pain for economic pain,” he said. “We have to use different tools across the government to really make sure we are denying the thief the benefit of his theft.”
The problem goes well beyond biomedical research. The Justice Department has indicted Huawei, four of its subsidiaries and its chief financial officer for a long list of crimes, including evading U.S. sanctions on Iran, but there are no U.S. Treasury sanctions on Huawei. Comac, the Chinese state-owned airliner manufacturer, stole egregiously to build the plane it now sells to compete with Airbus and Boeing. But yet, no sanctions.
Trevor Logan, the co-author of the FDD report, said sanctions are effectively the only way we can deter many Chinese entities that are outside the reach of U.S. law enforcement. By holding back on sanctions, we are signaling to Beijing that it need not uphold the agreements it signs.
“Either we don’t take a stand at all and those agreements are not worth the paper they are written on. Or we actually enforce our agreements in cyberspace,” Logan said.
To be sure, sanctions carry costs and risks and should not be used flippantly. The U.S.-China economic relationship is complex, and our trade agreement with Beijing is still being tested. But China’s attempts to hack our coronavirus research bring urgency to the need to show Beijing that it can’t steal its way to economic dominance. As of now, China is clearly not getting the message.
Josh Rogin is a columnist for the Global Opinions section of The Washington Post. He writes about foreign policy and national security. Rogin is also a political analyst for CNN. He previously worked for Bloomberg View, the Daily Beast, Foreign Policy, Congressional Quarterly, Federal Computer Week and Japan's Asahi Shimbun newspaper