Xi’s Broken Promises on Cybersecurity

In September 2015, President Barack Obama hosted China’s Xi Jinping for a two-day summit in Washington. The leaders of the world’s two largest economies had much to discuss, from the war in Afghanistan, to nuclear security and military relations, to the prospect of cooperating on environmental and humanitarian issues. One of the most pressing issues at the time was cybersecurity. And the pair agreed they would work together to limit the damage done by cybercriminals.

“The United States and China agree that neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors,” a White House fact sheet prepared at the conclusion of Xi’s state visit reads.

It’s clear now, if it wasn’t before, that Xi had no intention of honoring his commitment.

Nearly six years later, the Biden administration has been forced to confront a range of cybercrimes carried out under the auspices of Xi’s Chinese Communist Party (CCP).

On Monday, Secretary of State Anthony Blinken openly accused the Chinese government’s Ministry of State Security (MSS) of “foster[ing] an ecosystem of criminal contract hackers who carry out both state-sponsored activities and cybercrime for their own financial gain.”

Blinken added that America’s “allies and partners” had joined the State Department in “formally” blaming the MSS for a massive hack of the Microsoft Exchange Server, an intrusion that “indiscriminately compromised thousands of computers and networks, mostly belonging to private sector victims.”

That same day, the Department of Justice released a previously sealed indictment charging four Chinese nationals with overseeing a prolific and ambitious campaign of economic espionage. That campaign began circa 2011—four years before Xi’s state visit. It continued throughout 2015, with some of the allegations pointing to crimes committed within weeks of the Obama-Xi sit down. And it continued for years after, with the charges pointing to crimes committed as recently as 2018.

Of course, the indictment is made up of allegations that have yet to hold up in court. But it’s clear that the FBI and other U.S. counterintelligence officials have been tracking this Chinese network for some time.

Three Chinese nationals serving as intelligence officers for the Hainan State Security Department (HSSD) are at the heart of the alleged conspiracy. They are Ding Xiaoyang, Cheng Qingmin and Zhu Yunmin. A fourth man, Wu Shurong, is accused of working for them as a hacker.

Hainan is an island province in the southernmost part of China’s territory. The HSSD is the provincial arm of the MSS. The MSS is tasked with shoring up the CCP’s regime, so it spies on Chinese citizens and carries out other functions in the name of maintaining political security. As U.S. federal prosecutors point out in the indictment, the MSS is also responsible for “non-military foreign intelligence.” In the present context, that means spying on and stealing from Americans.

The HSSD’s men set up a “front company” named Hainan Xiandun Technology Development Co. Ltd., which marketed itself as an innovative, high-tech security firm. The company’s hackers allegedly targeted at least seven American universities, three American companies, and a research facility based in California and Florida. Outside the U.S., the hackers went after targets in at least 11 other countries. According to the indictment, the FBI has uncovered a worldwide campaign that was directly intended to benefit the Chinese economy.

Directly contradicting Xi’s 2015 pledge to Obama, the HSSD/MSS’s cyberthieves allegedly sought and stole sensitive intellectual property and trade secrets that would assist Chinese “state-owned and sponsored instrumentalities.” The hackers allegedly went after a wide range of industries, including “aviation, defense, education, government, health care, biopharmaceutical and maritime.” The hackers’ mandate included everything from “proprietary genetic-sequencing technology and data” to technologies used in submarines and “autonomous vehicles” to “infectious-disease research.”

The hackers were not without a sense of humor. They used a technique called steganography, in which stolen bits of data are hidden inside images with the hope of avoiding detection. Two of the images used are reproduced in the indictment. One is of a generic koala bear. The other is of Donald Trump.

There’s much more to this story. But the details we know already highlight some of the challenges ahead.

First, the Biden administration has yet to determine what actions, if any, will be taken to punish the Chinese beyond criminal charges and public shaming. The Biden team sanctioned the Russian government in the wake of the SolarWinds hack, but has yet to announce any similar measures targeting the Chinese.

Second, the latest revelations show just how difficult it will be for the U.S. and China to agree to play by the same rules. Both the Trump and Biden administrations have said that America should seek to work with the Chinese government where it can. And the Biden administration seeks to establish cyber boundaries with both Russia and China. But President Obama already tried that specifically with respect to cybercrimes, and Xi obviously didn’t take his pledge seriously.

As part of the 2015 agreement between Obama and Xi, the MSS was supposed to work with the U.S. to combat cybercrime—not commit the crimes itself. Back in 2015, the U.S. and China agreed “to establish a high-level joint dialogue mechanism on fighting cybercrime and related issues.” The MSS was named as one of the Chinese state agencies that would “participate in the dialogue,” with the aim of stifling cyber criminals. That obviously didn’t work.

Third, this week’s revelations demonstrate, once again, why business dealings with China often come with hidden costs. President Biden has welcomed fair competition with the Chinese. But the CCP doesn’t share his concept of fairness, as it is willing to steal whatever technologies are necessary for state-owned and state-backed companies to get a leg up. And it’s not just businesses that are impacted—so, too, are American universities.

Federal prosecutors allege in the indictment that state-controlled universities in China have directly contributed their human capital to the HSSD/MSS’s espionage campaign. Chinese professors are accused of holding competitions for their students to determine which ones are the most effective hackers. The best and brightest are selected to work for the HSSD/MSS’s front company. In addition, there’s no telling how many American academics were fooled into thinking that they were responding via email to legitimate inquiries from Chinese peers, only to have their computers compromised by malware developed by sophisticated hackers.