Last year, President Barack Obama and Chinese President Xi Jinping signed an agreement to prevent hacking between the countries focused on the theft of intellectual property, otherwise known as economic espionage. During a panel at the 2016 RSA Conference in San Francisco, current and former federal officials made a distinction between hacking for economic purposes and more traditional espionage between nations.
“All countries are going to gather information and intelligence to protect their citizens,” said Christopher Painter, cybersecurity coordinator for the State Department, admitting that some level of espionage between nations is accepted as an international norm. “But if you’re targeting trade secrets and intellectual property to benefit your commercial sector, that really is out of bounds and something that we don’t do.”
When asked, Painter declined to comment on whether the massive breach of the Office of Personnel Management last year — widely attributed to Chinese state actors — should be considered intelligence gathering under international norms.
In that instance, hackers broke into OPM databases and stole personnel records on tens of millions of current, former and prospective federal employees. The conventional wisdom is that China took this information in order to find U.S. spies within their country and potentially compromise feds using their personal information.
Paul Rosenzweig, founder of Red Branch Consulting and former deputy assistant secretary for policy at the Department of Homeland Security, said it isn’t clear that the hack was intended for espionage purposes but it is “close enough.”
“The purpose is not to do economic [espionage] but rather to get information about me,” he said, adding that he got a letter stating his information was compromised in the breach. “They got my file and if there’s anything bad they’ll use it to force me — if I got a job in another administration — to do what they want.”
“The term ‘traditional espionage’ is a term of art,” said Jessica Malekos Smith, a student studying cybersecurity issues at the University of California Davis School of Law. “It refers to a whole host of subcategories of information. Intelligence that relates to military, political, economic, social, cultural, health and environmental. It really does run the gamut.”
While the OPM hack might not be technically illegal at the international level, these types of activities pose a danger to national security and the government should be prepared.
In cases of “traditional intelligence gathering” there are still things the government can do, Painter said.
“You need to harden your targets and have that deterrence by denial in place,” he said, offering a few options. “We don’t fight traditional espionage but we have to make sure we take steps to keep it from happening.”