Department of Justice Announces Indictments Against PLA Officials
Lawfare's biweekly roundup of U.S.-China technology policy news.
Published by The Lawfare Institute
in Cooperation With
Department of Justice Announces Indictments Against PLA Officials for 2017 Equifax Hack
The Department of Justice has announced indictments against four members of China’s People’s Liberation Army (PLA) for a 2017 breach of Equifax’s system, in which the hackers gained access to the personal data of nearly 150 million Americans. The stolen data included names, addresses, Social Security and driver's license numbers, and other personal information. The PLA members are also accused of stealing intellectual property, including database designs, from Equifax.
The Justice Department’s statement notes that the hackers exploited a vulnerability in Apache Struts, an open-source framework that Equifax used to create Java web applications. Apache, the creator of the software, reported and patched the vulnerability in March 2017, more than two months before hackers used it to enter Equifax’s system. But Equifax did not immediately update its Apache Struts to the patched version, leaving the system vulnerable to a known problem. In 2019, the Federal Trade Commission fined Equifax $575 million for failing to update its version of Apache Struts. As a Government Accountability Office report explains, hackers remained in Equifax’s system for more than 70 days, exfiltrating data in small increments and disguising their activity. The four indicted PLA members are not currently in the United States and are unlikely to appear before an American court.
Attorney General William Barr said that the attack “fits a disturbing and unacceptable pattern of state-sponsored computer intrusions and thefts by China” that have targeted personal data, intellectual property, and defense technology on American commercial and government servers. In 2015, the federal government acknowledged that Chinese hackers infiltrated the Office of Personnel Management (OPM) database, gathering personal and employment data on millions of federal government employees. In 2017-2018, China breached the servers of a suite of contractors providing research and technology for the Navy. In 2018, China infiltrated Marriott servers and collected data on hundreds of millions of consumers.
Beijing’s aims in acquiring American defense technology and intellectual property are clear enough: China can use the fruits of its espionage to strengthen its military and otherwise close technological gaps between the U.S. and China. Similarly, China’s intention in the OPM hack is well understood: Beijing can use the information to identify intelligence officials and better understand the inner workings of the U.S. federal government.
But the objectives of China’s campaign to collect data on private American citizens, through moves like the Equifax breach, are less clear-cut. Analysts argue that in the era of big data and machine learning, mass troves of data on the behavior of American citizens could provide national security advantages to China. Beijing’s plan may simply be to collect as much data as possible and analyze it for valuable insights.
The indictment against the PLA officers comes as tensions run high between Washington and Beijing over technology. For more than a year, the Trump administration has pursued a campaign to convince allies to exclude Chinese telecommunications giant Huawei from their development of 5G technologies, over concerns that Beijing could use Huawei technology for espionage. Attorney General Barr also recently suggested that the U.S. government should acquire a controlling stake in Nokia and Ericsson, European telecommunications firms considered to be Huawei’s chief rivals. FBI Director Christopher Wray has also recently said that the bureau has more than 1,000 open cases involving China’s efforts to acquire U.S. research and technology.
The indictments may also be the latest indication of the deterioration of a 2015 commitment on norms in cyberspace between President Xi Jinping and then-President Obama. As part of the deal, the two sides agreed that they would not “conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information for commercial advantage.” In 2016, reports from U.S. cybersecurity firms noted an apparent drop in commercial cyberespionage from China. But in November 2018 the White House publicly accused China of violating the agreement, saying that Chinese attacks had continued. And in 2019, U.S. cybersecurity firms noted a dramatic uptick in cyberespionage. The latest Justice Department indictments, which emphasize that Equifax’s data were economically valuable “confidential, proprietary business information,” may reflect the department’s view that this breach falls under the umbrella of the type of espionage that China had agreed to stay away from when it made the 2015 committment.
U.S. Attorney General Says American Buyer Should Take Control of Nokia, Ericsson
Warning listeners that America’s “economic future is at stake,” Attorney General Barr advocated in a Feb. 6 speech that the U.S. invest in European telecom companies Nokia and Ericsson in order to better position the U.S. to counter Chinese firms’ global 5G market share. Barr recommended, in particular, that the U.S. government or American companies purchase a “controlling stake” in one or both of the European firms. Barr noted that Chinese companies Huawei and ZTE account for 40 percent of the global 5G market. Nokia, a Finnish firm, and Ericsson, a Swedish company, are Huawei’s strongest rivals in 5G telecommunications hardware, a domain where U.S. companies have encountered significant obstacles. Barr also stated—and reporting later confirmed—that Trump officials have already discussed proposals to incentivize private investment in Nokia and Ericsson.
Barr’s comments emerge amid strong suspicion of, and hostility toward, Huawei in U.S. policymaking circles. On Feb. 13, the Department of Justice released a superseding indictment charging Huawei with conspiring to steal trade secrets and with violating U.S. sanctions on Iran and North Korea, among other charges. Because of Huawei’s ties to Beijing, the U.S. government fears that China could compel the company to assist in spying on countries that use its cellular technology—compromising U.S. national security. These concerns drove Trump, U.S. lawmakers and other U.S. officials to oppose the U.K.’s decision last month to use Huawei technology in constructing the country’s own 5G network. They also led Trump to impose a partially implemented ban on exporting U.S.-made components to Huawei in May 2019.
It remains to be seen whether the U.S. will take the measures that Barr prescribed. Not all government leaders are on board with his vision. The day after Barr’s speech, Vice President Pence rebuffed the attorney general’s recommendation. Maintaining that the U.S. can accomplish its goals “by using the power of the free market and American companies,” Pence stated that the Trump administration does not support public investment in Huawei’s competitors. National Economic Council Director Larry Kudlow expressed similar sentiments. Officials’ remarks in the wake of Barr’s speech evince significant dissent within Washington over how to address Huawei and China’s expanding role in 5G technology.
Generally, analysts have expressed skepticism—largely due to Republicans’ ideological opposition to public 5G ownership—that the U.S. government will purchase Nokia or Ericsson. However, even if the government stops short of this action, many observers believe that Barr’s comments presage federal policies aimed at aiding these two companies, or at facilitating their purchase by a U.S. firm. (After Barr’s comments, Nokia and Ericsson stocks each appreciated more than 4 percent on Feb. 7.) Support for policies designed to support Nokia and Ericsson are already gaining traction in Congress. A bipartisan group of senators recently introduced a bill, the Utilizing Strategic Allied Telecommunications Act, that would allocate more than $1 billion to companies developing 5G technologies in competition with Huawei.
The U.S. has already taken steps to support the domestic 5G industry. On the day of Barr’s speech, Federal Communications Commission Chairman Ajit Pai announced that the U.S. will subsidize satellite companies in order to induce them to auction off swaths of the radio spectrum for cellular development. And the Trump administration has begun collaborating with companies like Microsoft, Dell and AT&T to develop advanced 5G software. The goal of this private-sector collaboration is to enable U.S. technology to power all major domestic 5G infrastructure. (This is another item of disagreement among Trump administration officials. Barr in his speech critiqued this approach as inadequate—claiming it “would take many years to get off the ground.”)
In private, Trump officials have also expressed interest in involving the federal government even more directly in developing 5G in the United States. Members of Trump’s National Security Council and his reelection team have variously proposed that the government build or manage a forthcoming U.S. 5G network. (Trump has since repudiated this notion.) According to reporting from the Financial Times, members of Trump’s administration have considered helping Nokia and Ericsson compete with Huawei by offering them lines of credit to help the companies offer more competitive pricing.
Should Washington act along the lines that Barr suggests, U.S.-Chinese technological competition and Huawei-related disputes could grow more heated. Such tensions are already ratcheting up: An official statement from the Chinese embassy in Paris said that Nokia, Ericsson and other European companies may receive unequal treatment in China if European countries discriminate against Huawei. China’s warning comes in response to France’s decision, contra the U.K., to exclude Huawei from its 5G networks. It may also signal increased willingness in Beijing to counteract efforts by countries like the U.S. to support Huawei’s corporate competitors.
A Whistleblower Doctor Dies as the Coronavirus Toll Rises
Li Wenliang, a Chinese doctor who tried to warn colleagues about the novel coronavirus in its early stages and later acquired the disease while treating patients, died on Feb. 7. As the novel coronavirus epidemic worsens—surpassing the fatalities caused by the 2002-2003 SARS epidemic—Li’s death and the ensuing public reaction have become a lens through which to understand the pitfalls of the Chinese Communist Party’s (CCP’s) approach to information control.
In December 2019, after noticing a cluster of infections in his home city of Wuhan, Li shared information about a fast-moving virus with medical colleagues via WeChat, a Chinese social media platform. Screenshots of Li’s message spread quickly through other WeChat groups. Then, in early January, Chinese authorities contacted Li to discuss his message. They eventually forced him to sign a statement saying that he had spread rumors and thus engaged in “illegal behavior.” A few weeks later, after President Xi finally addressed the virus—saying that China would “resolutely curb the spread of the epidemic”—the Chinese Supreme People’s Court published a WeChat message declaring that Li and other whistleblowers had been absolved of wrongdoing. By then, Li had already contracted the coronavirus after treating patients who had the disease. On Feb. 6, a reputable Chinese news outlet, Caixin, as well as the CCP mouthpiece, Global Times, announced that Li had died. News about Li’s death began to go viral on Chinese social media, but then the stories reporting his death vanished. Li’s employer, a hospital in Wuhan, confirmed his death later that night at 2:58 a.m.
Chinese regulators seemed unprepared for what came next. Online, Chinese citizens posted about Li in such high volume that the CCP’s censorship apparatus was briefly overwhelmed. For hours, the hashtag “I want freedom of speech” emerged as a trending topic on Weibo and drew 1.8 million views, as commenters said the doctor’s death demonstrated the need to allow citizens to speak freely. When that topic was shut down, commenters switched to “we demand free speech” and continued to criticize the way the CCP has controlled information during the epidemic. Some commenters invoked Article 35 of China’s Constitution, which nominally provides free speech for all citizens. Other comments alleged that the Chinese government had withdrawn the news of Li’s death and deliberately republished it late at night, when most users would be offline.
The outcry over Li’s passing may reflect broader anger from a public that has felt left in the dark by its government in a moment of crisis. Analysts have noted that China may have missed its chance to contain the epidemic by only beginning to respond to the coronavirus weeks after Li and other doctors had sounded the alarm. During that delay, the government played down the threat to the public, leading citizens to go about their routine as usual and giving the virus time to spread. The government’s information control policies and governance structures also created incentives for local officials to withhold important information for fear of upsetting higher-ups.
Chinese officials have promised investigations: China’s National Supervision Commission, the country’s top anti-corruption body, said that it would look into what happened to Li, according to Xinhua, China’s official state news agency. Beijing has also fired high-ranking provincial health officials for their mismanagement of the response to the virus. But analysts have argued that the investigations may be part of a broader strategy to blame mismanagement of the crisis on the local government in Wuhan, leaving the image of leadership in Beijing untarnished.
Meanwhile, the epidemic continues to spread. More than 1,000 people have died from the coronavirus and more than 60,000 cases have been confirmed. The United States has declared a public health emergency and has temporarily banned non-U.S.-citizen travelers who have recently visited China. At the end of January, President Trump created a 12-person coronavirus task force, which will report to the National Security Council. The president said he had spoken with President Xi recently about the virus’s spread and noted that President Xi expressed optimism about China’s capacity to defeat the virus.
Commentary
In Foreign Affairs, Elizabeth Economy argues that the coronavirus crisis exposes weaknesses in President Xi’s governance model. In the Atlantic, Robert D. Williams critiques the U.S. response to the Equifax data breach. In the New York Times, Charlie Warzel warns that the existence of large data brokers like Equifax inherently endangers national security. Also in the Times, Yifu Dong discusses Chinese censorship during the coronavirus outbreak—concluding that local officials have little leeway to disobey censorship orders. For the Council on Foreign Relations, Lauren Dudley and Adam Segal explore how Chinese tech companies have responded to the coronavirus outbreak.
The editorial board of the Financial Times contends that China needs to adopt a more transparent governance style, as highlighted by its handling of the coronavirus. For the Mercator Institute for China Studies, Lucrezia Poggetti analyzes how China-Europe relations might evolve in the year ahead. In the Wall Street Journal, Thomas J. Duesterberg advocates turning away from a hardware-based telecommunications services model as an alternative to Huawei, and Michael Taube examines the U.S. and Canada’s united position on extraditing Huawei chief financial officer Meng Wanzhou from Canada to the United States.
For Lawfare, Lisa Monaco discusses why China’s coronavirus outbreak shows that the U.S. must address pandemic diseases as national security threats. Tom Bollyky and Samantha Kiernan advocate international cooperation in response to the coronavirus challenge. Robert Chesney explains U.S. quarantine laws in light of the coronavirus situation. And Graham Webster examines the implications of the Department of Justice’s indicting PLA officials in the Equifax case.