Prospects for U.S.-China Cybercrime Cooperation: The Road Thus Far

While transnational cybercrime has played a part in the U.S-China relationship for some time, the issue assumed a high profile during the September 2015 U.S.-China summit discussions that led to the U.S.-China High-Level Joint Dialogue on Cybercrime and Related Issues. The third dialogue took place in December 2016 and, as described in the joint summary, the scope of that discussion included “the investigation of cybercrime and malicious cyber activities emanating from China or the United States,” including cooperation in investigation and the timely sharing of leads and information.

In advance of the fourth round of the annual dialogue, expected to take place in 2017, this post provides a summary of other cooperative efforts that predate or in practical respects intersect with these high-level discussions.

In January 2014, the FBI concluded an investigation focusing on so-called “hack-for-hire” websites that, for a fee, phished for victims’ emails. According to the FBI’s press release on the takedown of its investigation, the investigation led to discovery of unlawful websites worldwide, and the FBI coordinated its investigation with China’s Ministry of Public Security (MPS), resulting in the arrest of an unlawful website operator who had compromised 300 email accounts. [Note: I handled the prosecution of this investigation as a federal prosecutor; the discussion here is based solely on public information.]

In turn, a case initiated through assistance from China’s MPS resulted in the arrest and conviction of a man in Flushing, New York, who operated 18 Chinese-language membership websites, a number of which offered child pornography. In conjunction with the arrest, the FBI announced that it had also seized two servers in Texas that supported both the websites and related online payment processes. According to the FBI’s press release on the sentencing, the defendant was sentenced to 210 months’ imprisonment.

Perhaps with prior successes like these in mind, the joint summary of the third Joint Dialogue identified online distribution of child pornography and unlawful Darkweb sales of synthetic drugs and firearms as areas of U.S.-China cooperation. And indeed, it would appear that there are broad areas for potential bilateral law enforcement cooperation. There has been no shortage of transnational fraud cases, including business email compromises and access device fraud affecting U.S. victims and online call center fraud affecting Chinese victims.

Nevertheless, progress has been, at best, incremental. Cooperation in cybercrime cases, as with any other criminal case, is subject to existing legal structures. In the case of China and the United States those structures do not include an extradition treaty, but they do include the U.S.-China Agreement on Mutual Legal Assistance in Criminal Affairs, which is primarily used for evidence requests. The time required to obtain evidence under that structure, however, can be lengthy, and the Agreement is not well suited for cybercrime investigations, in which data must be preserved and traced quickly to determine the source of compromise or attack. There is no prohibition, of course, against so-called direct “cop-to-cop” contacts, but those contacts are a function of relationships that take time to develop.

In the meantime, the U.S. and China have each proposed other mechanisms to foster increased cooperation. The U.S. has promoted the Convention on Cybercrime, known as the “Budapest Convention,” which establishes certain basic criminal law standards for computer crime and principles regarding international cooperation, including preservation of data and access to stored data.

China, however, has not joined the Convention and instead has promoted another multilateral mechanism that takes a different approach to cybercrime and cyberspace issues generally. In its Strategy for International Cooperation in Cyberspace (available here in English and here in Chinese), released last week, China has recommended adoption of the International Code of Conduct for Information Security, issued by the Shanghai Cooperation Organisation (SCO) without mention of the Budapest Convention.

Founded in 2001, the SCO comprises China, Kazakhstan, Kyrgyzstan, Russia, Tajikistan, and Uzbekistan. Its primary areas of focus include military and counterterrorism cooperation. The SCO Code of Conduct adopts an approach similar to that of China in its cyberspace regulation, such as the goal expressed in China’s National Security Law to maintain a “secure and controllable Internet.” The Code of Conduct discourages the use of information and communications technologies or networks to “interfere in the internal affairs of other States” and seeks to curb information that “incites terrorism, separatism or extremism.” NATO’s Cooperative Cyber Defence Centre of Excellence has stated that, while the SCO members “believe that content is a potential security threat and should be regulated, the ‘Western consensus’ considers this level of content regulation to be a threat to fundamental human rights.”

It is probable that, at least for the time being, U.S.-China law enforcement cooperation regarding cybercrime will develop outside of these multilateral mechanisms. Whatever differences of opinion there may be on broader cyberspace issues, however, do not necessarily preclude law enforcement cooperation. For example, China’s Cooperation Strategy generally promotes international law enforcement cooperation and does not raise the Code of Conduct as a form of condition for doing so.

In many ways, cooperation is inevitable. We continue to see large flows of capital out of China to other countries, including the U.S., employing sophisticated methods such as the use of fintech domestically. Moreover, the growth of China’s social media industry is resulting in the generation and collection of sizeable amounts of information that can be useful in a law enforcement investigation. Given these trends, investigators on both sides have a keen interest in ensuring that mutually recognized best practices are applied to this important area.

The opinions expressed in this article do not necessarily reflect the views of O'Melveny or its clients, and should not be relied upon as legal advice.