
When cybersecurity firm Mandiant released its bombshell report “APT1: Exposing One of China's Cyber Espionage Units” in February 2013, it was perhaps the earliest and most high-profile case of public cyber attribution in China-U.S. relations.1 Just over a year later, the U.S. Justice Department’s indictment of five Chinese army officers for their alleged involvement in the economic espionage exposed in the Mandiant report marked a major escalation in the fight between the two great powers over cyber theft.2

Since then, publicly accusing China of purported cyber activities that threaten U.S. economic interests and national security has become a U.S. policy priority. Federal departments, cybersecurity firms, industry groups, think tanks, and media outlets have all released their accounts of Beijing’s so-called malicious cyber operations, portraying different aspects of a threat that is growing in scale and scope. In stark contrast, to date, China’s government has not launched or engaged in any public cyber attribution, except in the case of the Edward Snowden revelations, when Beijing joined others in condemning Washington’s extensive government surveillance scheme.

Washington’s increased use of public attribution and Beijing’s relative passivity reflect their differing perceptions of the divisive issue. A closer examination of the factors driving the two great powers’ different approaches will deepen our understanding of public attribution as a foreign policy instrument and its implications for the broader bilateral relationship. A better understanding of the issue may also help move Beijing and Washington closer to some consensus or norms regarding cyber stability.

Public Attribution: An Emerging International Security Issue

Public attribution, as it relates to cyberspace, is a recent phenomenon whose purposes, effectiveness, and consequences are the subject of heated debate. Most countries—including those with formidable cyber capabilities like China, France, and Russia—have refrained from explicitly and publicly attributing cyber attacks to specific foreign state-affiliated actors. Many of the most high-profile public accusations by governments have so far been made by the U.S.-led Five Eyes intelligence alliance (comprising Australia, Canada, New Zealand, the UK, and the United States) against major ideological adversaries like China, Russia, Iran, and North Korea.3 Though public attributions of cyber intrusions have increased in the last decade, calling out foreign cyber actors and holding their governments accountable remains a limited policy tool preferred only by a small number of countries because the attribution process is fraught with problems.

Lu Chuanying is the director of and a senior fellow at the Research Center for Global Cyberspace Governance, SIIS.

First, besides the accusing and the accused parties, public attribution involves multiple cyber actors whose roles, motivations, and behavioral patterns are difficult to ascertain. As a new contested issue in great power competition, public attribution has drawn a significant amount of popular and media attention. Initiators of public attribution can be either government entities or nongovernmental actors that specialize in cyber affairs. Government agencies make accusations against other governments or their proxies for what is described as a state-sponsored malicious cyber intrusion. Nongovernmental accusers may include cybersecurity companies, media outlets, think tanks, or victims of cyber attacks who make attributions for their own reasons or on public interest grounds. On the receiving end of public attribution could be nation-state governments, state-backed hackers, or cyber-criminal gangs. Treating these diverse actors indiscriminately has generated considerable discord and cast the effectiveness of the practice into question.

Government-initiated attributions are more serious and rigorous processes involving considerable amounts of technical and operational information. If public attributions are followed by criminal charges, governments will release even more details to buttress the evidence. In some cases, the accused may raise legitimate questions about evidentiary integrity when the accuser chooses to withhold key information to protect its intelligence sources and methods.

Nongovernmental attributions are more problematic. Cybersecurity companies usually rely on their own threat intelligence, technical reporting, and indicator databases to bolster their cases. Some of them are capable and prudent, but the less reputable ones may exaggerate to advertise their attribution capabilities. Accusations initiated by the media and think tanks are generally less convincing, as these entities are less technically capable and may need to rely on data or claims provided by others. In some instances, the evidence they have produced has been flawed and misleading.4 (That said, some think tanks and journalists have become adept at open-source intelligence analysis, and journalists have sometimes conducted valuable on-the-ground investigations.)

Second, there is little agreement on evidentiary standards between the attributor and the accused. The search for perfect proof is futile for a number of reasons. To begin with, cyber forensics is much more difficult than real-world investigations because cyber crimes are virtual and, in many cases, transnational. From the accused state’s point of view, the prevailing model of public attribution—associating a cyber intrusion with a state-sanctioned hacking group—has not been convincing enough. When the attributor withholds critical details to protect sources, the accusations invite doubt.

Then there is the problem of legitimacy and credibility. Unlike in real-world court trials, where cross-checking and cross-examination are possible, public attributions of cyber attacks are usually a one-way street: the accuser, in effect the plaintiff, lays out its charges, and the accused responds with resistance and denial. The accused will invariably question the validity of whatever allegedly impeccable evidence the accuser presents.

Public attribution, whether to governments or hacking groups, imposes reputational costs on the accused. Like a defendant in court, the accused will scrutinize every piece of information along the chain of evidence for any possible flaws. If public attribution implicates a foreign state’s intelligence agency, the government on the receiving end of the accusation will likely not admit to the charges no matter how compelling the evidence may be. No country has ever acknowledged its intelligence services’ involvement in any kind of cyber attack. Washington has never admitted responsibility for the infamous Stuxnet and Flame cyber operations, which have been widely reported to be joint U.S.-Israeli efforts (Stuxnet under the program known as Operation Olympic Games).5 In the early days of the PRISM scandal, the U.S. National Security Agency’s director downplayed the nature and scope of the government surveillance program at a congressional hearing.6

Power asymmetry also creates differing perceptions of public attribution. Western attributors, particularly the United States, lead the world in intelligence and internet capabilities. Washington is able to bolster its cases with information and services provided by internet companies, domain name system organizations, and financial institutions within its territory. The accused state, with no ready access to such information and services, may come to a different conclusion. The attributor may call out the accused for hypocrisy, since the accuser believes that the presentation of evidence, however convincing or substantial, does not change the factual reality of the intrusions or the culpability of the accused. In some cases, the accused denies the accusation but quietly stops the cyber operations. Presenting persuasive evidence is still necessary, however: if evidence becomes optional, the threshold for public attribution is lowered and governmental attribution becomes no different from nongovernmental attribution. Audiences will need to learn which attributors are more trustworthy and which are less so.

Third, the accused has difficulty in fathoming the motives behind public attribution. Compared with the accuser, the accused lags behind in attribution capabilities and experience, and may struggle to understand why the accuser has chosen to go public when existing open channels of communication could be used to express the accuser’s concerns. As the accused sees it, public attribution is an exercise in coercive diplomacy, a calculated move to name and shame the accused government. This perception may further undermine the accused state’s confidence in bilateral dialogue on cyber issues.

Moreover, the accused may wonder whether there are ulterior motives behind the public attributions. As there are no widely agreed international norms for cyber operations, why would the United States accuse others of conducting cyber intelligence activities that Washington itself has never renounced? While the U.S. government may choose to attribute cyber intrusions that it describes as threatening U.S. national security, news outlets tend to portray cyber operations as irresponsible and illicit and to follow up with moralistic lecturing.

Chinese-U.S. Divergences on Public Attribution

Beijing is also struggling to understand Washington’s strategic rationale for public attribution. The United States is the world’s leading proponent and practitioner of public attribution but, as Beijing sees it, Washington lacks both consistency and clarity in purpose and tactics.

Three motivations seemingly drive the U.S. public attribution campaign against China. First, Washington aims to establish cyber norms of acceptable behavior, for example that certain targets should be off-limits for cyber intrusions. Beijing and Washington agreed in 2015 that cyber operations should not be conducted to gain commercial advantage.7 Developing cyber norms also means making cyber operations more professional; some American cyber experts, for instance, urged operators to stop leaving backdoors behind in their cyber operations after the 2021 Microsoft Exchange hack.8 Second, Beijing thinks that U.S. public attributions are a prelude to follow-up measures such as indictments and sanctions against alleged Chinese perpetrators. Third, Washington may choose to make public accusations for political purposes. For example, the Office of the Director of National Intelligence has warned of possible Chinese and Russian influence operations in the run-up to U.S. elections.9

As Beijing sees it, the above three motivations are contradictory and create confusion. When it comes to developing cyber norms, Beijing insists that it has adhered to the bilateral consensus; U.S. accusations, in some cases, have amounted to a unilateral stretch of the consensus regarding cyber norms. Beijing hopes to sign a more extensive agreement that commits both to refrain from cyber operations against each other.10 But Washington views cyber operations as a sovereign right it will never renounce, leading Beijing to believe that Washington wants to circumscribe China’s cyber operations while preserving its own freedom of action in cyberspace.

Public attribution on domestic legal grounds is also problematic. States conduct cyber operations to collect intelligence, not for criminal purposes. In practice, the United States cites domestic laws to justify legal actions against intelligence-gathering cyber operations. For example, when the Justice Department indicted five Chinese soldiers on cyber espionage charges, it cited the computer fraud provisions of 18 U.S.C. § 1030(a)(2)(C), § 1030(a)(5)(A), and § 1030(b), alongside separate charges of aggravated identity theft, economic espionage, and theft of trade secrets.11 Under international law, the legality of cyber espionage is unsettled, but the mainstream view holds that peacetime espionage is not in itself unlawful.12 Cyber operations conducted under the so-called responsible state behavior framework may not be in line with U.S. domestic law but are not inconsistent with international obligations. U.S. accusations that China has violated bilateral consensus are seen in China as unjustified, and the United States’ moralistic lecturing only exposes its cyber double standard, as Washington engages in cyber operations of a similar nature.

As for public attribution as a kind of prewarning, Beijing regards it as even more irresponsible and counterproductive. In the run-up to the 2020 presidential election, the U.S. Office of the Director of National Intelligence warned of possible Chinese interference through cyber operations,13 but a postelection intelligence community assessment, declassified in March 2021, concluded that China had not in fact deployed such interference efforts.14 As Beijing sees it, irresponsible U.S. actions have tarnished China’s international image. In another example, the U.S. Justice Department claimed that China had stolen U.S. data on COVID-19 vaccines. In fact, the alleged evidence it presented revealed only that certain Chinese hackers had been probing the computer networks of U.S. vaccine makers for vulnerabilities.15 The glaring inconsistency between charges and evidence exaggerated China’s cyber threat, imposed enormous reputational costs, and undermined Beijing’s confidence in bilateral cooperation amid the coronavirus pandemic.

Nongovernmental attribution creates even greater confusion. Nongovernmental actors like cybersecurity firms and news outlets feel less constrained in making public accusations against China, and the motivations that drive their attributions are more varied, making the process more error-prone. The media tends to broaden public attribution into a smear campaign using naming and shaming tactics, and tries to sway public opinion and government policy by portraying Beijing as a growing malicious cyber actor. Chinese observers believe cybersecurity firms usually exaggerate cyber threats in public attribution to market their capabilities for commercial gain.

Media attributions in particular are fraught with problems. U.S. print and online media have published no shortage of threat assessments that associate Chinese hackers with cyber activities backed by the Chinese government. A running list of significant cyber incidents maintained by the Center for Strategic and International Studies records over 800 incidents and describes more than 200 of them as China-related.16 A number of these news reports made public accusations without presenting any evidence; some are pure hearsay and do not stand up to scrutiny. A Bloomberg article in October 2018 reported that Chinese operatives had planted malicious chips in Supermicro server hardware to facilitate cyber intrusions.17 The widely circulated story was vigorously disputed: Apple, one of Supermicro’s customers named in the report, wrote a letter to the U.S. Congress calling the story false.18

Though these accusations may not have been sanctioned by the U.S. government, they have hurt China’s reputation nonetheless by dragging Beijing into a dilemma. If China chooses to refute and debunk every unfair charge against it, it must devote considerable attention and resources to the task. If it chooses to ignore them, the accusers may feel emboldened and double down on public attribution. China’s international discursive power lags far behind that of the United States and other Western countries. Continued Western public accusations, many of which are flawed and ill-grounded, will only deepen bilateral strategic distrust and the Chinese public’s disapproval of Western media.

As some Chinese analysts see it, even if the U.S. government did not support nonofficial public attributions, it has acquiesced to them. For example, sometimes media attributions have cited government officials to bolster their cases. In many high-profile accusations, government actions followed media revelations, like the indictment of the five officers in the wake of the 2013 Mandiant report.19 In another example, the U.S. government forged a partnership with the private sector in the run-up to the 2020 election to guard against possible external interference. Nonofficial public attribution may put the accusing government in a bind, forcing it to take more robust actions to push back against purported Chinese offensive cyber operations. If nongovernmental attributions become a major tool to tarnish China’s image, it will further undermine Beijing’s willingness to conduct bilateral cybersecurity dialogue for consensus building because China’s good-faith engagement will have little to no effect on the intensity of nonofficial public attribution campaigns.

Recommendations for Chinese-U.S. Dialogue on Public Attribution

Beijing and Washington rarely see eye to eye on public attribution, but it is an increasingly prominent issue in the bilateral relationship. As the initiator of many high-profile accusations, the United States seeks to derive strategic benefits from public attribution and chooses to turn a blind eye to many of its downsides. China has been on the receiving end of public attributions, many of which it thinks are unfair and unjustified. Beijing tends to set a high threshold for making public accusations and to put each case under a microscope.

Information asymmetry can make a case that appears convincing to the United States look deeply flawed from Beijing’s perspective. And in the absence of substantive communication on technical specifics, divergences of opinion only increase. Perception gaps and structural problems have amplified bilateral discord over the issue. Moreover, politicization, interest groups’ influence, and the lack of evidentiary standards have made public attribution a major hurdle to Chinese-U.S. cooperation in cyberspace. The following recommendations would help lessen the tensions and foster greater cyber strategic stability.

  1. Reconsider the effectiveness of public attribution and its wider implications for bilateral relations. Past practices have proven that intergovernmental cooperation is the cornerstone of cyber strategic stability between Beijing and Washington, but irresponsible public attribution has undermined this stability and thrown bilateral cyber interaction into greater uncertainty. Chinese-U.S. cyber relations should not be defined by disputes over public attribution. Instead, both sides should increase government-to-government dialogue to build a more comprehensive framework to address broader cybersecurity issues.
  2. If public attributions must continue, conduct them prudently and in line with agreed-upon standards. Public attribution should not be used as a tool for geostrategic competition to add another layer of uncertainty to great power rivalry. The United States should consider allowing for a buffer period before attributions go public, during which Washington and Beijing can increase communication to build trust. It should also guide and limit counterproductive nonofficial public accusations and establish clear evidentiary standards to reduce politicization and internationalization of public attribution.
  3. Establish a multilateral and multiparty regime for public attribution within the United Nations framework. The regime could be modeled after the International Atomic Energy Agency to mobilize international resources and skills to strengthen the legality, legitimacy, and effectiveness of public attribution and deter truly harmful cyberattacks.
  4. Increase dialogue and communication on public attribution. As mentioned earlier in this chapter, public attribution is an emerging international security issue over which Beijing and Washington have been at odds for many years, with each insisting on its own positions and approaches. Continued engagement on the issue at both the policymaker and scholarly levels could help narrow some of the gaps and stabilize bilateral cyber relations.

Notes

1 Dan McWhorter, “APT1: Exposing One of China’s Cyber Espionage Units,” Mandiant, February 2013, https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf.

2 Michael S. Schmidt and David Sanger, “5 in China Army Face U.S. Charges of Cyberattacks,” New York Times, May 19, 2014, https://www.nytimes.com/2014/05/20/us/us-to-charge-chinese-workers-with-cyberspying.html.

3 Garrett Derian-Toth et al., “Opportunities for Public and Private Attribution of Cyber Operations,” NATO Cooperative Cyber Defence Centre of Excellence, 2021, https://ccdcoe.org/uploads/2021/08/Tallinn_Papers_Attribution_18082021.pdf.

4 Jordan Robertson and Michael Riley, “New Evidence of Hacked Supermicro Hardware Found in US Telecom,” Bloomberg, October 9, 2018, https://www.bloomberg.com/news/articles/2018-10-09/new-evidence-of-hacked-supermicro-hardware-found-in-u-s-telecom.

5 Some officials, speaking on the condition of anonymity, acknowledged that such operations were first developed during the George W. Bush administration. See: Ellen Nakashima and Joby Warrick, “Stuxnet Was Work of U.S. and Israeli Experts, Officials Say,” Washington Post, June 2, 2012, https://www.washingtonpost.com/world/national-security/stuxnet-was-work-of-us-and-israeli-experts-officials-say/2012/06/01/gJQAlnEy6U_story.html.

6 Byron Acohido, “NSA Chief Alexander Defends PRISM, Deflects Hecklers,” USA Today, accessed December 3, 2021, https://www.usatoday.com/story/cybertruth/2013/07/31/nsas-alexanders-defends-prism-deflects-hecklers/2604533/.

7 Gary Brown and Christopher D. Yung, “Evaluating the US-China Cybersecurity Agreement, Part 1: The US Approach to Cyberspace,” Diplomat, January 19, 2017, accessed December 3, 2021, https://thediplomat.com/2017/01/evaluating-the-us-china-cybersecurity-agreement-part-1-the-us-approach-to-cyberspace/.

8 James A. Lewis, “Toward a More Coercive Cyber Strategy,” Center for Strategic and International Studies, 2021, https://www.csis.org/analysis/toward-more-coercive-cyber-strategy.

9 Philip Ewing, “Election Security Boss: Threats to 2020 Are Now Broader, More Diverse,” NPR, January 22, 2020, https://www.npr.org/2020/01/22/798186093/election-security-boss-threats-to-2020-are-now-broader-more-diverse.

10 Chen Dongxiao, Lu Chuanying, Sun Haiyong, and Jiang Xudong, “Competition Without Catastrophe: A New China-U.S. Cybersecurity Agenda,” SIIS, February 2021, http://www.siis.org.cn/Report/3656.jhtml.

11 “18 U.S. Code § 1030 - Fraud and Related Activity in Connection With Computers,” Legal Information Institute, accessed March 3, 2022, https://www.law.cornell.edu/uscode/text/18/1030.

12 James Crawford and Simon Olleson, The Nature and Forms of International Responsibility (Oxford, UK: Oxford University Press, 2003), 415–449.

13 James A. Lewis, “Toward a More Coercive Cyber Strategy,” Center for Strategic and International Studies, 2021, https://www.csis.org/analysis/toward-more-coercive-cyber-strategy.

14 “Foreign Threats to the 2020 US Federal Elections,” National Intelligence Council, March 10, 2021, https://www.dni.gov/files/ODNI/documents/assessments/ICA-declass-16MAR21.pdf.

15 “Congressional-Executive Commission on China, Annual Report, 2020,” U.S. Department of Justice, December 2020, https://www.justice.gov/eoir/page/file/1366421/download.

16 “Significant Cyber Incidents,” Center for Strategic and International Studies, November 5, 2021, https://www.csis.org/programs/strategic-technologies-program/significant-cyber-incidents.

17 Jordan Robertson and Michael Riley, “New Evidence of Hacked Supermicro Hardware Found in US Telecom,” Bloomberg, October 9, 2018, https://www.bloomberg.com/news/articles/2018-10-09/new-evidence-of-hacked-supermicro-hardware-found-in-u-s-telecom.

18 Sebastian Moss, “Apple Denies Chinese Spy Chip Claims in a Letter to US Congress,” Data Centre Dynamics, October 8, 2018, https://www.datacenterdynamics.com/en/news/apple-denies-chinese-spy-chip-claims-letter-us-congress/.

19 Schmidt and Sanger, “5 in China Army Face U.S. Charges of Cyberattacks.”