Most of the attention generated by the report by Chairman Mike Rogers and Ranking Member C. A. Dutch Ruppersberger of the House Select Committee on Intelligence (HSCI) has focused on the issues of trade, trust, and Huawei’s and ZTE’s future access to the U.S. market. The report, however, should also be seen as another step in the effort to construct a coherent foreign policy response to cyber espionage.
The domestic agenda has revolved around three debates: the government’s role in setting security standards for the private sector; how the government and private sector should share threat information; and the respective roles of DHS and NSA in defending the private sector. The foreign policy component has been more difficult. Deterrence statements that the United States reserves the right to respond to a cyberattack through kinetic means are not credible in the case of espionage. The call for norms of behavior and rules of the road in cyberspace are applicable to the use of force and acts of war, but not spying. Moreover, the U.S. position, especially in regard to China, is basically that it should be able to continue what it is good at—political and military spying—while Beijing ceases something Washington prohibits by law—economic espionage.
The public foreign policy response to Chinese cyber espionage has been naming and shaming, and raising the issue at high level bilateral meetings. After months if not years of limiting themselves to saying that state-based actors were behind an attack without specifying which state, U.S. officials are no longer shy about calling out China, Russia, and others as being the culprits. The Office of the National Counterintelligence Executive called Chinese actors the “world’s most active and persistent perpetrators of economic espionage.” High level meetings, such as Secretary Clinton’s meeting with Foreign Minister Yang Jiechi and Secretary Panetta’s discussion with Defense Minister General Liang Guangjie, are now used to express American unhappiness with Chinese attacks.
These have not had the desired effect yet; Rear Admiral Samuel Cox, Cyber Command’s intelligence chief, recently said that attempts by Chinese hackers to steal corporate secrets have been growing. Now the HSCI report has suggested two additional steps: penalizing individual entities and increased intelligence community (IC) involvement in monitoring foreign private sector actors. The report is about Huawei and ZTE, but is also signaling to Chinese entities that if there is enough* open source and classified intelligence to suggest attacks on U.S. economic interests, then the U.S. government will respond. In this instance, Rogers and Ruppersberger suggest limiting access to the domestic market, but future options could include financial, travel, or other sanctions directed not just at companies but also universities or individual hackers.
The report also hints at, but does not discuss directly, the possibility that Chinese companies will come under (greater?) scrutiny from the intelligence community. The report notes that the investigation involved two connected elements: a review of Huawei and ZTE and an effort to “ascertain whether the IC is appropriately prioritizing and resourced for supply chain risk evaluation.” This is not publicly discussed—footnote three mentions a classified annex with “information about the resources and priorities of the IC”—but I assume it means counterintelligence against Chinese collection efforts.
The question of what is enough or appropriate evidence is going to be difficult for the United States moving ahead. Many will find U.S. government assurances that it has the goods unbelievable, and the report itself is thin on details, with the majority of evidence being nothing direct but rather the Chinese firms refusal to answer questions or giving contradictory and confusing responses.
Most of the threats the report identifies as being characteristic of Huawei—unsecured supply chains in China, vulnerability of middle managers to recruitment by intelligence agents, government access to networks for state security—could be said to afflict any telecommunications company in the world. These are real threats and the solution promoted by many, including Huawei, is a transparent process of inspections that could be scaled globally (a process Huawei agreed to in the United Kingdom). The report dismisses Huawei’s suggestions as insufficient and the process as too complicated. Both may be true, but Rogers and Ruppersberger could have made more of an effort to describe a process that would work. Here the report missed an opportunity to address its own credibility issues, broaden the problem, and build a coalition.