America’s Hopelessly Anemic Response to One of the Largest Personal-Data Breaches Ever – By Robert D. Williams (The Atlantic) / Feb 13 2020
The government has indicted four members of China’s People’s Liberation Army for hacking into the credit-reporting agency Equifax. The question is why.
The Justice Department raised eyebrows on Monday when it unveiled charges against four members of China’s People’s Liberation Army for hacking into the credit-reporting agency Equifax and stealing sensitive information on 147 million Americans. The charges are the latest in a campaign of indictments against Chinese-government-linked hackers that dates to 2014 but has ramped up considerably since 2017, the year the Equifax breach took place. Like the defendants in several prior hacking indictments, the men whose identities were revealed to the world this week are based in China and almost certainly will never appear in a U.S. court to stand trial. Taken alone, the indictments are a hopelessly anemic response to one of the largest personal-data breaches ever recorded.
The bigger picture doesn’t look much better. As the Harvard law professor Jack Goldsmith and I have argued before, if deterrence is the measure of success, the United States’ Chinese-hacking indictment strategy has all the earmarks of a spectacular failure. A raft of media and government reports suggests that China’s state-sponsored cybertheft has not meaningfully diminished in response to the U.S. indictment campaign. This shouldn’t come as a surprise: The costs to China of being “named and shamed” are almost certainly dwarfed by the billions of dollars of value obtained from pilfering U.S. technologies and the untold intelligence benefits of cultivating a massive database on American citizens.
If not deterrence, what might be the purpose of these indictments instead?
Some have argued that one aim of the indictment strategy is to enforce a norm against state-sponsored theft of intellectual property carried out to support a nation’s commercial firms. The norm was articulated in President Barack Obama’s September 2015 meeting with Chinese President Xi Jinping, with each country agreeing that it would not “conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.” (This commitment was later endorsed by the G20.) The cyber agreement followed on the heels of the first-ever U.S. indictment of Chinese People’s Liberation Army hackers, in 2014; many at the time credited the indictments with facilitating the establishment of the norm. In hindsight, however, the fact that China and other countries have continued their theft of U.S. commercial secrets with little penalty suggests that the cybertheft norm is not much of a norm at all.