How the U.S. Is Trying to Shape Norms in Cyberspace

Commentary | July 23, 2015

Washington appears to be serious about upholding the distinction between commercial versus traditional cyber espionage.

The Obama administration had decided against publicly “naming and shaming” Chinese hackers despite convincing evidence that Beijing is behind cyberattacks on the networks of the U.S. Office of Personnel Management (OPM) that compromised personal information of more than 4 million former and current federal employees, the Washington Post’s Ellen Nakashima reports.

While one senior administration official in an interview with Nakashima  argued that this is partially due to a reluctance to reveal the United States’ own cyberespionage capabilities by making public what they know, the more interesting justification might be found on the cyber diplomacy front and Washington’s attempt to shape norms or rules of the road in cyberspace–in particular the United States’ quest to draw a distinction between commercial versus traditional cyber espionage. According to Nakashima:

The response to penetrations targeting government-held data has been more restrained, in part because U.S. officials regard such breaches as within the traditional parameters of espionage. Director of National Intelligence James R. Clapper Jr. and others have even expressed grudging admiration for the OPM hack, saying U.S. spy agencies would do the same against other governments.

Economic espionage occupies a separate category — supposedly off-limits to U.S. spy agencies and seen as deserving of a forceful response when committed by foreign adversaries.

Back in May 2014, a State Department employee  summarized the United States’ official stance on this distinction by stating that “one of the fundamental differences is on this question of the acceptability of cyber-enabled economic espionage, which the United States Government does not conduct, and we need to come to a clear understanding with the Chinese about that norm” “[A]s a general rule, as the president has stated in his Presidential Policy Directive, we do not take information from other people’s companies to provide it to our own companies,” U.S. Assistant Attorney General, John Carlin, additionally elaborated on May 22, 2014.

However, ever since the Snowden revelations, the United States found it difficult to advance this unwritten norm as a new modus vivendi in dealing with adversaries in cyberspace. The Chinese in particular accused the United States’ government to apply double standards after some previously unknown U.S. cyberespionage activities were made public.

For example, evidence emerged back in April 2015 that the United States has been engaged in some form of economic espionage in Europe. One analyst, writing for the Washington Post, notes that this new incident “will be moderately embarrassing for the United States, which is currently trying to build international norms against economic espionage.”

He continues:

It isn’t at all clear that the United States was committing economic espionage by its own definition (it argues that it can legitimately conduct espionage against economic targets such as businesses as long as it is for strategic purposes, and the information is not passed along to U.S. firms). However, it certainly greatly complicates the story that the United States is trying to tell.

Consequently, we can assume that the Obama administration’s reluctance to “name and shame” China as a culprit in the OPM hack is partially connected to the Snowden leaks and the loss of U.S. legitimacy as a fair arbiter of norms. It is meant to signal to the Chinese that the United States is indeed serious about drawing a distinction between commercial versus traditional cyber espionage despite having lost the moral high ground in cyberspace.

To read this article published by The Diplomat, click here.