US v. China: Who Gets to Define the Terms of Hacking?

On March 11, 2013, Thomas Donilon, President Barack Obama’s national-security adviser, gave a speech at the Asia Society on Manhattan’s Upper East Side. Much of it was boilerplate: a recitation of the administration’s policy of “rebalancing its global posture” away from the battles of the Middle East and toward the “dynamic” region of Asia-Pacific as a force for growth and prosperity. But about two-thirds of the way through the speech, Donilon broke new diplomatic ground. After listing a couple of “challenges” facing US-China relations, he said, “Another such issue is cybersecurity,” adding that Chinese aggression in this realm had “moved to the forefront of our agenda.” American corporations, he went on, were increasingly concerned “about sophisticated, targeted theft of confidential business information and proprietary technologies through cyber-intrusions emanating from China on an unprecedented scale.” Then Donilon raised the stakes higher. “From the president on down,” he said, “this has become a key point of concern and discussion with China at all levels of our governments. And it will continue to be. The United States will do all it must to protect our national networks, critical infrastructure, and our valuable public and private-sector property.”

The Obama Administration, he said, wanted Beijing to do two things: first, to recognize “the urgency and scope of this problem and the risk it poses—to international trade, to the reputation of Chinese industry, and to our overall relations”; second, to “take serious steps to investigate and put a stop to these activities.” The first demand was a borderline threat: Change your ways or risk a rupture of our relations. The second was an attempt to give Chinese leaders a face-saving way out, an opportunity for them to blame the hacking on hooligans and “take serious steps” to halt it.