US official says China should pay price if it breaks deal to curb economic cyber espionage

WASHINGTON – The U.S. could consider criminal charges or sanctions against China if the U.S. determines hackers there are violating an agreement not to conduct economic cyber espionage on American industry, a senior Justice Department official said Tuesday.

The remarks by John Carlin, the Obama administration’s top national security attorney, came amid continuing skepticism about the effectiveness of the September agreement to curb cyber espionage and may signal a warning toward China despite what has been widely criticized as weak U.S. responses to years of hacking blamed on China. The Chinese Embassy declined to comment.

The administration has described its new agreement with China as an historic and important step acknowledging hacking and labeling it as illegal theft. The government has filed criminal indictments against specific Chinese military hackers in a previous case, and it can impose trade sanctions against foreign government officials and agencies it believes are responsible.

Related: Report by cybersecurity firm points to continued hacking on US companies despite China pledge

“It was great we agreed to this norm, but that’s all the more reason when we agreed to this norm, why, when people violate that and you catch them, there’s a price to pay, be it criminal or through sanctions,” said Carlin, speaking at a think-tank event.

But only weeks in, California-based company CrowdStrike Inc. said it detected at least seven Chinese cyberattacks against U.S. technology and pharmaceutical companies that appear clearly aimed at theft of intellectual property and trade secrets.

Related: Report by cybersecurity firm points to continued hacking on US companies despite China pledge

“I haven’t seen any notable decline in intrusions affiliated with China,” said Dmitri Alperovitch, co-founder of CrowdStrike. The company wrote one of the first public accounts of commercial cyberespionage linked to China in 2011. Alperovitch urged organizations to remain vigilant until there was more information about how the administration intends to enforce the agreement.

The agreement does not prohibit cyber spying for national security purposes, which would ostensibly include the theft of personal information for 21 million Americans when the Office of Personnel Management was hacked in what the U.S. believes was a Chinese espionage operation. The OPM hack was the most serious known cyber breach in U.S. history.

Related: Massive data breach could affect every federal agency; China based hackers suspected

The Obama administration has avoided publicly blaming China or taking any public action in retaliation. Intelligence officials have said the data was a fair target and the U.S. would have stolen the same information on China if possible. Carlin said U.S. trade sanctions imposed against North Korea over hacking Sony Pictures Entertainment Inc. helped drive the China agreement.

“At the end of the day the status quo is unacceptable,” Carlin said. “We need to keep increasing the costs until the costs outweigh the benefits and we see a change in behaviour.”