Who Has The Chinese Government Arrested For Hacking OPM? Possibly No One.

On December 1st, Attorney General Loretta E. Lynch and Department of Homeland Security Secretary Jeh Johnson, together with Chinese State Councilor Guo Shengkun, co-chaired the first U.S.-China High-Level Joint Dialogue on Cybercrime and Related Issues.

On December 2nd, China’s official news agency Xinhua reported on the meeting and dropped a bombshell: “Among the cases discussed included the one related to the alleged theft of data of the U.S. Office of Personnel Management by Chinese hackers. Through investigation, the case turned out to be a criminal case rather than a state-sponsored cyber attack as the U.S. side has previously suspected.”

The Washington Post’s Ellen Nakashima was the first to write an article about the Xinhua announcement and other news media quickly followed suit. The fact is that the Chinese government has not provided any details about the OPM hackers’ arrests. It’s hard to fathom why China’s Minister of Public Security State Councilor Guo Shengkun, who was part of the China delegation (depicted in the picture below), didn’t provide any details during the ministerial meetings. It certainly wasn’t mentioned in the U.S. Dept. of Justice’s press release.

It’s not that the Chinese government hasn’t been arresting hackers. The Ministry of Public Security (MPS) has been very busy doing just that for most of this year according to the Legal Daily, a State-owned newspaper that covers legal developments. According to the Legal Daily, China’s thirteenth five year plan (which hasn’t yet been formally released) emphasizes the following network security related issues:
  • Improved network security
  • Purify the Internet environment (gambling, pornography, drugs, etc.)
  • Strengthen multilateral and bilateral coordination
  • Participation in global network security initiatives

To combat criminal hackers, the MPS launched a six-month special action. As of November, the MPS opened 400 criminal cases against 900 individuals including cyber criminals and hackers. Those arrests occurred between May and November for crimes including gambling, extortion, hacking, drug sales, and pornography.

China has made commitments to the U.S. that it will not engage in acts of cyber espionage for commercial gain and it may have every intention to keep those commitments — partly because there are many other legal ways that it can acquire the information it wants, partly to avoid possible U.S. economic sanctions, and partly because it has made incredible technological progress over the past 20 years so stealing is less of a requirement than it used to be.

Arresting the OPM hackers and providing the details to the FBI would seem to be an easy way to gain credibility for its earlier promise. Perhaps the MPS will indeed provide the details that the Dept. of Justice is most likely asking for ever since the Xinhua article appeared on Dec 2nd. Otherwise, this entire affair will keep getting weirder and weirder.

Recommended Reading:

Graham Webster for The Diplomat: “Has U.S. Cyber Pressure Worked On China?
Peter Mattis for The Jamestown Foundation: “Three Scenarios for Understanding Changing PLA Activity in Cyberspace

This article is cross-posted from my article on Medium.