COMMERCIAL CYBER ESPIONAGE AND BARRIERS TO DIGITAL TRADE IN CHINA HEARING BEFORE THE U.S.-CHINA ECONOMIC AND SECURITY REVIEW COMMISSION ONE HUNDRED FOURTEENTH CONGRESS FIRST SESSION MONDAY, JUNE 15, 2015 Printed for use of the United States-China Economic and Security Review Commission Available via the World Wide Web: www.uscc.gov UNITED STATES-CHINA ECONOMIC AND SECURITY REVIEW COMMISSION WASHINGTON: 2015 U.S.-CHINA ECONOMIC AND SECURITY REVIEW COMMISSION Hon. WILLIAM A. REINSCH, Chairman Hon. DENNIS C. SHEA, Vice Chairman Commissioners: CAROLYN BARTHOLOMEW DANIEL M. SLANE PETER BROOKES SEN. JAMES TALENT ROBIN CLEVELAND DR. KATHERINE C. TOBIN JEFFREY L. FIEDLER MICHAEL R. WESSEL SEN. CARTE P. GOODWIN DR. LARRY M. WORTZEL MICHAEL R. DANIS, Executive Director The Commission was created on October 30, 2000 by the Floyd D. Spence National Defense Authorization Act for 2001 § 1238, Public Law No. 106-398, 114 STAT. 1654A-334 (2000) (codified at 22 U.S.C. § 7002 (2001), as amended by the Treasury and General Government Appropriations Act for 2002 § 645 (regarding employment status of staff) & § 648 (regarding changing annual report due date from March to June), Public Law No. 107-67, 115 STAT. 514 (Nov. 12, 2001); as amended by Division P of the “Consolidated Appropriations Resolution, 2003,” Pub L. No. 108-7 (Feb. 20, 2003) (regarding Commission name change, terms of Commissioners, and responsibilities of the Commission); as amended by Public Law No. 109- 108 (H.R. 2862) (Nov. 22, 2005) (regarding responsibilities of Commission and applicability of FACA); as amended by Division J of the “Consolidated Appropriations Act, 2008,” Public Law Nol. 110-161 (December 26, 2007) (regarding responsibilities of the Commission, and changing the Annual Report due date from June to December); as amended by the Carl Levin and Howard P. “Buck” McKeon National Defense Authorization Act for Fiscal Year 2015, P.L. 113-291 (December 19, 2014) (regarding responsibilities of the Commission). The Commission’s full charter is available at www.uscc.gov. iii September 01, 2015 The Honorable Orrin Hatch President Pro Tempore of the Senate, Washington, D.C. 20510 The Honorable John A. Boehner Speaker of the House of Representatives, Washington, D.C. 20515 DEAR SENATOR HATCH AND SPEAKER BOEHNER: We are pleased to notify you of the Commission’s June 15, 2015 public hearing on “Commercial Cyber Espionage and Barriers to Digital Trade in China.” The Floyd D. Spence National Defense Authorization Act (amended by Pub. L. No. 109-108, section 635(a) and amended by Pub. L. No. 113-291, Section 1259 B) provides the basis for this hearing. At the hearing, the Commissioners received testimony from the following witnesses: Samm Sacks, China Analyst, Eurasia Group; Matthew Schruers, Vice President for Law & Policy, Computer & Communications Industry Association; Paul M. Tiao, Partner, Hunton & Williams; Dennis F. Poindexter, author of The Chinese Information War, Espionage, Cyberwar, Communications Control and Related Threats to United States Interests; and Jen Weedon, Manager, Threat Intelligence and Strategic Analysis, FireEye and Mandiant, Inc. The hearing examined China’s use of standards, regulation, and censorship as a market-entry barrier. It also examined China’s use of cyber espionage to gather information for commercial purposes, including turning over U.S. intellectual property to competing Chinese state-owned enterprises. Lastly, the Commission also heard expert witnesses address the OPM breach and related hacking of federal agencies. We note that prepared statements for the hearing, the hearing transcript, and supporting documents submitted by the witnesses are available on the Commission’s website at www.USCC.gov. Members and the staff of the Commission are available to provide more detailed briefings. We hope these materials will be helpful to the Congress as it continues its assessment of U.S.-China relations and their impact on U.S. security. The Commission will examine in greater depth these issues, and the other issues enumerated in its statutory mandate, in its 2015 Annual Report that will be submitted to Congress in November 2015. Should you have any questions regarding this hearing or any other issue related to China, please do not hesitate to have your staff contact Communications Director and Congressional Liaison, Anthony Demarino, at (202) 624-1496 or via email at [email protected]. Sincerely yours, Hon. William A. Reinsch Hon. Dennis C. Shea Chairman Vice Chairman iv CONTENTS MONDAY, JUNE 15, 2015 COMMERCIAL CYBER ESPIONAGE AND BARRIERS TO DIGITAL TRADE IN CHINA Opening Statement of Vice Chairman Dennis C. Shea (Hearing Co-Chair) .......................................................................................................02 Opening Statement of Commissioner Carte P. Goodwin (Hearing Co-Chair) .......................................................................................................04 Panel I: Barriers to Digital Trade and Costs to U.S. Firms Panel I Introduction by Commissioner Carte P. Goodwin (Hearing Co-Chair) .......................................................................................................05 Statement of Matthew Schruers Vice President for Law & Policy Computer & Communications Industry Association .....................................................06 Prepared Statement .........................................................................................................08 Statement of Samm Sacks China Analyst, Eurasia Group ........................................................................................18 Prepared Statement .........................................................................................................20 Panel I: Question and Answer............................................................................................28 Panel II: Commercial Cyber Espionage Panel II Introduction by Vice Chairman Dennis C. Shea (Hearing Co-Chair) .......................................................................................................46 Statement of Paul M. Tiao Partner, Hunton & Williams ..........................................................................................47 Prepared Statement .........................................................................................................50 Statement of Dennis F. Poindexter author of The Chinese Information War, Espionage, Cyberwar, Communications Control and Related Threats to United States Interests ..................................................55 Prepared Statement .........................................................................................................57 Statement of Jen Weedon Manager, Threat Intelligence and Strategic Analysis, FireEye and Mandiant, Inc. .......62 Prepared Statement .........................................................................................................65 Panel II: Question and Answer ..........................................................................................73 2 COMMERCIAL CYBER ESPIONAGE AND BARRIERS TO DIGITAL TRADE IN CHINA MONDAY, JUNE 15, 2015 U.S.-CHINA ECONOMIC AND SECURITY REVIEW COMMISSION Washington, D.C. The Commission met in Room 608 of the Dirksen Senate Office Building in Washington, DC at 9:00 a.m., Commissioner Carte P. Goodwin and Vice Chairman Dennis Shea (Hearing Co- Chairs), presiding. OPENING STATEMENT OF VICE CHAIRMAN DENNIS C. SHEA HEARING CO-CHAIR VICE CHAIRMAN SHEA: Well, good morning, everyone, and thank you for being here today. Before I go any further, I'd like to thank Senate Budget Committee Chairman Mike Enzi for the use of this hearing room and also thank the staff of the Senate Budget Committee for helping make this possible. This morning's hearing is the last of seven in our 2015 Annual Report cycle. We have an excellent line-up of witnesses on a very important and I must say timely topic. Our hearing today concerns cyber espionage and barriers to digital trade in China. I thank the witnesses for their written testimony submitted in advance for the record and now posted on our Web site at uscc.gov. Only two months ago President Obama declared a national emergency as a result of the quote, "increasing prevalence and severity of malicious cyber-enabled" attacks that "constitute an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States." And only two weeks ago the nation learned that an attack on the Office of Personnel Management resulted in the theft of the personal information of four million current and former federal workers and retirees. Especially worrisome is the fact that the attackers apparently obtained the records of federal workers who have received security clearances from the OPM, which conducts about 80 percent of the security investigations and clearances for the federal workforce. This intrusion indicates a high degree of planning and sophistication. It followed a pattern that has become all too familiar: the use of zero-day malware that eluded commercial anti-spyware detection and servers or routing indicators located in China. And, of course, the standard denials from the government in Beijing that it does not conduct espionage on the United States because that would be illegal. I would like to ask the panelists to please keep to our seven-minute rule, seven minutes to summarize your written testimony. This provides us the time for an in-depth question and answer period--and we're not bashful about asking