Sanctions against China for cyberattacks on the U.S. private sector could come as early as next week, U.S. officials told CNN Friday.
The package of penalties on individuals and commercial entities believed to be responsible for the attacks has been in the works for months, and a government official familiar with the process confirmed to CNN earlier this week that they were getting a serious look.
Still, the officials emphasized Friday, no final decision has been reached.
Conventional wisdom had been that the sanctions would not come until after Chinese President Xi Jinping’s state visit to Washington at the end of the month. Experts believed the White House was looking to gain leverage by the credible threat of sanctions to bring the Chinese to the negotiating table on the unrelenting stream of cyberespionage coming from Beijing.
The potential sanctions package comes amid increased tensions between the two nations, including over Beijing’s increasingly assertive national security posture.
For years, the U.S. has spoken out against Chinese hacking of U.S. businesses to steal intellectual property, which has ramped up since last year. In May 2014, the Justice Department indicted five Chinese military officials for allegedly stealing trade secrets from companies based in the U.S.
President Barack Obama has also previously confronted Xi about the cyberespionage, including in face-to-face talks in 2013.
Though the sanctions would deal with economic espionage, the move would also come in the shadow of the massive hack of the Office of Personnel Management that stole more than 21 million sensitive files of government employees — which U.S. officials have blamed on the Chinese.
But the sanctions would bring the debate to a new level and be the first time the U.S. has imposed a tangible penalty on China for the hacks tied back to Beijing itself.
The sanctions authority that would be invoked comes from an executive order signed by Obama in April, which gives the administration the ability to sanction entities worldwide for engaging in cyberattacks against U.S. targets.
The U.S. has sanctioned Chinese entities in the past for a range of offenses, including narcotics and support terrorism, and has levied penalties against North Korea under a pre-existing sanctions regime in response to the crippling hack of Sony Pictures Entertainment.
The nascent executive order, however, has yet to be used — and going after China for the first use of the power would send a message that the U.S. intends to aim it at the highest targets rather than low-level offenders.
James Lewis, a cybersecurity expert at the Center for Strategic and International Studies, was one of the insiders who suspected the sanctions wouldn’t come until after the Xi visit — although leaking them early was a strategic move on the White House’s part.
“It lets [the Chinese] know that there’s a cost to doing this, which is something they didn’t have to think before,” he said on Monday. “It helps reframe the debate.”
He continued, “It’s not like Xi’s going to come in and say, ‘I’m sorry, you’re right. It’ll never happen again.’ But it does tell the Chinese: ‘You’re not going to be able to try to pretend (cyberespionage) didn’t happen.'”
China has repeatedly denied involvement in cyberattacks on the United States, even as the United States has placed greater pressure on China to fess up.
“The position of the Chinese government on cybersecurity is consistent and clear-cut. China is steadfast in upholding cybersecurity,” Foreign Ministry spokesman Qin Gang said in a statement responding to the 2014 indictments. “The Chinese government, the Chinese military and their relevant personnel have never engaged or participated in cybertheft of trade secrets. The U.S. accusation against Chinese personnel is purely ungrounded with ulterior motives.”
Xi’s visit is scheduled for September 24 and 25.
