No letup seen in Chinese cyber spying

Taylor Armerding | Dec. 2, 2015
A ‘historic’ agreement in September between the U.S. and China to curb economic espionage hasn’t made much difference yet. Some experts hope that, over time, the spying will decline, but if it doesn’t, there isn’t much the U.S. can do.

In short, sanctions would not damage only China. “If the U.S. imposes sanctions, China has the ability to affect the growth of our economy through the manipulation of their currency or manufacturing,” Crowder said. “It is a very difficult task given the relationships of our two countries.”

It is not just a matter of economic codependency either. “Sanctions are unlikely,” Dennis said. “China has far more to gain monetarily from corporate espionage than losses due to sanctions, given the ease by which attribution can be skirted, and the fact that government sector espionage, not addressed by the agreement, is so intertwined with commercial interests.”

Also, Harvey noted that the catastrophic breach of the U.S. Office of Personnel Management (OPM), in which the personal information of about 21 million current and former federal employees was compromised, was attributed to China, which would give it some leverage if the U.S. threatens sanctions.

Munroe added that the Chinese military oversees the notorious Deep Panda cyber warfare team, “while telling the ruling party they are not. The Chinese have trained a large number of hackers who have since moved on to the dark web, giving the military a valid cover that these hackers and not the military are actually carrying out the attacks.”

The bottom line, experts say, is that organizations can’t rely on an agreement between the two governments to protect their IP – it is up to them.

Dennis said any company that does business with China or is viewed as a competitor should expect to be attacked. He said a primary attack technique is spear phishing, “so educating end users is critical, as has been said over and over again.”

Alperovitch added that security executives “should focus on gaining full visibility into their environment and adapting their capabilities to detect all attacks, including even those that don't involve any malware.”

Harvey said if the U.S. reduced its economic reliance on China through investments in other countries like Mexico, Brazil, Philippines, Vietnam, India and others, “then we could impose sanctions without destroying our own economy.”

He also recommended focusing on human intelligence, “to conduct real-world espionage operations against the People’s Liberation Army units responsible for these attacks.”

But Munroe said until U.S. companies invest more in security, it will be “cheap and easy for China to steal our data. U.S. investment in security products and training is between 10% and 15% of IT spend for an average company,” he said.

“When we start making it really difficult and costly for the Chinese to steal data, the problem will start to subside. It will never go away, but it can be managed to reasonable levels.”

 
