In the weeks before President Xi Jinping’s visit to Washington in September 2015, there was little reason to think that the United States and China would be able to narrow the growing gap between the two sides in cyberspace. Washington and Beijing had recently clashed over policies designed to secure supply chains and information and communication technology equipment, the global governance of cyberspace and, most conspicuously, cyber attacks and espionage. In fact, as more details about the theft of data, allegedly by Chinese hackers, from the Office of Personnel Management were revealed, the public demand for some type of reaction against Beijing grew, including calls for cancelling the summit or downgrading it to a working meeting. The White House leaked stories that it was considering sanctioning Chinese individuals or entities that benefit from cyber theft, and President Barack Obama told a meeting of the Business Roundtable eight days before a scheduled dinner with President Xi, “We are preparing a number of measures that will indicate to the Chinese that this
is not just a matter of us being mildly upset, but is something that will put significant strains on the bilateral relationship if not resolved, and that we are prepared to some countervailing actions in order to get their attention.”<1>
Despite all the build up, however, a breakthrough appears to have occurred. Many analysts had argued that China would not accept the US efforts to distinguish between political or military espionage (‘good hacking’) and theft of intellectual property (‘bad hacking’). China saw all hacking as supporting comprehensive national power and—given National Security Agency (NSA) contractor Edward Snowden’s revelations of reported NSA attacks on Swiss banks, Chinese telecoms, European trade negotiators and Petrobras, the Brazilian energy company—was unlikely to believe the US did not conduct economic espionage. Yet, at a joint press conference in the White House Rose Garden, President Obama announced that the two sides had agreed that “neither the US or the Chinese government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information for commercial advantage.”
Washington and Beijing would also provide timely responses to requests for assistance in cyber crime investigations; cooperate in conducting investigations and collecting evidence; identify and endorse norms of behaviour in cyberspace; and establish two high-level working groups and a hotline between the two sides.<2> After the announcement with the US, China reached a similar agreement with the United Kingdom, and Germany will sign a deal with China sometime in 2016.<3> In November 2015, China, Brazil, Russia, US and other members of the G20 accepted the norm against conducting or supporting the cyber-enabled theft of intellectual property.<4>
The two sides also “welcomed” the July 2015 report of the UN Group of Governmental Experts in the Field of Information and Telecommunications in the Context of International Security, which addresses the norms of behaviour in cyberspace. The 2015 GGE report reaffirmed the findings of a 2013 GGE report that international law, and in particular the Charter of the United Nations, applies to cyberspace. The 2015 report accepted three new peace-time norms proposed by the US: no country should intentionally damage the critical infrastructure of another state; prevent another country’s computer security incident response team (CSIRT) from responding to cyber incidents or use CSIRTs for malicious activity; and countries should cooperate with requests from others to investigate cybercrimes and mitigate malicious cyber activity emanating from their territory.<5>
While the cyber espionage announcement attracted most media attention, China and the US also committed to addressing some of the economic issues that have emerged around cybersecurity. Washington, worried about the use of communication technologies by the Islamic State in Iraq and Syria (ISIS) and by so-called ‘lone-wolf’ attackers — individuals radicalised by extremist content on the web — is considering the insertion of “backdoors” or methods for law or intelligence agencies to bypass encryption or other security measures. Beijing, both in response to Snowden’s revelations of US cyber espionage and mass surveillance and a desire to spur indigenous innovation, has said that technologies used in government networks must be “secure and controllable”. Beijing has introduced banking provisions, the national security law, and a draft cybersecurity law in pursuit of this objective.<6>
At the summit, China and the US agreed that measures designed to ensure cybersecurity in commercial sectors “should be consistent with WTO agreements, be narrowly tailored, take into account international norms, be nondiscriminatory, and not impose nationality-based conditions or restrictions.”<7> In December 2015, China passed a new anti-terrorism law that did not require foreign companies to provide backdoors or store their data locally, but did mandate that they provide “technical interfaces, decryption and other technical support assistance to public security organs and state security organs.”<8> The most recent draft of China’s proposed cybersecurity law contains similar language.<9>
The question is whether the sum of all these announcements represents a significant narrowing in the US and Chinese positions. Did President Xi’s statement signal a change in Chinese behaviour, a tactical manoeuvre to avoid the bite of sanctions, or something else? Not surprisingly, given China has always denied that it conducts any type of cyber operation, the announcement was greeted with scepticism. Only days after President Xi had left Washington, Director of US National Intelligence James Clapper, asked by Senator John McCain whether he was optimistic about the agreement, responded, “I personally am somewhat of a sceptic. It will be our responsibility to look for the presence or absence of their purloining of intellectual property and other information.”<10> President Obama himself asserted, “the question now is, are words followed by actions? And we will be watching carefully to make an assessment as to whether progress has been made in this area.”<11>
The evaluation of China’s intent is difficult at several levels. There was positive follow-up in the first round of cyber talks between the US Department of Homeland Security (DHS) and Chinese Ministry of Public Security (MPS) in December 2015. The two sides agreed on the guidelines for requesting assistance on cyber crime or other malicious cyber activities as well as to conduct "tabletop exercises" in spring 2016 and to define procedures for use of the hotline. Washington said it would consider Beijing’s proposal for a seminar on combatting misuse of technology and communications by terrorists; Beijing, meanwhile, said it would study the US’ proposal on inviting experts to conduct network protection exchanges.<12>
A subsequent meeting of the DHS-MPS dialogue in June 2016 affirmed that the spring 2016 tabletop exercise had been a success, and that both sides would continue collaborating on network protection, information sharing, and investigating and prosecuting cyber-enabled crime. And in August, the Ministry of Public Security reported that the hotline between DHS and MPS was up and running.<13>
Initial reports about whether Chinese cyber attacks have decreased were mixed. Counterintelligence chief Bill Evanina told reporters in November 2015 there was “no indication” from the US private sector "that anything has changed" in the extent of Chinese espionage.<14> Yet, some cybersecurity firms noted they had seen an overall drop in the level of attacks, or at least a shift in the source of attacks from the People’s Liberation Army (PLA) to hackers affiliated with the Ministry of State Security (MSS).<15> In June 2016, US cybersecurity firm FireEye reported a steep decline in Chinese cyber espionage against organizations in the US and 25 other countries. The number of network compromises by 72 suspected China-based groups dropped from 60 in February 2013 to less than 10 by May 2016. US Assistant Attorney General John Carlin subsequently confirmed the company’s findings that attacks were less voluminous but more focused and calculated.<16> This shift, if it has indeed occurred, would accord with the recent reforms of the PLA, including reorganisation of the military regions and cuts of 300,000 troops. These and other measures are designed to bolster the PLA’s preparedness to fight and win wars, to which economic espionage makes no notable contribution to.<17>
Even if American firms say they are detecting a decline in cyber attacks, it may be because Chinese hackers have become stealthier and not that they have reduced the volume of their activities, which FireEye noted in its June 2016 report. The Washington Post reported in November 2015 that China had arrested hackers responsible for the theft of intellectual property, though the actions have not been confirmed by the US government nor were reported in the Chinese press.<18> This could be a one-time symbolic measure meant to divert US attention and pressure.
Definitional issues could also continue to divide the two sides. Much of the intellectual property that hackers steal is dual-use. It may serve national security interests as well as create commercial advantage to not be covered by the agreement. The phrase “knowingly support” may result in the hacking being shifted to criminal gangs or other proxies rather than be conducted by hackers in the PLA or MSS.
Beijing’s embrace of the norm against cyber-enabled theft of intellectual property may also be less than what it first appeared. In December 2015, China hosted the second annual World Internet Conference. In his opening speech, President Xi mentioned the norm against the cyber-enabled theft of trade secrets but in the context of other cyber crimes, cyber attacks and “cyber surveillance”. He also called out double standards and stressed that no one country should define ‘acceptable’ norms in cyber behaviour. Beijing may intend to use the condemnation of cyber-enabled theft as an opportunity to criticise the US, especially since Beijing has never admitted conducting any type of cyber operations, while Washington has said cyber operations in search of military or political secrets are legitimate.<19>
Also, the apparent consensus reached by Washington and Beijing on cyberspace and international law masks significant differences. The 2013 and 2015 GGE documents refer to sovereign equality, the peaceful settlement of disputes, the prohibition on the use of force, non-intervention and the respect for human rights and fundamental freedoms, but provide no guidance on how they should be implemented. Moreover, while US diplomats are likely to interpret the acceptance of the applicability of the UN Charter to cyberspace to include the right to self-defence, China has been unwilling to embrace the right. Chinese analysts believe the US will use provisions of international law to justify an offensive operation against China.<20>
China and the US remain sharply divided about internet governance, too. At the World Internet Conference in Wuzhen, President Xi robustly defended the principle of cyber sovereignty, the “right of individual countries to independently choose their own path of cyber development, model of cyber regulation and internet public policies, and participate in international cyberspace governance on an equal footing.”<21> Xi implicitly criticised the multistakeholder model of governance favoured by the US and its allies, saying governance should not be the purview of a small number of parties. Instead, Xi called for an approach that was multilateral and more state-centric.
Framed against the broad landscape of cyber issues, the agreement on cyber espionage looks less consequential even if it was a significant diplomatic achievement. After years of gaining little traction, the norm against the theft of intellectual property was referenced in quick succession in three agreements — US-China, UK-China and the G20. But the US and China continue to hold fundamentally incompatible conceptions of how cyberspace should be ordered. China will continue to pursue a strategy of exerting sovereignty over cyberspace through economic, technological and diplomatic measures.
The pressing short-term issue in the bilateral relationship will be the scope and scale of cyber espionage. The Obama administration may be happy to run out the clock until 2016 without incident, but if there is new evidence of a major breach, there will be great pressure for the US to sanction China. In April 2015, President Obama issued an executive order that laid the groundwork for more active use of economic sanctions against Chinese, Russian, Iranian and North Korean hackers as well as non-state actors. Declaring “significant malicious cyber-enabled activities” a “national emergency”, the order enables the Treasury secretary to sanction individuals and entities with punishments that could include freezing their financial assets and barring commercial transactions with them.<22> If there is no sign that the attacks from China have abated, the US is likely to levy sanctions on high-level officials and state-owned enterprises. Beijing may retaliate with new regulation restricting foreign company access to the domestic market.
In addition to the dialogue between DHS and MPS on cybercrime, the 2015 September bilateral announcement mentions the creation of “a senior experts group for further discussions” on the norms of cyberspace, and the subsequent DHS-MPS meetings have included discussion of the creation of this expert group. Beijing and Washington have a common interest in preventing escalatory cyber operations — attacks that one side sees as legitimate surveillance but the other as prepping the battlefield.<23> The expert group should conduct formal discussions on the acceptable norms of behaviour and possible thresholds for use of force as well as greater transparency on doctrine. These cooperative measures can reduce the chance of misperception and miscalculation and thus diminish the likelihood that a conflict in cyberspace will become kinetic. The membership of the expert group has not yet been publicly announced. It is imperative that it includes members of the PLA.
Beijing and Washington also have a shared interest in preventing extremists and other third parties from attacking critical infrastructure. Terrorist groups have so far shown greater dexterity in the use of the web for recruitment, fundraising and propaganda than in launching destructive attacks but that will change over time. ISIS, for example, has a stated desire to develop cyber weapons and has reportedly recruited hackers from western Europe. To respond to emerging challenges, the US and China should discuss joint measures to prevent the proliferation of cyber attack capabilities, but this is bound to be politically difficult. At the World Internet Conference in 2015, President Xi called for an international convention against terrorism in cyberspace. While Beijing has not offered any details of what the convention will cover, it is likely to touch on removing extremist content from the internet, data storage and retention, and encryption. There are already contentious debates within the US about how best to manage these issues and Washington is unlikely to find common ground on controlling content with Beijing.
While the 2015 agreement on cybersecurity was an important step forward for China and the US, narrowing the gap between the two sides on cyber issues will require multiple dialogues involving a wide range of actors. Given the sharp ideological divisions over the organisation and governance of cyberspace, the best Washington and Beijing may hope for is a greater understanding of each other’s redlines so that a conflict in cyberspace does not spill into the real world
This essay originally appeared in the third volume of Digital Debates: The CyFy Journal
<1> White House, Remarks by the President to the Business Roundtable, September 16, 2015, https://www.whitehouse.gov/the-press-office/2015/09/16/remarks-president-business-roundtable
<2> Office of the Press Secretary, FACT SHEET: President Xi Jinping’s State Visit to the United States, White House, September 25, 2015, https://www.whitehouse.gov/the-press-office/2015/09/25/fact-sheet-president-xi-jinpings-state-visit-united-states
<3>Wendy Wu, “Handshake to end the hacking: China and Germany pledge for peace in cyberspace by 2016,”South China Morning Post, November 9, 2015, http://www.scmp.com/news/china/diplomacy-defence/article/1877288/china-and-germany-aim-reach-commercial-cyberspying-deal.; Chen Qin, “China, Germany Working on Cybersecurity Deal, Envoy Says,” Caixin, March 17, 2016, http://english.caixin.com/2016-03-17/100921423.html.
<4>Robert Abel, “G-20 nations agree: No cyber-theft of intellectual property,” SCMagazine, November 19. 2015, http://www.scmagazineuk.com/g-20-nations-agree-no-cyber-theft-of-intellectual-property/article/454845/
<5> Joseph Marks, “U.N. body agrees to U.S. norms in cyberspace,” Politico, July 9, 2015, http://www.politico.com/story/2015/07/un-body-agrees-to-us-norms-in-cyberspace-119900#ixzz3veYOOKwf
<6> Paul Mozur, “China Tries to Extract Pledge of Compliance From U.S. Tech Firms,” The New York Times, September 16, 2015, http://www.nytimes.com/2015/09/17/technology/china-tries-to-extract-pledge-of-compliance-from-us-tech-firms.html?ref=technology
<7> Office of the Press Secretary, FACT SHEET: U.S.-China Economic Relations, White House, September 25, 2015, https://www.whitehouse.gov/the-press-office/2015/09/25/fact-sheet-us-china-economic-relations
<8> Counter-Terrorism Law of the People's Republic of China, China Law Translate, http://chinalawtranslate.com/%E5%8F%8D%E6%81%90%E6%80%96%E4%B8%BB%E4%B9%89%E6%B3%95-%EF%BC%882015%EF%BC%89/?lang=en
<9> “People’s Republic of China Cybersecurity Law (Second Reading Draft),” China Copyright and Media, July 6, 2016, https://chinacopyrightandmedia.wordpress.com/2016/07/06/peoples-republic-of-china-cybersecurity-law-second-reading-draft/.
<10> Aaron Mehta, “Clapper Skeptical of US-China Cyber Deal,” DefenseNews, September 29, 2015, http://www.defensenews.com/story/defense/policy-budget/cyber/2015/09/29/clapper-skeptical-us-china-cyber-deal/73027008/
<11> White House, Remarks by President Obama and President Xi of the People's Republic of China in Joint Press Conference, https://www.whitehouse.gov/the-press-office/2015/09/25/remarks-president-obama-and-president-xi-peoples-republic-china-joint
<12> First U.S.-China High-Level Joint Dialogue on Cybercrime and Related Issues Summary of Outcomes, December 2, 2015, http://www.justice.gov/opa/pr/first-us-china-high-level-joint-dialogue-cybercrime-and-related-issues-summary-outcomes-0
<13> DHS Press Office, “Second U.S.-China Cybercrime and Related Issues High Level Joint Dialogue,” Department of Homeland Security, June 15, 2016, https://www.dhs.gov/news/2016/06/15/second-us-china-cybercrime-and-related-issues-high-level-joint-dialogue.; Ministry of Public Security, “China-U.S. high-level dialogue on striking cybercrime and related issues formally establishes hotline mechanism,” August 28, 2016, http://www.cac.gov.cn/2016-08/28/c_1119466923.htm.
<14> Mark Hosenball, “U.S. counterintelligence chief skeptical China has curbed spying on U.S.,” Reuters, November 18, 2015, http://www.reuters.com/article/us-usa-cybersecurity-idUSKCN0T72XG20151119
<15> Ellen Nakashima, “Following U.S. indictments, Chinese military scaled back hacks on American industry,” The Washington Post, November 30, 2015, https://www.washingtonpost.com/world/national-security/following-us-indictments-chinese-military-scaled-back-hacks-on-american-industry/2015/11/30/fcdb097a-9450-11e5-b5e4-279b4501e8a6_story.html
<16> FireEye, “Red Line Drawn: China Recalculates its Use of Cyber Espionage,” June 2016, https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-china-espionage.pdf.; Dexter Roberts, “Chinese Hackers Like a ‘Drunk Burglar,’ ‘Kicking Down the Door,’ Says FBI Director,” Bloomberg, October 6, 2014, http://www.bloomberg.com/news/articles/2014-10-06/fbi-chief-james-comey-lambasts-chinese-hackers.; Joe Uchill, “Obama administration confirms drop in Chinese cyber attacks,” The Hill, June 28, 2016, http://thehill.com/policy/cybersecurity/285153-obama-administration-confirms-drop-in-chinese-cyber-attacks.
<17> Peter Mattis, “Three Scenarios for Understanding Changing PLA Activity in Cyberspace ,”China Brief, December 7, 2015, http://www.jamestown.org/programs/chinabrief/single/?tx_ttnews%5Btt_news%5D=44865&tx_ttnews%5BbackPid%5D=789&no_cache=1#.VoKkKPkrK70
<18> Ellen Nakashima and Adam Goldman, “In a first, Chinese hackers are arrested at the behest of the U.S. government,” The Washington Post, October 9, 2015, https://www.washingtonpost.com/world/national-security/in-a-first-chinese-hackers-are-arrested-at-the-behest-of-the-us-government/2015/10/09/0a7b0e46-6778-11e5-8325-a42b5a459b1e_story.html
<19> Adam Segal, “China’s Internet Conference: Xi Jinping’s Message to Washington,” Net Politics, December 16, 2015, http://blogs.cfr.org/cyber/2015/12/16/chinas-internet-conference-xi-jinpings-message-to-washington/
<20> Elaine Korzak, International Law and the UN GGE Report on Information Security, Just Security, December 2, 2105, https://www.justsecurity.org/28062/international-law-gge-report-information-security/
<21> Ministry of Foreign Affairs of the People’s Republic of China, Remarks by H.E. Xi Jinping, President of the People's Republic of China, at the Opening Ceremony of the Second World Internet Conference, December 16, 2015, http://www.fmprc.gov.cn/mfa_eng/wjdt_665385/zyjh_665391/t1327570.shtml
<22> Office of the Press Secretary, “Executive Order—‘Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities,’” White House, April 1, 2015, https://www.whitehouse.gov/the-press-office/2015/04/01/executive-order-blocking-property-certain-persons-engaging-significant-m.
<23> Adam Segal, “Stabilizing Cybersecurity in the U.S.-China Relationship,” National Bureau of Asian Research, September 16, 2015, http://xivisit.nbr.org/2015/09/16/stabilizing-cybersecurity-in-the-u-s-china-relationship-2/
The views expressed above belong to the author(s). ORF research and analyses now available on Telegram! Click here to access our curated content — blogs, longforms and interviews.
PREV
