A cybersecurity agreement signed by President Barack Obama and his Chinese counterpart Xi Jinping this past September began the long road to prevent future cyber-related espionage for economic gain. The deal, assuming it is upheld, was a major development in a budding sector that has very few international regulations.
Washington and Beijing also agreed to negotiate an arms control accord — the first of its kind — to ban peacetime attacks on critical infrastructure such as power grids and seaports. The discussions mark the first attempts by both governments to seek “international rules of the road for appropriate conduct in cyberspace,” as Obama put it during a Rose Garden press conference.
Cybersecurity is a relatively new policy phenomenon. There are no international or American doctrines pertaining to the subject. That’s why defining where cyberspying for national security purposes ends and economic espionage begins isn’t always clear.
During Xi’s state visit, Obama announced that both China and the U.S. “agree that neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.”
The pact removed a major irritant in the bilateral relationship that threatened to overshadow Xi’s visit, with the administration hinting it might slap sanctions on Chinese hackers involved in stealing secrets from American businesses. Tensions also grew in the wake of the massive cybertheft of personal data belonging to 22 million Americans from the U.S. Office of Personnel Management, an attack widely blamed on hackers in China.
Despite the agreement, Obama has reserved the right to respond to suspected cyberattacks emanating from China with sanctions or other retaliatory measures. Indeed, the president himself admitted that, “The question now is, ‘Are words followed by actions?’”
While the leaders agreed to investigate respective cases of nefarious online activity against the other country, the details of the agreement — and its enforcement mechanisms — remain murky. Critics in Congress say they are skeptical the deal will curb what many experts see as rampant Chinese hacking of U.S. commercial interests.
Moreover, the distinction between economic and traditional spying in the cyber realm is a difficult one to make.
“The idea the U.S. government has basically been [pushing] is that governments have and always will spy on each other to sort of gain military secrets or national security information to better protect the country and that that is distinct from a government stealing intellectual property from a company in order to give companies in their country a competitive edge,” Josephine Wolff, an assistant professor of public policy and computing security at the Rochester Institute of Technology, told The Washington Diplomat. “The U.S. is fairly adamant everybody does military espionage, but what we don’t do is spy on foreign companies to give ourselves a competitive edge.”
The fine line between one type of spying versus another, however, is one that not every country recognizes. The United States, for instance, has been accused of spying on its own allies during talks for major trade agreements with Europe and the Asia-Pacific Rim, presumably to get a leg up on the competition. Likewise, nations such as China see propping up their state-owned enterprises and developing their economy as a national priority.
Beijing and Washington seem to have papered over their differences of opinion on economic espionage versus old-fashioned reconnaissance, but as Wolff notes, “It’s a somewhat murky distinction.”
“Even surveillance directed toward companies is considered national security as long as the purpose is to give companies a competitive edge,” Wolff said. “Not all countries agree that there is a meaningful distinction and it is not always clear where the lines are drawn. It’s not about spying on another government versus a company; there’s more nuance and subtly to it than that.”
A larger dilemma is the lack of consensus worldwide over how to regulate the burgeoning field of cybersecurity — and punish transgressors. The international community has yet to lay out a comprehensive plan to deal with issues relating to cybersecurity policies. For many analysts, this glaring gap needs to be addressed quickly as the industry’s importance continues to grow — as does the potential for large-scale attacks.
In fact, cybertheft and cybercrime have prompted many governments to take the issue more seriously, although collective action remains elusive.
Diego Molano Vega, former minister of information technologies and communications for Colombia, said his government didn’t have a comprehensive cybersecurity strategy until the emails of President Juan Manuel Santos got hacked, along with emails containing details about the FARC peace process negotiations. “The main issue we have is awareness,” Molano told a panel called “Global Approaches to Cybersecurity” at the Council on Foreign Relations on Nov. 4. “Awareness is basically the source of the solution, because if you see — out of 34 countries in Latin America, just half of them have a clear e-government policy. And just four or five of them have a clear cybersecurity policy. Why is that? Because people and leaders are not aware of the risks.”
Likewise, Makita Shimokawa, ambassador in charge of cyber policy at the Japanese Ministry of Foreign Affairs, said that his government formulated its cybersecurity strategy after an attack on the Japanese pension fund scheme stole the personal information of 1.2 million people.
Speaking on the same panel, Shimokawa said that securing critical infrastructure from cyberattacks is a priority in the government’s overall strategy. But Shimokawa lamented that in general, the focus on cybertheft and hacking obscures the importance of preventing an attack on infrastructure such as power grids. “So maybe the sense of urgency in terms of cybersecurity, national security issue or attack on critical infrastructure may not be as heightened as it should be. So I think the question of raising the literacy and the awareness of cybersecurity vulnerability is also an important area.”
But the question is where to start? There is currently little to go on besides poorly defined existing norms and behaviors. China, on the other hand, sees it differently.
“Today, no such official doctrine guides international, or for that matter, U.S. cybersecurity policy,” Daniel M. Gerstein, former deputy undersecretary in the Science & Technology Directorate of the U.S. Department of Homeland Security, wrote in U.S. News & World Report. “No comprehensive framework exists for thinking about cyberspace issues, managing concerns or even responding to crises. There are no set limitations on potentially destabilizing behavior. There’s not even an internationally accepted glossary of terminology to guide creation of cyber norms.”
Such a doctrine would require defining limits and boundaries as to what is and what is not acceptable activity in cyberspace. Obama described the consensus as a work in progress, while Xi said China would follow existing cyberspace norms, a complex issue considering that these are based on self-regulation.
Nonetheless, some analysts believe the agreement is a crucial increment in broader, sector-wide progress.
“Evidence that it’s been successful is that China publicizes its companies or individuals who are perpetrating [cybercrimes] and successfully prosecutes them. Once we start to see that, then that would show that China is putting its money where its mouth is,” Alexander Neill, a Shangri-La Dialogue senior fellow for Asia Pacific security at the International Institute for Strategic Studies, told Voice of America.
Jason Healey of the Atlantic Council told the Politico’s Joseph Marks that the bargain is a win-win for the administration. “If China lives up to the deal, then we win…. If they [comply] halfway, then we still have less cyber operations than we had before,” Healey said. And if the Chinese government fails to live up to its word, the U.S. can publicly embarrass Xi.
Other experts also point out that as head of a repressive, one-party state, Xi has the power to minimize attacks, or at least state-directed ones.
But inducing an authoritarian regime to respect international rules of the road can be a double-edge sword.
“The bedrock of a state-based strategy to address cyber challenges would be sound national policies, codified in domestic law and fully enforced. The key to this is to ensure that states rein in non-state actors, whether individuals or groups,” wrote Robert S. Litwak and Meg King in the article “Cybersecurity treaties may be nice, but it’s really every country for itself,” as part of the Wilson Center’s Digital Futures Project. “The problem, however, is that authoritarian states, such as Russia and China, have an interest in preserving ‘patriotic hackers’ as a policy instrument while maintaining plausible deniability.”
Indeed, Obama has admitted that a major flaw of any cyber agreement will be addressing the threat posed by non-state actors.
Litwak and King argue that deterrence is key to preventing future attacks. That includes strengthening computer networks and holding states accountable through sanctions, with the goal of making the internet “Wild West” a bit less wild.
The analogy of the Wild West was also raised at the Council on Foreign Relations discussion on cybersecurity, where experts said that establishing international norms and rules of conduct was instrumental in taming this new frontier.
But Scott Charney, corporate vice president of Microsoft’s Trustworthy Computing, argues that while many governments agree in principle that more cyber safeguards are needed, the devil is in the details.
“So one of the big challenges in all of this, including the new Chinese-U.S. agreement, is how do you determine whether or not people are actually following the norms? And people have gotten into the space on the internet where they go, because it’s hard to do authentication, because it’s hard to do traceability; there’s always plausible deniability.”
Iddo Moed, cybersecurity coordinator with the Israeli Foreign Ministry, also pointed out that individual countries have their own unique set of cyber challenges and therefore should be allowed to tailor their own plans to meet those challenges.
“[T]his is a new kind of a discussion, and everybody has to be involved. And from our perspective … we feel that norms should be, at this stage at least, voluntary or non-binding so everybody can join in; everybody can understand and learn what it means; work a lot on confidence-building measures, which are very focused actions that countries can take; and also work hard on capacity-building,” he said. “I think the point is that every country has a very different set of circumstances. So there is no good and bad. Every country is trying to mitigate the threats from its own circumstances, its own environment.”
About the Author
Justin Salhani (@JustinSalhani) is a contributing writer for The Washington Diplomat. Anna Gawel is the managing editor of The Washington Diplomat.