One of the most anticipated outcomes of the Chinese president’s recent state visit to the United States was an agreement between the two countries on beefing up cybersecurity and putting a halt to economic espionage. But analysts question whether the deal actually can deliver.
In a September 25 ceremony on the White House lawn, Chinese President Xi Jinping pledged that China would not participate in cyber espionage. U.S. President Barack Obama announced that both leaders had promised their respective countries’ increased cooperation in fighting corruption, money laundering and terrorist financing online.
“This is progress,” Obama said of the agreement, “but I have to insist that our work is not yet done.”
Yet less than a week after Xi’s departure, James Clapper, the top U.S. intelligence official, appeared to throw cold water on the agreement. When asked at a Senate Armed Services Committee hearing whether the framework agreement could prevent Chinese hacking, Clapper gave a one-word answer: “No.”
A growing number of analysts are questioning whether the framework is substantive enough to improve cybersecurity cooperation between China and the U.S. – or whether any such agreement is even possible, particularly when it comes to the theft of intellectual property.
Dueling definitions of cybersecurity
“I think it was a broad statement of generalities, which is not necessarily a bad thing,” said Dean Cheng, senior Chinese affairs research fellow at the Heritage Foundation, a nonprofit think tank. “But is that enough? Depends who you ask.”
While there are no specifics in the framework cybersecurity agreement – or “common understanding,” as it’s officially known – Obama said it affirms the principle that “governments don’t engage in cyber espionage for commercial gain against companies.”
But that, according to Cheng, is unlikely in the extreme.
“Deterring economic espionage is hard,” he said. “OK, the Chinese agreed not to engage in cyber espionage, which they’ve always said they never did anyway. Especially on economic issues, which, again, they’ve always denied. So what have we really got?”
China and much of the West, he said, have very different definitions of what constitutes cybersecurity. In the U.S., the term usually applies to hacking attacks and the basic integrity of computer networks, he said. However, in China, “cybersecurity” applies to nearly any activity that bolsters the nation or threatens Communist Party rule.
“China just passed a new national security law, which has a very broad and expansive view of what constitutes national security,” he said. “Economics is part of Chinese national security under the new law, which directly touches on economic cyber espionage.”
“In the U.S., the government sees itself as a partner to private industry, and not in the lead in safeguarding the Web,” said Tristan Reed, security analyst at Stratfor Global Intelligence. “This contrasts greatly with a country like China, where everything serves the state.”
China and Chinese industry, he said, have every incentive to continue economic espionage against the United States.
“The U.S. has far more to lose than China in intellectual property,” Reed said, “so while this agreement is probably the most significant step yet made, it’s not the solution and it’s not likely to end or even slow attacks coming from China.”
As long as Chinese industry continues to benefit from intellectual property stolen from U.S. firms, Reed told VOA, there’s not much the U.S. government can do in the short term except to help the private sector defend its data networks. “This agreement is a move for the U.S. to find an effective long-term policy,” he added.
Cyber’s attribution problem
International agreements on cyber espionage also present a unique challenge: that of attribution, or proving that a particular individual or government is responsible for a hack.
Attribution, the first step in determining a response, “is particularly challenging,” said Reed. “Though there are a lot of attacks from China, they’re all not necessarily going to be state-sponsored. Remember, it’s the economic incentive [of Chinese industry] that’s driving this.”
Cheng agreed. “Attribution can take a lot of time, and that raises the issue of how quickly you can retaliate. Cyber’s a cheap game. It’s not quite anyone with a laptop, but it’s very close, so you have to be very careful before you start retaliating,” he told VOA.
While governments are traditionally leery of publicly revealing and possibly compromising their intelligence assets, the U.S. Department of Justice last year took the unusual step of indicting five Chinese army officers for infiltrating computer networks of six large U.S. corporations, making their attribution evidence public.
However, such measures are rare as they can compromise other valuable national intelligence assets.
Imposing economic sanctions might be another tool for government to deter cyber espionage. But the U.S. at least temporarily pulled such sanctions off the table before Xi’s state visit.
“Part of the problem with this framework agreement, which didn’t really agree on much, is that it’s put on hold the prospect of sanctions for some period of time,” Cheng said. “It would be remarkably rude for President Obama to say goodbye to Xi Jinping and then impose sanctions. But now we have to ask how long we wait for Chinese actions to change.”
Stratfor’s Reed said that overall, the framework is a good first step, but any effective deterrence policy must by necessity involve the U.S. tech and Internet industries.
“That’s one reason for Xi’s visit to Washington state,” he said, referencing the Chinese president’s meetings with the leaders of tech giants Apple, Facebook and Microsoft, among others. “The private sector is the target, and ultimately the one [that] has to be involved in talks and any agreement.”
Cheng, who calls the agreement “not particularly helpful,” targets another group for help in building lasting cybersecurity agreements: U.S. allies such as the United Kingdom, Japan, South Korea, Israel and Canada.
“There’s a lot of players in the cyber game,” he said. “It might be more helpful to sit down with our friends and allies, who share certain views of what constitutes security and acceptable behavior, to create a shared standard among ourselves.”
“That, arguably, would have been a better first starting point, rather than meeting with a country with very different views about what is acceptable cyber behavior.”