The New York Times‘ David Sanger reports that the United States and China are on the cusp of a bilateral arms control agreement concerning the first-use of cyber weapons against critical national infrastructure. Such an agreement would the first of its sort, and potentially a major development between the United States and China. Tensions between the two countries have been high over U.S. accusations that China regularly engages in state-sponsored cyber attacks and cyber espionage against U.S. targets.
Per Sanger’s reporting, it appears that the agreement under consideration would exclude cyber espionage and attacks resembling last year’s attack against Sony Pictures, an attack that was allegedly carried out by an independent hacker group with North Korean backing. Sanger clarifies that the agreement will concern attacks on “power stations, banking systems, cellphone networks and hospitals.” In short, to compare with conventional threats, this agreement would preclude a first “strategic” cyber strike. U.S. and Chinese negotiators are working hastily to finalize an agreement, potentially to be announced at the conclusion of Xi Jinping’s looming state visit next week.
Observers of U.S.-China relations expect few positive concrete deliverables out of Xi’s state visit given the current bilateral climate, but a cyber arms control agreement would at least show that the U.S. and China are making some progress on uncomfortable topics. China has consistently denied that it sponsors offensive cyber attacks or cyber espionage, and has reacted angrily to U.S. insinuations to the contrary. The U.S. Department of Justice’s decision to indict five senior People’s Liberation Army officers for crimes related to cyber espionage, including “computer hacking, economic espionage and other offenses directed at six American victims in the U.S. nuclear power, metals and solar products industries,” was met with furious indignation from the Chinese side. That China is willing to participate in these talks is a diplomatic win for the Obama administration.
Diplomatic context aside, an arms control agreement on cyber “first-strikes” will be path-breaking and could possibly set the example for similar bilateral and multilateral agreements. Cyber “weapons,” however, have several peculiar qualities that make regulating and monitoring compliance difficult. Traditional arms control agreements, particular for strategic nuclear weapons, measure how states are using easily countable and measurable weapons of mass destruction. Concerning first-use, we can measure several important benchmarks, including if nuclear warheads are mated to delivery systems and where they are position. With cyber, these conventional measurements are considerably more complicated.
Consider also the troubling question of “zero-day” exploits in the cyber realm. In short, a “zero-day” is a previously unknown vulnerability that is discovered first by an attacker instead of the target. The recent breach of the U.S. Office of Personnel Management, for example, has been described as a “zero-day” attack. When first-strikes are concerned, zero-days present a unique problem. If a war between the U.S. and China were to break out and either side had identified a vulnerability in the other’s critical national infrastructure that could cause massive damage, the temptation for cyber first-use is immense. It’s doubtful that U.S. and Chinese negotiators will find a way to guarantee no-first-use that extends beyond a written guarantee. Strategic stability with cyber weaponry is tricky business.