Flashpoints

Evaluating the US-China Cybersecurity Agreement, Part 3

Recent Features

Flashpoints

Evaluating the US-China Cybersecurity Agreement, Part 3

Over a year later, what impact has the 2015 cyber agreement had on U.S.-China relations?

Evaluating the US-China Cybersecurity Agreement, Part 3
Credit: Screenshot of White House video

Part one of this three-part series showed how differing approaches to their respective national interests drove China and the United States to contrasting views on the implementation of cyber policies and explored the U.S. position as well as the 2015 agreement between the two states. Part two detailed China’s approach to cyberspace and cybersecurity. Part three concludes by reviewing reactions to the agreement, and assessing its success to date and its longer-term prospects.

Reactions to the Agreement

Some U.S. cyber policy analysts are hesitantly pleased with the agreement while others are skeptical. The entire process is been seen by some as an elaborate way of saying that the two sides agreed to nothing. One concern has been with the lack of substance in the agreement; another is that Xi Jinping has continued to deny Beijing’s involvement in the theft of commercial secrets, which casts doubt on China’s seriousness in following through. An indicator of China’s attitude toward the agreement is that there have not been extensive references to it inside China, and when it is referenced, it’s referred to internally as a “consensus” rather than agreement. While it’s difficult to know exactly what this means, it suggests that China believes each party has the right to exercise discretion in how it interprets the agreement and how to proceed. By contrast, the United States believes the two sides have agreed to specific measures.

Consequently, another issue is with the specific interpretation of the agreement. The terms of the agreement require the two countries to abide by their respective national laws. As discussed in the previous two articles, the United States and China have very different approaches to cyberspace governance. There could be real disconnects in the way the agreement is interpreted under the different laws of the United States and China, even if both parties act in good faith.

Even with honest effort, it may be tough for China to deliver on Xi’s pledges. The PLA is responsible for most hacking campaigns against the United States, and local PLA units engage in hacking to supplement their salaries, which is not uncommon in developing militaries like China’s. Beijing’s ability to control the hacking at issue shouldn’t be taken for granted. It may take some time for the central government to assert sufficient control to make a difference in the hacking.

Other analysts believe this agreement is a welcome step, says the right things about Sino-American cooperation in cyberspace, and might be the first step in slowing Chinese cyber attacks. It has marked the most advanced steps taken by Washington to obtain a commitment from Beijing to address the growing concern for U.S. companies and combat corporate espionage in cyberspace. Even though there is not an enforcement mechanism or promise of meaningful behavioral changes by Beijing, it is still creating a framework for increased dialogue and cooperation. This is a step forward from the preceding stance of denial and counterattacks. Dean Garfield, chief executive of the Information Technology Industry Council, believes this development of “sustained dialogue where there was very little communication” indicates cooperation and sends a positive message to U.S. companies. Dmitri Alperovitch of CrowdStrike also notes this is important because it obligates Beijing to respond to evidence presented by the United States instead of being able to ignore it.

China’s statements after the meeting seemed to reflect a somewhat different view than those expressed by their American counterparts, with both government officials and analysts pleased with the outcome of the agreement. They hail the summit as a success in reconciling differences between the two powers, reducing tensions and deepening cooperation on major issues, such as cyber crime.  Chinese news agency Xinhua reflected that the summit’s outcome shows the high priority given to cyber issues on both nation’s agendas. The U.S.-China cyber agreement paved the way for a U.K.-China agreement, beginning to set a precedent for China’s cyber cooperation with other Western countries.

The comments given by the respective leaders reflect their different views on the importance of the cyber agreement. During the press conference, Presidents Obama and Xi reflected some of the same points in their remarks but also suggested very different outlooks. Obama opened with recognizing the need to halt the growing cyber threat to U.S. companies and citizens, especially economic espionage. He said China and the United States will work together with other nations to “promote international rules of the road for appropriate conduct in cyberspace.” The president stressed the significant progress they had achieved during the meeting, paving the way to a more secure cyberspace.

Unlike Obama, Xi didn’t lead his remarks with a discussion of cyber issues. His approach suggested that the agreement may just be another cosmetic move by China that ultimately may mean very little. He said the confrontation and friction between the two countries was unintentional. He noted the United States is the strongest country in cyber power, but China has the most netizens, asserting the importance of China in the grand scheme of cyber development. He then restated the unaltered stance that China “strongly opposes and combats the theft of commercial secrets and other kinds of hacking attacks.”  It was also revealing that Xi advanced a six-part proposal for the next stage in the development of China-U.S. relations, which did not mention cyber issues.  This all suggests that optimism toward the agreement ought to be tempered with hard-nosed realism.

The Way Forward

Only a few days after the agreement was reached, the FBI sent an alert to at-risk technical and engineering firms, reporting that hackers based in China had compromised computer systems and stolen military information from companies contracted with the Navy and Marine Corps. These actions don’t necessarily violate the agreement, as it doesn’t prohibit China from targeting U.S. military contractors to collect classified information useful to China’s national security interests. By contrast, however, as early as the day after the Obama-Xi agreement was completed, the cybersecurity company CrowdStrike detected at least seven Chinese cyber attacks targeting intellectual property carried out against U.S. technology and pharmaceutical companies. Another cybersecurity company, FireEye, said the state-sponsored Chinese hackers remained active, but it was unclear whether their overall objectives had shifted.

These incidents might be seen as indications of how little the agreement means to China. There was certain to be some delay between the signing and effectively implementing a new policy in China, but well into 2016 some cyber security experts maintained that China had done nothing to limit cyber espionage against the United States. It will be some time before it’s clear if China is serious about turning over a new leaf. What is certain is that continued action like this from Chinese actors will pressure Washington to take action to hold China accountable for violating the agreement.

China may see it as in its interests to comply with the agreement to decrease cyber economic espionage against the United States for the same reason that it signed on to the agreement in the first place. It appears U.S. anger and frustration on the issue has reached the point that, if the activity continues, Washington is willing to take meaningful action in response.

Another reason for China’s willingness to enter into the agreement, and one that may play in role in a decision to follow through, is the growing reluctance of U.S. companies to locate in China, particularly in the case of research and development centers. An increasingly unfavorable reputation regarding the theft of intellectual property from companies located in China may have been dampening enthusiasm for continued investment in China. In the long run, this could be a blow to China’s continued economic development.

Finally, the advance of Chinese companies’ technology may play a role in Beijing’s decisions regarding the agreement.  China seems to have perfected the art of corporate espionage, and used it to advance the technology of its corporate base, as well as becoming more innovative. As a result, Chinese companies have themselves become targets of corporate espionage. For example, Chinese telecom giant Huawei, currently with over 47,000 patents itself, is suing Chinese telecom rival ZTE for stealing its intellectual property. With valuable intellectual property of its own to protect, China may have been less reluctant to begin a conversation about how a protective regime might function.

Conclusion

Although few have been willing publicly to draw conclusions one way or the other, at least one prominent cybersecurity firm believes Chinese corporate espionage aimed at U.S. companies has dramatically decreased. Still, it remains to be seen what effect the 2015 agreement will have on long-term Sino-American relations. China faces several pressures that will be relevant to its behavior in cyberspace over the next several years. Among them are the potential for economic sanctions in response to commercial espionage, assuming its place on the world stage, and the internal problem of economic theft. Even if Beijing wishes to stop the type of cyber espionage the United States finds most offensive, it may turn out not to be completely in control of the hackers – even the military ones. And switching off the flow of stolen intellectual property to Chinese firms, including government-owned enterprises, could have consequences that are difficult to predict.

The Obama-Xi agreement has not solved all the problems, but it may be a start toward defusing tension over cyber issues. Overall, although one can argue over the margin of victory, the agreement must be seen as a success at a minimum for getting China on record as agreeing there is a separate category of commercial espionage.

Gary Brown is Professor of Cyber Security at Marine Corps University. Christopher D. Yung, Ph.D., is Donald Bren Chair of Non-Western Strategic Thought at Marine Corps University. The views expressed here are personal and do not represent the views of Marine Corp University or the U.S. military.