Back in December 2014, China’s cyber czar, Lu Wei, director of the State Internet Information Office, succinctly summarized Beijing’s position on sovereignty in cyberspace in the title of an article published by the Huffington Post: “Cyber Sovereignty Must Rule Global Internet.” Time and again, China has repeated the mantra that states have to respect China’s “information borders,” emphasizing that a focus on national sovereignty and a state-centric approach will guarantee stability in cyberspace. The People’s Republic is especially keen to discredit the Western propagated multi-stakeholder approach to Internet governance, which it sees as intrinsically dangerous and undermining China’s national security interests.
In the Huffington Post article, Lu Wei, posits,
“For example, with regard to the cyberspace governance, the U.S. advocates ‘multi-stakeholders’ while China believes in ‘multilateral.’ [‘Multi-stakeholder’ refers to all Internet participants on an equal footing making the rules and is considered more ‘people-centered’ while ‘multilateral’ refers to the state making the rules based on the idea of the sovereignty of the nation-state representing its citizens.] These two alternatives are not intrinsically contradictory. Without ‘multilateral,’ there would be no ‘multi-stakeholders.’ Exaggerating our disagreements due to difference in concepts is neither helpful to the China-U.S. Internet relations nor beneficial to global governance and the development of the Internet.”
Partially to accommodate Chinese fears about the United States’ control over Internet structure, Washington announced back in March 2014 that it will give up oversight of web domain managers at ICANN — a non-profit organization that manages worldwide domain names and the assignment of IP addresses, among other things. Yet, unsurprisingly, China so far has not been prepared to yield an inch in turn on its stance on Internet sovereignty. It is hard to find common ground with the United States and its allies, since to Western countries Chinese ideas on Internet sovereignty are tantamount to Internet censorship, the restriction of free speech, and the online prosecution of political dissidents.
Yet, as an article in the Strategic Studies Quarterly already argued in 2011, the Chinese are not unique in their quest. In one way or another every country is attempting to control what comes through its borders:
“While it is not recognized as such nor publicly endorsed by most democratic leaders, a cyberspace regulating process is happening, building the initial blocks of emergent national virtual fences. A new ‘cybered Westphalian age’ is slowly emerging as state leaders organize to protect their citizens and economies individually and unwittingly initiate the path to borders in cyberspace. Not only are the major powers of China and the United States already demonstrating key elements of emerging cybered territorial sovereignty, other nations are quickly beginning to show similar trends. From India to Sweden, nations are demanding control over what happens electronically in their territory, even if it is to or from the computers of their citizens.”
Back in June 2013, the United Nations “Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security” unequivocally concluded that “international law and in particular the United Nations Charter is applicable and is essential to maintaining peace and stability and promoting an open, secure, peaceful and accessible ICT environment.” China was part of this working group and signed off on the report’s conclusion and recommendations. The report continues, “The Group also concluded that State sovereignty and the international norms and principles that flow from it apply to States’ conduct of ICT-related activities and to their jurisdiction over ICT infrastructure with their territory; States must meet their international obligations regarding internationally wrongful acts attributable to them.”
This was not a new commitment and merely reflected pre-existing legal realities. China is technically responsible for preventing the use of its territory for aggression or sabotage against other states. However, Beijing’s aggressive crusade for Internet sovereignty could result in an increased emphasis on China’s direct responsibility for attacks originating from China. Beijing currently often hides behind a veil of plausible deniability by accusing (patriotic) domestic hackers of having gone rogue (which in fact is true in many instances).
Take the recent example of the Sony Hack: Pyongyang relies on China Unicom — a Chinese state-owned telecommunications operator — for Internet access. North Korea also procures most of its routers and servers from its big communist neighbor. In addition, China is training North Korean cyber warriors now numbering — according to uncorroborated reports — around 5,900. Some members of North Korea’s Unit 121 of the Reconnaissance General Bureau of the Korean People’s Army, an elite DPRK hacker unit, are allegedly stationed in and operate out of Shenyang, China. Should Unit 121 be clearly identified as responsible for the Sony Hack, China will find itself as an accessory after the fact in the best of circumstances, or a plain accomplice in the courtroom of world opinion, which will be detrimental to China’s diplomatic efforts in cyberspace.
For the time being, the United States and China have to find less politically sensitive ways to cooperate on mutually beneficial issues, while circumventing their disagreements in other domains.
For example, my colleague Dr. Greg Austin, in a keynote delivered back at the “2014 Canada-U.S. Cybersecurity Conference: Securing Our Financial Infrastructure,” proposes that China and the United States cooperate on international protection for exchanges and clearing houses in cyberspace.
Austin argues, “States should commit by treaty to the absolute protection in cyberspace of designated exchanges and clearing houses in the same way as they now commit to the absolute protection of diplomats as internationally protected persons and embassies as internationally protected premises.” For example, a China-U.S. working group could look at the 1997 Convention on Crimes against Internationally protected persons and use it as a framework for a “Convention on Internationally Protected Facilities.” Of course, this will be a tricky thing to sell to the private sector. Government intervention — especially in the financial sector — is a touchy political subject. Yet the risks in cyberspace are ever increasing and time for voluntary best practices may have run out.
As I stated before, cybersecurity demands international collaboration, which essentially implies an almost schizophrenic, two-layered approach of simultaneously cooperating with a country on one level of cybersecurity while dissuading the country from excessively engaging in malicious cyber activities at another level. This strategic doublethink dichotomy holds true for all nations in cyberspace, yet it especially holds true for the China-U.S. relationship.
A version of this article was previously published on ChinaUSFocus.com.