The agreement between the United States and China to limit cyberespionage of intellectual property for commercial gain, announced on September 25, caps a tense debate over Chinese activities in cyberspace. Over the past several months, American officials had routinely called high-profile breaches of American digital networks, such as the hacking of the Office of Personnel Management, state-sanctioned espionage. This fed a belief, held by both American and Chinese officials, that China’s “cyberwarfare doctrine” is a way to balance America’s superior conventional capabilities.
Jon R Lindsay, Tai Ming Cheung, and Derek S Reveron have compiled a timely volume of academic papers detailing, in their words,
how China both generates and copes with Internet insecurity through close attention to its domestic institutions and processes.
This multifaceted book discusses the doctrines, motives, purposes, and capabilities of Chinese activities in cyberspace, internal and external. The chapters authored by Chinese writers, including one current member of the People’s Liberation Army, are especially illuminating. Particularly striking are their attempts to create new terms to describe this new sphere of geopolitical activity, and their overall optimism over the possibility of international management of cyberspace.
The inclusion of the Chinese authors is not just even-handed but necessary, for this is primarily a book about China. The American writers largely view the United States as a victim of Chinese cyberespionage, neglecting in large part the other prominent entity: the U.S. National Security Agency. American cyber-activity is discussed mostly in passing by the book’s American authors, though the Chinese authors as well as the editors ensure that the contradictions inherent in American protestations are mentioned.
The official position of the United States, according to Professor Fred Cate, one of the volume’s concluding authors, is that it
only conducts cyber operations against government for military and other commercial information, while the Chinese are hacking businesses for trade secrets and commercial information.
The strange corollary to this argument that commercial secrets are somehow more valuable than military information. It also creates a distinction between the private and public spheres that that is increasingly blurry given how often corporate success is seen as a part of national interest. Nor, finally, does this distinction have any basis in fact. Edward Snowden’s revelations have revealed that the NSA has targeted Huawei, Hong Kong-based universities, and foreign trade delegations.
This has made the American argument, continues Cate, “a tough sell.” He quotes a former Department of Defense official as saying
… the Huawei revelations are devastating rebuttals to hypocritical U.S. complaints about penetration of U.S. networks, and also make USG protestations about not stealing intellectual property to help U.S. firms’ competitiveness seem like the self-splitting hairsplitting that it is.
Philosophy aside, the practical difficulty in controlling cyberespionage, as shown by both American and Chinese activity, is that it very hard to sanction. Both traditional and cyberespionage break the target country’s laws, but only the former requires (in most cases) someone to be physically inside a country’s territory and thereby subject to apprehension. Even if law enforcement could identify precisely who instigated a hack, actual arrests are rarely possible. Thus, domestic sanctions are largely meaningless.
This is of course a function of the Internet itself, which allows action at distance, and is not a characteristic of cyberespionage per se. American websites pushing information through the Great Firewall may in practice be in violation of local Chinese censorship laws, yet China can do little but block access to those websites. This issue also occurs between allies: France’s data-privacy watchdog has told Google and other Internet firms that, in order to execute Europe’s “right to be forgotten,” they need to scrub offending links from all their websites, and not just their European versions. Of course, without erecting a China-style firewall, there is little France can practically do.
The editors’ conclude that
… the United States and China, or any other advanced industrial countries [sic] for that matter, will not be able to separate cybersecurity from their diplomatic relations.
Cyberespionage, furthermore
is simply too essential a tool for China’s economic development and political stability strategy and for the national security strategy of the United States
for either country to expect the other to limit its activity.
Cyberespionage and its variants therefore become an important avenue for inter-state competition, though its extent, threat and usefulness remain subject to actual international conditions.
The editors provide a useful two-by-two matrix in their final chapter that best illustrates the possible outcomes. One dimension asks whether the international environment is collaborative or combative; the second asks whether the threats posed by cyberspace are limited or severe. A collaborative environment is more able to manage the threats posed by cyberspace; severe threats would lead to the development of new norms and rules governing cyberspace. However, a competitive environment leads to different outcomes: mild threats leads to “contested cyberspace”, while severe threats leads to cyberwarfare.
The question thus becomes whether the international environment is collaborative or competitive, and whether threats are mild or severe. These determinations are clearly easier listed than evaluated, and they require a knowledge of local institutions in both the United States and China, the possibility of cooperation, and whether either side feels the other’s cyberactivities represent an “existential threat”.
There are a few hopeful indications that things may not be as bad as pessimists believe. First, despite the “cloak-and-daggers” vibe in many general discussions around cyberespionage, the researchers have drawn intelligent and well-thought out conclusions using publicly-available data: the chapter detailing the locations of China’s information-warfare groups and the state-owned companies they are attached to was compiled using publicly-accessible websites.
There is also room for cooperation between China and the United States, or at least an understanding of what is broadly unacceptable. Cate argues that a focus on China is ill-advised, as it
contributes to US policymakers losing sight of the broad range of cyberthreats and their many sources, which include, but certainly are not limited to, China.
If cybersecurity really presents such broad threats, it may be that Washington and Beijing can agree on some solutions. Both countries have promised not to target “critical infrastructure” (however that is defined) during peacetime, and have pledged to pursue cybercrime more vigilantly within their own territories. In addition, as China develops further, it may reach a point where allowing unchecked cyberespionage presents more costs than benefits, pushing Beijing to support more international management. It remains to be seen how these agreements develop, yet while it seems that the odds are that cybersecurity will become a significant source of tension between Beijing and Washington, the editors note (with some surprise) that Chinese authors are much more optimistic that cyberspace can be managed than are the American authors.
The editors’ framework is helpful for evaluating the probability of each outcome. If the international environment is cooperative, the results will be largely benign; if anything, more severe threats will make an international solution more likely. In contrast, a more competitive environment makes the danger posed by cyberspace becomes far more important, making the difference between a contested, but ultimately peaceful, cyberspace (akin, perhaps, to Cold War mistrust) and outright “cyberwarfare.”
Cyberspace is both new and complicated, even lacking in many instances the questions to be asked when analyzing the issue. China and Cybersecurity is a step towards providing them. Are threats perceived to be existential, or merely troublesome? How conducive are both countries to international management? Are countries able to close themselves off from the global Internet without suffering disproportionate consequences, as China has partially done? With these in mind, one can begin to evaluate whether these new activities is really as threatening as the pessimists believe, or whether it remains a significant, but not dangerous, nuisance.
China and Cybersecurity: Espionage, Strategy, and Politics in the Digital Domain, Jon R Lindsay, Tai Ming Cheung, Derek S Reveron (eds) (Oxford University Press, April 2015)
Nicholas Gordon is a researcher at the Global Institute For Tomorrow in Hong Kong. He has an MPhil from Oxford in International Relations and a BA from Harvard. His writing has also appeared in The South China Morning Post, The Diplomat, China Daily and Caixin. The views here are his own. A version of this review was originally published in the Asian Review of Books. It is republished with kind permission.