China and the United States are in negotiations over a cyber agreement that would see each side commit not to conduct a cyber first strike against the other country’s critical infrastructure, the New York Times’ David Sanger reports. My colleague Ankit Panda has more on the implications of such a “cyber arms control” agreement, should it be successfully announced during President Xi Jinping’s visit to the United States this week.
Both Washington and Beijing would be eager to present some sort of agreement on cyber issues – one of the most vexatious problems in the relationship – during Xi’s time in America. A cybersecurity-themed delegation from China held talks on exactly that issue with U.S. officials from September 9 to 12. Presenting at least a partial solution to the cyber debate would do wonders for public perceptions of the U.S.-China relationship.
Yet precisely because both sides will be eager to frame this as a breakthrough, it’s important to note the limitations of such an agreement. For one thing, as Sanger notes, such a deal is unlikely to actually spell out a definition of what constitutes “critical infrastructure.” That lack of clarity also plagued a 2015 report from the United Nations Group of Governmental Experts on Information Security (GGE), which included a list of “norm, rules, and principles” for state behavior in cyberspace.
As Alex Grigsby of the Council on Foreign Relations explained in an analysis of the GGE:
On the surface, getting everyone to agree to not attack critical infrastructure is great. But it’s hard to see what additional clarification this new norm provides. Each state classifies critical infrastructure differently – the United States has sixteen sectors, Japan has thirteen, Canada has ten, Germany has nine – and many of these sectors are defined so broadly, that any disruptive or destructive cyber incident is likely to affect some form of critical infrastructure.
Unless a U.S.-China agreement goes far beyond the GGE report (and, on the contrary, Sanger expects an endorsement of the UN document), this vagueness will limits its actual utility in the real world. As Grigsby points out, it’s not too far of a stretch to argue that the November 2014 hack against Sony Pictures could be an attack on “critical infrastructure” according to the U.S. definition.
And then there is the question of enforcement – what sort of response would a violation of the deal (particularly a low-level one, such as the Sony hack) elicit? That issue is particularly complicated given the problem of attribution when it comes to cyber attacks, and the potential for non-state actors to launch attacks. China, for one, frequently points out that simply because an attack was carried out on its soil doesn’t mean the government had any involvement.
Even if the deal is concluded and improves upon the the GGE report by clarifying these essential questions (unlikely), it still wouldn’t address a fundamental disagreement on the limits of cyber espionage. Cyber attacks for financial gain – aimed at stealing intellectual property, business strategies, and other proprietary information – are a separate issue from the use of offensive-minded cyber attacks designed to shut down real-world targets. The agreement, as reported on by Sanger, would deal exclusively with the latter even though economic cyber espionage has been the main issue for the U.S.-China relationship.
The Obama administration has repeatedly justified its own cyber espionage (including hacks into Chinese government offices and universities) as necessary steps to defend U.S. national security, while arguing that corporations being targeted for purely economic reasons should be off-limits. Beijing, meanwhile, tends to fuse national security and economic interests without drawing a dividing line between the two. Obama’s threat to impose cyber sanctions on China would come in response to such economic hacking, not the cyber weapons governed by the (still hypothetical) agreement discussed in the New York Times.
The importance of a U.S.-China cyber arms agreement shouldn’t be overestimated – it’s not going to solve all (or even most) of the cyber issues between the two sides, nor will it put a stop to any activities currently taking place. That’s not to say it’s not important; as Ankit pointed out, “an arms control agreement on cyber ‘first-strikes’ will be path-breaking and could possibly set the example for similar bilateral and multilateral agreements.” But such an agreement would be a beginning – not an end – to the hard work of creating mutually agreed upon cyber norms between China and the United States.