On September 25, the United States and China agreed to contain their industrial or economic cyber espionage activities against each other. This is the first instance of two major cyber powers reaching common ground on norms of state behavior in cyberspace.
The agreement, reminiscent of the United States-Soviet Union arms control accords of the Cold War era, is important because industrial or economic cyber espionage has been a thorny issue in the U.S.-China relationship since the early 2000s.
Although traditional espionage—the collection of state secrets—is an accepted part of statecraft worldwide, the U.S. government has repeatedly tried to distinguish between such spying and economic cyber espionage. And it has repeatedly accused China of engaging in economic espionage through cyber attacks against American companies to steal intellectual property and commercially valuable data such as corporate strategies, product designs, business negotiations, and dual-use technology-related data.
The U.S. has often cited China’s alleged theft in the mid-2000s of data related to the F-35, the stealth fighter aircraft, as a prime example of China’s economic and military cyber espionage. According to the U.S. National Security Agency (NSA), China repeatedly breached the computer networks of American government and private defense companies to steal data about design and radar modules for the F-35, and incorporated it into its own stealth fighter aircraft, the J-20.
Attacks like these have cost the U.S. Department of Defense $100 million, mainly in costs for rebuilding networks. The repeated attacks have also potentially increased the cost of the $98 million-plus F-35—an escalation that affects the export potential of the fighter aircraft, since it is being jointly developed with the U.K., Israel, Italy, Australia, Canada, Norway, Denmark, the Netherlands, and Turkey.
The U.S. claims that this alleged data theft has adversely impacted America’s economic fortunes. These accusations are a step above the U.S.’s assertions in 2013, when for the first time the U.S. Department of Defense officially stated that the Chinese government was launching cyber attacks against the U.S.
Before the two countries reached the September agreement, the Obama administration was reportedly considering sanctions against the companies and individuals in China who may have benefitted from stealing U.S. economic and commercial data. The trigger for that possible step was a major data breach in the U.S. Government’s Office of Personnel Management in June 2015, when the records of approximately 21.5 million current and former government employees were stolen. The breach was unofficially attributed to China.
For its part, China has consistently rejected the American allegations. Besides, unlike the U.S., it does not separate traditional espionage and economic cyber espionage. In fact, China has argued that in the world of intelligence gathering, such a distinction is irrelevant. To support that argument, China has cited former NSA employee Edward Snowden’s revelations about how the NSA spied on foreign companies such as Petrobras, Siemens, and Huawei to get data that benefitted American economic interests.
With the September agreement, by mutually agreeing to limit their cyber espionage activities, both the U.S. and China can bring an element of stability to their bilateral relationship.
But cyber perils go beyond the economic realm and include threats to critical infrastructure, as well as cyber crimes. To address these, both countries have also agreed to improve cooperation between their law enforcement agencies in investigating malicious cyber activities. This makes the U.S.-China understanding, in addition to its bilateral significance, an important step towards creating norms in international cyberspace, where not only states but also non-state actors such as terrorist groups possess offensive cyber capabilities. The anonymity offered by cyberspace has been effectively used by non-state actors for ever-growing cyber crimes and for running black markets on the “deep web.”
Despite these threats, major cyber powers such as Russia and European Union countries, besides the U.S. and China, have failed to frame common rules for cyber security. In fact, the absence of clear established rules of engagement has been seen as advantageous, a situation where anyone can engage in cyber war but deny culpability. This attitude may change once these powers see the benefits of cooperation—including better control over cyberspace, better regulation, and mutual trust—and they will closely watch the progress of the U.S.-China cyber agreement.
The implementation of the U.S.-China agreement will, however, face major challenges—chief among these is the problem of attribution in cyberspace. Attributing a cyber attack or hacking to a particular region or specific state actor is often difficult since the attack is usually routed through multiple servers located in different countries. Even sophisticated analysis can typically identify only the computer used for the attack; it is far more difficult to determine whether the computer was remotely operated. Attribution is further complicated when attacks are “crowd-sourced,” with several groups working together or separately to target a particular company.
More importantly, establishing attribution and identifying the complicity of state actors are different. Even if the attack is traced to a particular country, that attack could have been committed by a private citizen, with or without the involvement of the state. Therefore, even after China and the U.S. have committed to contain their cyber espionage, will they be able to guarantee the actions of their citizens?
Besides, formal attributions for cyber attacks are rare. The U.S. has rarely formally attributed attacks to a particular state; there have been only a few exceptions, such as the Federal Bureau of Investigation’s indictment of five Chinese military hackers for cyber espionage in 2014, and sanctions against North Korea for the Sony server hacking in 2015. Usually though, governments have avoided formally naming any country as responsible for a cyber attack because of the problems associated with attribution.
The U.S.-China agreement is a symbolic beginning to establish a cyberspace management regime. While it may bring in some cyber stability, businesses and companies that have been repeated targets in the game of economic cyber espionage cannot depend only on such agreements and formal understandings. Rather, they must proactively plug their vulnerabilities against malicious cyber activities by rigorously implementing information security protocols, conducting strenuous background checks of personnel, and staying informed about the latest cyber security developments.
This is particularly applicable to India, which has been a sustained target of cyber espionage and has not yet taken adequate steps to defend itself.
Sameer Patil is Fellow, National Security, Ethnic Conflict and Terrorism, at Gateway House. This article was originally published at Gateway House: Indian Council on Global Relations, a foreign policy think tank in Mumbai, India, established to engage India’s leading corporations and individuals in debate and scholarship on India’s foreign policy and the nation’s role in global affairs.