The September 25 joint statements issued in parallel by the Chinese government and the White House on how to strengthen bilateral relations in cyberspace are the most positive development between the two countries in this field since the June 2013 Sunnylands summit.
Although not groundbreaking in their substance, the agreements—as described by a Fact Sheet released by the White House—nevertheless establish a long-term framework for cooperation that may help reduce tensions in cyberspace between the two countries and further solidify cyber-related issues as a top priority on the Sino-U.S. bilateral agenda.
Conversely, it is important to understand that the agreements reached are only a starting point and need to be followed up by more concrete and more clearly defined documents specifically addressing issues that have plagued Sino-U.S. bilateral relations in cyberspace from the start—issues such as questions over verification, terminology, and norms. Without this, real progress will not be likely.
The most talked-about section of the joint statement outlines that both countries will refrain from engaging in or “knowingly” supporting “cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.”
This is an important diplomatic breakthrough. Curtailing Chinese state-sponsored cyber espionage activities has been the top priority of the Obama administration in the Sino-U.S. bilateral relationship in cyberspace for some time. Overall, in the past year, the U.S. assumed a tougher stance on alleged Chinese state-sponsored cyber espionage activities.
For example, in April 2015, U.S. President Barack Obama signed an executive order establishing the first-ever sanctions program specifically designed to deter state-sponsored malicious activities in cyberspace on a strategic scale, declaring such activities a “national emergency.”
In a separate analysis a few weeks back, I noted that by threatening sanctions, the Obama White House intends to elevate the subject of cyber espionage to a more strategic level between the two sides during bilateral discussions.
Thus, the Chinese concession to agree to a joint statement on this subject can be construed as a diplomatic victory for the Obama administration. However, in order to yield more concrete results, the Xi-Obama statement needs to be immediately followed up by a more comprehensive agreement.
For one thing, Chinese President Xi Jinping still maintains that his state is not collecting commercial intelligence and does not engage in cyber espionage. Therefore, it is fair to assume that Xi could claim that the agreement does not apply to ongoing Chinese state-sponsored activities in cyberspace. Thus, it is easy for Beijing to support a new norm that the Chinese government insists it is following already.
Moreover, the statement contains the loophole that both sides only refrain from “knowingly” supporting the collection of commercial intelligence—a position that both countries had already agreed to in past meetings. This provision permits plausible deniability for both sides when caught: commercial espionage is often outsourced to quasi-independent (“patriotic”) hackers over which both governments can claim that they have no control.
Lastly, the agreement only talks about refraining from collecting trade secrets rather than curtailing the passing on of intelligence to third parties (private companies) in order for them to gain a competitive advantage. However, practically every state in the world, including the United States, is engaged in collecting commercial intelligence and there is no agreed-upon international norm against it. This could potentially undermine the larger legal principle behind the agreement to abstain from cyber-enabled intellectual property theft as outlined in the White House Fact Sheet.
Interestingly, there are some hints in the statement that both sides are open to discussing the question of verification, something that the Chinese side in particular has refused in past dialogues. Both countries, the text reads, agree “that timely responses should be provided to requests for information and assistance concerning malicious cyber activities.”
Additionally, the statement reads that China and the United States “agree to cooperate, in a manner consistent with their respective national laws and relevant international obligations, with requests to investigate cybercrimes, collect electronic evidence, and mitigate malicious cyber activity emanating from their territory.”
To institutionalize this cooperation both sides agreed to establish a new high-level joint dialogue mechanism “on fighting cybercrime and related issues.” This effectively replaces the defunct U.S.-China Cyber Working Group (China suspended its participation after the indictment of 5 PLA members by the U.S. Justice Department in May 2014).
On the Chinese side, the Cyberspace Administration of China in close collaboration with the Ministry of Public Security will likely take the lead in this group. In addition, representatives from the Ministry of State Security, Ministry of Justice, and the State Internet and Information Office will also participate in the dialogue, according to the White House.
The U.S. Secretary of Homeland Security and the U.S. Attorney General, both co-chairing the group on the American side, will lead the U.S. delegation which will also include representatives from the FBI, the U.S. Intelligence Community and other agencies.
While this does not establish an intrusive verification mechanism per se, it nevertheless is a step in the right direction and could have some spillover effects when it comes to U.S.-China CERT-to-CERT cooperation. Also, there are two concrete next steps, which are noteworthy in this respect. First, there is an agreement to establish a cybercrime hotline in order to avoid an escalation of tensions in the event of a cyber-related incident. Second, both sides agreed that the first meeting will be held before the end of 2015 and that subsequent meetings shall occur twice per year. Given that there had been no official high-level contact on cybersecurity between both countries since May 2014, this is a notable achievement.
Furthermore, both sides want to establish an additional bilateral group made up of senior experts, presumably from the U.S. Department of State and the Chinese Ministry of Foreign Affairs, to re-ignite the discussion on norms of state behavior in cyberspace. In that respect, the White House Fact Sheet notes that the United States and China both “welcome” the July 2015 report of the UN Group of Governmental Experts in the Field of Information and Telecommunications in the Context of International Security, which addresses norms of behavior and other crucial issues for international security in cyberspace.
This UN report is a follow-up document to a June 2013 report, also published by the UN Group of Governmental Experts. The 2013 report concluded that “international law and in particular the United Nations Charter is applicable and is essential to maintaining peace and stability and promoting an open, secure, peaceful and accessible ICT environment.”
China was part of this working group and signed off on the report’s conclusion and recommendations, which stated that “state sovereignty and the international norms and principles that flow from it apply to States’ conduct of ICT-related activities and to their jurisdiction over ICT infrastructure within their territory; States must meet their international obligations regarding internationally wrongful acts attributable to them.”
As I pointed out in a previous analysis, this was not a new commitment and simply reflected pre-existing legal realities. However, it reiterated that China is technically responsible for preventing the use of its territory for aggression or sabotage against other states, although some Chinese legal scholars may disagree on this point. It also somewhat weakens China’s repeated defense that it cannot control the majority of cyber attacks launched against the United States from Chinese territory. The discussion of norms is thus an important necessity if both sides ever want to achieve enduring “peace” in cyberspace.
The larger question will be whether this set of agreements will lead to a decline in the number of cyber incidents over the next couple of months. While this remains doubtful, the new support mechanisms in place will help to depoliticize the debate surrounding cyber espionage and perhaps let both countries—in particular the private sectors in China and the United States—engage in more fruitful technical cooperation rather than mere finger pointing. Consequently, steps should be taken to ensure that future cyberattacks will not automatically derail this fragile, agreed-upon framework, since it could yield some tangible results in the years to come.