The first meeting of the U.S.-China Working Group on cybersecurity has ended, and preliminary reviews are fairly positive. Xinhua reports that “the two sides held candid in-depth discussions” and that Washington and Beijing have signaled their intention to improve cooperation in cyberspace. A senior U.S. government official rolled out the old chestnut of “constructive discussions,” but also noted that both sides made “practical proposals to increase our cooperation and build greater understanding and transparency.”
The United States raised the issue of “cyber-enabled” espionage during the working group, and cyber espionage is on the agenda during the high-level meetings of the Strategic and Economic Dialogue. As many have noted, however, Edward Snowden’s revelations about National Security Agency hacking against Tsinghua University and other Chinese targets may make it easier for Beijing to deflect U.S. charges. Senior officials have responded that U.S. surveillance and Chinese industrial espionage are “apples and oranges” but there is little doubt that progress on this issue is going to be extremely slow going through bilateral negotiations, if it comes at all.
The one possible bright spot is the broader discussion of international cyberspace rules. There have not been any public statements yet on what concrete rules or norms were put on the table or how the two sides may increase cooperation. But it seems likely that the United States pressed very hard for the norm of state responsibility—-governments are responsible for attacks coming from their territory. Senior U.S. officials have said that President Barack Obama raised this with President Xi Jinping at their “shirt sleeves” summit in June. Also in June, China signed on to a report prepared by the United Nations Group of Government Experts that endorsed the application of the United Nations Charter and international law to cyberspace. James Lewis of the Center for Strategic and International Studies, who wrote the report, has said that it “included agreement that states would not use ‘proxies’ for malicious cyber actions.”
Building on this is not going to be easy. The Chinese might be more than happy to continue to talking about cooperation and then go back to the status quo. The norm of state responsibility also creates responsibility for the United States. As Jason Healey has argued, U.S. cyberspace is “one of the least secure online realms.” Forty percent of the world’s botnet controllers, for example, are in the United States according to McAfee. But narrowing the difference between the two sides on an important norm is a positive first step. The United States must make sure that as it continues to press China on cyber espionage it sustains and reinforces the discussion on international norms.