Over the next few days, Net Politics will countdown the top five developments in cyber policy of 2015. Each policy event will have its own post, explaining what happened, what it all means, and its impact on cyber policy in 2016. In this post, the United States-China Cyber Agreement.
For much of 2015, cyber espionage was an especially contentious issue in the U.S.-China relationship as Washington pushed for a norm against cyberattacks on private companies designed to steal intellectual property, trade secrets, or business strategies. Assistant Secretary of State for East Asian and Pacific Affairs Daniel Russel warned that cyberspace had the “potential to drive strategic mistrust in the relationship,” and Beijing called U.S. hacking charges “irresponsible and unscientific.” Claims that China-based hackers were behind the attacks on the Office of Personnel Management (OPM) and the theft of the data of 22 million individuals further exacerbated tensions, even though the administration was careful to distinguish between legitimate political and military espionage, which the OPM hack would seem to be, and cyber industrial espionage (leading to a weird sort of professional admiration, with Director for National Intelligence James Clapper speaking on China and the OPM hack saying he “kind of salutes them for what they did“).
In the weeks before President Xi Jinping’s visit to Washington, press leaks suggested that the White House was considering sanctioning Chinese individuals or entities that benefit from cyber theft. The threat seemed to have worked. In September 2015, at a joint press conference in the Rose Garden, President Obama announced that the United States and China had agreed that neither government “will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information for commercial advantage.” Washington and Beijing would also provide timely responses to requests for assistance in cybercrime investigations; cooperate in conducting investigations and collecting evidence; identify and endorse norms of behavior in cyberspace; and establish two high level working groups and a hotline between the two sides.
Was the agreement a real breakthrough, or just a tactical maneuver by China, an effort to prevent Washington from levying sanctions and disrupting a summit that was important politically for President Xi? There was positive follow up in the first round of cyber talks between the Department of Homeland Security and Chinese Ministry of Public Security in December 2015. The two sides agreed on guidelines for requesting assistance on cybercrime or other malicious cyber activities, as well as to conduct “tabletop exercises” in spring 2016 and to define procedures for use of the hotline. The Washington Post also reported that China arrested some hackers before the summit, but the arrests were not publicized in China and the United States government has not confirmed. Security experts outside of China with connections to Chinese hackers have suggested that those arrested supplied malware to the PLA, but are not PLA operators.
In addition, after years of promoting the norm against cyber industrial espionage, the U.S. announcement was followed by a similar agreement between the UK and China, and a report that Berlin would sign a “no cyber theft” deal with Beijing in 2016. In November 2015, China, Brazil, Russia, the United States, and other members of the G20 accepted the norm against conducting or supporting the cyber-enabled theft of intellectual property.
This diplomatic effort is important progress, but early reports on whether these statements have had any affect on the scope and scale of cyberattacks on U.S. companies have been mixed at best. Just three weeks after the agreement, cybersecurity companies reported new attacks on pharmaceutical companies. Unnamed officials told the Washington Post that the May 2014 indictment of five PLA hackers has had the effect of shifting much of the activity to the Ministry of State Security, but National Counterintelligence Executive Bill Evanina has said there is “no indication” from the U.S. private sector “that anything has changed.”
If during the first few months of 2016 there is no noticeable decline in the hacking, or if there is a major attack against a private firm, then pressure will rise on the Obama administration to levy sanctions on China. Even if it is a quiet year in terms of breaches, and that is a big if, China and the United States remain divided over Internet governance and policies designed to secure supply chains and information and communication technology equipment. U.S. technology companies will continue to find themselves squeezed by Chinese efforts to make the technology used in critical infrastructure “secure and controllable.” Cyberspace will continue to be an area of conflict and competition.