As recent news reports highlight, the U.S. government and cyber security firms are now naming names as they accuse the Chinese of a wide ranging state-directed campaign of cyber espionage. Pinpointing who has actually directed such intrusions and data theft is technically difficult. But there is now convincing evidence that state-supported players in China are undertaking massive, organized efforts to penetrate foreign networks and steal information of commercial, diplomatic and security value to various Chinese interests.
These activities are increasing tensions in U.S.-China relations and warrant serious diplomatic efforts to address. But there are no quick fixes in this arena, and it is especially important therefore to be clear about what can and cannot be accomplished through negotiations.
Put simply what could American negotiators feasibly accomplish if the Chinese side is willing to engage in serious, sincere talks to reach agreements on cyber space norms and activities? The following answers assume that Beijing will insist that the U.S. and the other major advanced industrial countries hold themselves to any rules that are negotiated.
Americans are alarmed and infuriated by Chinese intrusions into our defense, intelligence, and diplomatic networks and by Beijing’s acquisition of information on how to penetrate (and potentially attack) the systems that control our critical infrastructure such as power plants, the electrical grid, dams, and financial services networks. All of this falls under into the category of espionage – acquiring nonpublic information that can give one state an advantage over another. But nobody has ever figured out a way to stop states from engaging in espionage wherever they are able to do so, and the new cyber realm is unlikely to prove an exception to this.
Information on American cyber espionage is largely classified, but it is unrealistic to assume that the United States as a matter of principle does not exploit these opportunities on a large scale, including against China. It is, moreover, hard to imagine that the relevant Washington agencies would agree to negotiate limitations with China on what information the U.S. government will be allowed to gather in the future. Even if we did so, our allies would almost certainly not go along.
There are a lot of ways to try to render a foreign power’s espionage efforts ineffective or even counterproductive. But establishing self-limiting rules of the road is almost certainly not among them.
The U.S. would have much less trouble advocating a multilateral agreement to prohibit the use of government-sponsored cyber intrusions to steal data (proprietary technology, negotiating strategies, bid prices, etc.) to provide to the country’s corporations or other profit-making bodies a competitive advantage. The U.S. government does not engage in such activity itself.
But even here, there are constraints. For example, the United States has repeatedly identified foreign firms, including in China, that have engaged in nuclear proliferation or other activities that violate U.N. sanctions or American law. Undoubtedly, the U.S. government has at times learned of these activities through cyber intrusions into corporate networks abroad. In addition, the French government is widely reputed to engage in corporate cyber espionage to benefit French companies, and this may also be the case for some other American allies.
Differentiating intrusions for legitimate security purposes from those for commercial competitive advantage may prove very difficult in practice. Beijing may thus have a lot of company in opposing any agreement to prohibit intrusions for commercial gain.
Cyber warfare means using cyber weapons to disrupt another country’s security capabilities and/or inflict direct harm on its people. It may be possible to identify certain types of cyber attacks that by common agreement are prohibited and would warrant severe retaliation (the 21st century equivalent of the post WWI agreement to prohibit the use of poison gas as a weapon of war). Applying already-accepted international principles such as those prohibiting targeting civilians and requiring efforts to minimize noncombatant casualties from an attack may prove feasible in the cyber realm. Negotiations aimed at reaching such agreements can also increase understanding of redlines that various countries have and the rationales behind them. This in itself can potentially reduce the risk of cyber attacks that escalate into major conflict.
But any blanket effort to restrict the use of cyber weapons to achieve military objectives is almost certainly a reach too far. The United States, for example, reportedly worked with Israel to employ cyber weapons (most notably the Stuxnet virus) to disrupt Iran’s nuclear program. All advanced militaries, including China’s PLA, moreover, have developed and deployed various offensive and defensive electronic warfare capabilities. Various militaries will have strong views on what types of capabilities, if any, they feel they can sacrifice in the context of multilateral negotiations to constrain cyber warfare capabilities and actions.
Utilization of cyber space in criminal activity comes in all shapes and sizes – such as fraud, identity theft, bank account raids, child pornography, money laundering, gun running, and a vast array of other endeavors.
Criminality is an arena that may well hold the most promise for reaching meaningful and enforceable multilateral agreements, as many (but by no means all) types of crimes are recognized as such by all major governments. Negotiations may progress most effectively if they begin with clear-cut shared concerns (such as child pornography) and then move on to more complex issues only as mutual trust is created and understanding develops as to feasible international enforcement measures.
In sum, Chinese activities rightly produce anger and frustration in the U.S. and elsewhere, but figuring out what the United States itself is prepared to put on the table and what types of agreements to seek with China and others requires cool-headed calculations of what is feasible. Simplistic ideas of demanding that the Chinese curtail the full array of their obnoxious and offensive behavior will raise the temperature but will also fall far short of producing constructive outcomes, especially given that the U.S. government would not itself accept many of the restrictions on conduct that many feel we should require of Beijing.
The above brief overview provides some introductory thoughts about what types of activities can and cannot be addressed by negotiations to establish international agreements in cyber space. This brief overview does not address either enforcement or the technical details of the cyber world that add another huge level of difficulty, especially as the relevant technologies are constantly changing. A Brookings monograph I coauthored with Peter Singer, Cybersecurity and U.S.-China Relations, elucidates these complexities and recommends a path forward.
As that monograph explains, a process of engaging the Chinese to map out what might be negotiable is, if carefully constructed, potentially very worthwhile. The negotiating process itself can: generate common vocabularies and concepts that are essential to future agreements on approaches and rules; better inform each side about perspectives of the other side; clarify what is feasible to try to accomplish; and nurture growing familiarity and, possibly, trust. None of these will fully resolve the outstanding problems, but all potentially enhance the ability to manage the increasing dangers cyber issues pose to United States and to U.S.-China relations. In a realm where there are no quick fixes, that is an objective worth pursuing.
This post has been revised.