The theft of online intellectual property (IP) has led to what former NSA director General Keith Alexander has called ‘the greatest transfer of wealth in history.’
Unsurprisingly, it has also generated headlines. Just last week, the Financial Times was reporting the names of three state-owned Chinese companies that benefited from a Chinese government attack on U.S. companies.
And at the end of last month, Presidents Obama and Xi announced ‘that neither the U.S. or the Chinese government will conduct or knowingly support cyber-enabled theft of intellectual property’ as well as progress on how the two countries would cooperate on the law enforcement side when perpetrators are identified.
Given the enormous stakes for the United States, reaching agreement on this issue is critical. But as President Obama hinted, the issue is far from resolved: “the question now is, are words followed by actions.”
Unfortunately, the most obvious immediate test of this new agreement is also the most fraught. In May 2014, the U.S. Justice Department issued five arrest warrants for members of the Chinese military who were alleged to have conducted cyberattacks against U.S. companies. It’s hard to imagine a rush to hand them over, but surprisingly, The Washington Post has reported “The Chinese government has quietly arrested a handful of hackers at the urging of the U.S. government … It is not clear if the hackers arrested were with the Chinese military, but they were accused of carrying out state-sponsored economic espionage.”
Gaps in the U.S.-China hacking agreement
Despite these positive early signs, the agreement leaves many serious gaps (and pitfalls). Given the massive economic losses experienced by the United States, the focus was naturally on the theft of intellectual property. However, there are other reasons for attacking a U.S. company besides stealing its IP. In April of this year, the Citizen Lab at the Munk School of Global Affairs released a report on a new offensive tool China developed, ‘the Great Cannon’, which it used against selected pages of GitHub, a code-sharing site. This included pages that monitor Chinese online censorship, and others that publish a Chinese-language version of The New York Times. Another reason could be political revenge: In 2014, Iranian hackers launched a large cyberattack on Las Vegas Sands Casino in an apparent attempt to get back at its CEO and majority owner, Sheldon Adelson, for comments he’d made about Iran. There are also military rationales for hacking into certain companies, which could be activated in the event of a conflict or as a coercive measure.
As the Iranian example above highlights, the bilateral nature of this agreement excludes other significant perpetrators of IP theft. As U.S. Director of National Intelligence James Clapper stated in his report to the Senate Armed Services Committee in February, “several nations—including Iran and North Korea—have undertaken offensive cyber operations against private sector targets to support their economic and foreign policy objectives.” He also noted, “the Russian cyber threat is more severe than we had previously assessed.”
The deal with China is significant, but the big issue is going to be developing agreed international rules of the road. As President Obama himself acknowledged:
…because this is a global problem, and because, unlike some of the other areas of international cooperation, the rules in this area are not well developed, I think it’s going to [be] very important for the United States and China, working with other nations and the United Nations…and the private sector, to start developing an architecture to govern behavior in cyberspace that is enforceable and clear.
Without this, the outlook is damaging. Beyond the mass of IP already stolen, the scenario anticipated by Clapper is “an ongoing series of low-to-moderate level cyber attacks from a variety of sources over time, which will impose cumulative costs on U.S. economic competitiveness and national security.”
The long road to consensus
The challenge will be finding the right forum to pursue what will likely be a long road to consensus. The U.N. route has the advantage of bringing all states to the table, but has multiple downsides. These include excluding critical actors from voting, such as the current Internet-governing bodies and major IT companies. It also is vulnerable to efforts by some states to reduce protections for human rights and free speech.
Another option might be the G-20, which brings together key states, the private sector, and civil society (through the B-20 and C-20). It operates more informally, lending itself to an area like this where agreed norms of behaviour are desperately needed, but formal agreement is unlikely for many years to come.
On the home front, more effort is needed to boost private sector cyber defences. As Clapper observed, “China is an advanced cyber actor; however, Chinese hackers often use less sophisticated cyber tools to access targets. Improved cyber defences would require hackers to use more sophisticated skills and make China’s economic espionage more costly and difficult to conduct.” The Justice Department has recently established a new office to help companies with this, but more effort is needed.
The agreement with China is a starting point. If it sticks, it will help build global norms. However, a broader tent is needed as well as an expanded agenda. The stakes for the United States are enormous.
This post is part of a series drawing from Fergus Hanson’s new book, “Internet Wars: The Struggle for Power in the 21st Century.” Read the second piece in the series, “Waging (cyber)war in peacetime,” and the third, “The organized millions online.”