What should be the boundaries of government-sponsored cybertheft and surveillance beyond national borders? To what extent do apps such as TikTok pose a national-security threat? Can the United States and European Union reach an agreement on transatlantic data flows that balances economic, privacy, and national-security concerns? These seemingly disconnected questions lurked in the background of the recent inaugural meeting of the EU-U.S. Trade and Technology Council. They all point to the difficulty of defining the proper scope of state power to access and exploit data—one of the defining governance challenges of our time.
The world’s major cyberpowers are plagued by internal contradictions in their approaches to online espionage, law enforcement, and data collection—when it comes to data access, governments want to have their cake and eat it too. The U.S. government struggles to keep its story straight on the distinction between “commercial” cyberespionage, which it decries, and the more traditional cyberspying that it accepts as a reality of international politics. Brussels is in the awkward position of asking other countries to do more to protect Europeans’ privacy rights than the EU can ask of its own member states. China’s expansive carveouts for national security and lack of checks on government surveillance call into question the meaningfulness of the PRC’s new privacy initiatives and feed global distrust.
It is an open question whether self-serving approaches are sustainable in an era when data security and national security have become all but synonymous. Reckoning with the challenge of digital coexistence should begin with a candid acknowledgment of these inconsistencies, if only to clarify that in the long run, the only realistic way to transcend them is through forms of legal and political restraint.
The U.S. approach
Although the United States lacks comprehensive federal legislation regulating private-sector data practices, a web of constitutional, statutory, and institutional protections limits U.S. government surveillance of U.S. persons—including in the context of foreign intelligence collection. Beyond U.S. borders and U.S. citizens, however, the American position is less clear.
In its approach to defining acceptable forms of government-sponsored cyberespionage (as distinct from cyberattacks, for example, that undermine critical infrastructure), the United States has attempted to draw a red line at commercially motivated espionage. That distinction—effectively condoning espionage by digital means so long as it is not done for commercial advantage—provided the basis for the 2015 agreement between the United States and China seeking to tamp down tensions in cyberspace. The agreement (later affirmed by the G20) provided that “neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.” The norm purports to rule out “commercial” cybertheft while implying that cybertheft for national security purposes remains fair game.
Yet U.S. signaling on this issue has been decidedly confused. The commercial/national security distinction has always been somewhat artificial in the Chinese political context, where commercial interests and national-security objectives are often entangled (a fact highlighted by Beijing’s recent “Big Tech crackdown”). But increasingly, Washington has assessed that next-generation technologies—a key target of IP theft—are inherently “dual-use” items that should be subject to export controls and other special protections because of their national-security implications. This growing securitization of technology policy threatens to undercut the U.S. attempt to draw a line between commercial and national-security espionage. After all, how many commercially valuable advanced technologies—whether turbofan engine designs or life-saving vaccine research—have no plausible nexus to national security?
Even the personal data with which artificial intelligence and machine learning applications are built is increasingly viewed by U.S. officials as a dual-use item with commercial and national-security value alike. As Attorney General William Barr put it when announcing the indictment of hackers who stole data on millions of Equifax customers, “This data has economic value, and these thefts can feed China’s development of artificial intelligence tools as well as the creation of intelligence targeting packages.” (These data-security concerns, set against the backdrop of suspicion about Chinese government access to the data of Chinese companies, have also factored into U.S. actions against Chinese-owned platforms such as TikTok and Chinese investment in U.S. companies such as MoneyGram and Genworth.)
The United States’ approach in messaging its displeasure toward Chinese cybertheft also is arguably in tension with the effort to carve out a category of “commercial” espionage that is off-limits while leaving space for “traditional” espionage for national-security purposes. To communicate this displeasure, the United States has relied on attribution in the form of indictments issued by the Justice Department’s National Security Division. Setting aside the debate regarding their efficacy, such indictments—often accompanied by language citing threats to U.S. “economic and national security”—are intended to signal to Beijing that commercial cybertheft is fundamentally a matter of U.S. national security.
Finally, U.S. signaling has been muddied by the Biden administration’s recent sanctions against Russia for the SolarWinds hack—a targeted operation that seems to fall within the scope of classic national-security espionage. The point is not to underscore that sanctions and threats seem to have done little to deter Russian operations. The problem is one of principle. As analysts were quick to point out regarding the SolarWinds sanctions, “it’s tough to see exactly what rule or norm for the world of state-sponsored hackers the Biden administration is seeking to write—or at least, what rule that the U.S. itself hasn’t broken in its own hacking operations.”
It is tempting to imagine that the European Union—with the privacy entrepreneurship of its General Data Protection Regulation (GDPR)—takes a more principled approach to state-sponsored cyber operations and government surveillance. But a closer look reveals that the EU’s policy is contradictory and confused in its own way.
The ongoing negotiation over a successor to the EU-U.S. Privacy Shield following the July 2020 judgment of the Court of Justice of the European Union (CJEU) in the Schrems II case illustrates the basic problem. The Privacy Shield was designed to provide mechanisms for companies to transfer data from the EU to the United States in compliance with Europe’s GDPR. In Schrems II, the CJEU invalidated the Privacy Shield, casting uncertainty over the future of cloud services and transatlantic data transfers for a wide range of companies. The problem, according to the court, was not the United States’ lack of a comprehensive, GDPR-like federal privacy law. Rather, the CJEU concluded that the Privacy Shield was invalid because U.S. law regarding government surveillance for national-security purposes does not grant foreign citizens located outside the United States the same legal protections and rights of judicial redress as U.S. citizens and people within the United States. That is, the U.S. side of the Privacy Shield lacked sufficient institutional checks to protect Europeans’ privacy. Guidance on data transfers by the European Data Protection Board has interpreted this ruling strictly, suggesting the possibility of a broader move toward stringent EU data localization. This despite the fact that, as Peter Swire and others have noted, “the U.S. has stronger safeguards than most or all other countries for foreign intelligence surveillance and privacy.”
Herein lies the contradiction: By effectively seeking to impose limits on U.S. extraterritorial surveillance activities, the CJEU sought to constrain cyber actions that EU states also carry out but that are excluded from the scope of EU law. For example, a review of French legislation on international surveillance indicates that France probably does not meet the very standards the EU has set for determining whether third countries—like the United States—have safeguards adequate to protect the privacy of European citizens. This is because EU law does not prevent direct access to data by intelligence agencies when such access does not impose specific data processing obligations on private companies.
The EU’s double standard is all the more galling to U.S. officials given that the U.S. government has offered unrivaled transparency about its surveillance oversight and its policies to protect individual privacy rights, including those of non-U.S. persons. As the U.S. recently argued to European data regulators, Europe’s proposed standards “would have the perverse result of punishing countries like the United States that have taken substantial measures towards transparency and rewarding others who have chosen to keep their involvement in such activities entirely secret.” China looms large in the background of this complaint.
Beijing’s double standards
This brings us to China, perhaps the country most obviously plagued by internal contradictions in its approach to cyberespionage and surveillance. The Chinese government is adopting a growing raft of data localization policies aimed at protecting Chinese data from foreign surveillance and the perceived unfairness of U.S. and EU “long-arm jurisdiction” used to access data overseas. At the same time, Beijing has engaged in massive hacking campaigns to vacuum up data from abroad. Similarly, Beijing has beefed up its domestic legal regime for intellectual property protection even as its cybertheft of IP reportedly continues.
The Chinese government has complained about the “bullying” actions the Trump administration took against Chinese tech companies like TikTok and WeChat in the name of national security—many of which were blocked by U.S. courts prior to being walked back and reconsidered by the Biden administration—at the same time that it continues to impede U.S. tech platforms such as Facebook, YouTube, Google, and Twitter from operating in China without any meaningful judicial review or external oversight. At home, the Chinese government operates an expansive surveillance state and reportedly enlists Chinese companies to assist with intelligence activities. Yet it is also attempting, through new legislation on personal information protection and data security, to curb abusive data-collection and surveillance practices by domestic companies and government entities alike.
There is thus a fundamental dissonance between the Chinese party-state’s imperative to improve data protection and its expansive conceptions of national security and public order. Chinese laws that contain exceptions for these broad objectives are easily exploited in a system that lacks an independent judiciary to credibly check central government prerogatives. Beijing has given other countries no reason to believe that Chinese companies or individuals can use the Chinese legal system to meaningfully push back when the party-state seeks access to data in the name of national security.
Against this backdrop, there is little to suggest that the rights of non-Chinese citizens are relevant to Beijing’s considerations when it engages in overseas cyber operations. With respect to these activities, Chinese official rhetoric proceeds from a largely defensive position, portraying China as the victim of cyber intrusions and advocating for an amorphous conception of sovereignty that reflects existential concerns about the need to control the online domain. Foreign interlocutors have been frustrated by the Chinese government’s lack of transparency around government surveillance and its officials’ refusal to specify which types of cross-border cyber operations it considers to be violations of international law or norms. Accusations that Beijing engages in persistent cyberespionage—the recent Microsoft Exchange hack being just one example—are met with generic denials and claims by Chinese officials that China is “a staunch defender of cybersecurity” and “firmly opposes and cracks down on all forms of cyberattacks.”
The result is that Beijing’s hacking operations, alongside its denials and finger-pointing, are feeding calls for greater transatlantic cooperation to counter China’s “cyber-aggression.” Divergences between the U.S. and EU over the nuances of government surveillance, privacy rights, and corporate data transfers seem trivial by comparison.
Squaring the circle?
The foregoing suggests a bleak outlook for global convergence around the limits of cyber-snooping and the protections necessary to ensure the “free flow of data with trust.” Over the long term, a workable path forward will likely require bold commitments to restraint and compromise by all parties.
Eventually, U.S. interests in cyber stability with China may call for a general agreement to abstain from data theft of a certain scale or effect rather than on the basis of operational intent. This would be particularly salient if U.S. officials determine that a principled distinction between the modes of cyberespionage that Washington currently condemns and those it condones is untenable in the age of AI. In the near term, there is little cause for optimism that such an agreement to exercise restraint is achievable, or that it could be verifiably enforced even if achieved.
A more realistic near-term goal is reaching an agreement with Europe on transatlantic data flows, partly with an eye toward competition with China. This may require its own variant of U.S. “restraint”—namely, reforms to provide more robust avenues for privacy redress to European citizens. To be sure, European law on cross-border data flows is rife with contradiction; and in any event, the EU’s concerns about U.S. government access to data may pale in comparison to its concerns vis-à-vis China. In the wake of Schrems II, the EU is flirting with a brand of hard data localization that could impose far-reaching economic and security costs on its member states. Still, none of this changes the reality that Washington cannot simply dictate terms of digital coexistence to Brussels.
Taking the long view, we should not abandon hope that a multilateral arrangement among like-minded governments could incentivize China and other governments to improve protections of individual rights and set clearer boundaries on cross-border cyber operations. It’s worth noting that serious efforts in this vein are already under way. One such initiative is a multistakeholder process under the auspices of the Organisation for Economic Cooperation and Development (OECD) to flesh out shared principles regarding government surveillance and access to data. This work addresses “the legal bases upon which governments may compel access to personal data; requirements that access meet legitimate aims and be carried out in a necessary and proportionate manner; transparency; approvals for and constraints placed on government access; limitations on handling of personal data acquired, including confidentiality, integrity and availability safeguards; independent oversight; and effective redress.”
Any such agreement will need to grapple with thorny issues concerning governments’ “direct access” (i.e., international surveillance that does not involve compelling private entities to disclose data). And it must confront head-on the difficulty of operationalizing those principles on which states can agree. For example, the Council of Europe’s Modernised Convention 108+ provides exceptions to individual data rights “when such an exception is provided for by law, respects the essence of the fundamental rights and freedoms and constitutes a necessary and proportionate measure in a democratic society.” It goes without saying that many governments that self-describe as “democratic” would define “necessary and proportionate” in quite different ways. Should the jurisprudence of the (non-democratically-elected) European Court of Human Rights provide the touchstone for such standards? Will the U.S. and EU agree to special protections that apply to each other’s citizens but leave the nationals of other countries out in the cold? Will competing incentives, such as the desire to preserve access to the Chinese market, water down these efforts to the least common denominator?
In the absence of digital trust, the ongoing shift toward robust encryption practices and “zero-trust architectures” is sure to be one part of the solution, but it cannot be the only answer. Here again, governments still want to have it both ways: genuinely secure private communications but access to data when needed for law enforcement or security agencies. As long as cyber offense outpaces cyber defense, technical solutions cannot obviate the political challenge of forging a coherent vision for how to circumscribe governmental power in cyberspace.
Some might argue that these are conditions to be managed, not problems that can ever be truly solved. Perhaps so, but citizens should not let policymakers off the hook so easily. Genuine rule of law means that laws provide enough certainty to regulate conduct and are accompanied by institutional structures to protect against the arbitrary exercise of government power. The question of how to protect national security through rule of law in the digital era should be a matter of robust public debate, not merely the specialized province of government technocrats and industry insiders. To make that debate honest and effective, we must begin by acknowledging not only the mutual vulnerability of all nations in the digital era, but also the self-serving contradictions that have contributed to the mess we find ourselves in.
Robert D. Williams is a nonresident senior fellow in the John L. Thornton China Center at Brookings. He is a senior research scholar, lecturer, and executive director of the Paul Tsai China Center at Yale Law School.