The China-US Cyber Spying Deal: Where Are We Now?
Despite improvements, there are still large areas of distrust in U.S.-China relations regarding cybersecurity.
It has been over a year since Chinese President Xi Jinping and U.S. President Barack Obama agreed to refrain from “conducting or knowingly supporting commercial cyber espionage” for “commercial advantage” in September 2015. While it is still unclear what impact the agreement had on reducing the number of cyber attacks from China on U.S. networks, the deal nevertheless remains politically significant for a number of reasons.
First, the agreement helped to depoliticize and depolarize discussions on cyber issues between the two countries. On the one hand, by concluding the agreement, the U.S. administration leveraged a tool to assuage concerns of the private sector and wider public that it is not doing enough to counter Chinese cyber attacks. On the other hand, the Chinese government (i.e. Xi Jinping) reportedly has utilized the agreement to push for reforms and weed out corruption within the People’s Liberation Army and the intelligence services. (It is believed that rogue actors within the PLA and intelligence services are responsible for a large share of sophisticated cyber attacks against U.S. targets originating from China).
As a consequence, the U.S. private sector felt less compelled to publicly “name and shame” Chinese attackers over the last year, which would invoke a response from the U.S. government. Conversely, due to the crackdown on rogue actors within the PLA and intelligence apparatuses, Chinese hackers allegedly resorted to fewer, more sophisticated, and stealthier hacks, that, while strengthening the Chinese government’s plausible deniability claim when it came to cyber espionage, in turn made it more accommodating during bilateral negotiations on cyber issues with the United States.
Second, the agreement led to a number of promising new diplomatic initiatives. In September 2015, in addition to the cyber spying agreement, China and United States also agreed to promote appropriate norms of state behavior in cyberspace, and to establish a high-level joint dialogue mechanism on fighting cybercrime and related issues. In May, the first Sino-U.S. Senior Experts Group convened to discuss international norms in cyberspace. In June 2016, China and the United States held their second round of bilateral talks on cybercrime in Beijing. Both sides agreed to the so-called “U.S.-China Cybercrime and Related Issues Hotline Mechanism Work Plan.” According to the Cyberspace Administration of China, a new Sino-U.S. cyber hotline is now functional. Both countries also conducted a tabletop exercise in April and are slated to hold a second exercise by the end of the year.
It is important to recall where the U.S.-China cyberspace relationship stood prior to the deal.
The two countries experienced a sharp deterioration of mutual understanding after the U.S. Justice Department indicted five members of the People’s Liberation Army for malicious activities in cyberspace in May 2014 in an effort to stem the tide of Chinese state-sponsored cyber attacks on U.S. critical information infrastructure.
This in turn led Beijing to freeze official discussion of bilateral cyber issues and included suspending participation in the U.S.-China Cyber Working Group (although quiet diplomatic dialogues between both countries continued throughout that period).
Concurrently, Beijing accused Washington of duplicity based on the 2013 revelations of U.S. cyber espionage activities worldwide released by Edward Snowden. The United States in turn, insisted that it had the right to conduct cyber espionage for national security purposes, whereas it insisted that China was violating international norms with its massive commercial cyber espionage effort.
While contacts at the technical level (e.g., between Computer Emergency Response Teams) persisted throughout the period, the diplomatic impasse made any substantial progress on cyber policy questions all but impossible.
The September 2015 Sino-U.S. agreement ostensibly reversed this downward trajectory.
However, the recent progress cannot deduct from the fact that a cyber cold war atmosphere persists between China and the United States. One sign is the continuing militarization of cyberspace by both sides. As I noted in January:
In 2015, the United States and China also stepped up the cyber arms race. In May of last year, China issued its first ever “Military Strategy” emphasizing the importance of cyberspace for future military operations. In 2015, the Pentagon issued a new “Cyber Strategy,” and Cyber Command issued a new planning document, titled “Beyond the Build.” In addition, the Pentagon issued a new Law of War Manual, in which the pre-emplacement of “logic bombs” in an adversary country’s networks and information systems is advocated.
This year, U.S. President Barack Obama also extended a national state of emergency, first announced in April 2015, due to continued (Chinese) cyber attacks against U.S. critical information infrastructure.
China is highly sensitive to any perceived encroachment on its cyber sovereignty and rejects both the free flow of information and the Western “multi-stakeholder” approach when it comes to internet governance. Despite the September 2015 China-U.S. cyber espionage agreement, mutual distrust will remain high for the foreseeable future.