In late September 2015, the Presidents of China and the United States reached a number of agreements on cyber security, cyber espionage, and cybercrime. They provide for a new high-level contact group as well as assurances to investigate and resolve complaints from each other. The agreements are important diplomatic breakthroughs, but they are relatively piecemeal when seen against the bigger picture. They may ultimately prove to be destructive if not followed up quickly by a more comprehensive agreement.
From the United States’ side, the agreements intended to constrain China from using government-collected commercial intelligence for the benefit of its civil sector firms. This narrow focus on just one aspect of the bilateral cyber problem appears to reflect a belief in the United States that it can be addressed without Washington having to give up anything. Further evidence is its repeated demands unaccompanied by any concessions, even rhetorical ones. The US decision to stake so much on eliminating cyber espionage, without considering other major challenges, may be misguided for at least three reasons.
First, the United States overestimates the negative impact of China’s cyber espionage on US competitiveness. Take for example the case of Westinghouse, the giant US corporation named as a victim in the indictments brought against five People’s Liberation Army (PLA) personnel in May 2014 for commercial espionage. Westinghouse was almost certainly the victim of cyber espionage and undoubtedly, a Chinese competitor received its trade secrets.
However, within two months of the indictment, Westinghouse raised its estimates of likely new contracts in China to US$20 billion. Its competitiveness does not appear impacted negatively in the short to medium term. Moreover, Westinghouse was already in a long-term technology transfer relationship with China that had seen it hand over some 75,000 technical documents as well as engaging in joint nuclear construction projects in China.
Second, the US position rests on its assertion that there is a workable and enforceable distinction between the national security purposes of economic cyber espionage (which Washington defends and conducts) and the commercial purposes of cyber espionage (which Washington says it opposes). In effect, the United States is implying very clearly that the espionage against Westinghouse had no national security implications at all. Such a claim is not sustainable.
There may be few companies in the United States where the blurring between military and civil purposes is more profound. Westinghouse is a major supplier of military nuclear reactors to the US Navy. For this reason, Westinghouse and the nuclear technology sector appear therefore to have been poor choices for action by the United States as part of a diplomatic strategy to counter China’s cyber espionage for being commercial in character.
Third, as many commentators have argued, the agreement on commercial espionage may create more diplomatic minefields than it eliminates because of imprecise language and lack of enforcement capability.
There are several much larger considerations as well. In cyberspace, there is no wall big enough to prevent commercial cyber espionage across national borders. This applies as much to the Great Firewall (the nickname for China’s efforts at technical control of cyber space) as it does to the ‘Little Firewall’ (US efforts to stem Chinese, Russian, French, or Israeli cyber espionage by technical and policy means). According to a senior FBI official, 90 per cent of the cyber security systems in the United States are hackable with only moderate levels of technology and determination.
The current approach in most countries to cyber security can be summed up as ‘patch and pray’, a reference to the reality that existing technical systems have very large numbers of vulnerabilities that are only gradually discovered and are addressed by periodic ‘patches’ to update software. One unfortunate corollary of this situation is that in countries such as China that have a heavy reliance on pirated software (which does not receive patches), almost all corporate data is highly vulnerable to theft and leak.
The problem is also a human one. We need new suites of ‘highly secure computing’ technologies that can begin to compensate for the weakness of the people who operate them.
The concept of ‘highly secure computing’, as an alternative model to ‘patch and pray’, refers to information technologies likely breached only in exceptional and rare circumstances, and at high costs and risk to the attacker. In 2009, the US Department of Homeland Security declared that scalable secure computing should be the first of 11 national priorities for research and commercial development to ‘transform the cyber-infrastructure so that critical national interests are protected from catastrophic damage’. Highly secure computing is still developing for the business world. The global user community would then have to adapt to it and be adapted for it. As pointed out in a study by the EastWest Institute, this will definitely be difficult and costly.
More fundamentally, there can be no national cyber security for the United States without ‘international information security’. The US government has yet to find an agreement with other major powers on what this is. It has promoted certain normative behaviour in cyber space. As long as the United States is determined to maintain technological superiority in as many cyber and military related technologies as it can, then it must understand that other states will continue to want to weaken it, including through cyber espionage.
Thus, apart from promoting cyber norms, the United States and China, and other cyber powers, need to begin talking about what, in practical technological and human terms, constitutes ‘international information security’, ‘strategic stability’ and an enduring ‘peace’ in cyber space. This is a staggeringly difficult problem. In addition, the United States will have to compromise to achieve such a state of affairs.
Taken together, all of the considerations mentioned above suggest that the recent US–China agreements do not address the main problem between the two countries in cyber space. Could this be a case of ‘fiddling while Rome burns’?