(Cybersecurity/Cina/USA) Cybersecurity and China (Kenneth G. Lieberthal, Brookings, 22 febbraio 2013)
As recent news reports highlight, the U.S. government and cyber security firms are increasingly naming names as they accuse the Chinese of a wide ranging state-directed campaign of cyber espionage. For technical reasons, pinpointing who has actually directed such an attack is typically a fraught effort. But the evidence is by now convincing that some players in China are undertaking massive efforts to penetrate foreign networks and exfiltrate information of commercial, diplomatic and security value to various Chinese interests.
These activities are becoming a source of increasing tensions in U.S.-China relations and warrant serious diplomatic efforts to address. But there are no quick fixes in this arena, and some issues will prove very difficult for the U.S. government itself to pursue.
What might it be feasible for American negotiators to accomplish if the Chinese side is willing to engage seriously and sincerely in talks to reach agreements on norms and activities in the cybersecurity realm? I assume here that Beijing will insist at least that the U.S. and the other major advanced industrial countries hold themselves to the rules that are negotiated. What types of issues may be subject to successful negotiation? Four broad categories warrant consideration.
Espionage
Americans are alarmed and infuriated by Chinese intrusions into our defense, intelligence, and diplomatic networks and by China’s acquisition of information on how to penetrate (and potentially attack) our systems that control critical infrastructure such as power plants, the electrical grid, dams, and financial services networks. But all of this falls under into the category of espionage – acquiring nonpublic information that can give one state an advantage of another. Nobody has ever figured out a way to stop states from engaging in espionage wherever they are able to do so.
Information on American uses of cyber capabilities for espionage is largely classified, but it is unrealistic to assume that the United States does not exploit these opportunities on a large scale, including against China. It is, moreover, hard to imagine that the U.S. government agencies involved would agree to negotiate with China restrictions on what they can gather.
In sum, the U.S. is very unlikely to put cyber espionage on the table for serious discussion. Even if we did so, our allies would almost certainly not go along. There are a lot of ways to try to render a foreign power’s espionage efforts ineffective (or even through disinformation and other tactics to use them against the foreign power), but establishing self-limiting rules of the road is not among them.
Commercial Data
Washington would have much less trouble calling for a multilateral agreement to prohibit the use of government-sponsored cyber intrusions to steal data (technology, negotiating strategies, bid prices, etc.) to provide to the country’s corporations or other bodies to use to make money. The U.S. government does not penetrate foreign corporations and then turn over commercially valuable information to private sector companies.
But even here, there are constraints. For example, the United States has repeatedly identified foreign firms, including in China, that have engaged in proliferation or other activities that violate U.N. sanctions or American law. Undoubtedly, the U.S. government has at times learned of these activities through cyber intrusions into corporate networks abroad. In addition, the French government is widely reputed to engage in corporate cyber espionage to benefit French companies, and this may well be the case as well for some other American allies. Differentiating intrusions for legitimate security purposes from those for commercial gain may prove very difficult in practice. And Beijing may have serious company in opposing any agreement to prohibit intrusions for commercial gain.
Criminal Activity
A third area is battling criminal activity. This can range across the spectrum from cyber fraud, to cyber heists of bank accounts, to child pornography, to money laundering, to gun running, to a vast array of other criminal endeavors that utilize digital capabilities.
Criminality is an arena that may well hold the most promise for reaching meaningful and enforceable agreements, as many (but by no means all) types of crimes are recognized as such by all major governments. Negotiations along these lines would most likely progress most effectively if they begin with clear cut common concerns (such as child pornography) and then move on to more complex issues only as mutual trust is created and as understanding develops as to the types of enforcement measures that are feasible and acceptable across national borders.
Warfare
Cyber warfare means using cyber weapons to disrupt another country’s military capabilities and/or inflict direct harm on its people. It may be possible to identify certain types of cyber attacks that by common agreement are prohibited and would warrant severe retaliation (the 21st century equivalent of the post WWI agreement to prohibit the use of poison gas as a weapon of war). Applying principles such as those in the Geneva Conventions (for example, prohibiting targeting civilians and requiring efforts to minimize noncombatant casualties from an attack) may be a fruitful subject to investigate. Negotiations aimed at reaching such agreements can also increase understanding of redlines that various countries have and the rationales behind them. This in itself can potentially reduce the risk of cyber attacks that escalate into major conflict.
But any effort to sharply restrict the overall use of cyber weapons to achieve military objectives is almost certainly a reach too far. The United States, for example, reportedly worked with Israel to use cyber weapons (most notably the Stuxnet virus) to disrupt Iran’s nuclear program. All advanced militaries, including China’s PLA, moreover, have developed and deployed various offensive and defensive electronic warfare capabilities. Various militaries will have strong views on what types of capabilities, if any, they feel they can sacrifice in the context of multilateral negotiations to constrain cyber warfare capabilities and actions.
In sum, Chinese activities rightly produce anger and frustration in the US and elsewhere, but figuring out what the United States itself is prepared to put on the table and what types of agreements to seek with the Chinese and others is a very difficult, complicated task. Simplistic notions of insisting that the Chinese halt their obnoxious and offensive behavior will certainly increase the temperature but will inevitably fall far short of producing constructive outcomes, especially given that the U.S. government would not itself accept many of the restrictions on conduct that people would like to impose on Beijing.
The above brief overview highlights the importance of thinking clearly about what types of activities can and cannot potentially be addressed by negotiations to establish international agreements in cyber space. The technical details of the cyber world of course add another huge level of difficulty to negotiations concerning cyber security, especially as the relevant technologies are changing rapidly and constantly. A Brookings monograph I coauthored with Peter Singer, Cybersecurity and U.S.-China Relations, elucidates these complexities and lays out a path forward.
As that monograph explains, a process of engaging the Chinese to map out what might be negotiable and to try to develop common approaches to reducing threats in the cyber realm is, if carefully constructed, potentially very worthwhile. The negotiating process itself can begin to develop common vocabularies and concepts that are essential to any development of common approaches and rules, help to inform each side about perspectives on the other side, start to clarify what is feasible to try to accomplish, and in the process nurture a sense of familiarity and possibly growing trust. None of these will resolve the major outstanding problems, but all potentially increase both sides’ ability to manage the increasing dangers cyber issues are posing to U.S.-China relations. In a realm where there are no quick fixes, that is an objective worth pursuing.