Commentary | April 18, 2013

EastWest Direct: U.S.-China Cyber Tensions

EWI's Michael McShane interviews Piin-Fen Kok, director of EWI's China program, about heightened discord in the U.S.-China relationship on cybersecurity issues.

Could you provide the background on Sino-U.S. diplomacy on cybersecurity in recent years?

U.S.-China tensions over cybersecurity have been rising for many years now, so this isn’t really a new issue. The U.S. has, for years, accused China of probing and hacking systems—whether it’s emails or networks—of various U.S. entities (e.g., government agencies, commercial businesses and various non-commercial entities). In terms of commercial interests, this is one of the biggest points of contention for U.S. businesses. The main allegation is that Chinese entities have used cyber means to steal proprietary information, trade secrets and intellectual property from U.S. companies. In 2011, the U.S. and China added cybersecurity to their bilateral Track 1 agenda, as part of the Strategic Security Dialogue, but after two years, those talks didn’t seem to result in much progress.

On the military side, the Chinese military is also building up its asymmetric capabilities (including cyber) under the broader rubric of “informationization” of warfare. There is a good amount of concern on the part of the United States and other countries, especially in Asia, about China’s military, because of a lack of transparency from the People’s Liberation Army (PLA) about its strategic capabilities and intentions. 

With regard to the various allegations of probing and hacking, the standard Chinese response has been: “Our cyber capabilities are not as developed as those of U.S. and other Western nations, and we are victims of such intrusions too.” Some Chinese officials and experts even claim that China is only a victim. Public opinion leaders, scholars and Chinese officials have posited that the U.S. is using the cyber issue, among many other issues, as an excuse to contain China’s rise.

Why have tensions become more significantly pronounced this spring?

The Obama administration is facing increasing pressure from its constituents and U.S. businesses about Chinese actions in the cyber realm, as well as the seeming lack of accountability on the Chinese side. This comes on the heels of various media reports, from earlier this year, about widespread hacking—apparently from Chinese sources targeting media companies, research organizations, and other U.S. entities. 

For example, a New York Times reporter who broke a story about Wen Jiabao’s family’s fortune had his email hacked, as did other Times reporters. Media organizations and some NGOs had their systems hacked as well, so it’s reached an apex. In his most recent State of the Union address, President Obama indicated that the U.S. would not stand for “enemies” attacking U.S. critical infrastructure, as well as foreign countries stealing U.S. commercial secrets. 

Around the same time, Obama signed an Executive Order that was meant to boost the defenses of U.S. critical infrastructure. While he did not single out China by name, if you’ve read the news over recent months, it would not be a stretch to infer that much of his recent words and actions were aimed at China. Again, it reflects a great sense of frustration on the part of the Obama administration. Then, there was the Mandiant report, which linked a lot of the Chinese hacking actions to a PLA unit. This is where it gets really tricky and very controversial; this would mean it’s state-sanctioned.

Another sign that the U.S. government’s patience has really run out is that high-level officials such as National Security Advisor Tom Donilon and Under Secretary of State Robert Hormats have publicly called out China and urged them to work on cybersecurity issues. 

How do you see these disputes affecting U.S.-China relations on important bilateral issues, such as trade and defense, going forward?  

This different and more outspoken approach by the U.S. has suddenly generated a great deal of discomfort in China. We hear several people saying similar things: “we are primarily victims,” “we should be thinking about constructive approaches and working on common interests,” “the U.S. is trying to contain China,” “the U.S. is more advanced than us,” etc.

On the trade issue, there’s growing concern about allegations of Chinese entities engaging in commercial cyber espionage—for example, by stealing proprietary information. That immediately affects the U.S.-China trade relationship because it erodes the trust between the two and it just makes it very difficult for American businesses to do business with China. As I noted in a recent op-ed, there will come a point when the costs to foreign investors of doing business in China will rise relative to the benefits. If China is serious about attracting foreign investors, then it really has to do something about this issue. 

On the defense side, China’s key concerns are about how the Pentagon will use this cyber issue for the military. Chinese concerns are that it might be used as an excuse or justification for the U.S. to beef up its cyber offensive capabilities. So, there’s this whole issue of the militarization—and weaponization—of cyberspace, where the U.S., at this point, has realized that perhaps the best defense is offense.

What kind of action is being taken on this issue at a global level? Are the U.S. and China going to forge ahead on their own or will the international community play a role?

Interestingly, China and Russia actually jointly submitted a draft code of conduct to the UN, on information security. And that’s another thing: the terminology is going to be tricky because the term cybersecurity doesn’t really exist in the Chinese language. It’s called 网络安全 (wangluo anquan), but if you actually translate it literally, wangluo means network. Because the Chinese language is very precise, you have separate terms for concepts like information security, Internet security and network security. There are also philosophical differences. The Chinese view cyberspace as a domain for promoting common development; they don’t want to touch the whole freedom/human rights aspect, whereas the U.S. is really big on that – so that’s another form of tension. 

The U.S. has urged China to engage in dialogue to establish acceptable norms of behavior in cyberspace. It has to be an international effort, because I really don’t see the U.S. and China teaming up to set rules of the road for the whole world. In June 2010, the Chinese government issued its first ever white paper on the Internet in China and laid out its key concerns and challenges. Under the section on international cooperation, China specifically proposed a UN-backed mechanism to govern actions of the international community in cyberspace. This indicates the desire of China and other developing countries for a greater say in developing international norms governing this domain. As it is, China hasn’t been very pleased about the fact that the few global institutions governing cyberspace, such as the Internet Corporation for Assigned Names and Numbers (ICANN), have been primarily U.S.- or Western-led initiatives.

Given the current course of the relationship, what could potentially ease these tensions? 

We’ve seen a lot of tension being played out publicly in the media. It’s tricky because the Chinese like to save face. And this whole “name and shame” thing doesn’t go well with the Chinese psyche because they are publicly embarrassed. It’s understandable that they are going to come up with the responses that they have come up with publicly, but if the rhetoric is ratcheted up through the media, that’s not going to help. This would create an even more contentious public climate that will tie the hands of both countries, especially if it affects public opinion on both sides.

Discreet conversations need to continue. I’m glad to hear that the U.S. and Chinese governments have agreed to form a bilateral working group on cybersecurity, in a continued effort to try and address their mutual concerns at the Track 1 level. And I think one encouraging sign is that we’ve seen some reports recently that China has actually reached out to the U.S. and said “OK, let’s sit down and talk about this, we are willing to talk about this.” The first step is that both sides need to acknowledge that there is a problem, especially on the Chinese side. It definitely is a perceptual and public diplomacy issue because everybody thinks that China is the bad guy.

You said that the Chinese want to save face. I would imagine that Washington understands that this element is important to the Chinese? 

It is precisely because the U.S. opted to save face for the Chinese that it has not come out, until recently, to say, “Look China, you’ve got to deal with this right now.” The U.S. has decided that enough is enough, and I think there was a lot of domestic pressure for the Obama administration to do something. The Chinese need to recognize that, first, this is a big public diplomacy problem for them. Second, and perhaps more importantly, look at the evidence—they can’t just say that this is a cyber threat, that they are just victims. They should at least acknowledge that they need to assess how much of that is true, and they are of course entitled to come to their own defense, but at least acknowledge the problem. Acknowledging the problem is a first step to actually finding a way to move forward.

China’s foreign minister Yang Jiechi effectively said, “We need to talk about this.” Was that their way of acknowledging that there is a problem?    

Yes, and I think the Chinese realized that for them, at least on the public diplomacy front, there is an issue. The way they’ve tried to address it is to present themselves as very engaged in bilateral, multilateral and international cooperation. I think they’ve been active enough. Even now, the Chinese and many Americans are saying that while they’re having these discreet conversations and trying to acknowledge the problem and address perceptual issues, there are also some very real, concrete concerns that affect both sides. For example, protecting critical infrastructure is something that’s going to affect every single country. It’s a mix of talking it out and addressing perceptions, and implementing concrete cooperation and confidence-building measures—I think that’s key.    

EastWest Direct is an ongoing series of interviews with EWI experts tied to breaking news stories.