EWI's Greg Austin proposes first steps to make progress on cyber crime—and to defuse bilateral tensions
On March 12, a spokesperson for China’s Foreign Ministry said the government is prepared to talk to the United States about the concerns raised on March 11 by National Security Adviser Thomas Donilon on cyber-assisted theft of intellectual property. But as flagged by Donilon himself, the concerns raised are not limited to the commercial sector and go to deeper issues of national security.
This linkage is not about whether the Chinese actions are destabilizing traditional areas of military activity. The United States, as revealed again in the Donilon speech, has now staked out its view of global Internet governance and order as in themselves constituting vital strategic interests. The United States will now regard as its enemies those countries that “seek the ability to sabotage our power grid, our financial institutions and our air traffic control systems,” as expressed by President Barack Obama in his State of the Union address this year. The remark is understood to have been an allusion to China, among others. But China is rejecting the very foundations or premises of this U.S. policy.
The international system of 2013 could not have thrown up a policy challenge less likely to be solved soon than this one. Its solution depends on so many bureaucratic interests in two very different countries—from law enforcement and commerce to national defense and internal security. The issues range from the most sensitive intelligence sources and methods to protection of political leaders. The private sector, so very different in legal character and standing in each country, is heavily involved. The legal regimes and indeed the capabilities of its agencies to fight cyber crime are very different, and in both cases, weak.
In the two countries, though the balance of opinion among political elites on privacy and surveillance rights is very different, there is no strong consensus among policy elites. This lack of consensus constrains formulation of a national position on effective international cooperation. What’s worse, and what makes this problem so difficult, is that the “smoking gun” in cyber crime—if we are lucky enough to find one—is so indecipherable to the non-specialist it might as well be invisible. While specialists have no problem with it, having policymakers allocate large amounts of money to investigating cyber attacks (something many of them don’t understand and can’t actually see) is a very big demand. Even worse, staking the future of the entire strategic relationship between China and the United States on an early resolution of the challenges would seem foolhardy in the extreme.
In his speech, Donilon acknowledged that a major weakness of the strategic relationship between the two countries is the lack of military exchanges. He noted that to solve major security challenges in the region and the world, such as the Korean nuclear situation, the armed forces of the two countries need a better understanding of each other and much more direct contact. He appealed for some action on this front. As importantly, however, if the two countries are to begin to address the global cybersecurity challenges, including the very sensitive bilateral ones, then the police and internal security organizations, and the lawyers, of both countries need much closer ties as well.
The underlying motivations of each are not well understood by the other. Donilon issued three demands to China. It is unlikely that China will be able to meet these demands in the short term in a way that satisfies the United States. The tension around cybersecurity issues will remain until both sides find a way of bridging the gulf between the countries’ different perceptions of them. Moreover, the bigger challenge may be addressing what the Foreign Ministry spokesperson in the remarks on March 12 called China’s marginalization in the digital world. That marginalization is the result of a deep gulf in Chinese and American cyber power. The gulf is evident in military capabilities, law enforcement capabilities, and legal regimes.
In light of the Donilon’s challenge to China and its positive response in principle, this short commentary offers an outline of concrete steps that might be taken to advance dialogue between the two countries. It centers on the idea of connecting Chinese and American cyber crime fighters and their policy advisers.
Understand the problem first
Little attention has been paid, in public debate at least, to ways of getting American and Chinese cyber crime fighters together to discuss solutions to the challenges raised by Donilon. This is an urgent matter. It would have to have a wide view of all of the challenges outlined above, at the same time focusing on concrete problems that are bedeviling the relationship today.
For its part, the EastWest Institute’s cyber crime legal working group, led by Norwegian Judge Stein Schjolberg, has recommended one course of action to address the threat to critical infrastructure referred to by Obama. In a 2011, summary report, this group suggested that a new treaty should be agreed upon that outlaws “intentional global cyber attacks against critical national infrastructures.” The group noted that this issue has “not yet been regulated by international law” and has not yet been sufficiently addressed in the practices of states. It further recommended that “all countries implement legislations necessary to establish as criminal offences under its domestic law, when committed intentionally and without right, whoever by destroying, damaging, or rendering unusable critical communications and information infrastructures” or “causes substantial and comprehensive disturbance to the national security, civil defense, public administration and services, public health or safety, or banking and financial services.”
To pursue that recommendation, policy makers would need to begin to navigate between the very divergent Chinese and American approaches toward treaty regulation of cyberspace, with the former favoring new formal treaty arrangements, and the latter so far not remotely disposed to any new treaty. The United States has argued that current international law is adequate. Yet Donilon’s appeal for the United States and China to agree on rules of the road for cyberspace may presage a shift on this point.
The institutional structure of the bilateral relationship at official levels for addressing these issues is weak. It was only in September 2012 that the U.S. Department of Homeland Security and the Chinese Ministry of Public Security agreed to an annual meeting. They also agreed to lower level working interactions to address the structures to address the “full range of homeland security issues,” of which cyber crime was one. Even though the FBI set up an office in China in 2002 (mainly for counter-terrorism issues after 9/11), and China has maintained a ministry of public security representative in its Washington Embassy for some years, the cooperation in terms of cyber crime has been episodic. Those offices have so far clearly failed to bridge the huge gulfs between the two countries in this area of policy.
One view of the strategic framework of the relationship between the United States and China in cyberspace is spelled out in an EWI policy paper on this subject published in October 2012. One of its recommendations was the inclusion of China in the G8 working group on high-tech crime. At the Munich Security Conference in February 2103, an EWI briefing identified three urgent measures for international collaboration on fighting cyber crime and three for addressing stability in cyberspace. One of the anti-crime proposals which could have immediate symbolic effect was to develop an international action plan against the “most wanted” cyber criminals. A second was to create an international process for standardization of procedures and exchange of information among national and regional CERTs and other first responders. These sorts of ideas can be worked into the U.S.-China framework.
The international setting provides a foundation for closer connections between crime fighters in the United States and China. But this also remains weak. Separate from a sharp difference of opinion over the value of the Budapest Convention on Cyber Crime, which the United States has signed but which China refuses to sign, international cooperation on policing of cyber crime is a fairly recent phenomenon and expertise in most police forces and prosecutorial services remains weak. The first Interpol Cyber Crime Investigation Training Conference was held in Lyon, France in 2005. An Interpol General Assembly resolution of 2006 acknowledged global weaknesses in terms of investigating cyber crime, while calling for international standards on the search, seizure and investigation of electronic evidence. China is an active member of Interpol and has an office in Beijing. A Chinese vice minister visited Interpol HQ in Lyon in 2011 where he reasserted China’s commitment to international collaboration in fighting crime. Both China and the United States have trouble filling the rapidly expanding number of government posts in cyber crime fighting because demand is high and competition from the private sector is intense.
Is détente on cyber crime possible without addressing the military security dilemmas?
No. A close reading of Donilon’s speech and China’s reaction would suggest that the political will for closer cooperation between China and the United States on cyber crime is simply not there for the moment. That will probably change only if some mutual understanding can be reached at high levels on what China calls its marginalization and on what the United States regards as China’s quest for a military advantage in penetrating critical infrastructure. While these are each highly complex problems in their own right, there are crossover points between the two issues on which joint efforts might produce an improvement in the political atmosphere. One is to understand better the mutual dependence of the ICT sectors of the two countries, and the development trajectory of this relationship which will eventually see the lifting of technology trade bans on China. A second is to try to find the middle ground on legal approaches to critical infrastructure protection (perhaps simply by mutually compatible domestic legislation).
We can modify the three recommendations from EWI’s briefing for the 2013 Munich Security Conference to fit the U.S.-China scenario as follows:
- Commitment: States need to make an explicit commitment to strategic stability in cyberspace within the framework of a fully articulated foreign policy and national security doctrine. This has to be grounded in a series of overlapping bilateral and multilateral understandings.
- Transparency and understanding: Parliaments, business leaders and specialists in the two countries should undertake studies on the impact of their national military activities in cyberspace.
- Joint Action: The two governments, research organizations, businesses and NGOs need to foster the emergence of many more informal but highly focused exchange processes with a view to making progress on sub-elements (points of disagreement) within the larger picture of cybersecurity.
The Donilon demands and China’s positive response in principle need to be buttressed by quick action from the private sector and non-government organizations. To this end, private actors in the United States and China should set up a high-level task force to mobilize support for more effective cooperation between China and the United States in investigation and prosecution of cyber crime in three areas: (a) protecting intellectual property (b) securing critical national infrastructure in peacetime; and (c) practical measures for drawing the line in international law between criminal action and national security.
Greg Austin is a professorial fellow at the EastWest Institute. He leads the Institute's Policy Innovation Unit.