What Do the Obama-Xi Agreements Mean for Cyber?
EWI Senior Vice President Bruce McConnell provides insights into what the recent U.S.-China agreements mean for cyberspace.
On September 25, 2015, the White House and the Chinese government issued parallel statements explaining the various agreements Presidents Obama and Xi reached during Xi’s state visit. On the cyber and technology front, the agreements break no new policy ground, but do create a much-needed umbrella under which concrete, practical steps can be taken to reduce conflict in cyberspace and tensions in the bilateral relationship. This is the most positive development in the cyber-related aspects of the bilateral relationship since the two Presidents’ Sunnylands meeting in June 2013. Seven aspects bear mentioning:
1. The agreement not to “conduct or knowingly support cyber-enabled theft of intellectual property . . . with the intent of providing competitive advantages to companies or commercial sectors” restates the existing positions of both governments not to concede that they “conduct or knowingly support” such activity. This agreement sets an explicit norm in place, but, without work on compliance, it would be merely window dressing.
2. Compliance begins to be addressed, however, in the agreement that “timely responses should be provided to requests for information and assistance concerning malicious cyber activities.” Both countries agree to cooperate with requests to “mitigate malicious cyber activity emanating from their territory.”
3. This agreement is made more practical by the establishment of a “high-level joint dialogue mechanism,” led by the Departments of Homeland Security and Justice on the U.S. side. Chinese participation will likely be led by the Cyberspace Administration of China (Minister Lu Wei) with participation by the Chinese Ministries of Public Security, State Security, Justice, and the State Internet and Information Office. The joint dialogue mechanism “will be used to review the timeliness and quality” of responses to requests for information and assistance. It effectively replaces the defunct government-to-government working group established at Sunnylands and suspended by China after the U.S. indicted five active-duty Chinese army officers for alleged cyber thefts of U.S. intellectual property.
4. There will be a cyber incident hotline that will ring at DHS or Justice.
5. More broadly, the governments “welcome” (this is a moderate level of support, higher than “note” but a long way from “endorse”) the July 2015 report of the UN Group of Governmental Experts on cyber matters.[1] A senior expert group will be created for bilateral discussions on this topic, presumably led by the U.S. Department of State and the Chinese Ministry of Foreign Affairs.
6. On trade, the two nations agree to moderate their use of cybersecurity as a criterion for evaluating the “purchase sale or use” of ICT products by commercial enterprises, and, further, to limit the scope of their respective national security reviews of foreign investments (i.e., the CFIUS[2] process on the U.S. side, and recently proposed Chinese national security and technology regulations).
7. The most measurable commitment is that the high-level dialogue will meet in 2015.
Everyone will be watching in the months ahead to see if the level of attacks that appear to come from Chinese territory declines from historic levels. If it does, that will be viewed as a sign of Chinese good faith by the U.S. However, if it does not, the U.S. will need to present evidence of the Chinese government’s involvement in order to claim a violation of the first of the Xi-Obama agreements listed above.
More broadly, there is a two-way argument to be made regarding attacks that appear to come from the other’s territory. To date, neither side has had much success getting help from the other with requests for assistance. Now the “high-level dialogue mechanism” will work to bring the two sides together to cooperate on such requests. If China and the U.S. cooperate better on cyber incident response, that will show real progress in the bilateral cyber relationship.
[1] The July report concludes a multi-year set of meetings among cyber foreign affairs officials of 20 countries, including China, Russia, the U.S. and several EU countries. The principal accomplishments were agreements that international law is applicable to cyberspace and that certain norms (e.g., mutual assistance on cyber incidents, no cyber attacks on critical infrastructure) should guide state behavior in cyberspace during peacetime. The agreements are completely non-binding.