Cybersecurity is one important area where both China and the U.S. agree cooperation is necessary, but on very different terms. The Cipher Brief spoke to Adam Segal, a senior fellow at the Council on Foreign Relations, to learn more about these differences and what it will take to create and enforce a cybersecurity agreement between the U.S. and China.
The Cipher Brief: The previous U.S.-China SED ended with no agreements on cybersecurity. Do you foresee any progress at this year’s SED?
Adam Segal: It is unlikely that there will be any concrete progress on cybersecurity issues at the S&ED this year. Part of this is due to the format. There are many other issues on the agenda, and so policy makers will have very limited time to address cybersecurity. It is also a reflection of the continuing gap on cyber issues, despite the agreement on the prohibition of cyber-enabled theft of intellectual property and some norms of state behavior in cyberspace that were announced at the conclusion of the September 2015 summit between Presidents Xi and Obama.
TCB: How does each country view the cyber domain and how do these differences make reaching an agreement difficult?
AS: There are two broad differences that make cooperation and agreement difficult. While the White House’s 2011 International Strategy on Cyberspace proclaims the United States has a national interest in an “open, interoperable, secure and reliable” internet, Beijing has promoted a vision of cyber sovereignty, the idea that states have the right to regulate the internet just as they regulate any other territory. These differing views manifest themselves in conflicts over the free flow of data, internet governance, and how best to secure the security of IT products.
Second, the United States has gradually been more transparent in revealing its thinking about its development of offensive cyber operations, from the 2011 Defense Department cyber strategy that declared the military would treat cyber—like air, sea, space, and land—as a domain of warfare, to the 2015 version that announces that there may be times when “it would be appropriate for the U.S. military to conduct cyber operations to disrupt an adversary’s military related networks or infrastructure.” For the most part, Beijing has denied that it even has specialized offensive cyber forces and has tended to interpret these Pentagon strategies as directed at China and as evidence that the United States is “militarizing” cyberspace. The recent announcement that the PLA is establishing Strategic Support Forces, which will combine space, cyber, and electronic warfare units, may provide an institutional basis for greater engagement between the two militaries.
TCB: What specific cybersecurity issues are most in need of an agreement between the two countries?
AS: Most important is concrete follow up on the 2015 agreement on cyber espionage. There was positive follow up in the first round of cyber talks between the Department of Homeland Security and the Ministry of Public Security in December 2015. The two sides agreed on guidelines for requesting assistance on cybercrimes or other malicious activities, as well as agreeing to conduct “tabletop exercises” in spring 2016 and to define procedures for use of a hotline. But any goodwill created by the agreement will evaporate without a noticeable decline in economic cyber espionage and some successful cases of cooperation in the investigation and exchange of evidence in cyber crime.
There is also a need for in depth discussions on what the thresholds for a cyber attack becoming a use of force or an armed attack might be. Without greater understanding between the two sides, the risks of escalation from cyber to kinetic attacks rise dramatically. What one side may see as legitimate—say breaking into the network of a power grid— the other may view as crossing a red line.
TCB: How would an agreement over cybersecurity be enforced? Are there specific challenges to enforcement?
AS: One of the biggest challenges facing any agreement would be the attribution problem. Washington and Beijing, for example, may have a shared interest in an agreement that restrained cyber attacks on critical civilian infrastructure, but proving that either side was upholding the norm would be technically difficult. In addition, the United States and China differ on how possible attribution is, with U.S. policy makers arguing that it is becoming more possible, given time and resources. Chinese policy makers, however, remain skeptical (and have an incentive to undercut U.S. claims publicly). Any initial agreements between Washington and Beijing are likely to resemble no-first use or non-targeting pledges with nuclear weapons, unverifiable but signed in the hope of generating trust on which to build future cooperation.