Last week, the United States and China came to an agreement on cyberspying. What are its consequences likely to be?
neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.
This marks an important (and unexpected) concession to the United States.
However, its scope is limited.
The agreement does not address many of the more dramatic recent examples of Chinese spying, such as the apparent hack of the U.S. security clearance system, which led Washington to withdraw embassy personnel from Beijing for fear that the cover of CIA operatives has been blown. One excellent reason why the agreement doesn’t address this kind of spying is that the United States does it too, is very good at it, and doesn’t want to stop. US officials have expressed chagrin at the hacking of U.S. security clearances. They have also expressed some envy, and made it clear that if they could do the same to the Chinese government, they would.
Furthermore, the Chinese government can still hack U.S. companies, and steal their secrets with impunity. The only difference is that they cannot pass the secrets that they have learned to Chinese companies to give them competitive advantage. Gary Hufbauer at the Peterson Institute suggests that the “exact lines of demarcation” will mean that defense contractors remain fair game, while other companies, such as telecoms, might perhaps be off limits. This seems to misunderstand the agreement. The United States has not only been willing to hack into telecommunications companies, but also into energy companies, and, for that matter, universities and human rights organizations. It is unlikely that China’s sensibilities are any daintier. The agreement limits the goals of spying, not the targets being spied upon.
It’s unclear how the agreement will be monitored.
Security agreements are, almost by definition, pacts between states that don’t trust each other. This means that monitoring is usually key. Agreements to prevent nuclear proliferation require inspections, which allow signatories to see whether other states are cheating. The armed forces agreements of the Cold War relied on “remote sensing” – satellite technology that allowed both the United Staes and Soviet Union to see if dangerous concentrations of forces were building up along key borders.
Cybersecurity is notoriously resistant to these kinds of monitoring. Satellites tell you nothing, and inspection regimes are not likely to reveal very much. Part of the solution to the monitoring problem may lie in forensics – the careful study of attacks to see where they originated and what their features were – combined with attention to the business strategies of Chinese firms. The United States has hinted that it has improved its forensic capabilities in recent years. Part may lie in CERT teams – specialized computer response centers that deal with cybersecurity incidents. Finally, there will be a continuing dialogue between the two states, which will regularly evaluate how well they have responded to requests for help (and implicit or explicit complaints).
Still, it’s unclear how well this will work in practice. One big problem is that the boundaries between the Chinese state and big Chinese companies are sometimes blurry. Large Chinese corporations – especially those in sensitive sectors – often have non-transparent ownership structures, leading to suspicions that some of them are effectively state owned. If one of these companies is found to have engaged in commercial espionage, it could raise tricky questions. Is the business responsible or the state?
Quasi-formal agreements also have limits. While the deal might conceivably help a global norm against commercial spying to take root, it is uncertain how well other states will be able to evaluate whether China and the United States are living up to commitments. If, for example, the United States believes that China is cheating on the agreement, it will have a tough time releasing the kind of detailed information that might convince other states. Hence, it will more likely have to rely on unilateral action.
Figuring out how to respond to cheating is itself a tough problem.
As Tobias Feakin argues in a recent Council on Foreign Relations Cyber Brief, we have no good framework for figuring out what a proportionate response might be to various cyber-attacks. Spying is particularly problematic, since it has been a tolerated behavior for a very long time. When a country catches another country spying in peacetime, it may, if it wants, signal its displeasure, by expelling diplomats whom it believes to be spies. The target of its actions may expel diplomats in turn. Overly strong responses to cyber spying may be seen by other states as disproportionate (especially because many other states, including US allies, spy for commercial reasons too).
Robert Knake, who has spent time working in the administration on cyber issues, suggests that the United States will employ sanctions against businesses that it believes to have engaged in espionage. This provides the U.S. administration with some flexibility. However, it is not clear how strong a deterrent U.S. primary sanctions will be against Chinese firms that do not have a significant exposure to US markets. U.S. sanctions have usually been most effective when they involve both primary and secondary sanctions (e.g. sanctions against non-U.S. firms that facilitate transactions with the targets of the sanctions) and when they are accompanied by sanctions from U.S. allies. Secondary sanctions are likely to be highly controversial with other countries (especially because some key US allies are looking to build strong economic relationships with China, even when it annoys Washington). There’s probably even less appetite among third countries for issuing sanctions themselves. The United States faces the danger that sanctions against some Chinese firms might work better as symbolic expressions of disapproval than as active displeasure.