The United States and China have agreed that neither country will conduct economic espionage in cyberspace in a deal that addresses a major source of tension in the bilateral relationship.
The pact also calls for a process aimed at helping to ensure compliance.
The agreement, reached in talks Thursday and Friday between President Obama and Chinese President Xi Jinping, has the potential — if it is upheld — to alleviate one of the most significant threats to U.S. economic and national security.
“The question now is,” Obama said in a joint news conference with Xi on Friday, “are words followed by actions?”
The United States has accused China of stealing billions of dollars’ worth of intellectual property and trade secrets from U.S. companies and was ready to impose economic sanctions on Chinese firms that benefited from cyber-enabled theft.
China has long denied such activity — and Xi at the press conference said “China strongly opposes and combats the theft of commercial secrets and other kinds of hacking attacks.”
Washington, for its part, has said that it does not conduct cybertheft for the benefit of U.S. companies. The disclosures of a former National Security Agency contractor, Edward Snowden, about extensive U.S. cyberspying overseas have given Beijing ammunition to counter such assertions.
Nonetheless, apparently rattled by the threat of sanctions — a threat that Obama reiterated in his meetings with Xi, China agreed to affirm the norm against cyber economic spying.
The two sides also said they would set up a high-level joint dialogue on cybercrime in which senior officials from both countries would be able to review allegations of cyber-intrusions. They agreed to establish a hotline to discuss issues that might arise in that process.
The U.S. secretary of homeland security and the attorney general will co-chair the dialogue on the American side.
Sanctions are not off the table, Obama administration officials said.
Obama said he described to Xi the “tools” the administration has to deter and punish cybercrime and cyberattacks. They include criminal indictments, such as the those issued against five Chinese military officials last year for economic cyberespionage. He said that while they did not discuss specific cases of alleged Chinese cybertheft, he mentioned the executive order he signed in April that authorized the imposition of economic sanctions for malicious cyber-acts.
“I did indicate to President Xi that I would apply those and whatever tools we have in our tool kit to go after cybercriminals, either retrospectively or prospectively,” Obama said.
“Those are tools generally that are not directed at governments,” he said. “They are directed at entities or individuals that we can identify and they’re not unique to China.”
The agreement does not address traditional espionage, such as China’s alleged theft of personal information of more than 22 million current and former federal employees through a hack of Office of Personnel Management computers.
While the agreement “marks a significant step forward” in the bilateral relationship on cyber issues, “it does not and will not solve all of our cyber-challenges that we face with China,” said a senior administration official, who spoke under ground rules requiring anonymity. “A lot of the proof will be in whether or not the Chinese can live up to their commitment.”
The official expressed confidence that the United States’ means of detecting cyber-intrusions by China, including through the NSA, would ensure that Washington can detect backsliding by Beijing.
The agreement has been in the works for several weeks, the official said. Discussions began after the OPM hack — which incensed U.S. negotiators whose own personnel files were compromised — and continued when national security adviser Susan E. Rice traveled to Beijing in late August to lay the groundwork for the summit.
But “the meat of it was done” during a visit two weeks ago by special envoy Meng Jianzhu, a member of the political bureau of the Communist Party Central Committee. Meng flew to Washington in the wake of a Washington Post story about the administration preparing sanctions and met with Rice, Secretary of State John F. Kerry and Homeland Security Secretary Jeh Johnson. “The Chinese wanted a happy outcome to the summit,” said James A. Lewis, a cyber-policy expert at the Center for Strategic and International Studies.
The senior administration official said the indictments last year, the threat of sanctions “and the messages that the administration have been delivering both publicy and privately have begun to persusde the Chinese that this is not just something we are doing for domestic political consumption, but it is in fact a significant issue and a significant irritant in the bilateral relationship.”
Dmitri Alperovitch, a cyber-policy expert and co-founder of CrowdStrike Inc., a cybersecurity firm, called the commitment “an inflection point.” He said: “While I don’t expect changes overnight, we’re on the path to an eventual resolution of this issue.”
“The issues now,” said James A. Lewis, a cyber-expert at the Center for Strategic and International Studies, “are making sure we can verify it and that there are consequences if they don’t live up to it.”