The first US-China cybersecurity working group meets next week, but significant progress is unlikely in the short term
The United States and China will hold the first round of the official US-China cybersecurity working group talks during the week of July 8-12 as part of the fifth round of the US-China Strategic and Economic Dialogue (S&ED) in Washington, DC. The United States initiated the talks as part of its efforts to push China to address US concerns over cyber trade secret theft. Washington’s primary concerns are that Chinese state actors, in addition to conducting routine political and military espionage, are using cyber means to obtain non-military related corporate secrets, aiding China’s economic growth while damaging America’s innovative economy. In these initial discussions, many barriers are likely to block rapid progress, but through continued dialogue and effort results may be possible in the long term.
Cybersecurity and the US-China presidential summit
The summit between US President Barack Obama and Chinese President Xi Jinping on June 7-8 showed that the official US-China conversation on cybersecurity remains at an early stage. According to former National Security Advisor Tom Donilon’s June 8 post-summit remarks, “the president made clear the threat posed to our economic and national security by cyber-enabled economic espionage.” However, China’s State Councilor Yang Jiechi, also speaking after the summit on June 8, continued to reiterate China’s standard talking points and barely acknowledged the problem, saying: “China pointed out that the Chinese government pays high attention to cyber security and objects to any form of hacker and cyber attacks.”
During a July 17 interview on PBS, Obama shared further details: “Every country in the world, large and small, engages in intelligence gathering and that is an occasional source of tension but is generally practiced within bounds. There is a big difference between China wanting to figure out how can they find out what my talking points are when I’m meeting with the Japanese, which is standard fare, and we’ve tried to prevent them from penetrating that and they try to get that information. …There’s a big difference between that and a hacker directly connected with the Chinese government or the Chinese military breaking into Apple’s software systems to see if they can obtain the designs for the latest Apple product. That’s theft. And we can’t tolerate that. … And so we’ve had very blunt conversations about this. They understand, I think, that this can adversely affect the fundamentals of the US-China relationship.”
In a March 11 speech to the Asia Society in New York, Donilon laid out three requests of China regarding cyber economic espionage: to recognize the urgency and scope of the problem, to take steps to investigate and put a stop to economic espionage activities, and to engage in a dialogue with the US government to establish norms of behavior in cyberspace. In his June 8 post-summit remarks, Donilon said some progress had been made on those requests, saying that the Chinese had acknowledged the United States’ concerns, as well as agreeing to investigate cyber espionage activities and engage in dialogue.
But the progress demonstrated is limited. The United States has communicated its concerns at the presidential level and the two sides have agreed to use the working group mechanism to manage the issue.
The United States’ options are constrained
Many analysts suggest that the United States must impose costs on China or China-based entities for cyber trade secret theft. The US government has a range of options for imposing such costs including legal, trade, and financial market measures. Many of these options were highlighted in a May 22 report by the Commission on the Theft of American Intellectual Property. However, there is still a lack of consensus between the US business community and the government about the threat of Chinese cyber trade secret theft. On one hand, the government has said cyber is the number one national security threat. On the other, the business community is concerned about damaging the US-China trade and business climate. Because of this dynamic, the US government is unlikely to impose large penalties on China through significant trade sanctions. However, legal, trade, and financial market actions of limited scope against Chinese commercial entities that benefit from cyber trade secret theft may be possible.
Another major source of tension in the bilateral relationship, the renminbi (RMB) exchange rate issue, provides a useful example of how the cyber issue may evolve. As early as 1992 the US government strongly voiced displeasure at China’s currency policy. Since then, Congress has written numerous bills aimed at imposing costs on China for perceived problems with its currency policy, and none have become law. It is only when China’s policy makers have viewed that it was in China’s interest to reform its currency policy that significant progress has been made. The exchange rate issue continues to cause tension. In March, H.R. 1276, the Currency Reform for Fair Trade Act, was introduced in the House.
If progress is not made on the cyber theft issue, Congress may take action on cybersecurity similar to actions taken on the currency issue. There are currently four bills that aim to counter trade secret theft before Congress: H.R. 2281, the Cyber Economic Espionage Accountability Act; S. 1111, the Senate version of the same bill; S. 884, the Deter Cyber Theft Act; and H.R. 2466, Private Right of Action Against Theft of Trade Secrets Act. Compared with bills aimed at the currency exchange issue, these bills have far fewer co-sponsors and even less likelihood of even being voted on, let alone passing.
Progress on cybersecurity will be slow
The US complaint regarding cyber trade secret theft may be difficult for China’s leadership to address when placed in the larger context of China’s national security, which does not distinguish between trade secret theft and routine political and military espionage. For example, the People’s Liberation Army (PLA) is unlikely to easily give up the right to obtain information that it views as critical to understanding US military capabilities and to aid the PLA’s development. Slade Gorton, a member of the Commission on the Theft of American Intellectual Property, during a June 25 Senate hearing, said that progress will only be made when there is a group of sufficiently powerful actors in China interested in limiting the scope of cyber operations.
Another challenge is the recent alleged leaking of US national security information by Edward Snowden. This is likely to make US-China cybersecurity discussions more difficult and further slow progress. The Chinese press has given significant attention to reports based on these leaks, and use the Snowden leaks to support China’s position that it is a victim of cyber operations. According to Xinhua, Washington owes “an explanation to China and other countries it has allegedly spied on. It has to share with the world the range, extent and intent of its clandestine hacking programs.”
The actions of Snowden and the prominent place they have been given in the Chinese media makes it more difficult for the United States to influence China’s behavior regarding cybersecurity. Anyone in the Chinese government who was internally advocating limiting the scope of Chinese cyber operations is now in a much weaker position. The fine point the United States is trying to make regarding the difference between political and military intelligence and economic espionage has likely been swamped by the broader issue of China’s concerns regarding US cyber activities around the world.
There have been two recent positive developments that may aid US-China cybersecurity discussions. For the past two years, the United States and Russia have been conducting a cybersecurity dialogue and have recently agreed to implement a range of measures to increase cooperation and confidence-building within this arena. And in 2011, a UN Group of Government Experts (GGE) was established to discuss global cooperation on information security issues. The group included representatives from Russia, China, the United States, and a number of other countries. According to a State Department press release issued after the group’s final meeting in June 2013, “the group affirmed that international law, especially the UN Charter, applies in cyberspace.” This has been the Unites States position for some time. Until this statement, the United States’ position had been opposed by China and Russia who instead sought a new treaty for cyberspace. This represents some limited progress on the major powers forming a common view on cyberspace issues.
Going into the cyber working group it is clear that the United States would like to see rapid progress on the issue of cyber trade secret theft. However, China rarely addresses detailed concerns at these types of meetings and does not see the need for specific deliverables. China is more likely to want to begin discussions by establishing conceptual frameworks to identify the scope and agenda for future discussions.
Given China’s response at the June summit and the way trade secret theft and China’s national security may overlap it is unlikely that there will be rapid tangible progress on US concerns. The United States must try to convince China that continued cyber trade secret theft damages China’s economic development. However, such a shift in thinking will only occur when a group internal to China emerges that argues that cyber intellectual property theft is not in their interest. There seems to be no such group at the moment. The United States should identify stakeholders within China who are likely to shift their position and craft appropriate actions to encourage such a shift. For some stakeholders, limited punitive actions may help, while for others, cooperation could be the key.
[author] Doug Mackey ([email protected]) helped to develop Australia’s national cyber defense capability; he worked as an analyst for Australia’s Department of Defense for more than 10 years. He is currently undertaking a master’s in information security at the Georgia Institute of Technology. [/author]