Cyber Security Relations

China and the United States continue to negotiate the fine print of their agreement and terms of cooperation

By Dr. Ching Chang and Jacob Doyle

The fall of 2015 may well be remembered for the warming trend in China-U.S. relations involving the cyber realm.

It began with a visit in late September by Chinese President Xi Jinping to the United States — first to Seattle where he met with tech luminaries from China and the U.S., including Microsoft co-founder Bill Gates, then on to a summit meeting in Washington, D.C., where Xi met with U.S. President Barack Obama to discuss a range of issues, cyber security notably among them. The “cyber agreement” signed by the presidents was followed by a flurry of activity among their aides, culminating in a follow-up meeting on December 1 devoted to cyber security, attended by heads of law enforcement and national security. Reports from government officials and private sector analysts reinforce the notion of warmth and progress in an area troubled by the chill of contention for many years.

This 12-story building in a Shanghai suburb allegedly housed a Chinese military-led hacking group, according to a 2013 report by Mandiant, an Internet security firm. AFP/GETTY IMAGES

“It is believed that consensus reached by China and the U.S. on the issue of cyber security will help enhance mutual trust and promote cooperation between the two countries in this regard,” China’s Foreign Ministry spokesman Hong Lei told reporters after the summit on September 28, “and have positive effects on the sound and steady growth of China-U.S. relations.”

The agreement promises cooperation from both sides on investigation of cyber crimes, collection of electronic evidence, and mitigation of malicious cyber activity emanating from their territory. Both countries also pledged that neither government will conduct or knowingly support cyber-enabled theft of intellectual property.

Policy analysts in the U.S. recognized the agreement as movement toward better cyber relations between the two countries.

“The United States and China have been disputing the issues of cyber intrusions for quite some time,” Joseph S. Nye Jr., Harvard University distinguished service professor at Harvard Kennedy School, said in an interview with FORUM. “The Americans had accused the Chinese of using cyber attacks as a way to steal intellectual property for commercial purposes. The Chinese have replied that they didn’t do that, that the United States was constantly interfering in their systems. So there had been a dispute for quite some time. It was dealt with by Obama and Xi at the Sunnyland Summit in 2013. But this agreement reached in September 2015 was the first bit of substantive progress that we’ve seen. I think the agreement is an important first step.”

Nye’s observations were largely shared by Andrew Scobell, a senior political scientist at Rand Corp., who added that the Chinese succeeded in showing that Xi understands the importance of reaching an understanding on cyber issues with the U.S. from a commercial perspective.

“The Chinese also realized that they needed to make some gesture to the Obama administration, and they did,” said Scobell.

The need for gestures and tangible expressions of cooperation in the cyber realm resonates from years of discord shared by the two countries in this area, as demonstrated by past statements from government officials in China and the U.S.

A 2014 study headed by Dr. Teng Jianqun, a retired officer of China’s People’s Liberation Army Navy, now director and research fellow of the Centre for Arms Control at the China Institute of International Studies, a think tank in the Ministry of Foreign Affairs in Beijing, indicates China’s less-than-favorable view of U.S. cyber policies at the time.

“It is obvious that by making full use of its advantages in information technology, the United States has not only abused its legal and technological means in anti-terrorism operations,” reads Teng’s study, “but put the leaders of other countries, including its allies, and important international conferences under surveillance, all with the excuse of protecting national security.”

The study is critical of what it calls “cyber arms,” purportedly used by the U.S., such as the malicious “Stuxnet worm” computer virus and various signal-jamming technologies.

The year following Teng’s study, in January 2015, U.S. Director of National Intelligence James R. Clapper made remarks that echoed a 2014 U.S. indictment against five members of China’s People’s Liberation Army, accusing them of hacking into the networks of Westinghouse Electric, the U.S. Steel Corp. and other U.S. companies.

“China has been robbing our industrial base blind,” Clapper told an audience at New York’s Fordham University during a conference on cyber security.

Tensions escalated in June 2015, when the United States Office of Personnel Management announced that it had sustained a data breach targeting the records of as many as 4 million people. U.S. media reported that U.S. government officials were privately blaming China for the intrusion, to which China’s Foreign Ministry issued a quick response.

Customers use computers at a Beijing Internet bar in December 2015. AFP/GETTY IMAGES

“Cyber attacks are usually conducted anonymously and across borders, making it hard to trace back,” Hong told reporters on June 5, 2015. “It is not responsible nor scientific to always use terms such as ‘likely’ or ‘suspected’ instead of conducting thorough investigations. It is the consistent position of China to firmly combat all forms of cyber attacks. China itself is a victim of cyber attacks. We are ready to carry out international cooperation on this issue and build a cyberspace that is peaceful, secure, open and cooperative. We hope that the U.S. side would discard suspicions, refrain from making groundless accusations, and show more trust, and conduct more cooperation in this area.”

Whether or not the accusations were groundless, Hong’s call for cooperation and peace is echoed in chapter four of Teng’s study: “China and the United States should cooperate in exploring possible plans for cyberspace arms control,” which advocates an “international cybersecurity treaty, which would set limits on the development of other nations’ cyber-warfare capabilities.”

Peace in cyberspace was not the only prospect luring China into a cyber dialogue with the U.S., Scobell contends. Intellectual property rights (IPR), he explained, have recently been discovered by the Chinese as things worth protecting.

“A lot of these commercial cyber hacks appear to be motivated by acquiring copyrighted or proprietary information that’s owned by a particular company,” said Scobell. “China didn’t much care about IPR until Chinese firms began to develop their own valuable intellectual property. Now China is attuned to the problem and more willing to work with other states to protect IPR.”

Nye recognized discussion of the topic of IPR and its corollary — concern about using cyber espionage for commercial purposes — as comprising one of the 2015 summit’s two most important results relating to cyber issues.

“The second thing is that the two countries have set up a high-level group to deal with this,” said Nye, “and that has actually occurred with Attorney General Loretta Lynch and Homeland Security Secretary Jeh Johnson meeting a Chinese counterpart in Washington on 1 December, 2015.”

In addition to Lynch and Johnson, the meeting was attended by Chinese State Councilor Guo Shengkun, as well as representatives from the U.S. Department of State, National Security Council and the intelligence community, while the Chinese delegation included representatives from the Committee of Political and Legal Affairs of the Communist Party of China Central Committee, the Ministry of Public Security, the Ministry of Foreign Affairs, the Ministry of Industry and Information Technology, the Ministry of State Security, the Ministry of Justice and the State Internet Information Office.

According to Lynch’s office, the meeting undertook to “review the timeliness and quality of responses to requests for information and assistance with respect to cyber crime or other malicious cyber activities and to enhance cooperation between the United States and China on cyber crime and related issues.”

Chinese Foreign Ministry spokeswoman Hua Chunying called the meeting a success the day after it was held, saying the dialogue was “positive and constructive,” adding that “China-U.S. law enforcement cooperation on cyber security has now entered a new phase of progress as the two sides have solved some specific problems through practical cooperation and candid communication, which helped boost mutual understanding and trust.”

The second “U.S.-China High-Level Dialogue on Combatting Cybercrime and Related Issues” was set for June 2016 in Beijing, reported Lynch’s office.

Formulating and agreeing to a “cyber code of conduct,” or set of norms of behavior in the cyber realm that all signatory countries would follow, has been a topic mentioned in Teng’s study and alluded to by the White House in a statement following the September summit. It said the U.S. and China “welcome the July 2015 report of the U.N. Group of Governmental Experts (GGE) in the Field of Information and Telecommunications in the Context of International Security, which addresses norms of behavior and other crucial issues for international security in cyberspace.”

In early 2015, China and Russia, along with Kazakhstan, Kyrgyzstan, Tajikistan and Uzbekistan, jointly submitted an update of their own International Code of Conduct on Information Security to the U.N. secretary-general. Originally submitted in 2011, it received criticism from the U.S. and its allies as “an attempt by the four countries to justify greater state control of the Internet’s governance structures and online content,” according to Alex Grigsby, assistant director for the Digital and Cyberspace Policy program at the Council on Foreign Relations. The recent updates, Grigsby added, reference the GGE’s activities and “seem to soften China and Russia’s stance on states taking a leadership role on Internet governance issues.”

While the G20 group of nations endorsed the GGE report during their July 2015 summit in Antalya, Turkey, the concept of a multilateral cyber code of conduct is viewed by Scobell as a somewhat separate issue from the discussions and activities currently involving the U.S. and China.

“The United Nations is not an arbiter in the cyber realm,” said Scobell. “I don’t think either side in Washington or Beijing would shift the dialogue to a multilateral forum like the United Nations any time soon. I suspect both sides would tell you that the two countries need to hash this out. A multilateral dialogue cannot replace this, as there’s some serious contentious issues here that involve the United States and China, and so there is really no substitute for one-on-one discussions.”

Where there is friction, there is warmth. Time will tell if the warming trend continues. Experts agree that much work remains to define the terms of the agreement in practice to enable the thaw to progress.
