When forensic computer security company Crowdstrike last week identified a second Shanghai-based PLA unit engaging in large-scale, online espionage, it was only the latest of a growing number of clashes between the US and China on cybersecurity. With both sides digging in their heels, it is necessary to ask what it would take to bring both sides closer, and what the potential first steps towards an agreement on cyber-governance would look like.
Tensions over cybersecurity have been rising for some time. After the US Department of Justice indicted five Chinese military officials for the theft of corporate information on 19 May, China withdrew from a bilateral working group on cyber governance and prohibited the purchase of Windows 8 through government procurement. It also mounted a (mainly domestic) press campaign accusing the US of being the world’s largest hacker, which culminated in a long report on American surveillance and communications monitoring programmes worldwide.
On both sides of the Pacific, suspicions and worries have grown, making any potential agreement difficult to achieve. The basic stance has been similar for quite some time: China believes that “foreign hostile forces” intend to derail its growth and deny China its place in the sun, while according to the American view, China is happy to enjoy the benefits of global integration without being willing to play by the rules or commit to international leadership. Even as the Chinese and US economies have become increasingly interconnected – and contacts between their populations have grown intensively – the basic stance of both sides remains unchanged.
There are historical instances where governments with less-than-friendly relationships have been able to reach agreements out of well-understood self-interest and mutually-agreed self-restraint. Perhaps the best examples of this are the SALT talks and START treaties between the US and the Soviet Union, which resulted in the reduction of nuclear weapons on both sides. Although these proceeded in fits and starts, the skilful diplomacy and final willingness to compromise might be an inspiration for policymakers on both sides.
However, there are considerable differences between nuclear disarmament (or other similar examples, such as the naval fleet reduction treaties of the 1930s) and cyber-governance. Most basically, these treaties were simple: they dealt with one particular, albeit important, and well-understood aspect of national defence. There was little doubt about the harm that nuclear warfare could inflict on populations across the globe.
The harm inflicted by hacking, however, is much less clear. Some incidents, such as the cyberattack on Estonia and the Stuxnet bug, have shown a glimpse of what aggressive hacking is capable of. Yet grim as it may be, the first truly devastating strike against a well-known target has yet to happen.
There is another mismatch, in that everyone understands that the purpose of large battleships and ICBMs is purely military. The Internet, on the other hand, even if its origins lie in military technology aimed at maintaining secure communications in a nuclear war, has become an irreplaceable part of political, economic and social interactions worldwide.
All these interactions could conceivably become a target for an intervention, resulting not in traditional material destruction, but in the shutdown of financial payment systems and vital infrastructure processes and communications. This will inevitably render any negotiations highly complex.
Second, there are great imbalances in the hacking issue. On the economic front, there is much more corporate information in the US that might be of interest to China than vice versa. China has yet to produce its first domestic airliner, computer operating system or successful export car. The technological challenges China faces in these areas are widely appreciated and regularly discussed.
Nor is it simply technological superiority. Equally important is the operational and logistical know-how that supports the sales and exploitation of these products. Global car or aircraft manufacturers, for instance, need very complex supply chains, spare parts channels and maintenance networks in order to ensure sales of their primary products. This is expertise that Chinese companies often lack, particularly at the international level.
Therefore, the alleged wholesale capturing of corporate data outlined in, amongst others, the Mandiant report, might not only be lucrative in terms of primary technology or even corporate negotiating positions vis-à-vis Chinese counterparts, but also because it might provide useful insights into corporate governance of globally successful firms.
The US, on the other hand, has little to gain from hacking into Chinese companies, except in the relatively small areas of military and national security matters. As a result, the bargain that must be struck is one in which the Chinese side would agree to cease a lucrative activity, without a directly comparable commitment from the US side. This suggests that the US might need to concede on objectives elsewhere. Again, this will make negotiations more complex and open them up to domestic accusations of weakness.
A third, and related point, is the matter of financial outlay. Military hardware tends to be expensive, which was an important driver of both the 1930s fleet treaties and the nuclear arms treaties, where all parties recognized that continuing the arms race would become unaffordable. In comparison, building cyber-capability is much less expensive, for military purposes as well as for the acquisition of intelligence. The PLA units allegedly involved in cyber-espionage operate from a few buildings in Shanghai, using basic electronic equipment. They do not need to station officials abroad nor procure expensive hardware. Their hacking campaigns have comparatively small budget implications and there is therefore little political incentive within the system to curtail them. In fact, the vast amount of information that can be procured using these methods suggests that hacking is very cost-effective.
These characteristics of hacking per se are compounded by specific perceptions and concerns, both on the Chinese and US sides. While Chinese IT firms have tried to become more competitive with their American counterparts over the past few years, more recently they have also become more infused with security concerns.
Once the Snowden files had revealed some of the NSA’s surveillance capacities, China rapidly became concerned about the dominance of American hardware and software over its domestic market. These concerns were exacerbated when Microsoft announced it would end security support for Windows XP, an operating system that still powers the majority of Chinese government computers. Efforts are currently underway to provide indigenous solutions, and a first Chinese mobile operating system was launched a few months ago.
Domestically, another question is how much political capital the Xi Jinping leadership is able and willing to spend on ending an activity that is not only seen as profitable for domestic development, but also as part and parcel of contemporary politics. More broadly, China has generally been intransigent in matters of international and global governance, and cyber-governance is no exception. Its five principles for cyberspace are based on classical notions of national sovereignty, which sidesteps complicated questions about how borders are to be drawn online. More recently, it did not respond to US overtures on mutual transparency on military cyber-capability.
Citing the Snowden releases, the clearly superior US cyber-capability, and its control over many internet control resources (“network hegemony”), China has repeatedly accused the US of not recognizing the enormous asymmetry between the two countries. These recriminations are not completely groundless. Post-9/11, the US has vastly expanded its global data collection capacities, with the aim of preventing further terror strikes. It has also used these capabilities to more effectively monitor the activities of state leaders worldwide.
But whereas Angela Merkel’s hacked conversations could conceivably fall under the heading of national security, hacking foreign corporations such as Petrobras and Huawei has greatly weakened the central point that the US would like to underpin a cyber agreement with China: the separation between national security and commercial concerns. Washington lawyers may well find a juristic justification for these acts, but that will not suffice to alleviate concerns on the counterparts’ side.
In other words, if China and the US wish to de-escalate tensions over hacking, it will require both countries to recognize that activities each regards as part of core national interests simultaneously impair international trust. This will not be easy.
In the meantime, private activities may change the strategic calculus somewhat. Corporations may become more assertive in protecting their data, creating not only the equivalent of dye packs, in order to make data unusable, but also virtual guard dogs, which may harm the assailant. If Chinese enterprises use information gained through hacking in third markets, they may open themselves up to intellectual property or commercial secrecy lawsuits, impairing their capacity to work overseas.
Bottom line? If Washington wishes to move towards more durable agreements, it must recognize and aim to alleviate at least some concerns about its own behavior in cyberspace.