Attribution, Proxies, and U.S.-China Cybersecurity Agreement
from Net Politics and Digital and Cyberspace Policy Program

More on:

Cybersecurity

China

Diplomacy and International Institutions

International Organizations

In evaluating the cybersecurity agreement the United States and China announced on Friday, we can ask ourselves three questions: did Beijing accept that there should be a norm against the cyber-enabled theft of intellectual property to help individual firms? Will the agreement lead to a decrease in cyberattacks on the United States? And is the agreement a diplomatic step forward for the United States and China? We will have to wait and see for more conclusive answers, but for now I think they are: looks likely; very uncertain; and yes, but it will have to be built on.

Outside analysts, myself included, have long argued that China does not distinguish between cyber espionage directed at military and political secrets and the cyber-enabled theft of business plans and intellectual property. Both types of espionage, in this view, were part of building comprehensive national power, and the role of state-owned enterprises in the economy blurred the distinction between public and private gain. The United States has for years tried to create a norm against economic theft for competitive advantage, but made little progress, especially in the light of the Snowden disclosures about NSA operations. Last year, former NSA Director Michael Hayden described the problem with the U.S. argument as: "Look, you spy, we spy, but you steal the wrong stuff." [My colleague David Fidler analyzes the joint statement and its impact on norm development here.]

As Jack Goldsmith notes, the Chinese government has said it opposes online theft several times before, but it is important that the opposition to online theft is coming from Xi Jinping himself and not lower-level officials or a foreign ministry spokesperson. Beijing now appears to have accepted that there is good stuff and bad stuff to steal.

Moving forward, as many have noted, the central issue will be implementation and the question of attribution in particular. President Obama said, "the question now is, are words followed by action." As the United States has become increasingly confident in its ability to identify attackers, the Chinese have been equally vociferous that attribution remains difficult, if not impossible. Claims that Beijing was behind the hacking of the Office of Personnel Management and the data theft of over 20 million federal employees were met with a response from a Chinese Foreign Ministry spokesman that "it’s irresponsible and unscientific to make conjectural, trumped-up allegations without deep investigation." The agreement could quickly bog down in arguments over what evidence China will accept and what the United States is willing to provide. In response to a reporter’s question, President Xi Jinping warned that the two sides should not "politicize" the issue, which is often a claim levied by China when it is criticizing U.S. attribution.

The other big issue is whether the agreement will increase, or reinforce, Beijing’s reliance on proxies to conduct cyber espionage. As a recent investigation in the Wall Street Journal shows, there is overlap between PLA and freelance hacking groups. During their press conference, President Obama said that President Xi told him, "with 1.3 billion people, he can’t guarantee the behavior of every single person on Chinese soil." But what portion of hacking is government-controlled is already murky, and now there are reasons to muddy the waters even further.

It is important that the two sides have committed to "further identify and promote appropriate norms of behavior in cyberspace," to create a senior experts group to discuss international security in cyberspace, and are establishing a high-level joint dialogue on cybercrime. But implementation remains to be seen, and what, or who, is missing from the statement is notable. The high-level joint dialogue involves the Ministry of Public Security, Ministry of State Security, Ministry of Justice, and the State Internet and Information Office on the Chinese side, and the Secretary of Homeland Security, U.S. Attorney General, representatives of the intelligence community, and FBI on the U.S. side. Maybe they will make up the senior experts group, but the joint fact sheet has no mention of the DoD, State Department, and, most important, the PLA as being involved in cyber discussions.

Expectations before the summit for any progress on the cyber issue were low, so the agreement is a significant outcome, even if questions remain. As Herb Lin puts it, "progress has been made towards a better cybersecurity relationship between China and the United States, and more doors are open today than they were last week."
