China and Information vs. Cyber Security

On Monday, China, along with Russia, Tajikistan, and Uzbekistan, asked UN Secretary-General Ban Ki-moon to circulate their proposed International Code of Conduct for Information Security as a formal UN document at the 66th session of the General Assembly.  The Global Times quotes foreign ministry spokeswoman Jiang Yu as saying that "China believes information and Internet security is a common challenge facing all countries, thus it can only be effectively coped with through international cooperation."

U.S. policymakers will be pleased to hear Chinese officials framing Internet security as a global problem requiring international cooperation, but the rest of the proposed Code is bound to give them heartburn.  The title alone, with its focus on information security, signals the problems to come in the document.  Information security includes not only the protection of computer, communication, and other critical networks that is the primary focus of U.S. officials, but also the threats that the free flow of information can present to domestic stability in closed authoritarian states—hello Twitter and the Arab Spring.  The document refers to the use of communication technologies that "are inconsistent with the objectives of maintaining international stability and security," as well as the responsibility to "prevent other states from...undermin[ing] the right of the countries, which accepted this Code of Conduct, to independent control of ICTs."  This is going to be hard to square with the State Department’s support for the "Internet in a suitcase," and other circumvention technologies designed to get around the Great Firewall.

The document also places states at the center of international cooperation, giving them a dominant role in cyber governance.  The Code "underlin[es] the need for enhanced coordination and cooperation among States" and "stress[es] the role that can be played by the United Nations and other international and regional organizations."  By contrast, the United States has taken a more inclusive approach involving civil society and the private sector through less traditional groups such as the Internet Governance Forum.

In addition, the Code also tries to call the United States out for its deterrence policy in cyberspace.  In the words of the International Strategy on Cyberspace, the United States reserves "the right to use all necessary means—diplomatic, informational, military, and economic—as appropriate and consistent with applicable international law, in order to defend our Nation, our allies, our partners, and our interests."  Or as one Department of Defense official told the Wall Street Journal, "If you shut down our power grid, maybe we will put a missile down one of your smokestacks."  In contrast, signers of the Code will "settle any dispute resulting from the application of this Code through peaceful means and refrain from the threat or use of force."

Not all is bad in the Code.  There is a call for countries to work together to protect supply chains.  The United States will also want to try and build on the call for states to take responsibility for bad behavior that originates from their own networks.  It will, however, take some serious diplomatic jujitsu to convince China to control their "bad" patriotic hackers without the U.S. doing something about its "good" digital activists in return.  Maybe this is a negotiating gambit, but I don’t see U.S. diplomats offering up their Internet Freedom agenda in return for less Chinese hacking.  In short, the U.S. and China are still a long way away from agreeing on acceptable behavior in cyberspace.