Getting Past Captain Renault

Sunday’s New York Times reports that the United States has entered into talks with Russia about cybersecurity.

Given the large number of attacks and probes that seem to come from Chinese IP addresses (for an overview, see the U.S.-China Security Review Commission report, Capability of the People’s Republic of China to Conduct Cyber Warfare and Computer Network Exploitation), you have to think that the Obama administration would like to engage Beijing in similar discussions, if it hasn’t already done so.

That seems like a good idea, but not because I’d expect the United States to get very far.  First, when confronted with evidence of cyber crime/espionage, Beijing tends to act like Captain Renault in Casablanca--"Shocked, shocked" that anything like that could happen in China.  Second, the Chinese, like the Russians, are likely to want to talk about bans on "cyberterrorism" which one participant describes as Russian efforts to ban "politically destabilizing speech." The United States, which puts great weight on the democratic potential of the web in China, is not going to want to go down that road. Third, again like the Russians, Beijing is not going to be especially open to cross-border investigations, which are critical to limiting and deterring cyber crime.  As it is now, the arm’s-length and deniable relationship Chinese security and intelligence agencies have with "patriotic hackers" gives Beijing capability and maneuverability. Then there are the multiple difficulties defining, controlling, and verifying offensive computer code in traditional arms control agreements: offense looks very much like defensive code; malware and viruses can be reproduced indefinitely; the weapons can sit on a computer, mobile device, or thumb drive anywhere in the world.

Bilateral, or even multilateral, talks with China would be useful however, if only to start a conversation about how Beijing thinks about cyber conflict issues. Getting past Captain Renault would be a good start.