- Blog Post
- Blog posts represent the views of CFR fellows and staff and not those of CFR, which takes no institutional positions.
I was in China last week for a cyber dialogue sponsored by the China Institutes of Contemporary International Relations (CICIR) and the Center for Strategic and International Studies (CSIS). The good news is the two sides are continuing to talk. The not so good news is mistrust is high and the next steps will not be easy or quick.
In diplomatic speak, the talks were candid and constructive. Both sides acknowledged the mistrust that characterizes the relationship. The Chinese felt their contributions to global cybersecurity, especially by the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT), were not adequately acknowledged. Both sides believe their respective governments have a strong desire for cooperation. But there was little clarity on what concretely the two sides could actually do to build trust (except for the obvious but seemingly unattainable: for the United States, China should stop stealing so much intellectual property; and for China, the U.S. should stop trying to maintain its hegemony in cyberspace, contain Beijing, and militarize cyberspace). Calls for greater transparency were met from the Chinese with the habitual protest that this was difficult for the weaker side. When pressed for areas where China and the United States might cooperate, Chinese analysts pointed to protecting critical infrastructure and fighting crime, but also noted that cyber cooperation was a work in progress and the conditions might not be right for moving forward.
To be sure, I’m not privy to what happens behind closed-door meetings, but the Chinese response to the New York Times’ reporting about Stuxnet was more indirect than I expected. The Chinese seemed more direct and aggrieved in their critique of what they saw as the U.S. refusal to engage the International Code of Conduct for Information Security, the norms of behavior in cyberspace that China—along with Russia, Tajikistan, and Uzbekistan—has circulated at the United Nations. Their basic line? "In your International Strategy for Cyberspace you said the United States would work collaboratively to develop norms. We suggested some, not insisting that they were for everyone, and since then silence. Isn’t there anything in the International Code that you like?"
The mistrust has been worsened by both sides inability to signal intentions. This is of course difficult in cyberspace; governments can say that they have nothing to do with attacks but the attribution problem makes it difficult to verify those statements. Moreover, the United States has repeatedly stated that the primary mission of Cyber Command is the defense of U.S. networks, not offensive operations. Not surprisingly, the Chinese are weighing capabilities as much as, if not more than, expressed intent.
The signaling problem has been exacerbated by what one Chinese academic called the "hype of the media"—breathless reporting about cyberwar and digital espionage. You could see the negative effects of this, as at least one Chinese analyst seemed to accept everything in U.S. newspapers as not only true, but also as the official U.S. government position. For example, the story of Secretary Clinton admitting that the State Department hacked al-Qaeda websites in Yemen, later clarified as the purchase of advertisements, was used as evidence of American attacks.
The big takeaway from the meeting was the need for more communication and the development of official points of contact and crisis communication procedures. There was some worrying confusion over how many hotlines exist between the two countries (at least two) and how effective they are (basically, from the U.S. perspective, not at all). It is a cliche that cyber events can occur in hours, if not minutes, but the two sides need to prepare for the almost inevitable crisis. Summoning the other side’s ambassador for an explanation may have worked in the past, but it will be too slow today. People and procedures need to be prepositioned. Sino-U.S. cyber cooperation is a work in progress, but let’s hope this is one area where the conditions allow for progress.