Academic Webinar: Cyberspace and U.S.-China Relations
Adam Segal, Ira A. Lipman chair in emerging technologies and national security and director of the Digital and Cyberspace Policy Program at CFR, leads a conversation on cyberspace and U.S.-China relations.
FASKIANOS: Welcome to the first session of the Winter/Spring 2022 CFR Academic Webinar Series. I’m Irina Faskianos, vice president of the National Program and Outreach here at CFR. Today’s discussion is on the record, and the video and transcript will be available on our website, CFR.org/academic. As always, CFR takes no institutional positions on matters of policy.
We are delighted to have Adam Segal with us to discuss cyberspace and U.S.-China relations. Adam Segal is CFR’s Ira A. Lipman chair in emerging technologies and national security and director of the Council’s Digital and Cyberspace Policy program. Previously, he served as an arms control analyst for the China Project at the Union of Concerned Scientists. He has been a visiting scholar at Stanford University’s Hoover Institution, MIT’s Center for International Studies, the Shanghai Academy of Social Sciences, and Tsinghua University in Beijing. And he’s taught courses at Vassar College and Columbia University. Dr. Segal currently writes for the CFR blog, Net Politics—you should all sign up for those alerts, if you haven’t already. And he is the author several books, including his latest, The Hacked World Order: How Nations Fight, Trade, Maneuver, and Manipulate in the Digital Age. So, Adam, thanks very much for being with us.
We can begin with a very broad brush at cyberspace, the role cyberspace plays in U.S.-China relations, and have you make a few comments on the salient points. And then we’ll open it up to the group for questions.
SEGAL: Great. Irina, thanks very much. And thanks, everyone, for joining us this afternoon. I’m looking forward to the questions and the discussion.
So broadly, I’m going to argue that the U.S. and China have the most far-reaching competition in cyberspace of any countries. And that competition goes all the way from the chip level to the rules of the road. So global governance all the way down the to the chips that we have in all of our phones. Coincidentally, and nicely timed, last week the Washington Post did a survey of their network of cyber experts about who was the greater threat to the United States, China or Russia. And it was actually almost exactly evenly split—forty to thirty-nine. But I, not surprisingly, fell into the China school. And my thinking is caught very nicely by a quote from Rob Joyce, who’s a director at the National Security Agency, that Russia is like a hurricane while China is like climate change. So Russia causes sudden, kind of unpredictable damage. But China represents a long-term strategic threat.
When we think about cyberspace, I think it’s good to think about why it matters to both sides. And on the Chinese side, I think there are four primary concerns. The first is domestic stability, right? So China is worried that the outside internet will influence domestic stability and regime legitimacy. And so that’s why it’s built an incredibly sophisticated system for controlling information inside of China that relies both on technology, and intermediate liability, and other types of regulation. China is worried about technological dependence on other players, in particular the U.S., for semiconductors, network equipment, and other technologies. And they see cybersecurity as a way of reducing that technology.
China has legitimate cybersecurity concerns like every other country. They’re worried about attacks on their networks. And the Snowden revelations from the—Edward Snowden, the former NSA contractor—show that the U.S. has significant cyber capabilities, and it has attacked and exploited vulnerabilities inside of China. And while the Chinese might have used to think that they were less vulnerable to cyberattacks given the shape of the Chinese network in the past, I think that probably changed around 2014-2015, especially as the Chinese economy has become increasingly dependent on ecommerce and digital technology. It’s now—GDP is about a third dependent on digital technology. So they’re worried about the same types of attacks the United States is worried about. And then, fourth and finally, China does not want the United States to be able to kind of define the rules of the road globally on cyber, create containing alliances around digital or cyber issues, and wants to constrain the ability of the U.S. to freely maneuver in cyberspace.
Those are China’s views. The U.S. has stated that it’s working for a free, open, global, and interoperable internet, or an interoperable cyberspace. But when it looks at China, it has a number of specific concerns. The first is Chinese cyber operations, in particular Chinese espionage, and in particular from that Chinese industrial espionage, right? So the Chinese are known for being the most prolific operators, stealing intellectual property. But they’re also hacking into political networks, going after think tanks, hacking activists—Uighur activists, Tibetan activists, Taiwanese independence activists. We know they’re entering into networks to prepare the battlefield, right, so to map critical infrastructure in case there is a kinetic conflict with the United States—perhaps in the South China Sea or over the Taiwan Strait—and they want to be able to deter the U.S., or perhaps cause destructive attacks on the U.S. homeland, or U.S. bases in South Korea, or Japan.
The U.S. is also extremely concerned about the global expansion of Chinese tech firms and Chinese platforms, for the collection of data, right? The U.S. exploited the globalization of U.S. tech firms. Again, that was something that we learned from the Snowden documents, that the U.S. both had legal and extralegal measures to be able to get data from users all around the world because of their knowledge of and relationship to U.S. tech firms. And there’s no reason to believe that the Chinese will not do the same. Now, we hear a lot about, you know, Huawei and the national intelligence law in China that seems to require Chinese companies to turnover data. But it would be very hard to believe that the Chinese would not want to do the same thing that the U.S. has done, which is exploit these tech platforms.
And then finally, there is increasingly a framing of this debate as one over values or ideology, right? That democracies use cybertechnologies or digital technologies in a different way than China does. China’s promoting digital authoritarianism, that has to do about control of information as well as surveillance. And the U.S. has really pushed back and said, you know, democracies have to describe how we’re going to use these technologies. Now, the competition has played itself out both domestically and internationally. The Chinese have been incredibly active domestically. Xi Jinping declared that cybersecurity was national security. He took control of a small leadership group that became a separate commission. The Cyberspace Administration of China was established and given lots of powers on regulating cybersecurity. We had a creation of three important laws—the cybersecurity law, the data security law, and the private—personal information protection law.
We see China pushing very hard on specific technologies they think are going to be important for this competition, especially AI and quantum. And we see China pushing diplomatically, partly through the idea of what’s called cyber-sovereignty. So not the idea that internet is free and open and should be somewhat free from government regulation, but instead that cyberspace, like every other space, is going to be regulated, and that states should be free to do it as they see fit, as fits their own political and social characteristics, and they should not be criticized by other states. They promoted this view through U.N. organizations in particular. And they’ve been working with the Russians to have a kind of treaty on information and communication technologies that would include not only cybersecurity, but their concerns about content and the free flow of information.
The U.S. right now is essentially continuing a policy that was started under the Trump administration. So part of that is to try and stop the flow of technology to Chinese firms, and in particular to handicap and damage Huawei, the Chinese telecom supplier, to put pressure on friends to not use Huawei. But the most important thing it did was put Huawei on an entity list, which cut it off from semiconductors, most importantly from Taiwan Semiconductor, which has really hurt the Huawei of products. The U.S. tried to come to an agreement about—with China about what types of espionage are considered legitimate. And not surprisingly, the U.S. said there was good hacking and back hacking. And the good hacking is the type of hacking that the U.S. tends to do, and the bad hacking is the type of hacking that the Chinese tend to do.
So, basically the argument was, well, all states were going to conduct political and military espionage, but industrial espionage should be beyond the pale. Or if you put it—you can think of it as the way President Obama put it, you can hack into my iPhone to get secrets about what I’m discussing with my Cabinet, but you can’t hack into Apple to get the secrets about how iPhones are made to give to Huawei. There was an agreement formed in 2015, where both sides said they weren’t going to engage in industrial espionage—cyber industrial espionage. For about a year and a half, that agreement seemed to hold. And then it—and then it fell apart. The Chinese are engaged in that activity again. And as a result, the U.S. has once again started indicting Chinese hackers, trying to create—enforce that norm through indictments and naming and shaming.
The U.S. probably also—although I have no evidence of it—has engaged in disrupting Chinese hackers. So we know under the Trump administrationm Cyber Command moved to a more forward-leaning posture, called defending forward or persistent engagement. We’ve heard about some of those operations against Russian or Iranian actors. John Bolton, before he left the NSC, suggested they were getting used against Chinese cyberhackers as well.
So what comes next? And it’s often hard, if not impossible, to end cyber talks on a positive note, but I will try. So I think from a U.S. perspective, clearly the kind of tech pressure, not only of Huawei but on a broader range of companies, is going to continue. The Biden administration has shown no signal that it is going to roll any of that back. And it’s actually expanded it, to more companies working on quantum and other technologies. The Biden administration has worked much more actively than the Trump administration on building alliances around cybersecurity. So in particular, the tech and trade competition group with the Europeans and the quad, with Australia, India, and Japan all have discussions on cybersecurity norms. So how do you actually start imposing them?
Now, where you would hope that the U.S. and China would start talking to each other, again, is where I hope the Biden administration can eventually get to. So there were some very brief discussions in the Obama administration. The Trump administration had one round of talks, but that were not particularly useful. The Chinese were very unwilling to bring people from the People’s Liberation Army to actually kind of talk about operations, and generally were in denial about that they had any cyber forces. But you want both sides really to start talking more about where the threshold for the use of force might be in a cyberattack, right? So if you think about—most of what we’ve seen, as I said, is spying. And so that is kind of the—is below the threshold for use of force or an armed attack, the thing that generally triggers kinetic escalation.
But there’s no general understanding of where that threshold might be. And in particular, during a crisis, let’s stay, in the street or in the South China Sea, you want to have some kind of clarity about where that line might be. Now, I don’t think we’re ever going to get a very clear picture, because both sides are going to want to be able to kind of skate as close to it as possible, but we would certainly want to have a conversation with the Chinese about how we might signal that. Can we have hotlines to discuss those kind of thresholds?
Also, we want to make sure that both sides aren’t targeting each other’s nuclear command and control systems, right, with cyberattacks, because that would make any crisis even worse. There’s some debate about whether the Chinese command and control systems are integrated with civilian systems. So things that the U.S. might go after could then perhaps spillover into the Chinese nuclear system, which would be very risky. So you want to have some talks about that. And then finally, you probably want to talk—because the Chinese open-source writing seems to suggest that they are not as concerned about escalation in cyber as we are. There’s been a lot of debate in the U.S. about if escalation is a risk in cyber. But the Chinese don’t actually seem to think it’s much of a risk. And so it would be very useful to have some discussions on that point as well.
I’ll stop there, Irina, and looking forward to the questions.
FASKIANOS: Thank you, Adam. That was great analysis and overview and specifics.
So we’re going to go first to Babak Salimitari, an undergrad student at the University of California, Irvine. So please be sure to unmute yourself.
Q: I did. Can you guys hear me?
SEGAL: Yeah.
Q: Thank you for doing this. I had a question on the Beijing Olympics that are coming up. Recently the told the athletes to use, like, burner phones because the health apps are for spying, or they’ve got, like, security concerns. What specific concerns do they have regarding those apps, and what do they do?
SEGAL: So I think the concerns are both specific and broad. I think there was a concern that one of the apps that all of the athletes had to download had significant security vulnerabilities. So I think that was a study done by Citizens Lab at the University of Toronto. And it basically said, look, this is a very unsafe app and, as you said, allowed access to health data and other private information, and anyone could probably fairly easily hack that. So, you know, if you’re an athlete or anyone else, you don’t want that private information being exposed to or handled by others.
Then there’s, I think, the broader concern is that probably anybody who connects to a network in China, that’s going to be unsafe. And so, you know, because everyone is using wi-fi in the Chinese Olympics, and those systems are going to be monitored, those—your data is not going to be safe. You know, I’m not all that concerned for most athletes. You know, there’s probably not a lot of reason why Chinese intelligence or police are interested in them. But there are probably athletes who are concerned, for example, about Xinjiang and the treatment of the Uighurs, or, you know, maybe Tibetan activists or other things, and maybe have somewhere in the back of their minds some idea about making statements or making statements when they get back to the U.S. or safer places. And for those people, definitely I would be worried about the risk of surveillance and perhaps using that data for other types of harassment.
FASKIANOS: I’m going to take the written question from Denis Simon, who received two upvotes. And Denis is senior advisor to the president for China affairs and professor of China business and technology.
When you say “they” with respect to Chinese cyber activity, who is “they”? To what extent are there rogue groups and ultranationalists as well as criminals involved?
SEGAL: Yes, Denis, will send me a nasty email if I don’t mention that Denis was my professor. We’re not going to go how many years ago, but when I was at Fletcher. So, and Denis was one of the first people I took—was the first person I took a class on Chinese technology. So, you know, and then I ended up here.
So I think, “they.” So it depends what type of attacks we’re talking about. On the espionage side, cyber espionage side, what we’ve generally seen is that a lot of that was moved from the PLA to the Ministry of State Security. The most recent indictments include some actors that seem to be criminal or at least front organizations. So some technology organizations. We do know that there are, you know, individual hackers in China who will contract their services out. There were in the ’90s a lot of nationalist hacktivist groups, but those have pretty much dissipated except inside of China. So we do see a lot of nationalist trolls and others going after people inside of China, journalists and others, for offending China or other types of violations. So “they” is kind of a whole range of actors depending upon the types of attack we’re talking about.
FASKIANOS: Thank you. So our next question we’re going to take from Terron Adlam, who is an undergraduate student at the University of Delaware. And if you can unmute yourself.
Q: Can you hear me now?
FASKIANOS: Yes.
Q: Hi. Good evening. Yes. So I was wondering, do you think there will be a time were we have net neutrality? Like, we have a peace agreement amongst every nation? Because I feel like, honestly, if Russia, U.S., Mexico, any other country out there that have a problem with each other, this would be, like, there’s rules of war. You don’t biohazard attack another country. Do you think—(audio break)—or otherwise?
SEGAL: So I think it’s very hard to imagine a world where there’s no cyber activity. So there are discussions about can you limit the types of conflict in cyberspace, though the U.N. primarily. And they have started to define some of the rules of the road that are very similar to other international law applying to armed conflict. So the U.S.’ position is essentially that international law applies in cyberspace, and things like the International Humanitarian Law apply in cyberspace. And you can have things like, you know, neutrality, and proportionality, and distinction. But they’re hard to think about in cyber, but we can—that’s what we should be doing. The Chinese and Russians have often argued we need a different type of treaty, that cyber is different.
But given how valuable it seems, at least on the espionage side so far, I don’t think it’s very likely we’ll ever get an agreement where we have no activity in cyberspace. We might get something that says, you know, certain types of targets should be off limits. You shouldn’t go after a hospital, or you shouldn’t go after, you know, health data, things like that. But not a, you know, world peace kind of treaty.
FASKIANOS: Thank you. So I’m going to take the next question from David Woodside at Fordham University. Three upvotes.
What role does North Korea play in U.S.-China cyber discussions? Can you China act outside of cybersecurity agreements through its North Korean ally?
SEGAL: Yeah. I think, you know, like many things with North Korea, the Chinese probably have a great deal of visibility. They have a few levers that they really don’t like using, but not a huge number. So, in particular, if you remember when North Korea hacked Sony and because of the—you know, the movie from Seth Rogan and Franco about the North Korean leader—those hackers seemed to be located in northern China, in Shenyang. So there was some sense that the Chinese probably could have, you know, controlled that. Since then, we have seen a migration of North Korean operators out of kind of north China. They now operate out of India, and Malaysia, and some other places. Also, Russia helped build another cable to North Korea, so the North Koreans are not as dependent on China.
I think it’s very unlikely that the Chinese would kind of use North Korean proxies. I think the trust is very low of North Korean operators that they would, you know, have China’s interest in mind or that they might not overstep, that they would bring a great deal of kind of blowback to China there. So there’s been very little kind of—I would say kind of looking the other way earlier in much of North Korea’s actions. These days, I think probably less.
FASKIANOS: Thank you. I’m going to take the next question from Joan Kaufman at Harvard University. And if you can unmute yourself.
Q: Yes. Thank you very much. I’m also with the Schwarzman Scholars program, the academic director.
And I wanted to ask a follow up on your point about internet sovereignty. And, you know, the larger global governance bodies and mechanisms for, you know, internet governance and, you know, China’s role therein. I know China’s taken a much more muscular stance on, you know, the sovereignty issue, and justification for firewalls. So there’s a lot—there are a lot of countries that are sort of in the me too, you know, movement behind that, who do want to restrict the internet. So I just—could you give us a little update on what’s the status of that, versus, like, the Net Mundial people, who call for the total openness of the internet. And where is China in that space? How much influence does it have? And is it really—do you think the rules of the road are going to change in any significant way as a result of that?
SEGAL: Yeah. So, you know, I think in some ways actually China has been less vocal about the phrase “cyber sovereignty.” The Wuzhen Internet Conference, which is kind of—China developed as a separate platform for promoting its ideas—you don’t see the phrase used as much, although the Chinese are still interjecting it, as we mentioned, in lots of kind of U.N. documents and other ideas. I think partly they don’t—they don’t promote as much because they don’t have to, because the idea of cyber sovereignty is now pretty widely accepted. And I don’t think it’s because of Chinese actions. I think it’s because there is widespread distrust and dissatisfaction with the internet that, you know, spans all types of regime types, right?
Just look at any country, including the United States. We’re having a debate about how free and open the internet should be, what role firms should play in content moderation, should the government be allowed to take things down? You know, we’ve seen lots of countries passing fake news or online content moderation laws. There’s a lot of concern about data localization that countries are doing because of purported economic or law enforcement reasons. So I don’t think the Chinese really have to push cyber sovereignty that much because it is very attractive to lots of countries for specific reasons.
Now, there is still, I think, a lot of engagement China has with other countries around what we would call cyber sovereignty, because China—countries know that, you know, China both has the experience with it, and will help pay for it. So certainly around the Belt and Road Initiative and other developing economies we do see, you know, the Chinese doing training of people on media management, or online management. There was this story just last week about, you know, Cambodia’s internet looking more like the Chinese internet. We know Vietnam copied part of their cybersecurity law from the Chinese law. A story maybe two years ago about Huawei helping in Zambia and Zimbabwe, if I remember correctly, in surveilling opposition members.
So I think China, you know, still remains a big force around it. I think the idea still is cyber sovereignty. I just don’t think we see the phrase anymore. And I think there’s lots of demand pulls. Not China pushing it on other countries, I think lots of countries have decided, yeah, of course we’re going to regulate the internet.
FASKIANOS: Thank you. Next question, from Ken Mayers, senior adjunct professor of history and political science at St. Francis College.
Following up on Denis Simon’s question, to what extent to Chinese state actors and U.S. state actors share concerns about asymmetric threats to cybersecurity? Is there common ground for discussion? And I’m going to—actually, I’ll stop there, because—
SEGAL: All right. So I’m going to interpret asymmetric threats meaning kind of cyber threats from other actors, meaning kind of nonstate or terrorist actors, or criminal actors. So I think there could be a shared interest. It’s very hard to operationalize. Probably about six or seven years ago I wrote a piece with a Chinese scholar that said, yes, of course we have a shared interest in preventing the proliferation of these weapons to terrorist actors and nonstate actors. But then it was very hard to figure out how you would share that information without exposing yourself to other types of attacks, or perhaps empowering your potential adversary.
On cyber—for example, on ransomware, you would actually expect there could be some shared interest, since the Chinese have been victims of a fair number of Russian ransomware attacks. But given the close relationship between Putin and Xi these days, it’s hard to imagine that the U.S. and China are going to gang up on Russia on ransomware. So, again, I think there could be, it’s just very hard to operationalize.
FASKIANOS: Great. Thank you. So just to follow on from Skyler Duggan, who is an undergraduate at the University of Waterloo. Likewise, to these questions, how do we differentiate individual criminal groups from the state? And how can we be sure this isn’t China just trying to abdicate—or, one party, he doesn’t specify, trying to abdicate the responsibility?
SEGAL: Yeah, I think—because there’s—one of the challenges faced by the U.S. and other liberal democracies is that we tend to primarily keep a fairly tight legal control over the cyber operations. They tend to be, you know, intelligence operations or military operations. So Title 10 or Title 50. There’s kind of a whole set of legal norms around it. The U.S. does not rely on proxy actors. And other, you know, liberal democracies tend to don’t. And U.S. adversaries in this space tend to do so. We know Iran does. We know Russia does. We know China does, although less than the others.
Now according to this discussion group that I mentioned before at the U.N., the group of—what’s called the group of government experts, one of the norms that all the actors agreed upon was the norm of state responsibility, which is a common one in international law, that you are responsible for whatever happens in your territory. So using proxies should not, you know, be able to give you an out. You shouldn’t be able to say, well, it’s happening from our territory, we just—you know, we don’t know who they are and we can’t control them. But, you know, in operation that norm is being fairly widely ignored.
Now, the other problem, of course, is the—is how do you actually decide who the actor is, the attribution problem, right? So here, you know, a lot of people are basically saying, well, we have to rely on the U.S. or the U.K. or others to say, well, you know, we say it’s these actors, and how do we know—how do we know for sure? Now, attribution is not as hard as we once thought it was going to be. When I first, you know, started doing the research for the book that Irina mentioned, attribution was considered, you know, a pretty big challenge. But now, you know, there’s a fairly high expectation that the U.S. will be able to eventually identify who’s behind an attack. Now, it may take some time. And we may not be able to completely identify who ordered the attack, which is, you know, as you mentioned, the problem with the proxies.
But it’s not—it’s also not completely reliant on digital clearances. It’s not just the code or the language of the keyboard. All those things can be manipulated, don’t necessarily give you proof. Lots of time the U.S. is pulling in other intelligence—like, human intelligence, signals intelligence, other types of gathering. So, you know, part of it is how much do we believe the attribution, and then how much of it is—you know, what can you do with it afterwards? And, you know, I don’t think the proxy problem is going to go away.
FASKIANOS: Great. So I’m going next to Tim Hofmockel’s question. It’s gotten seven upvotes. He’s a graduate student at Georgetown University.
To flip Denis Simon’s question: Who should the “we” be? To what extent should the U.S. intelligence community and the Department of Defense cooperate on offensive cyber operations? And how would we signal our intentions in a crisis given the overlap in authorities between the intelligence community and DOD?
SEGAL: Yeah. I mean, so right now NSA and Cyber Command are dual hatted, meaning that one person is in charge of both of them, General Nakasone. So to some extent that could theoretically help deconflict between kind of intelligence gathering, offensive operations, and kind of signaling to the Chinese. But it’s unclear. It’s very—signaling in cyber so far seems to be kind of developing and unknown. That seems to be one of the big theories between the U.S. taking these more kinds of operations and, in fact, kind of bringing the fight to the Chinese is a very kind of sociological understanding of deterrence is that over time both sides will kind of understand where those red lines are by engaging and seeing where they’re acting.
You know, others have talked about could you create some kind of watermark on the actual attack or vulnerability, so that the—you know, you might discover some type of malware in your system and there’d be like a little, you know, NFT, maybe, of sorts, that says, you know, the U.S. government was here. We’re warning you not to do this thing. You know, a lot of these have, you know, kind of technical problems. But the question of signaling I think is really hard, and that’s part of the reason why, you know, I think these discussions are so important, that at least we have a sense that we’re talking about the same types of things, and the same general set of tools. But I think probably through cyber signaling is going to be really hard. It’s going to be mostly other types of signaling.
FASKIANOS: Next question from Maryalice Mazzara. She’s the director of educational programs at the State University of New York’s Office of Global Affairs.
How can people who are working with China and have a very positive relationship with China balance the issues of cybersecurity with the work we are doing? Are there some positive approaches we can take with our Chinese colleagues in addressing these concerns?
SEGAL: Good question, Ali. How are you?
So I guess it’s very—so I do think there are forward-looking things that we can talk about. You know, several of the questions have asked, are there shared interests here? And I do think there are shared interests. You know, you we mentioned the proliferation one. We mentioned the nonstate actors. You know, there is a lot of language in the most recent statement from the Chinese government about—you know, that the internet should be democratic and open. I don’t think they mean it in the same way that we do, but we can, I think, certainly use that language to have discussions about it and hope push to those sides. But I think it is hard because it is—you know, partly because government choices, right? The U.S. government chooses to attribute lots of attacks to China and be very public about it. Chinese for the most part don’t attribute attacks, and don’t—they talk about the U.S. as being the biggest threat in cyberspace, and call the U.S. The Matrix and the most, you know, damaging force in cyberspace. But for the most part, don’t call out specific actors.
So they kind of view it—the Chinese side is often in a kind of defensive crouch, basically saying, you know, who are you to judge us, and you guys are hypocrites, and everything else. So I think there are lots of reasons that make it hard. I think probably the way to do it is to try to look forward to these shared interests and this idea that we all benefitted immensely from a global internet. We now have different views of how open that internet should be. But I think we still want to maintain—the most remarkable thing about it is that we can, you know, still communicate with people around the world, we can still learn from people around the world, we can still draw information, most information, from around the world. And we want to, you know, keep that, which is a—which is—you know, not to use a Chinese phrase—but is a win-win for everybody.
FASKIANOS: Great. I see a raised hand from Austin Oaks. And I can’t get my roster up fast enough, so, Austin, if you can unmute and identify yourself.
Q: So I’m Austin Oaks. And I come from the University of Wisconsin at Whitewater.
And I used to live in Guangdong province in China. And I used to go visit Hong Kong and Macau, more Hong Kong, very often. And Hong Kong has this very free internet, which China doesn’t particularly like. Macau tends to be more submissive to Beijing rather than Hong Kong does. But Chinese government has kind of started to put in people in the Hong Kong government to kind of sway the government into Beijing’s orbit more. So then how—so what is China doing in the cyberspace world for both of its separate administrative regions? Because one is a lot easier to control than the other.
SEGAL: Yeah. So I think the idea of Hong Kong’s internet being independent and free is—it’s pretty much ending, right? So the national security law covers Hong Kong and allows the government to increasingly censor and filter and arrest people for what they are posting. We saw pressure on U.S. companies to handover data of some users. A lot of the U.S. companies say they’re going to move their headquarters or personnel out of Hong Kong because of those concerns. So, you know, it certainly is more open than the mainland is, but I think long-term trends are clearly pretty negative for Hong Kong. I expect Macau is the same direction, but as you mentioned, you know, the politics of Macau is just so much different from Hong Kong that it’s less of a concern for the Chinese.
FASKIANOS: Thank you. I’m going to take the next written question from Robert Harrison, a law student at Washburn University School of Law.
My understanding is that there have been significant thefts of American small and medium-size business intellectual property by Chinese-based actors. This theft/transfer of knowledge may reduce the competitive edge from the original property holder. Are there any current efforts to curb IP thefts? Any ongoing analysis of the Belt and Road Initiative to evaluate the use of IP acquired by theft?
SEGAL: Yeah. So, you know, as I mentioned, the U.S. tried to reach this agreement with China on the IP theft challenge. China held to it for about a year, and then essentially kind of went back to it. It’s been very hard to quantify the actual impact of what the theft has been. You know, there are numbers thrown around, a certain percent of GDP, or 250 billion (dollars) a year. There is what’s called the IP Commission, which is run out of the National Bureau of Asia Research that has been updating its report.
But it’s very hard because, you know, a lot of the knowledge and data that’s stolen is tacit knowledge. Or, you know, is actual blueprints or IP, but they don’t have the tactic knowledge. So you can have the blueprints, but it’s then hard to turn from that to an actual product. And it’s hard in the civilian space to kind of track lots of products that seem stolen from U.S. products, as opposed to—on the military side you can look at, oh, here’s the Chinese stealth jet. It looks a lot like the U.S. stealth jet. Now, this could be physics. It could be intellectual property theft. But it’s harder on the commercial side to kind of put a number on it and see what the impact is. Although clearly, it’s had an impact.
We do know that Chinese operators, you know, go after other targets other than the U.S., right? So they certainly go—are active in Europe. We’ve seen them in Southeast Asia. Most of that is probably political espionage, not as much industrial espionage. Although, there has been—has been some. I don’t know of any specific cases where we can point to anything along the Belt and Road Initiative that, you know, seems in and of itself the outcome of IP theft.
FASKIANOS: I’m going to take a written question from Caroline Wagner, who is the Milton and Roslyn Wolf chair in international affairs at Ohio State University.
Chinese actors seem to have incredibly pervasive links to track online discussions critical of China. Are these mostly bots, or are there human actors behind them?
SEGAL: So I’m going to interpret that to me for the net outside of China. So, yes. I think what we’re learning is there’s several things going on. Part of it is bots. So they have, you know, a number of bots that are triggered by certain phrases. Some of it is human, but increasingly probably a lot of it is machine learning. So there was a story maybe last month in the Post, if I remember it correctly, about, you know, Chinese analytical software data companies offering their services to local Ministry of State Security to basically kind of scrape and monitor U.S. platforms. And that is primarily going to be done through, you know, machine learning, and maybe a little human operations as well.
FASKIANOS: Thank you. And this is a bit of a follow-on, and then I’ll go to more. William Weeks, who is an undergraduate at Arizona State University asks: What role does unsupervised machine learning play in China’s cyberspace strategy?
SEGAL: Yeah, it’s a good question. I don’t have a lot of details. You know, like everybody else there, they are going to start using it on defense. It is a big push on what’s called military-civil fusion. You know, we know that they are trying to pull in from the private sector on AI, both for the defense and the offense side. But right now, all I can give you is kind of general speculation about how actors think about offense and defense with ML and AI. Not a lot of specifics from the Chinese here.
FASKIANOS: Thank you. OK, Morton Holbrook, who’s at Kentucky Wesleyan College.
Q: Yes. Following up on your comment about Hong Kong, about U.S. companies reconsidering their presence due to internet controls, what about U.S. companies in China and Beijing and Shanghai? Do you see a similar trend there regarding internet controls, or regarding IPR theft?
SEGAL: I think, you know, almost all firms that have been in China, this has been a constant issue for them. So it’s not particularly new. I think almost all of them have, you know, made decisions both about how to protect their intellectual property theft—intellectual property from theft, and how to maintain connections to the outside, to make them harder. You know, VPNs were fairly widely used. Now they’re more tightly regulated. We know that the Chinese actually can attack VPNs. So it think, you know, those issues have been constant irritants. I think, you know, COVID and the lack of travel, the worry about getting kind of caught up in nationalist backlashes online to, you know, Xinjiang issues or if you refer to Taiwan incorrectly, those are probably higher concerns right now than these kind of more constant concerns about cyber and IP.
FASKIANOS: Thank you. Anson Wang, who’s an undergraduate at the University of Waterloo. We have three upvotes. Is China considered the major threat to the U.S. hegemony because China is actively trying to replace the U.S. as the new global hegemon? Or simply because China is on a trajectory to get there, without or without their active intention in involving other countries’ internal politics, the same way that the U.S. does?
SEGAL: Yeah. So I think this is a—you know, a larger question about what China wants in the world. And do we—you know, we do we think it has a plan or ideology of replacing the U.S.? And does it want—or, would it be happen even with regional dominance? Does it just want to block U.S. interest and others? It’s a big debate. You know, lots of people have contrasting views on where they think China is coming. I’ll just use the cyber example. And I think here, you know, the Chinese started with wanting to block the U.S., and prevent the U.S. from criticizing China, and protect itself. I don’t think it had any desire to reshape the global internet.
But I think that’s changed. I think under Xi Jinping they really want to change the definitions of what people think the state should do in this space. I think they want to change the shape of the internet. I don’t think they want to spread their model to every country, but if you want to build their model they’re certainly welcome to help you. And they don’t mind pushing, perhaps highlighting, in some cases exploiting the weaknesses they see in the U.S. as well.
FASKIANOS: OK. Thank you. I’m going to go to Helen You, who’s a student at NYU. It appears that governments are reluctant to restrict their cyber capabilities because they fundamentally do not want to limit their own freedom to launch cyberattacks. As a result, countries fail to follow voluntary norms on what is permissible in cyberspace. To what extent are industry standards influencing international cybersecurity norms? And what incentives would need to be in place to move these conversations forward?
SEGAL: Yeah, that’s a great point. I mean, I think that’s one of the reasons why we haven’t seen a lot of progress, is because states don’t have a lot of reason to stop doing it. The costs are low, and the benefits seem to be high. Now, I understand your question in two separate ways. One, there is a kind of private attempt to push these norms, and basically arguing that states are going too slow. Part of that was promoted by Microsoft, the company, right? So it promoted the idea of what they were calling the Digital Geneva Convention, and then they have been involved in what’s now known as the Paris Accords that define some of these rules, that the U.S. just signed onto, and some other states have signed onto.
But again, the norms are pretty vague, and haven’t seemed to have that much effect. There’s a thing called the cybersecurity—Global Cybersecurity Stability Commission that the Dutch government helped fund but was mainly through think tanks and academics. It also has a list of norms. So there is a kind of norm entrepreneurship going on. And those ideas are slowly kind of bubbling out there. But you need to see changes in the state to get there. That’s when we know that norms matter. And that we really haven’t seen.
On the—there is a lot of work, of course, going on, on the standards of cybersecurity, and what companies should do, how they should be defined. And that happens both domestically and internationally. And of course, the companies are very involved in that. And, you know, that is much further, right? Because that has to do about regulation inside of markets, although there’s still, you know, a fair amount of difference between the U.S. and EU and other close economies about how those standards should be defined, who should do the defining, how they should be implemented.
FASKIANOS: Thank you. I’m going to take group two questions from Dr. Mursel Dogrul of the Turkish National Defense University. In a most recent article we focused on the blockchain literature expansion of superpowers. In terms of publications and citations, China clearly outperformed the United States and Russia. Do you believe the technological advancement will have an impact on the cybersecurity race? And the Michael Trevett—I don’t have an affiliation—wanted you to speak a little bit more about the cyber triangle with Russia. How are China and Russia coordinating and cooperating?
SEGAL: Yeah. So the first question, you know, clearly, as I have briefly mentioned in my opening comments, that the Chinese are pushing very hard on the technologies they think are going to be critical to the—to the future competition in this space—blockchain, quantum, AI. The Chinese have made a lot of advances on quantum communication and quantum key distribution. Probably behind the U.S. on quantum computing, but it’s hard to say for sure. And blockchain is a space the Chinese have developed some usages and are rolling some test cases out on the security side and the internet platforming side.
On the China-Russia question, so closer cooperation. Most of it has been around cyber sovereignty, and the ideas of kind of global governance of cyberspace. The Chinese were, you know, pretty helpful at the beginning stages, when Russia started using more technological means to censoring and controlling the Russian internet. So helping kind of build some of the—or, export some of the technologies used in the China great firewall, that the Russians could help develop. Russia is pretty much all-in with Huawei on 5G. And so a lot of cooperation there. Although, the Russians are also worried about, you know, Chinese espionage from Russian technology and other secrets.
They did sign a nonaggression cyber pact between the two, but both sides continue to hack each other and steal each other’s secrets. And have not seen any evidence of cooperation on the operations side, on intelligence. with them doing more and more military exercises together, I would suspect we would perhaps start seeing some suggestion that they were coordinating on the military side in cyber. But the last time I looked, I didn’t really see any—I did not see any analysis of that.
FASKIANOS: Thank you. Next question from Jeffrey Rosensweig, who is the director of the program for business and public policy at Emory University.
Q: Adam, I wonder if you could fit India in here anywhere you would like to? Because it think it’ll be the other great economy of the future.
SEGAL: Yeah. So India’s a—you know, a really interesting actor in this space, right? So, you know, India basically think that it has two major cyber threats—Pakistan, and China being the other. China, you know, was reportedly behind some of the blackouts in Mumbai after the border clash. I am somewhat skeptical about reporting, but it’s certainly a possibility, and there’s no reason to doubt the Chinese have been mapping critical infrastructure there. India pushed back on TikTok and ByteDance. You know, also concerns about data control and other things. There is a long history of kind of going back and forth on Huawei. The intelligence agency has not really wanted to use, but others wanting to help, you know, bridge the digital divide and build out pretty quickly. India right now is talking about its own type of 5G.
But from a U.S. perspective, you know, I think the most important thing—and this is often how India comes up—is that, you know, we want India to be an amplifier, promoter of a lot of these norms on cyber governance, because it is a, you know, developing, multiethnic, multiparty democracy. And so we want it just not to be the U.S.’ voice. Now, India’s a pretty complicated, difficult messenger for those things these days, right? India leads the world in internet shutdowns, and we’ve seen a lot of harassment of opposition leaders and other people who are opposed to Modi. So it’s not going to be easy. But I think the U.S. for a long time has hoped that we could forge a greater understanding on the cyber side with India.
FASKIANOS: Great. I’m going to take the next question from Michael O’Hara, who is a professor at the U.S. Naval War College. And I’m going to shorten it.
He asks about China’s fourteenth five-year plan, from 2021 to 2025. It includes a section titled “Accelerate digitalization-based development and construct a digital China.” Do you see their five-year plan as a useful way for thinking about Chinese future in cyberspace?
SEGAL: Yes. So we’re on the same page, the digital plan came out two or three weeks ago. It was just translated. Yeah, I mean, the plan is useful. Like, all Chinese plans are useful in the sense that it certainly gives us clear thinking about the direction that China wants to go, and the importance it puts on a topic. You know, the implementation and bureaucratic obstacles and all those other things are going to play a role. But as I mentioned, I think, you know, the Chinese economy is becoming increasingly digitalized. And in particular, they want to digitize, you know, more and more of the manufacturing sector and transportation, mining, other sectors that are traditionally not, you know, thought of as being digital, but the Chinese really want to move into that space.
Now, from a cybersecurity perspective, that, you know, raises a whole range of new vulnerabilities and security issues. And so I think that’s going to be very high on their thinking. And just today I tweeted a story that they held a meeting on thinking about cybersecurity in the metaverse. So, you know, they’re looking forward, and cybersecurity is going to be a very high concern of people.
FASKIANOS: Well, we couldn’t have the Naval Academy without the U.S. Air Force Academy. So, Chris Miller, you wrote your question, but you’ve also raised your hand. So I’m going to ask to have you articulate it yourself.
Q: Well, actually, I changed questions, Irina. Adam, thank you.
FASKIANOS: Oh, OK. (Laughs.) But still, the Air Force Academy.
Q: So two quick questions. I’ll combine them. One is: I’m curious how you see the new cyber director—national cyber director’s role changing this dynamic, if it at all, or changing the parts of it on our side of the Pacific that we care about. And second of all, curious how you see China viewing the Taiwanese infrastructure that they probably desire, whether or not they eventually take it by force or by persuasion.
SEGAL: Yeah. So I don’t think the NCD changes the dynamic very much. You know, I think there’s lots of—you know, everyone is watching to see how the NCD and the National Security Council, and CISA, the Cybersecurity Infrastructure and Security Agency, work out the responsibilities among the three of them, which will have an impact, you know, of making us more secure. And, you know, Chris Inglis, the head of the NCD has given lots of talks about how they’re going to manage and work together. And I think we’re beginning to see some signs of that. But I think that’s probably the most direct impact it’ll have on the dynamic.
Your second question, you know, I think primarily is about, you know, Taiwan Semiconductor. And, you know, do the Chinese eventually decide, well, chips are so important, and the U.S. is working so hard to cut us off, that, you know, for all the other reasons that we might want to see Taiwan, you know, that one is going to get moved up? You know, I think it’s a possibility. I think it’s a very low possibility. I do think we don’t know what the red lines are on the tech war, right? You know, there’s been talk about cutting off SMIC, the Shanghai manufacturer of integrated circuits, are also a very important company to the Chinese. Would that push the Chinese to do more aggressive or assertive things in this space? You know, what is it that we do in that space that eventually pulls them out?
But I think it’s very hard—(audio break)—that they could capture TSMC in a shape that would be useful. Am I breaking up?
FASKIANOS: Just a little bit, but it was fine. We have you now.
SEGAL: Yeah. That you could capture TSMC in a shape that would be useful, right? I mean, there was that piece, I think, that was written by an Army person, maybe in Parameters, that, you know, the U.S. and Taiwan’s plan should be basically just to—you know, to sabotage TSMC in case there’s any invasion, and make that clear that that’s what it’s going to do. But even without that risk, you’re still dealing—you know, any damage and then, flight of people outside of Taiwan, because the Taiwanese engineers are really important. So it would be very high risk, I think, that they could capture it and then use it.
FASKIANOS: Thank you. Well, I am sorry that we couldn’t get to all the questions, but this has been a great conversation. Adam Segal, thank you very much for being with us. You know, you’re such a great resource. I’m going to task you after this, there was a question from Andrew Moore at the University of Kansas about other resources and books that you would suggest to learn more about China and cybersecurity. So I’m going to get—come to you after this for a few suggestions, which we will send out to the group along with the link to this video and the transcript. So, Andrew, we will get back to you and share with everybody else.
And so, again, you can follow Dr. Segal on Twitter at @adschina. Is that correct, Adam?
SEGAL: That’s right.
FASKIANOS: OK. And also sign up for—to receive blog alerts for Net Politics you can go to CFR.org for that. Our next webinar will be on Wednesday, February 9, at 1:00 p.m. Eastern Time. And we’re excited to have Patrick Dennis Duddy, director of the Center for Latin American and Caribbean Studies at Duke, to talk about democracy in Latin America. So thank you for being with us. You can follow us on Twitter at @CFR_Academic. Visit CFR.org, foreignaffairs.com and ThinkGlobalHealth.org for new research and analysis on other global issues. And again, Adam, thank you very much for being with us. We appreciate it.
SEGAL: My pleasure.
FASKIANOS: Take care.
FASKIANOS: Welcome to the first session of the Winter/Spring 2022 CFR Academic Webinar Series. I’m Irina Faskianos, vice president of the National Program and Outreach here at CFR. Today’s discussion is on the record, and the video and transcript will be available on our website, CFR.org/academic. As always, CFR takes no institutional positions on matters of policy.
We are delighted to have Adam Segal with us to discuss cyberspace and U.S.-China relations. Adam Segal is CFR’s Ira A. Lipman chair in emerging technologies and national security and director of the Council’s Digital and Cyberspace Policy program. Previously, he served as an arms control analyst for the China Project at the Union of Concerned Scientists. He has been a visiting scholar at Stanford University’s Hoover Institution, MIT’s Center for International Studies, the Shanghai Academy of Social Sciences, and Tsinghua University in Beijing. And he’s taught courses at Vassar College and Columbia University. Dr. Segal currently writes for the CFR blog, Net Politics—you should all sign up for those alerts, if you haven’t already. And he is the author several books, including his latest, The Hacked World Order: How Nations Fight, Trade, Maneuver, and Manipulate in the Digital Age. So, Adam, thanks very much for being with us.
We can begin with a very broad brush at cyberspace, the role cyberspace plays in U.S.-China relations, and have you make a few comments on the salient points. And then we’ll open it up to the group for questions.
SEGAL: Great. Irina, thanks very much. And thanks, everyone, for joining us this afternoon. I’m looking forward to the questions and the discussion.
So broadly, I’m going to argue that the U.S. and China have the most far-reaching competition in cyberspace of any countries. And that competition goes all the way from the chip level to the rules of the road. So global governance all the way down the to the chips that we have in all of our phones. Coincidentally, and nicely timed, last week the Washington Post did a survey of their network of cyber experts about who was the greater threat to the United States, China or Russia. And it was actually almost exactly evenly split—forty to thirty-nine. But I, not surprisingly, fell into the China school. And my thinking is caught very nicely by a quote from Rob Joyce, who’s a director at the National Security Agency, that Russia is like a hurricane while China is like climate change. So Russia causes sudden, kind of unpredictable damage. But China represents a long-term strategic threat.
When we think about cyberspace, I think it’s good to think about why it matters to both sides. And on the Chinese side, I think there are four primary concerns. The first is domestic stability, right? So China is worried that the outside internet will influence domestic stability and regime legitimacy. And so that’s why it’s built an incredibly sophisticated system for controlling information inside of China that relies both on technology, and intermediate liability, and other types of regulation. China is worried about technological dependence on other players, in particular the U.S., for semiconductors, network equipment, and other technologies. And they see cybersecurity as a way of reducing that technology.
China has legitimate cybersecurity concerns like every other country. They’re worried about attacks on their networks. And the Snowden revelations from the—Edward Snowden, the former NSA contractor—show that the U.S. has significant cyber capabilities, and it has attacked and exploited vulnerabilities inside of China. And while the Chinese might have used to think that they were less vulnerable to cyberattacks given the shape of the Chinese network in the past, I think that probably changed around 2014-2015, especially as the Chinese economy has become increasingly dependent on ecommerce and digital technology. It’s now—GDP is about a third dependent on digital technology. So they’re worried about the same types of attacks the United States is worried about. And then, fourth and finally, China does not want the United States to be able to kind of define the rules of the road globally on cyber, create containing alliances around digital or cyber issues, and wants to constrain the ability of the U.S. to freely maneuver in cyberspace.
Those are China’s views. The U.S. has stated that it’s working for a free, open, global, and interoperable internet, or an interoperable cyberspace. But when it looks at China, it has a number of specific concerns. The first is Chinese cyber operations, in particular Chinese espionage, and in particular from that Chinese industrial espionage, right? So the Chinese are known for being the most prolific operators, stealing intellectual property. But they’re also hacking into political networks, going after think tanks, hacking activists—Uighur activists, Tibetan activists, Taiwanese independence activists. We know they’re entering into networks to prepare the battlefield, right, so to map critical infrastructure in case there is a kinetic conflict with the United States—perhaps in the South China Sea or over the Taiwan Strait—and they want to be able to deter the U.S., or perhaps cause destructive attacks on the U.S. homeland, or U.S. bases in South Korea, or Japan.
The U.S. is also extremely concerned about the global expansion of Chinese tech firms and Chinese platforms, for the collection of data, right? The U.S. exploited the globalization of U.S. tech firms. Again, that was something that we learned from the Snowden documents, that the U.S. both had legal and extralegal measures to be able to get data from users all around the world because of their knowledge of and relationship to U.S. tech firms. And there’s no reason to believe that the Chinese will not do the same. Now, we hear a lot about, you know, Huawei and the national intelligence law in China that seems to require Chinese companies to turnover data. But it would be very hard to believe that the Chinese would not want to do the same thing that the U.S. has done, which is exploit these tech platforms.
And then finally, there is increasingly a framing of this debate as one over values or ideology, right? That democracies use cybertechnologies or digital technologies in a different way than China does. China’s promoting digital authoritarianism, that has to do about control of information as well as surveillance. And the U.S. has really pushed back and said, you know, democracies have to describe how we’re going to use these technologies. Now, the competition has played itself out both domestically and internationally. The Chinese have been incredibly active domestically. Xi Jinping declared that cybersecurity was national security. He took control of a small leadership group that became a separate commission. The Cyberspace Administration of China was established and given lots of powers on regulating cybersecurity. We had a creation of three important laws—the cybersecurity law, the data security law, and the private—personal information protection law.
We see China pushing very hard on specific technologies they think are going to be important for this competition, especially AI and quantum. And we see China pushing diplomatically, partly through the idea of what’s called cyber-sovereignty. So not the idea that internet is free and open and should be somewhat free from government regulation, but instead that cyberspace, like every other space, is going to be regulated, and that states should be free to do it as they see fit, as fits their own political and social characteristics, and they should not be criticized by other states. They promoted this view through U.N. organizations in particular. And they’ve been working with the Russians to have a kind of treaty on information and communication technologies that would include not only cybersecurity, but their concerns about content and the free flow of information.
The U.S. right now is essentially continuing a policy that was started under the Trump administration. So part of that is to try and stop the flow of technology to Chinese firms, and in particular to handicap and damage Huawei, the Chinese telecom supplier, to put pressure on friends to not use Huawei. But the most important thing it did was put Huawei on an entity list, which cut it off from semiconductors, most importantly from Taiwan Semiconductor, which has really hurt the Huawei of products. The U.S. tried to come to an agreement about—with China about what types of espionage are considered legitimate. And not surprisingly, the U.S. said there was good hacking and back hacking. And the good hacking is the type of hacking that the U.S. tends to do, and the bad hacking is the type of hacking that the Chinese tend to do.
So, basically the argument was, well, all states were going to conduct political and military espionage, but industrial espionage should be beyond the pale. Or if you put it—you can think of it as the way President Obama put it, you can hack into my iPhone to get secrets about what I’m discussing with my Cabinet, but you can’t hack into Apple to get the secrets about how iPhones are made to give to Huawei. There was an agreement formed in 2015, where both sides said they weren’t going to engage in industrial espionage—cyber industrial espionage. For about a year and a half, that agreement seemed to hold. And then it—and then it fell apart. The Chinese are engaged in that activity again. And as a result, the U.S. has once again started indicting Chinese hackers, trying to create—enforce that norm through indictments and naming and shaming.
The U.S. probably also—although I have no evidence of it—has engaged in disrupting Chinese hackers. So we know under the Trump administrationm Cyber Command moved to a more forward-leaning posture, called defending forward or persistent engagement. We’ve heard about some of those operations against Russian or Iranian actors. John Bolton, before he left the NSC, suggested they were getting used against Chinese cyberhackers as well.
So what comes next? And it’s often hard, if not impossible, to end cyber talks on a positive note, but I will try. So I think from a U.S. perspective, clearly the kind of tech pressure, not only of Huawei but on a broader range of companies, is going to continue. The Biden administration has shown no signal that it is going to roll any of that back. And it’s actually expanded it, to more companies working on quantum and other technologies. The Biden administration has worked much more actively than the Trump administration on building alliances around cybersecurity. So in particular, the tech and trade competition group with the Europeans and the quad, with Australia, India, and Japan all have discussions on cybersecurity norms. So how do you actually start imposing them?
Now, where you would hope that the U.S. and China would start talking to each other, again, is where I hope the Biden administration can eventually get to. So there were some very brief discussions in the Obama administration. The Trump administration had one round of talks, but that were not particularly useful. The Chinese were very unwilling to bring people from the People’s Liberation Army to actually kind of talk about operations, and generally were in denial about that they had any cyber forces. But you want both sides really to start talking more about where the threshold for the use of force might be in a cyberattack, right? So if you think about—most of what we’ve seen, as I said, is spying. And so that is kind of the—is below the threshold for use of force or an armed attack, the thing that generally triggers kinetic escalation.
But there’s no general understanding of where that threshold might be. And in particular, during a crisis, let’s stay, in the street or in the South China Sea, you want to have some kind of clarity about where that line might be. Now, I don’t think we’re ever going to get a very clear picture, because both sides are going to want to be able to kind of skate as close to it as possible, but we would certainly want to have a conversation with the Chinese about how we might signal that. Can we have hotlines to discuss those kind of thresholds?
Also, we want to make sure that both sides aren’t targeting each other’s nuclear command and control systems, right, with cyberattacks, because that would make any crisis even worse. There’s some debate about whether the Chinese command and control systems are integrated with civilian systems. So things that the U.S. might go after could then perhaps spillover into the Chinese nuclear system, which would be very risky. So you want to have some talks about that. And then finally, you probably want to talk—because the Chinese open-source writing seems to suggest that they are not as concerned about escalation in cyber as we are. There’s been a lot of debate in the U.S. about if escalation is a risk in cyber. But the Chinese don’t actually seem to think it’s much of a risk. And so it would be very useful to have some discussions on that point as well.
I’ll stop there, Irina, and looking forward to the questions.
FASKIANOS: Thank you, Adam. That was great analysis and overview and specifics.
So we’re going to go first to Babak Salimitari, an undergrad student at the University of California, Irvine. So please be sure to unmute yourself.
Q: I did. Can you guys hear me?
SEGAL: Yeah.
Q: Thank you for doing this. I had a question on the Beijing Olympics that are coming up. Recently the told the athletes to use, like, burner phones because the health apps are for spying, or they’ve got, like, security concerns. What specific concerns do they have regarding those apps, and what do they do?
SEGAL: So I think the concerns are both specific and broad. I think there was a concern that one of the apps that all of the athletes had to download had significant security vulnerabilities. So I think that was a study done by Citizens Lab at the University of Toronto. And it basically said, look, this is a very unsafe app and, as you said, allowed access to health data and other private information, and anyone could probably fairly easily hack that. So, you know, if you’re an athlete or anyone else, you don’t want that private information being exposed to or handled by others.
Then there’s, I think, the broader concern is that probably anybody who connects to a network in China, that’s going to be unsafe. And so, you know, because everyone is using wi-fi in the Chinese Olympics, and those systems are going to be monitored, those—your data is not going to be safe. You know, I’m not all that concerned for most athletes. You know, there’s probably not a lot of reason why Chinese intelligence or police are interested in them. But there are probably athletes who are concerned, for example, about Xinjiang and the treatment of the Uighurs, or, you know, maybe Tibetan activists or other things, and maybe have somewhere in the back of their minds some idea about making statements or making statements when they get back to the U.S. or safer places. And for those people, definitely I would be worried about the risk of surveillance and perhaps using that data for other types of harassment.
FASKIANOS: I’m going to take the written question from Denis Simon, who received two upvotes. And Denis is senior advisor to the president for China affairs and professor of China business and technology.
When you say “they” with respect to Chinese cyber activity, who is “they”? To what extent are there rogue groups and ultranationalists as well as criminals involved?
SEGAL: Yes, Denis, will send me a nasty email if I don’t mention that Denis was my professor. We’re not going to go how many years ago, but when I was at Fletcher. So, and Denis was one of the first people I took—was the first person I took a class on Chinese technology. So, you know, and then I ended up here.
So I think, “they.” So it depends what type of attacks we’re talking about. On the espionage side, cyber espionage side, what we’ve generally seen is that a lot of that was moved from the PLA to the Ministry of State Security. The most recent indictments include some actors that seem to be criminal or at least front organizations. So some technology organizations. We do know that there are, you know, individual hackers in China who will contract their services out. There were in the ’90s a lot of nationalist hacktivist groups, but those have pretty much dissipated except inside of China. So we do see a lot of nationalist trolls and others going after people inside of China, journalists and others, for offending China or other types of violations. So “they” is kind of a whole range of actors depending upon the types of attack we’re talking about.
FASKIANOS: Thank you. So our next question we’re going to take from Terron Adlam, who is an undergraduate student at the University of Delaware. And if you can unmute yourself.
Q: Can you hear me now?
FASKIANOS: Yes.
Q: Hi. Good evening. Yes. So I was wondering, do you think there will be a time were we have net neutrality? Like, we have a peace agreement amongst every nation? Because I feel like, honestly, if Russia, U.S., Mexico, any other country out there that have a problem with each other, this would be, like, there’s rules of war. You don’t biohazard attack another country. Do you think—(audio break)—or otherwise?
SEGAL: So I think it’s very hard to imagine a world where there’s no cyber activity. So there are discussions about can you limit the types of conflict in cyberspace, though the U.N. primarily. And they have started to define some of the rules of the road that are very similar to other international law applying to armed conflict. So the U.S.’ position is essentially that international law applies in cyberspace, and things like the International Humanitarian Law apply in cyberspace. And you can have things like, you know, neutrality, and proportionality, and distinction. But they’re hard to think about in cyber, but we can—that’s what we should be doing. The Chinese and Russians have often argued we need a different type of treaty, that cyber is different.
But given how valuable it seems, at least on the espionage side so far, I don’t think it’s very likely we’ll ever get an agreement where we have no activity in cyberspace. We might get something that says, you know, certain types of targets should be off limits. You shouldn’t go after a hospital, or you shouldn’t go after, you know, health data, things like that. But not a, you know, world peace kind of treaty.
FASKIANOS: Thank you. So I’m going to take the next question from David Woodside at Fordham University. Three upvotes.
What role does North Korea play in U.S.-China cyber discussions? Can you China act outside of cybersecurity agreements through its North Korean ally?
SEGAL: Yeah. I think, you know, like many things with North Korea, the Chinese probably have a great deal of visibility. They have a few levers that they really don’t like using, but not a huge number. So, in particular, if you remember when North Korea hacked Sony and because of the—you know, the movie from Seth Rogan and Franco about the North Korean leader—those hackers seemed to be located in northern China, in Shenyang. So there was some sense that the Chinese probably could have, you know, controlled that. Since then, we have seen a migration of North Korean operators out of kind of north China. They now operate out of India, and Malaysia, and some other places. Also, Russia helped build another cable to North Korea, so the North Koreans are not as dependent on China.
I think it’s very unlikely that the Chinese would kind of use North Korean proxies. I think the trust is very low of North Korean operators that they would, you know, have China’s interest in mind or that they might not overstep, that they would bring a great deal of kind of blowback to China there. So there’s been very little kind of—I would say kind of looking the other way earlier in much of North Korea’s actions. These days, I think probably less.
FASKIANOS: Thank you. I’m going to take the next question from Joan Kaufman at Harvard University. And if you can unmute yourself.
Q: Yes. Thank you very much. I’m also with the Schwarzman Scholars program, the academic director.
And I wanted to ask a follow up on your point about internet sovereignty. And, you know, the larger global governance bodies and mechanisms for, you know, internet governance and, you know, China’s role therein. I know China’s taken a much more muscular stance on, you know, the sovereignty issue, and justification for firewalls. So there’s a lot—there are a lot of countries that are sort of in the me too, you know, movement behind that, who do want to restrict the internet. So I just—could you give us a little update on what’s the status of that, versus, like, the Net Mundial people, who call for the total openness of the internet. And where is China in that space? How much influence does it have? And is it really—do you think the rules of the road are going to change in any significant way as a result of that?
SEGAL: Yeah. So, you know, I think in some ways actually China has been less vocal about the phrase “cyber sovereignty.” The Wuzhen Internet Conference, which is kind of—China developed as a separate platform for promoting its ideas—you don’t see the phrase used as much, although the Chinese are still interjecting it, as we mentioned, in lots of kind of U.N. documents and other ideas. I think partly they don’t—they don’t promote as much because they don’t have to, because the idea of cyber sovereignty is now pretty widely accepted. And I don’t think it’s because of Chinese actions. I think it’s because there is widespread distrust and dissatisfaction with the internet that, you know, spans all types of regime types, right?
Just look at any country, including the United States. We’re having a debate about how free and open the internet should be, what role firms should play in content moderation, should the government be allowed to take things down? You know, we’ve seen lots of countries passing fake news or online content moderation laws. There’s a lot of concern about data localization that countries are doing because of purported economic or law enforcement reasons. So I don’t think the Chinese really have to push cyber sovereignty that much because it is very attractive to lots of countries for specific reasons.
Now, there is still, I think, a lot of engagement China has with other countries around what we would call cyber sovereignty, because China—countries know that, you know, China both has the experience with it, and will help pay for it. So certainly around the Belt and Road Initiative and other developing economies we do see, you know, the Chinese doing training of people on media management, or online management. There was this story just last week about, you know, Cambodia’s internet looking more like the Chinese internet. We know Vietnam copied part of their cybersecurity law from the Chinese law. A story maybe two years ago about Huawei helping in Zambia and Zimbabwe, if I remember correctly, in surveilling opposition members.
So I think China, you know, still remains a big force around it. I think the idea still is cyber sovereignty. I just don’t think we see the phrase anymore. And I think there’s lots of demand pulls. Not China pushing it on other countries, I think lots of countries have decided, yeah, of course we’re going to regulate the internet.
FASKIANOS: Thank you. Next question, from Ken Mayers, senior adjunct professor of history and political science at St. Francis College.
Following up on Denis Simon’s question, to what extent to Chinese state actors and U.S. state actors share concerns about asymmetric threats to cybersecurity? Is there common ground for discussion? And I’m going to—actually, I’ll stop there, because—
SEGAL: All right. So I’m going to interpret asymmetric threats meaning kind of cyber threats from other actors, meaning kind of nonstate or terrorist actors, or criminal actors. So I think there could be a shared interest. It’s very hard to operationalize. Probably about six or seven years ago I wrote a piece with a Chinese scholar that said, yes, of course we have a shared interest in preventing the proliferation of these weapons to terrorist actors and nonstate actors. But then it was very hard to figure out how you would share that information without exposing yourself to other types of attacks, or perhaps empowering your potential adversary.
On cyber—for example, on ransomware, you would actually expect there could be some shared interest, since the Chinese have been victims of a fair number of Russian ransomware attacks. But given the close relationship between Putin and Xi these days, it’s hard to imagine that the U.S. and China are going to gang up on Russia on ransomware. So, again, I think there could be, it’s just very hard to operationalize.
FASKIANOS: Great. Thank you. So just to follow on from Skyler Duggan, who is an undergraduate at the University of Waterloo. Likewise, to these questions, how do we differentiate individual criminal groups from the state? And how can we be sure this isn’t China just trying to abdicate—or, one party, he doesn’t specify, trying to abdicate the responsibility?
SEGAL: Yeah, I think—because there’s—one of the challenges faced by the U.S. and other liberal democracies is that we tend to primarily keep a fairly tight legal control over the cyber operations. They tend to be, you know, intelligence operations or military operations. So Title 10 or Title 50. There’s kind of a whole set of legal norms around it. The U.S. does not rely on proxy actors. And other, you know, liberal democracies tend to don’t. And U.S. adversaries in this space tend to do so. We know Iran does. We know Russia does. We know China does, although less than the others.
Now according to this discussion group that I mentioned before at the U.N., the group of—what’s called the group of government experts, one of the norms that all the actors agreed upon was the norm of state responsibility, which is a common one in international law, that you are responsible for whatever happens in your territory. So using proxies should not, you know, be able to give you an out. You shouldn’t be able to say, well, it’s happening from our territory, we just—you know, we don’t know who they are and we can’t control them. But, you know, in operation that norm is being fairly widely ignored.
Now, the other problem, of course, is the—is how do you actually decide who the actor is, the attribution problem, right? So here, you know, a lot of people are basically saying, well, we have to rely on the U.S. or the U.K. or others to say, well, you know, we say it’s these actors, and how do we know—how do we know for sure? Now, attribution is not as hard as we once thought it was going to be. When I first, you know, started doing the research for the book that Irina mentioned, attribution was considered, you know, a pretty big challenge. But now, you know, there’s a fairly high expectation that the U.S. will be able to eventually identify who’s behind an attack. Now, it may take some time. And we may not be able to completely identify who ordered the attack, which is, you know, as you mentioned, the problem with the proxies.
But it’s not—it’s also not completely reliant on digital clearances. It’s not just the code or the language of the keyboard. All those things can be manipulated, don’t necessarily give you proof. Lots of time the U.S. is pulling in other intelligence—like, human intelligence, signals intelligence, other types of gathering. So, you know, part of it is how much do we believe the attribution, and then how much of it is—you know, what can you do with it afterwards? And, you know, I don’t think the proxy problem is going to go away.
FASKIANOS: Great. So I’m going next to Tim Hofmockel’s question. It’s gotten seven upvotes. He’s a graduate student at Georgetown University.
To flip Denis Simon’s question: Who should the “we” be? To what extent should the U.S. intelligence community and the Department of Defense cooperate on offensive cyber operations? And how would we signal our intentions in a crisis given the overlap in authorities between the intelligence community and DOD?
SEGAL: Yeah. I mean, so right now NSA and Cyber Command are dual hatted, meaning that one person is in charge of both of them, General Nakasone. So to some extent that could theoretically help deconflict between kind of intelligence gathering, offensive operations, and kind of signaling to the Chinese. But it’s unclear. It’s very—signaling in cyber so far seems to be kind of developing and unknown. That seems to be one of the big theories between the U.S. taking these more kinds of operations and, in fact, kind of bringing the fight to the Chinese is a very kind of sociological understanding of deterrence is that over time both sides will kind of understand where those red lines are by engaging and seeing where they’re acting.
You know, others have talked about could you create some kind of watermark on the actual attack or vulnerability, so that the—you know, you might discover some type of malware in your system and there’d be like a little, you know, NFT, maybe, of sorts, that says, you know, the U.S. government was here. We’re warning you not to do this thing. You know, a lot of these have, you know, kind of technical problems. But the question of signaling I think is really hard, and that’s part of the reason why, you know, I think these discussions are so important, that at least we have a sense that we’re talking about the same types of things, and the same general set of tools. But I think probably through cyber signaling is going to be really hard. It’s going to be mostly other types of signaling.
FASKIANOS: Next question from Maryalice Mazzara. She’s the director of educational programs at the State University of New York’s Office of Global Affairs.
How can people who are working with China and have a very positive relationship with China balance the issues of cybersecurity with the work we are doing? Are there some positive approaches we can take with our Chinese colleagues in addressing these concerns?
SEGAL: Good question, Ali. How are you?
So I guess it’s very—so I do think there are forward-looking things that we can talk about. You know, several of the questions have asked, are there shared interests here? And I do think there are shared interests. You know, you we mentioned the proliferation one. We mentioned the nonstate actors. You know, there is a lot of language in the most recent statement from the Chinese government about—you know, that the internet should be democratic and open. I don’t think they mean it in the same way that we do, but we can, I think, certainly use that language to have discussions about it and hope push to those sides. But I think it is hard because it is—you know, partly because government choices, right? The U.S. government chooses to attribute lots of attacks to China and be very public about it. Chinese for the most part don’t attribute attacks, and don’t—they talk about the U.S. as being the biggest threat in cyberspace, and call the U.S. The Matrix and the most, you know, damaging force in cyberspace. But for the most part, don’t call out specific actors.
So they kind of view it—the Chinese side is often in a kind of defensive crouch, basically saying, you know, who are you to judge us, and you guys are hypocrites, and everything else. So I think there are lots of reasons that make it hard. I think probably the way to do it is to try to look forward to these shared interests and this idea that we all benefitted immensely from a global internet. We now have different views of how open that internet should be. But I think we still want to maintain—the most remarkable thing about it is that we can, you know, still communicate with people around the world, we can still learn from people around the world, we can still draw information, most information, from around the world. And we want to, you know, keep that, which is a—which is—you know, not to use a Chinese phrase—but is a win-win for everybody.
FASKIANOS: Great. I see a raised hand from Austin Oaks. And I can’t get my roster up fast enough, so, Austin, if you can unmute and identify yourself.
Q: So I’m Austin Oaks. And I come from the University of Wisconsin at Whitewater.
And I used to live in Guangdong province in China. And I used to go visit Hong Kong and Macau, more Hong Kong, very often. And Hong Kong has this very free internet, which China doesn’t particularly like. Macau tends to be more submissive to Beijing rather than Hong Kong does. But Chinese government has kind of started to put in people in the Hong Kong government to kind of sway the government into Beijing’s orbit more. So then how—so what is China doing in the cyberspace world for both of its separate administrative regions? Because one is a lot easier to control than the other.
SEGAL: Yeah. So I think the idea of Hong Kong’s internet being independent and free is—it’s pretty much ending, right? So the national security law covers Hong Kong and allows the government to increasingly censor and filter and arrest people for what they are posting. We saw pressure on U.S. companies to handover data of some users. A lot of the U.S. companies say they’re going to move their headquarters or personnel out of Hong Kong because of those concerns. So, you know, it certainly is more open than the mainland is, but I think long-term trends are clearly pretty negative for Hong Kong. I expect Macau is the same direction, but as you mentioned, you know, the politics of Macau is just so much different from Hong Kong that it’s less of a concern for the Chinese.
FASKIANOS: Thank you. I’m going to take the next written question from Robert Harrison, a law student at Washburn University School of Law.
My understanding is that there have been significant thefts of American small and medium-size business intellectual property by Chinese-based actors. This theft/transfer of knowledge may reduce the competitive edge from the original property holder. Are there any current efforts to curb IP thefts? Any ongoing analysis of the Belt and Road Initiative to evaluate the use of IP acquired by theft?
SEGAL: Yeah. So, you know, as I mentioned, the U.S. tried to reach this agreement with China on the IP theft challenge. China held to it for about a year, and then essentially kind of went back to it. It’s been very hard to quantify the actual impact of what the theft has been. You know, there are numbers thrown around, a certain percent of GDP, or 250 billion (dollars) a year. There is what’s called the IP Commission, which is run out of the National Bureau of Asia Research that has been updating its report.
But it’s very hard because, you know, a lot of the knowledge and data that’s stolen is tacit knowledge. Or, you know, is actual blueprints or IP, but they don’t have the tactic knowledge. So you can have the blueprints, but it’s then hard to turn from that to an actual product. And it’s hard in the civilian space to kind of track lots of products that seem stolen from U.S. products, as opposed to—on the military side you can look at, oh, here’s the Chinese stealth jet. It looks a lot like the U.S. stealth jet. Now, this could be physics. It could be intellectual property theft. But it’s harder on the commercial side to kind of put a number on it and see what the impact is. Although clearly, it’s had an impact.
We do know that Chinese operators, you know, go after other targets other than the U.S., right? So they certainly go—are active in Europe. We’ve seen them in Southeast Asia. Most of that is probably political espionage, not as much industrial espionage. Although, there has been—has been some. I don’t know of any specific cases where we can point to anything along the Belt and Road Initiative that, you know, seems in and of itself the outcome of IP theft.
FASKIANOS: I’m going to take a written question from Caroline Wagner, who is the Milton and Roslyn Wolf chair in international affairs at Ohio State University.
Chinese actors seem to have incredibly pervasive links to track online discussions critical of China. Are these mostly bots, or are there human actors behind them?
SEGAL: So I’m going to interpret that to me for the net outside of China. So, yes. I think what we’re learning is there’s several things going on. Part of it is bots. So they have, you know, a number of bots that are triggered by certain phrases. Some of it is human, but increasingly probably a lot of it is machine learning. So there was a story maybe last month in the Post, if I remember it correctly, about, you know, Chinese analytical software data companies offering their services to local Ministry of State Security to basically kind of scrape and monitor U.S. platforms. And that is primarily going to be done through, you know, machine learning, and maybe a little human operations as well.
FASKIANOS: Thank you. And this is a bit of a follow-on, and then I’ll go to more. William Weeks, who is an undergraduate at Arizona State University asks: What role does unsupervised machine learning play in China’s cyberspace strategy?
SEGAL: Yeah, it’s a good question. I don’t have a lot of details. You know, like everybody else there, they are going to start using it on defense. It is a big push on what’s called military-civil fusion. You know, we know that they are trying to pull in from the private sector on AI, both for the defense and the offense side. But right now, all I can give you is kind of general speculation about how actors think about offense and defense with ML and AI. Not a lot of specifics from the Chinese here.
FASKIANOS: Thank you. OK, Morton Holbrook, who’s at Kentucky Wesleyan College.
Q: Yes. Following up on your comment about Hong Kong, about U.S. companies reconsidering their presence due to internet controls, what about U.S. companies in China and Beijing and Shanghai? Do you see a similar trend there regarding internet controls, or regarding IPR theft?
SEGAL: I think, you know, almost all firms that have been in China, this has been a constant issue for them. So it’s not particularly new. I think almost all of them have, you know, made decisions both about how to protect their intellectual property theft—intellectual property from theft, and how to maintain connections to the outside, to make them harder. You know, VPNs were fairly widely used. Now they’re more tightly regulated. We know that the Chinese actually can attack VPNs. So it think, you know, those issues have been constant irritants. I think, you know, COVID and the lack of travel, the worry about getting kind of caught up in nationalist backlashes online to, you know, Xinjiang issues or if you refer to Taiwan incorrectly, those are probably higher concerns right now than these kind of more constant concerns about cyber and IP.
FASKIANOS: Thank you. Anson Wang, who’s an undergraduate at the University of Waterloo. We have three upvotes. Is China considered the major threat to the U.S. hegemony because China is actively trying to replace the U.S. as the new global hegemon? Or simply because China is on a trajectory to get there, without or without their active intention in involving other countries’ internal politics, the same way that the U.S. does?
SEGAL: Yeah. So I think this is a—you know, a larger question about what China wants in the world. And do we—you know, we do we think it has a plan or ideology of replacing the U.S.? And does it want—or, would it be happen even with regional dominance? Does it just want to block U.S. interest and others? It’s a big debate. You know, lots of people have contrasting views on where they think China is coming. I’ll just use the cyber example. And I think here, you know, the Chinese started with wanting to block the U.S., and prevent the U.S. from criticizing China, and protect itself. I don’t think it had any desire to reshape the global internet.
But I think that’s changed. I think under Xi Jinping they really want to change the definitions of what people think the state should do in this space. I think they want to change the shape of the internet. I don’t think they want to spread their model to every country, but if you want to build their model they’re certainly welcome to help you. And they don’t mind pushing, perhaps highlighting, in some cases exploiting the weaknesses they see in the U.S. as well.
FASKIANOS: OK. Thank you. I’m going to go to Helen You, who’s a student at NYU. It appears that governments are reluctant to restrict their cyber capabilities because they fundamentally do not want to limit their own freedom to launch cyberattacks. As a result, countries fail to follow voluntary norms on what is permissible in cyberspace. To what extent are industry standards influencing international cybersecurity norms? And what incentives would need to be in place to move these conversations forward?
SEGAL: Yeah, that’s a great point. I mean, I think that’s one of the reasons why we haven’t seen a lot of progress, is because states don’t have a lot of reason to stop doing it. The costs are low, and the benefits seem to be high. Now, I understand your question in two separate ways. One, there is a kind of private attempt to push these norms, and basically arguing that states are going too slow. Part of that was promoted by Microsoft, the company, right? So it promoted the idea of what they were calling the Digital Geneva Convention, and then they have been involved in what’s now known as the Paris Accords that define some of these rules, that the U.S. just signed onto, and some other states have signed onto.
But again, the norms are pretty vague, and haven’t seemed to have that much effect. There’s a thing called the cybersecurity—Global Cybersecurity Stability Commission that the Dutch government helped fund but was mainly through think tanks and academics. It also has a list of norms. So there is a kind of norm entrepreneurship going on. And those ideas are slowly kind of bubbling out there. But you need to see changes in the state to get there. That’s when we know that norms matter. And that we really haven’t seen.
On the—there is a lot of work, of course, going on, on the standards of cybersecurity, and what companies should do, how they should be defined. And that happens both domestically and internationally. And of course, the companies are very involved in that. And, you know, that is much further, right? Because that has to do about regulation inside of markets, although there’s still, you know, a fair amount of difference between the U.S. and EU and other close economies about how those standards should be defined, who should do the defining, how they should be implemented.
FASKIANOS: Thank you. I’m going to take group two questions from Dr. Mursel Dogrul of the Turkish National Defense University. In a most recent article we focused on the blockchain literature expansion of superpowers. In terms of publications and citations, China clearly outperformed the United States and Russia. Do you believe the technological advancement will have an impact on the cybersecurity race? And the Michael Trevett—I don’t have an affiliation—wanted you to speak a little bit more about the cyber triangle with Russia. How are China and Russia coordinating and cooperating?
SEGAL: Yeah. So the first question, you know, clearly, as I have briefly mentioned in my opening comments, that the Chinese are pushing very hard on the technologies they think are going to be critical to the—to the future competition in this space—blockchain, quantum, AI. The Chinese have made a lot of advances on quantum communication and quantum key distribution. Probably behind the U.S. on quantum computing, but it’s hard to say for sure. And blockchain is a space the Chinese have developed some usages and are rolling some test cases out on the security side and the internet platforming side.
On the China-Russia question, so closer cooperation. Most of it has been around cyber sovereignty, and the ideas of kind of global governance of cyberspace. The Chinese were, you know, pretty helpful at the beginning stages, when Russia started using more technological means to censoring and controlling the Russian internet. So helping kind of build some of the—or, export some of the technologies used in the China great firewall, that the Russians could help develop. Russia is pretty much all-in with Huawei on 5G. And so a lot of cooperation there. Although, the Russians are also worried about, you know, Chinese espionage from Russian technology and other secrets.
They did sign a nonaggression cyber pact between the two, but both sides continue to hack each other and steal each other’s secrets. And have not seen any evidence of cooperation on the operations side, on intelligence. with them doing more and more military exercises together, I would suspect we would perhaps start seeing some suggestion that they were coordinating on the military side in cyber. But the last time I looked, I didn’t really see any—I did not see any analysis of that.
FASKIANOS: Thank you. Next question from Jeffrey Rosensweig, who is the director of the program for business and public policy at Emory University.
Q: Adam, I wonder if you could fit India in here anywhere you would like to? Because it think it’ll be the other great economy of the future.
SEGAL: Yeah. So India’s a—you know, a really interesting actor in this space, right? So, you know, India basically think that it has two major cyber threats—Pakistan, and China being the other. China, you know, was reportedly behind some of the blackouts in Mumbai after the border clash. I am somewhat skeptical about reporting, but it’s certainly a possibility, and there’s no reason to doubt the Chinese have been mapping critical infrastructure there. India pushed back on TikTok and ByteDance. You know, also concerns about data control and other things. There is a long history of kind of going back and forth on Huawei. The intelligence agency has not really wanted to use, but others wanting to help, you know, bridge the digital divide and build out pretty quickly. India right now is talking about its own type of 5G.
But from a U.S. perspective, you know, I think the most important thing—and this is often how India comes up—is that, you know, we want India to be an amplifier, promoter of a lot of these norms on cyber governance, because it is a, you know, developing, multiethnic, multiparty democracy. And so we want it just not to be the U.S.’ voice. Now, India’s a pretty complicated, difficult messenger for those things these days, right? India leads the world in internet shutdowns, and we’ve seen a lot of harassment of opposition leaders and other people who are opposed to Modi. So it’s not going to be easy. But I think the U.S. for a long time has hoped that we could forge a greater understanding on the cyber side with India.
FASKIANOS: Great. I’m going to take the next question from Michael O’Hara, who is a professor at the U.S. Naval War College. And I’m going to shorten it.
He asks about China’s fourteenth five-year plan, from 2021 to 2025. It includes a section titled “Accelerate digitalization-based development and construct a digital China.” Do you see their five-year plan as a useful way for thinking about Chinese future in cyberspace?
SEGAL: Yes. So we’re on the same page, the digital plan came out two or three weeks ago. It was just translated. Yeah, I mean, the plan is useful. Like, all Chinese plans are useful in the sense that it certainly gives us clear thinking about the direction that China wants to go, and the importance it puts on a topic. You know, the implementation and bureaucratic obstacles and all those other things are going to play a role. But as I mentioned, I think, you know, the Chinese economy is becoming increasingly digitalized. And in particular, they want to digitize, you know, more and more of the manufacturing sector and transportation, mining, other sectors that are traditionally not, you know, thought of as being digital, but the Chinese really want to move into that space.
Now, from a cybersecurity perspective, that, you know, raises a whole range of new vulnerabilities and security issues. And so I think that’s going to be very high on their thinking. And just today I tweeted a story that they held a meeting on thinking about cybersecurity in the metaverse. So, you know, they’re looking forward, and cybersecurity is going to be a very high concern of people.
FASKIANOS: Well, we couldn’t have the Naval Academy without the U.S. Air Force Academy. So, Chris Miller, you wrote your question, but you’ve also raised your hand. So I’m going to ask to have you articulate it yourself.
Q: Well, actually, I changed questions, Irina. Adam, thank you.
FASKIANOS: Oh, OK. (Laughs.) But still, the Air Force Academy.
Q: So two quick questions. I’ll combine them. One is: I’m curious how you see the new cyber director—national cyber director’s role changing this dynamic, if it at all, or changing the parts of it on our side of the Pacific that we care about. And second of all, curious how you see China viewing the Taiwanese infrastructure that they probably desire, whether or not they eventually take it by force or by persuasion.
SEGAL: Yeah. So I don’t think the NCD changes the dynamic very much. You know, I think there’s lots of—you know, everyone is watching to see how the NCD and the National Security Council, and CISA, the Cybersecurity Infrastructure and Security Agency, work out the responsibilities among the three of them, which will have an impact, you know, of making us more secure. And, you know, Chris Inglis, the head of the NCD has given lots of talks about how they’re going to manage and work together. And I think we’re beginning to see some signs of that. But I think that’s probably the most direct impact it’ll have on the dynamic.
Your second question, you know, I think primarily is about, you know, Taiwan Semiconductor. And, you know, do the Chinese eventually decide, well, chips are so important, and the U.S. is working so hard to cut us off, that, you know, for all the other reasons that we might want to see Taiwan, you know, that one is going to get moved up? You know, I think it’s a possibility. I think it’s a very low possibility. I do think we don’t know what the red lines are on the tech war, right? You know, there’s been talk about cutting off SMIC, the Shanghai manufacturer of integrated circuits, are also a very important company to the Chinese. Would that push the Chinese to do more aggressive or assertive things in this space? You know, what is it that we do in that space that eventually pulls them out?
But I think it’s very hard—(audio break)—that they could capture TSMC in a shape that would be useful. Am I breaking up?
FASKIANOS: Just a little bit, but it was fine. We have you now.
SEGAL: Yeah. That you could capture TSMC in a shape that would be useful, right? I mean, there was that piece, I think, that was written by an Army person, maybe in Parameters, that, you know, the U.S. and Taiwan’s plan should be basically just to—you know, to sabotage TSMC in case there’s any invasion, and make that clear that that’s what it’s going to do. But even without that risk, you’re still dealing—you know, any damage and then, flight of people outside of Taiwan, because the Taiwanese engineers are really important. So it would be very high risk, I think, that they could capture it and then use it.
FASKIANOS: Thank you. Well, I am sorry that we couldn’t get to all the questions, but this has been a great conversation. Adam Segal, thank you very much for being with us. You know, you’re such a great resource. I’m going to task you after this, there was a question from Andrew Moore at the University of Kansas about other resources and books that you would suggest to learn more about China and cybersecurity. So I’m going to get—come to you after this for a few suggestions, which we will send out to the group along with the link to this video and the transcript. So, Andrew, we will get back to you and share with everybody else.
And so, again, you can follow Dr. Segal on Twitter at @adschina. Is that correct, Adam?
SEGAL: That’s right.
FASKIANOS: OK. And also sign up for—to receive blog alerts for Net Politics you can go to CFR.org for that. Our next webinar will be on Wednesday, February 9, at 1:00 p.m. Eastern Time. And we’re excited to have Patrick Dennis Duddy, director of the Center for Latin American and Caribbean Studies at Duke, to talk about democracy in Latin America. So thank you for being with us. You can follow us on Twitter at @CFR_Academic. Visit CFR.org, foreignaffairs.com and ThinkGlobalHealth.org for new research and analysis on other global issues. And again, Adam, thank you very much for being with us. We appreciate it.
SEGAL: My pleasure.
FASKIANOS: Take care.
Council of Councils
Think Global Health
Online Store