On September 25, the United States and China agreed to contain their industrial or economic cyber espionage activities against each other.[1] This is the first instance of two major cyber powers reaching common ground on norms of state behaviour in cyberspace.
The agreement, reminiscent of the United States-Soviet Union arms control accords of the Cold War era, is important because industrial or economic cyber espionage has been a thorny issue in the U.S.-China relationship since the early 2000s.
Although traditional espionage—the collection of state secrets—is an accepted part of statecraft worldwide, the U.S. government has repeatedly tried to distinguish between such spying and economic cyber espionage. And it has repeatedly accused China of engaging in economic espionage through cyber attacks against American companies to steal commercially valuable and intellectual property data such as corporate strategies, product designs, business negotiations, and dual-use technology-related data.
The U.S. has often cited China’s alleged theft in the mid-2000s of data related to F-35, the stealth fighter aircraft, as a prime example of China’s economic and military cyber espionage. According to the U.S. National Security Agency (NSA), China repeatedly breached into the computer networks of American government and private defence companies to steal data about design and radar modules for the F-35, and incorporated it into its own stealth fighter aircraft, the J20.[2]
Attacks like these have cost the United States Department of Defensex $100 million, mainly in costs for rebuilding networks.[3] The repeated attacks have also potentially increased the cost of the $98 million-plus F-35—an escalation that affects the export potential of the fighter aircraft, since it is being jointly developed with the UK, Israel, Italy, Australia, Canada, Norway, Denmark, the Netherlands, and Turkey.[4]
The U.S. claims that this alleged data theft has adversely impacted America’s economic fortunes.[5] These accusations are a step above the U.S.’s assertions in 2013, when for the first time the U.S. Department of Defense officially stated that the Chinese government was launching cyber attacks against the U.S.[6]
Before the two countries reached the September agreement, the Obama administration was reportedly considering sanctions against the companies and individuals in China who may have benefitted from stealing U.S. economic and commercial data.[7] [8] The trigger for that possible step was a major data breach in the U.S. Government’s Office of Personnel Management in June 2015, when the records of approximately 21.5 million current and former government employees were stolen.[9] The breach was unofficially attributed to China.[10]
On its part, China has consistently rejected the American allegations. Besides, unlike the U.S., it does not separate traditional espionage and economic cyber espionage. In fact, China has argued that in the world of intelligence gathering, such a distinction is irrelevant. To support that argument, China has cited former NSA employee Edward Snowden’s revelations about how the NSA spied on foreign companies such as Petrobras, Siemens, and Huawei to get data that benefitted American economic interests.[11]
With the September agreement, by mutually agreeing to limit their cyber espionage activities, both the U.S. and China can bring an element of stability to their bilateral relationship.
But cyber perils go beyond the economic realm and include threats to critical infrastructure, as well as cyber crimes. To address these, both countries have also agreed to improve cooperation between their law enforcement agencies in investigating malicious cyber activities. This makes the U.S.-China understanding, in addition to its bilateral significance, an important step towards creating norms in international cyber space, where not only states but also non-state actors such as terrorist groups possess offensive cyber capabilities. The anonymity offered by cyber space has been effectively used by non-state actors for ever-growing cyber crimes and for running black markets on the “deep web”.[12]
Despite these threats, major cyber powers such as Russia and European Union countries, besides the U.S. and China, have failed to frame common rules for cyber security. In fact, the absence of clear established rules of engagement has been seen as advantageous, a situation where anyone can engage in cyber war but deny culpability. This attitude may change once these powers see the benefits of cooperation—including better control over cyber space, better regulation, and mutual trust—and they will closely watch the progress of the U.S.-China cyber agreement.
The implementation of the U.S.-China agreement will however face major challenges—chief among these is the problem of attribution in cyber space. Attributing a cyber attack or hacking to a particular region or specific state actor is often difficult since the attack is usually routed through multiple servers located in different countries. Even sophisticated analysis can typically only identify the computer used for the attack, but it is far more difficult to determine whether the computer was remotely operated.[13] When attacks are “crowd-sourced”, where several groups work together or separately to target a particular company, it further complicates attribution.[14]
More importantly, establishing attribution and identifying the complicity of state actors are different. Even if the attack is traced to a particular country that attack could have been committed by a private citizen, with or without the involvement of the state. Therefore, even after China and the U.S. have committed to contain their cyber espionage, will they be able to guarantee the actions of their citizens?
Besides, formal attributions for cyber attack are rare. The U.S. has rarely formally attributed attacks to a particular state; there have been only a few exceptions, such as the Federal Bureau of Investigation’s indictment of five Chinese military hackers for cyber espionage in 2014,[15] and sanctions against North Korea for the Sony server hacking in 2015.[16] Usually though, governments have avoided formally naming any country as responsible for a cyber attack because of the problems associated with attribution, identification, and evidence.
The U.S.-China agreement is a symbolic beginning to establish a cyber space management regime. While it may bring in some cyber stability, businesses and companies that have been repeated targets in the game of economic cyber espionage cannot only depend on such agreements and formal understandings. Rather, they must proactively plug their vulnerabilities against malicious cyber activities by rigorously implementing information security protocols, strenuous background checks of personnel, and by staying informed about the latest cyber security developments.
This is particularly applicable to India, which has been a sustained target of cyber espionage and has not yet taken adequate steps to defend itself.
Sameer Patil is Fellow, National Security, Ethnic Conflict and Terrorism, at Gateway House.
This article was exclusively written for Gateway House: Indian Council on Global Relations. You can read more exclusive content here.
For interview requests with the author, or for permission to republish, please contact outreach@gatewayhouse.in.
© Copyright 2015 Gateway House: Indian Council on Global Relations. All rights reserved. Any unauthorized copying or reproduction is strictly prohibited
References
[1] Office of the Press Secretary, The White House, Fact Sheet: President Xi Jinping’s State Visit to the United States, 25 September 2015, <https://www.whitehouse.gov/the-press-office/2015/09/25/fact-sheet-president-xi-jinpings-state-visit-united-states>
[2] Gertz, Bill, ‘NSA Details Chinese Cyber Theft of F-35, Military Secrets’, Washington Free Beacon, 22 January 2015, < http://freebeacon.com/national-security/nsa-details-chinese-cyber-theft-of-f-35-military-secrets/>
[3] National Security Agency, United States Government, ‘Chinese exfiltrate sensitive military technology’, Der Spiegel, <http://www.spiegel.de/media/media-35687.pdf>
[4] Lockheed Martin, F-35 Lightening II, How Much Does the F-35 Cost?: Producing, Operating and Supporting a 5 th Generation Fighter, <https://www.f35.com/about/fast-facts/cost>
[5] Read, Oliver, ‘How the 2010 Attack on Google Changed the US Government’s Threat Perception of Economic Cyber Espionage’ in Jan-Frederik Kremer and Benedikt Müller (Eds.), Cyberspace and International Relations: Theory, Prospects and Challenges, Springer, Berlin Heidelberg, 2014, p. 204.
[6] Department of Defense, United States Government, Annual Report to Congress: Military and Security Developments Involving the People’s Republic of China 2013, <http://www.defense.gov/Portals/1/Documents/pubs/2013_China_Report_FINAL.pdf >, p. 36.
[7] Nakashima, Ellen, ‘U.S. developing sanctions against China over cyberthefts’, The Washington Post, 30 August 2015, <https://www.washingtonpost.com/world/national-security/administration-developing-sanctions-against-china-over-cyberespionage/2015/08/30/9b2910aa-480b-11e5-8ab4-c73967a143d3_story.html>
[8] Executive Order, Office of the Press Secretary, The White House, Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities, 1 April 2015, <https://www.whitehouse.gov/the-press-office/2015/04/01/executive-order-blocking-property-certain-persons-engaging-significant-m>
[9] U.S. Office of Personnel Management, Cybersecurity Resource Center, <https://www.opm.gov/cybersecurity/>
[10] Nakashima, Ellen, ‘U.S. decides against publicly blaming China for data hack’, The Washington Post, 21 July 2015, <https://www.washingtonpost.com/world/national-security/us-avoids-blaming-china-in-data-theft-seen-as-fair-game-in-espionage/2015/07/21/03779096-2eee-11e5-8353-1215475949f4_story.html>
[11] Internet Media Research Center, People’s Republic of China, The United States’ Global Surveillance Record, 26 May 2014, <http://news.xinhuanet.com/english/china/2014-05/27/c_133363178.htm>
[12] Patil, Sameer, The ‘deep web’: new threat to business, Gateway House, 6 January 2015, <https://www.gatewayhouse.in/the-deep-web-new-threat-to-business/>
[13] Singer, P.W. and Allan Friedman, Cybersecurity and Cyberwar: What everyone needs to know, Oxford University Press, New York, 2014, p.72
[14] Williams, Martyn, ‘What to expect in the US-China cyber treaty’, IDG News Service, 24 September 2015, <http://www.infoworld.com/article/2986314/hacking/what-to-expect-in-the-us-china-cyber-treaty.html>
[15] Office of Public Affairs, Department of Justice, United States Government, U.S. Charges Five Chinese Military Hackers for Cyber Espionage Against U.S. Corporations and a Labor Organization for Commercial Advantage” 19 May 2014, <http://www.justice.gov/opa/pr/us-charges-five-chinese-military-hackers-cyber-espionage-against-us-corporations-and-labor>
[16] Agencies, ‘US sanctions North Korea over Sony hacking’, Al Jazeera, 2 January 2015, <http://www.aljazeera.com/news/americas/2015/01/us-sanctions-north-korea-over-sony-hacking-20151222954754552.html>