An Update on U.S.-China Cybersecurity Relations

Last week, I participated in another session of the Center for Strategic and International Studies (CSIS) and China Institute of Contemporary International Relations (CICIR) Cybersecurity Dialogue. The meetings, which involve Chinese and American government officials as well as academics and think tank analysts, give both sides the opportunity to express their views on issues like sovereignty and cyberspace; methods to counter cyber attacks; cyber military policy; and the bilateral relationship. This is the second meeting in 2017, and the first to occur since President Trump took office. (My assessment of previous sessions can be found here and here)

Here are three things that came up that I think are worth highlighting, while respecting that the talks were not for attribution:

What happens after the apparent collapse of the UN GGE process?

After releasing consensus reports in 2013 and 2015, the United Nations Group of Government Experts (GGE) on Developments in the Field of Information and Telecommunications in the Context of International Security failed to issue a report in June of 2017. There were several sticking points, but a main point of contention was how to apply international law to cyberspace, including the laws of armed conflict and the right of self-defense, and the law of state responsibility, including countermeasures. The Chinese have been resistant to applying international law, arguing that cyberspace is a new domain of conflict and requires new rules, but they also seemed very intent on continuing the discussions on rules of legitimate behavior for states, especially within the United Nations. Some of the suggestions tabled by Chinese speakers included a resolution in the General Assembly around what the GGE has accomplished so far; the development of some alternative platform at the UN that would be more inclusive and include more countries; a continuation of the GGE process as is; or the development of a cyber equivalent to the United Nations Committee on the Peaceful Uses of Outer Space (COPUOS), which resulted in the negotiation of the Outer Space Treaty. Of those possibilities, the United States is most likely to embrace the continuation option. The GGE failed to reach consensus when it expanded from 20 to 25 countries, so an open platform will be unworkable. COPUOS was working toward a treaty, something Washington believes is undesirable and unfeasible in cyberspace. Still, one of the Chinese representatives went out of his way to stress the good work of the GGE, and to minimize the differences that deadlocked the group, mentioning a "90 or even 95 percent" agreement that did not signal the failure of the process.   

The Chinese do seem concerned with the U.S. declaration after the GGE deadlock that it would look to another forum for the development of cyber norms. In a June 2017 speech, Homeland Security Advisor Thomas P. Bossert declared, in the face of the limits of the UN group, "We will also work with smaller groups of likeminded partners to call out bad behavior and impose costs on our adversaries." A Chinese representative noted that, of course, other processes can exist parallel to UN efforts, but they should complement and contribute to them, not substitute or replace. He also warned that use of phrases like "likeminded" would exacerbate divisions.

The need for mil-to-mil talks. 

While both sides seem to recognize the need to reduce instability in cyberspace, the meeting was characterized by an unsurprising, but still frustrating unwillingness from the Chinese side to discuss military cyber operations. There are no clear thresholds, mechanisms for signaling, or methods for escalation control and so a conflict in cyberspace might quickly become kinetic because of misperception or miscalculation. Some Chinese defense analysts have written about these issues in military journals or other open source outlets, but questions from the U.S. side about how reflective they were of Chinese thinking were met with the response that researchers should limit their reading to official documents, such as the white paper on China's military strategy, which provides no guidance on these problems.

The Law Enforcement and Cybersecurity Dialogue is one of the four pillars of the United States-China Comprehensive Dialogue set up by President Trump and President Xi in April 2017, but the U.S. military seems to want more opportunities to engage the People's Liberation Army (PLA) on cyberspace issue, even if the two sides come to the table with a "gentle agenda" of a discussion of objectives and missions. The Chinese side countered that the "full use" of existing platforms would be more fruitful. Why are the Chinese being coy? They are still angry about the indictment of 5 hackers from the PLA. There is a real need for the two sides to come up with some way of putting this irritant behind them. 

Is the cyber espionage agreement fraying?

Recent reporting suggests that China is pushing the envelope of the 2015 agreement between President Obama and President Xi, in which both sides agreed not to hack each other's private companies for commercial gain. The news, until last month, was good. The Chinese might have shifted activity to Southeast Asia and traditional espionage, but the cybersecurity companies reported a significant decrease in commercial activity.

Now it looks like Chinese operators are going after technologies that are dual-use, and so might not be covered by the agreement, as well as some civil society groups.  The U.S. side delivered what I understood as a mild warning, expressing concern about "backsliding" and stating that Washington was interested in seeing Beijing respect not just the letter, but the spirit of the agreement. I did not hear a Chinese response.