Cyber Pact With China: Distrust But Verify
Presidents Obama and Xi to Discuss Cybersecurity at Summit Meeting
President Obama, in reaching any type of cybersecurity accord with Chinese President Xi Jinping, should borrow from the diplomacy he used to reach the Iranian nuclear agreement: Get the best deal possible and then distrust but verify.
Cybersecurity will be a major topic at this week's White House summit between the two leaders. At the top of Obama's agenda is the hacking of American corporate IT systems by the Chinese, who have been accused of stealing industrial secrets and sharing them with Chinese businesses.
Achieving the best deal means establishing a foundation that could lead to real progress on cybersecurity, including an agreement to end the pilfering of corporate trade secrets.
"The best outcome would be to begin a serious, senior-level negotiating process that addresses the full range of issues," writes James Lewis, a cybersecurity expert at the think tank Center for Strategic and International Studies. "The worst outcome would be one that endorsed already-agreed report language and restarted unproductive working-level discussions. The summit will not solve the cybersecurity problem, but if it is done right, it can be the beginning of a solution."
Xi's Promises
Xi, in a speech earlier this week to American business leaders in Seattle, said the Chinese government will not engage in commercial thefts or encourage or support such attempts by anyone. "Both commercial cyber theft and hacking against government networks are crimes that must be punished in accordance with law and relevant international treaties," Xi said. "The international community should, on the basis of mutual respect and mutual trust, work together to build a peaceful, secure, open and cooperative cyberspace. China is ready to set up a high-level joint dialogue mechanism with United States on fighting cybercrimes."
Even if Xi is sincere in his comments about China not stealing American corporate secrets - and there are good reasons to be skeptical - remember that the Chinese government and military are part of a huge bureaucracy. And, despite the powers given to the Communist Party and its chairman, Xi, the leader isn't always in control. Though Xi has significant influence over the People's Liberation Army - which has been blamed for breaches of American corporate IT systems - Xi might not have the ability to halt such cyber intrusions, even though he chairs China's Central Military Commission.
Employing Attribution
To protect American interests as the U.S. and China forge accords on cybercrime and other issues, the Obama administration must mirror its approach to the Iranian nuclear deal in which an imperfect pact is enforced through verification of compliance. That will require tracking who's responsible for cyberattacks against U.S. networks.
If the U.S. government is to be believed, its military - which includes the National Security Agency - has gotten much better at attributing cyberattacks. The Department of Defense Cyber Strategy issued earlier this year contends: "The United States used verifiable and attributable data to engage China about the risks posed by its economic espionage. The attribution of this data allowed the United States to express concerns regarding the impact of Chinese intellectual property theft on U.S. economic competitiveness, and the potential risks posed to strategic stability by Chinese activity."
As a result, the Justice Department last year indicted five members of the People's Liberation Army for stealing U.S. intellectual property to directly benefit Chinese companies (see The Real Aim of U.S. Indictment of Chinese).
Warning the Chinese
Xi hasn't yet given Obama a reason to trust him on cybersecurity. To help ensure Xi and the Chinese are trustworthy when pursuing cybersecurity accords, the United States should use its intelligence capabilities, including the ability to attribute cyberattacks. The threat of further indictments and/or economic sanctions against Chinese nationals and entities could be appropriate ways for the Obama administration to keep the Chinese honest.
Let's hope Obama wasn't full of bluster when he warned other nations earlier this month not to mess with the U.S. in cyberspace:
"Frankly, although the Chinese and Russians are close, we're still the best at this. And if we wanted to go on offense, a whole bunch of countries would have some significant problems."