U.S.-China Arms Control Agreement for Cyberspace: Desired by All?

EXECUTIVE SUMMARY

Washington and Beijing are hoping to negotiate the first arms control accord for cyberspace. Seemingly an historic occasion, the agreement is unlikely to be concluded in time for the upcoming Obama-Xi summit. The two sides have been unable to agree on the scope, basic terminology, or language of the document. These obstacles also risk obscuring the existence of parties in Washington and Beijing not in favor of the text. 

ANALYSIS

Introduction

The United States and China are negotiating what could become the first arms control agreement for cyberspace. Scheduled to be announced at the upcoming summit meeting between U.S. President Barack Obama and his Chinese counterpart, President Xi Jinping later this week, tentatively the accord will stipulate that Washington and Beijing commit that “neither country will be the first to use cyberweapons to cripple the other’s critical infrastructure during peacetime” (Sanger). 

The document could address attacks on critical infrastructure such as; banking systems, hospitals, and cellular towers. However, the current version of the proposed accord would be ineffective against most of the attacks China has been accused of conducting in the United States. The latter include; espionage, “widespread poaching of intellectual property and the theft of millions of [U.S.] government employees’ personal data” (Sanger). Beijing has vehemently denied the charges, terming them “hypocritical” (Unattributed). Indeed, intelligence documents leaked by former National Security Agency (NSA) contractor Edward J. Snowden have revealed that the U.S. itself actively conducts cyber espionage against foreign countries, especially China. (Unattributed; Sanger). Thus, although any accord to restrict cyberattacks in peacetime would be progress in some circles, both American and Chinese defense planners may find their options unduly constricted either by such a document or by its later iterations. 

The Nature of the Chinese Threat

Historically, U.S. officials have blamed the Chinese military for “the most egregious assaults on U.S. computer networks” (Barnes), or officially sanctioned private groups of hackers (Sanger). These have included; the Office of Personnel Management (OPM) breach, and prior to that, the attack against Anthem, the U.S.’s second-largest health insurer, as well as many industrial espionage incidents. In these cases, the difficulty of tracing a cyberattack, coupled with the inherent opacity of military organizations have granted Beijing plausible deniability, and have compromised Washington’s ability to deter or retaliate with confidence. 

However, none of these attacks has targeted American critical infrastructure, an all-encompassing and ill-defined term. In fact, China has never perpetrated a cyberattack against U.S. critical infrastructure (Tucker). One should not conclude that U.S. infrastructure is secure, or that China does not pose a threat to the same. It is not, and it does. However, Beijing is unlikely to attack U.S. critical infrastructure, not least because doing so would be “extremely difficult” (Pollet) and “would reveal too much about China’s capabilities” (Tucker). In light of these considerations, what can be expected from the pending cyberspace accord?

Expectations versus Reality

Even Obama administration officials have attempted to downplay the projected outcomes of the cyberspace agreement. For instance, Dan Kritenbrink, Senior Director for Asian Affairs at the National Security Council stated “I would be reluctant to raise expectations about [a cyberspace] agreement... That would be a long-term goal. We’re a long ways from getting there” (Tucker). Negotiations have faltered as the two sides failed to agree how to address “the theft of trade secrets from American companies that benefit their Chinese competitors” (Perlez). Regardless, a bilateral commitment to “no first use” of cyberweapons against each other’s critical infrastructure in peacetime - as the troubled accord would have stipulated - would have been of limited utility. China has not deployed such attacks, and is unlikely to do so in the future, as discussed above. Notwithstanding this U.S. setback, President Xi struck a conciliatory note on the subject in public remarks on the first day of his U.S. visit. Speaking to American business executives in Seattle, Washington on September 22, President Xi pledged that “the Chinese government will not in whatever form engage in commercial theft, and hacking against government networks are crimes that must be punished in accordance with the law and relevant international treaties” (Perlez). U.S. officials suggested that President Xi’s comments indicate that Beijing “is not denying anymore that [cybercrime] is a problem” (Sanger, Hirschfeld Davis). Perhaps, but doubtless another factor contributed to President’s Xi’s pronouncement. Namely, National Security Advisor Susan E. Rice’s preceding warning that “Mr. Obama was prepared to impose sanctions, perhaps before Mr. Xi’s arrival [in the U.S.]“ unless Mr. Xi restrained “cyber-enabled espionage that targets personal and corporate information for the economic gain of businesses” in China influenced the Chinese President’s non-binding, public remarks (Sanger, Hirschfeld Davis). The attempted conclusion of the cyberspace accord appears to be largely symbolic, a “last chance” for President Obama to jump-start diplomacy with Beijing (Sanger, Hirschfeld Davis). 

Winners and Losers

At first glance, the failure to conclude a cyberspace accord with Beijing is unfortunate. A chance to define currently vague terms, such as critical infrastructure and cyberattack as well as to ratify the first arms control agreement for cyberspace has been lost. Nevertheless, others are breathing sighs of relief. This cohort includes American and Chinese cyber warfare experts (Sanger), as well as Chinese hackers unofficially affiliated with Beijing (Unattributed). American cyberwarriors are worried about “any rules that limited their ability to place ‘beacons’ or ‘implants’ in foreign computer networks (Sanger). Meanwhile, Beijing is relieved not to have to engage in “a more open and more forthright dialogue about its activities” (Barnes). Although it is notoriously difficult to link Chinese hackers to the country’s government, their recent slowdown in advance of the Obama-Xi summit may be suggestive of a connection (Unattributed). The obstacles to the successful conclusion of this accord have in part obstructed the existence of those not in its favor. 

Conclusion

On the surface the proposed cyberspace agreement was a necessary effort to begin to define the outline of a Chinese threat to the U.S. On closer inspection, however, the draft text would not have addressed most of the attacks Beijing has been accused of conducting in the U.S. Thus, the working document would have been of limited utility. Further, the challenges encountered in the attempted negotiation of the cyberspace accord are indicative of the distance between the two sides on many relevant basic issues, such as; scope, term definitions, and responsible parties. Bridging these stumbling blocks will be very difficult, and such efforts most likely will exceed the term limit of the current U.S. administration.

Elizabeth Zolotukhina is a Senior fellow at the CGSRS | Centre for Geopolitics & Security in Realism Studies. She may be contacted at elizabeth.zolotukhina@cgsrs.org

Follow The CGSRS | Centre for Geopolitics & Security in Realism Studies on Facebook and Twitter (@CGSRS_UKCGSRS )