A Chinese New Year

Illustration by Steve McCracken

In Chinese astrology, the monkey sign embodies an intelligent and inventive person, a problem solver capable of working with others while also demonstrating independence.

Those capabilities were on display in September 2015 when, during a state visit, President Xi Jinping and President Barack Obama announced a cyber pact, agreeing that neither country’s government would engage in cyber economic espionage to steal trade secrets to pass them on to domestic companies.

“China and the United States are two major cyber countries and we should strengthen dialogue and cooperation,” Xi said in a joint press conference with President Obama. “Confrontation and friction are not made by choice for both sides.”

Along with addressing intellectual property theft, the pact also states that the two countries agree that timely response should be provided to requests for information and assistance concerning malicious cyber activities, and that they will create a “high-level joint dialogue mechanism on fighting cybercrime and related issues.”

This mechanism will be used to “review the timeliness and quality of responses to requests for information and assistance with respect to malicious cyber activity of concern identified by either side,” the White House explained in a fact sheet. “As part of this mechanism, both sides agree to establish a hotline for the escalation of issues that may arise in the course of responding to such requests.”

While the agreement itself was a breakthrough, critics have raised concerns about whether it will work and whether China is truly turning over a new lotus leaf. Or will it be business as usual in 2016, the Year of the Fire Monkey, with China using other strategies to obtain the information it wants?

True rapprochement is unlikely, according to Adam Segal, Maurice R. Greenberg senior fellow for China studies and director of the Digital and Cyberspace Policy Program at the Council on Foreign Relations. 

“Even if we were to see a downturn in cyberespionage—which I’m a bit skeptical of—there are still many other ways that the Chinese would like to force or steal or in some way manage technology transfer,” Segal explains. “This has been a strategy for at least 30 years, and that is not going to disappear. We’ve had problems with intellectual property protection in China for a long time and this agreement or affirmation is not going to end that.”

One new tactic that the Chinese could be exploring is acquiring more intellectual property and trade secrets by buying and investing in Western companies. 

Currently, the Committee on Foreign Investment in the United States (CFIUS) reviews the national security implications of foreign investments in U.S. companies or operations. Over the last several years, China has shown increased interest in investing in or acquiring U.S. companies. It recently accounted for the largest share of CFIUS notices, with 54 of them between 2011 and 2013, according to CFIUS’s annual review released in February 2015.

As part of the negotiation process to get the Chinese on board with the cyber agreement, the United States may “take the foot off the gas on CFIUS and let China buy more of our companies,” explains Richard Bejtlich, chief security strategist at FireEye and nonresident senior fellow at the Brookings Institute. “Then Xi and the Chinese achieved their goal; they’re just doing it using a different process.”

Bejtlich thinks this strategy is likely because, before visiting Washington, D.C., Xi made a stop in Silicon Valley to meet with leaders in the U.S. tech industry to discuss cybersecurity, foreign investment, and the new security measures China enacted over the last year.

China is “not giving up on trying to achieve its goals of being an information economy, world’s biggest economy, leader in technology, not dependent on the West,” Bejtlich adds. “To achieve that in the time frame they have…they have to get Western technology by any means possible.”

And at this stage of the game, the Chinese would probably rather buy Western companies because Chinese companies are having difficulties getting the level of quality, access to the market, and level of service that they want. “They need, essentially, the cooperation of the West to get access to the highest level stuff,” Bejtlich says. “And you’re only going to get that through investment and acquisition.”

Bejtlich also raises some other ways China could continue to obtain U.S. trade secrets and intellectual property through hacking, including by lying about engaging in hacking and by insisting that China’s government is separate from the People’s Liberation Army and the Ministry of State—two of the premier sources of hacking.

It’s possible that Xi could believe that these two entities aren’t part of the Chinese government because “this is the same government who every time any credible report has come out talking about activity conducted by Chinese military forces, they call it unprofessional and groundless…they repeatedly, categorically deny any of this is happening,” Bejtlich explains. 

China might also “outsource” its hacking activities. China would have “plausible deniability by just letting other parties do it, whether they’re criminal groups or contractors,” he adds. “That way, again, China will just say, ‘Well the government’s not doing it, so we’re staying true to our word.’”

If China isn’t seen to be abiding by the agreement, however, the United States still has actions it can take, Segal notes.

“I think it is likely that if we don’t see a significant downturn of cyberespionage that the administration will issue sanctions, either on state enterprises or some higher-level officials that are seen to have been benefitting from cyber theft,” he says. “The administration can’t have made the threat and then not follow through.”

The United States could also target Chinese interests, such as the Great Firewall—a Chinese government project to censor Internet content. “Maintaining control over the population, maintaining control of the information that enters and leaves the country is a priority for the Chinese government,” Bejtlich says. “If anyone were to weaken the Great Firewall and make it more permeable to that information, the Chinese would be very upset.”

However, if the agreement is seen to work it could be a stepping stone to other similar pacts between nations. In fact, just a few weeks after the U.S. and China agreement was reached, China also agreed to a similar understanding with the United Kingdom to not use cyberespionage to steal trade secrets and intellectual property.

And, in November, the Group of 20 (G-20) pledged not to conduct cyber economic espionage and agreed that international law applies to cyberspace. This commitment is notable because it includes the United States, the European Union, Russia, and China.

If it’s effective, the G-20 action could also help spur the creation of an international set of norms for operating in cyberspace—something the United Nations (UN) has been discussing and that both China and the United States say they support, according to a fact sheet issued by the White House.

But not everyone is in favor of the UN leading this charge. Yorgen Edholm, CEO of Accellion, a firm specializing in secure file sharing, says that the biggest stakeholders should develop these norms, not the UN. “The problem with the UN is that it can sometimes be hijacked by all the little nations, that outnumber everybody else but sometimes don’t have a very big stake,” he explains. “Then you get rules that the big guys don’t care about.”

Instead, if the world can take the agreement between the United States and China as a starting point, the United States, China, Russia, and the European Union could work together to codify cyber norms and create a court where cybercrimes could be addressed, such as the International Court of Justice in The Hague or a separate court “with people who know exactly the technicalities of cyber theft,” Edholm explains.

“I’m not holding my breath though, because whenever rules come up, they have to be quite generic because the technology’s evolving so fast that if you become very specific, it’s quite possible that technology just makes this particular restriction useless because you can go around it,” he adds.

While the pact may not specifically codify how the agreement will be enforced, the fact that there’s an agreement at all is a positive sign, Bejtlich says.

“The biggest accomplishment here is that we have both the United States and China on record saying that you should not use government forces to acquire commercial secrets from private companies and then use them for your own domestic benefit,” he explains. “It is a step in the sense that it’s very difficult for us to agree with them on anything, so to get an agreement like this is important.”