Rebooting the U.S.-China Cyber Dialogue
Riley Walters /
U.S. and Chinese officials meet today in Washington to discuss ongoing challenges to cyber-security. Behind closed doors, there’s bound to be finger-pointing. After all, China is a leading source of cyber-attacks on U.S. corporate and government facilities.
Expectations for the meeting have already been lowered. A recent state visit by Chinese President Xi produced nothing of substance in terms of an agreement that might plausibly deter Chinese cyber-theft of U.S. intellectual property.
For decades, now, the U.S.-China relationship has bumped along. Bound by a common desire for economic growth, the two nations have maintained a mostly amicable relationship regardless of disagreements over defense and human rights matters. Yet over the years, theft of corporate intellectual property and cyber-breaches of federal computer systems have been a rising concern for U.S. policymakers.
Today and tomorrow, U.S. Secretary of Homeland Security Jeh Johnson, Attorney General Loretta Lynch, and members of the U.S. intelligence community will meet with their Chinese counterparts with the goal of opening a dialogue on cyber-crimes. It is the first such meeting since Chinese officials ended their participation in a bilateral Cyber Working Group last year following the U.S. indictment of five Chinese nationals for cyber-theft.
The five indicted hackers were all members of China’s People’s Liberation Army (PLA). PLA involvement came as no surprise. Cyber-attacks—such as those from Unit 61398—have long been attributed to the PLA. But since the indictments were handed down, the U.S.-China cyber-relationship has worsened. Only six months ago, the U.S. suffered one of the largest data breaches in federal history: The personal information of 22 million past and present federal employees was effectively siphoned from the Office of Personal Management.
A number of other cyber-breaches and attacks have been attributed to Chinese-based hacking teams, such as Deep Panda, Black Vine, and Axiom. And China’s “Great Cannon” attack on GitHub this March has raised new concerns. Recent revelations about that incident show that China can effectively take over significant portions of its networked systems to launch denial-of-service attacks.
There’s another disagreement that most certainly won’t be resolved at this meeting, and that’s the question of who should set the rules governing the Internet. From the Chinese perspective, it’s a matter of national sovereignty: They want to be able to control and censor what their citizens can see on the Internet, and they want the U.S. to stay out of it. Meanwhile, the U.S. is looking to hand over Internet administration to an international multi-stakeholder community—allowing countries greater say in what they think is appropriate in defining “Internet freedom.”
Another dicey topic of discussion concerns U.S. national security. Last month, the U.S. China Commission (USCC) published its 2015 annual report on the state of trade and economic relations with China, giving 37 specific recommendations to Congress.
Regarding cyber-espionage, USCC recommended that Congress explore the ability of U.S.-based companies to engage in “counter-intrusion practices” (in other words, to fight fire with fire) to ward off cyber-theft attempts. It also asked Congress to review whether of the federal government is able to act on behalf of a company that has been the victim of foreign government-instigated cyber-theft.
Attributing cyber-attacks to a point of origin can be quite difficult, especially when outside actors mount cyber-attacks by proxy, using U.S.-based computers without their owners’ knowledge. And now, exploitation of the virtual private network Terracotta has made attribution even within China difficult.
While it’s good to see U.S. and Chinese officials attempting another high-level dialogue, some of these weightier issues will take a lot of time to be sorted out. Some may never be agreed upon.
For example, what will happen regarding the indictment of the five Chinese military officers? Will the Obama administration turn a blind eye to their crimes in the name of building relations?
And how will the administration respond to USCC’s recommendation for retaliatory hacking? Turnabout being fair play, the idea has some appeal. But it can be a double-edged sword. Poor planning could lead to uncontrolled or misguided “hack-backs” that inflict collateral damage on innocent Chinese companies. And certainly, targeted sanctions by the U.S., as recommended in last year’s USCC report, should be brought up in the meeting.
Also, will Taiwan come up in these talks? The USCC recommends increasing Taipei’s involvement in future cyber-exercises.
Finally, it is important that policy-makers realize that the stakes for cyber-breaches and attacks will only increase as businesses and governments become more technically integrated. As technology grows, each additional cyber-hack will have a marginally greater effect on vital American interests and national security—moving the tipping point for hard-power action ever closer.