But there are several much larger considerations as well. In cyberspace, there is no wall big enough to prevent commercial cyber espionage across national borders. This applies as much to the Great Firewall (the nickname for China’s efforts at technical control of cyber space) as it does to the “Little Firewall” — that is, US efforts to stem Chinese (and Russian, French or Israeli) cyber espionage by technical and policy means. According to a senior FBI official, 90 percent of the cyber security systems in the United States are hackable with only moderate levels of technology and determination.
The current approach to cyber security in most countries can be summed up as "patch and pray", a reference to the reality that existing technical systems contain very large numbers of vulnerabilities that are discovered only gradually and addressed by periodic "patches" that update the software. One unfortunate corollary is that in countries such as China, which rely heavily on pirated software (which typically receives no vendor patches), almost all corporate data is highly vulnerable to theft and leak.
But the problem is also a human one. We need new suites of “highly secure computing” technologies that can begin to compensate for the weakness of the people who operate them.
The concept of "highly secure computing" as an alternative model to "patch and pray" refers to information technologies that are likely to be breached only in exceptional and rare circumstances, and at high cost and risk to the attacker. In 2009, the US Department of Homeland Security declared that scalable secure computing should be the first of 11 national priorities for research and commercial development to "transform the cyber-infrastructure so that critical national interests are protected from catastrophic damage." But highly secure computing is still being developed for the business world. Once it arrives, the global user community would have to adapt to it, and it would have to be adapted to them. As a study by the EastWest Institute pointed out, this would be difficult and costly.
More fundamentally, there can be no national cyber security for the US without “international information security.” The US government has yet to find an agreement with other major powers on what this is. It has promoted certain normative behavior in cyber space. But as long as the US is determined to maintain technological superiority in as many cyber- and military-related technologies as it can, then it must understand that other states will continue to want to weaken it, including through cyber espionage.
Thus, apart from promoting cyber norms, the US and China and other cyber powers need to begin talking about what, in practical technological and human terms, constitutes “international information security,” “strategic stability” and an enduring “peace” in cyber space. This is a staggeringly difficult problem. And the US will have to compromise to achieve such a state of affairs.
Taken together, all of the considerations mentioned above suggest that the recent US–China agreements do not address the main problem between the two countries in cyber space. Could this be a case of fiddling while Rome burns?
Greg Austin is a professorial fellow at the EastWest Institute and a visiting professor in the Australian Centre for Cyber Security at the University of New South Wales Canberra. East Asia Forum is a platform for analysis and research on politics, economics, business, law, security, international relations and society, based at the Crawford School of Public Policy at the Australian National University.