No Easy US-China Cyber Security Solutions
In late September, the Presidents of China and the United States reached a number of agreements on cyber security, cyber espionage and cyber crime. They provide for a new high-level contact group as well as assurances to investigate and resolve complaints from each other.
The agreements are important diplomatic breakthroughs, but they are relatively piecemeal when seen against the bigger picture. They may ultimately prove to be destructive if not followed up quickly by a more comprehensive agreement.
From the US side, the agreements were intended to constrain China from using government-collected commercial intelligence for the benefit of its civil sector firms. This narrow focus on just one aspect of the bilateral cyber problem appears to reflect a US belief that it can be addressed without Washington having to give up anything.
This is further evidenced by its repeated demands, unaccompanied by any concessions, even rhetorical ones. The US decision to stake so much on eliminating cyber espionage without considering other major challenges may be misguided for at least three reasons.
First, the United States overestimates the negative impact of China’s cyber espionage on US competitiveness. Take for example the case of Westinghouse, the giant US corporation named as a victim in indictments brought against five People’s Liberation Army personnel in May 2014 for commercial espionage. Westinghouse was almost certainly the victim of cyber espionage and its trade secrets were undoubtedly handed to a Chinese competitor.
But within two months of the indictment, Westinghouse raised its estimates of likely new contracts in China to US$20 billion. Its competitiveness does not appear to have been impacted negatively in the short to medium term. And Westinghouse was already in a long term technology transfer relationship with China that had seen it hand over some 75,000 technical documents as well as engaging in joint nuclear construction projects in China.
Second, the US position rests on its assertion that there is a workable and enforceable distinction between the national security purposes of economic cyber espionage (which Washington defends and conducts) and the commercial purposes of cyber espionage (which Washington says it opposes).
In effect, the US is implying very clearly that the espionage against Westinghouse had no national security implications at all. Such a claim is not sustainable. There may be few companies in the United States where the blurring between military and civil purposes is more profound. Westinghouse is a major supplier of military nuclear reactors to the US Navy. For this reason, Westinghouse and the nuclear technology sector appear therefore to have been poor choices for action as part of a diplomatic strategy to counter China’s cyber espionage for being commercial in character.
Third, as many commentators have argued, the agreement on commercial espionage may create more diplomatic minefields than it eliminates because of imprecise language and lack of enforcement capability.
But there are several much larger considerations as well. In cyberspace, there is no wall big enough to prevent commercial cyber espionage across national borders. This applies as much to the Great Firewall (the nickname for China’s efforts at technical control of cyber space) as it does to the “Little Firewall” — that is, US efforts to stem Chinese (and Russian, French or Israeli) cyber espionage by technical and policy means. According to a senior FBI official, 90 percent of the cyber security systems in the United States are hackable with only moderate levels of technology and determination.
The current approach in most countries to cyber security can be summed up as “patch and pray”, a reference to the reality that existing technical systems have very large numbers of vulnerabilities that are only gradually discovered and are addressed by periodic “patches” to update software. One unfortunate corollary of this situation is that in countries such as China that have a heavy reliance on pirated software (which does not receive patches), almost all corporate data is highly vulnerable to theft and leak.
But the problem is also a human one. We need new suites of “highly secure computing” technologies that can begin to compensate for the weakness of the people who operate them.
The concept of “highly secure computing” as an alternative model to “patch and pray” refers to information technologies that are likely to be breached only in exceptional and rare circumstances, and at high costs and risk to the attacker. In 2009, the US Department of Homeland Security declared that scalable secure computing should be the first of 11 national priorities for research and commercial development to “transform the cyber-infrastructure so that critical national interests are protected from catastrophic damage.” But highly secure computing is still being developed for the business world. The global user community would then have to adapt to it and be adapted for it. As pointed out in a study by the EastWest Institute, this would definitely be difficult and costly.
More fundamentally, there can be no national cyber security for the US without “international information security.” The US government has yet to find an agreement with other major powers on what this is. It has promoted certain normative behavior in cyber space. But as long as the US is determined to maintain technological superiority in as many cyber- and military-related technologies as it can, then it must understand that other states will continue to want to weaken it, including through cyber espionage.
Thus, apart from promoting cyber norms, the US and China and other cyber powers need to begin talking about what, in practical technological and human terms, constitutes “international information security,” “strategic stability” and an enduring “peace” in cyber space. This is a staggeringly difficult problem. And the US will have to compromise to achieve such a state of affairs.
Taken together, all of the considerations mentioned above suggest that the recent US–China agreements do not address the main problem between the two countries in cyber space. Could this be a case of fiddling while Rome burns?
Greg Austin is a professorial fellow at the EastWest Institute and a visiting professor in the Australian Centre for Cyber Security at the University of New South Wales Canberra. East Asia Forum, a platform for analysis and research on politics, economics, business, law, security, international relations and society based out of the Crawford School of Public Policy at the Australian National University