A Quick Reaction to the Cybersecurity Portion of the Xi-Obama Summit

This note is based on the White House Fact Sheet.

Cybersecurity-

The United States and China agree that timely responses should be provided to requests for information and assistance concerning malicious cyber activities. Further, both sides agree to cooperate, in a manner consistent with their respective national laws and relevant international obligations, with requests to investigate cybercrimes, collect electronic evidence, and mitigate malicious cyber activity emanating from their territory. Both sides also agree to provide updates on the status and results of those investigation to the other side, as appropriate.

Mechanisms to promote dialogue are always a good thing, but it remains to be seen what specific changes will emerge from dialogue. For example, a great deal rests on what “cybercrime” means. Is it financial cybercrime, such as credit card fraud? Is it action that disrupts the functioning of the international financial system? Is it cyber-enabled collection of information that could be used against a nation’s security interests? Is it theft of trade secrets for commercial gain? All of these actions are crimes in each nation, and yet which definition is used matters a great deal for the substance of a dialogue and any subsequent action.

The United States and China agree that neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.

This is something that the US has wanted from China for a long time – a high level acknowledgement that theft of IP for commercial purposes should not happen. This is clearly a good outcome from the US perspective compared to silence on this point. But I see at least two issues:

• The phrasing “conduct or knowingly support” is not as broad as it should be. “Conduct or knowingly tolerate” would have been a much better formulation, since the current formulation does not rule out looking the other way at rogue elements.

• Relatedly, it also does not commit China to do anything specific to curb such activities that are already emanating from China. It does not, for example, commit China to prosecuting private enterprises that conduct such activity.

So the details of implementation of this agreement matter a lot. I’m not quite as pessimistic as Paul Rosenzweig, but color me a bit skeptical as well.

Both sides are committed to making common effort to further identify and promote appropriate norms of state behavior in cyberspace within the international community. The United States and China welcome the July 2015 report of the UN Group of Governmental Experts in the Field of Information and Telecommunications in the Context of International security, which addresses norms of behavior and other crucial issues for international security in cyberspace. The two sides also agree to create a senior experts group for further discussions on this topic.

This endorsement of the July 2015 report is positive, and it shows that the UN-based GGE forum for cybersecurity does have some real value (I have been doubtful about that, but I'm glad to say I was wrong). But this endorsement does not commit either side to or to refrain from any particular behavior. A senior experts group to discuss issues is also good, compared to the alternative of NOT having such a forum to discuss issues--but what will be the substance of the meetings? Mere recitation of each others' talking points will not be particularly productive.

The United States and China agree to establish a high-level joint dialogue mechanism on fighting cybercrime and related issues. China will designate an official at the ministerial level to be the lead and the Ministry of Public Security, Ministry of State Security, Ministry of Justice, and the State Internet and Information Office will participate in the dialogue. The U.S. Secretary of Homeland Security and the U.S. Attorney General will co-chair the dialogue, with participation from representatives from the Federal Bureau of Investigation, the U.S. Intelligence Community and other agencies, for the United States. This mechanism will be used to review the timeliness and quality of responses to requests for information and assistance with respect to malicious cyber activity of concern identified by either side.

Clearly a good thing. Implementation matters here too.

As part of this mechanism, both sides agree to establish a hotline for the escalation of issues that may arise in the course of responding to such requests.

Clearly a good thing in principle. But implementation is an issue, and experience with other hotlines between the United States and China has not always been positive. A case in point is the military hotline between the United States and China, intended to enable direct communications between senior military leaders on both sides during crisis, has not always been operational even during routine tests of the system. On several occasions in which the line was tested for operational capability and also in the wake of the 2001 EP-3 incident over Hainan, the Chinese military failed to respond at all. In addition, the purview seems to be limited to cybercrime (whatever that might mean) and not to cyber issues related to national security.

On balance, from my perspective, progress has been made towards a better cybersecurity relationship between China and the United States, and more doors are open today than they were last week. Now each side needs to walk through those doors and do some hard work.

A final note: The White House posted a fact sheet on the summit, on which this blog post is based. A more significant public release regarding the summit would be a comparable fact sheet posted on an official Chinese government web site, written in Chinese, such as this one, located on the site of the Chinese Communist Party. That would be a clearer statement to the Chinese people about the intentions of the Chinese government than anything posted on a U.S. government web site.