Three Observations on China's Approach to State Action in Cyberspace

Michael Sulmeyer, Amy Chang
Sunday, January 22, 2017, 2:48 PM

Published by The Lawfare Institute in Cooperation With Brookings

We just returned from 36 hours in Beijing as part of a small group of American academics and government representatives to meet with Chinese counterparts about contemporary issues in cybersecurity. This is the 10th round of this dialogue, led by U.S. think-tank Center for Strategic and International Studies (CSIS) and Chinese think-tank China Institute for Contemporary International Relations (CICIR). (These so-called “Track 1.5” dialogues blend official Track 1 discussions between senior government leaders with Track 2 meetings of academics and other non-government individuals.) We were fortunate to have on the other side of the table a mix of representatives from various Chinese ministries and agencies (including the Cyberspace Administration of China, its Ministry of Foreign Affairs, its Ministry of Defense, China's national Computer Emergency Response Team, and its security services via think tank links), as well as a handful of independent researchers.

In exchange for candor, participants forfeit the ability to publicize details of these discussions. We will honor that arrangement. But we also think it worthwhile to share three observations from our recent interactions that shed light on Chinese thinking about recent cybersecurity-related events.

First: The Chinese believe that attribution is nearly impossible. We were continually surprised by how pervasive this talking point about attribution being so difficult in cyberspace continues to be. From our respective experiences in government (Michael in the Department of Defense, Amy on Capitol Hill) as well as our experiences conducting cybersecurity research, perhaps we are biased with a greater awareness that it is indeed possible to determine who does what. The general thinking is that while public attribution of cyber intrusions has historically been quite challenging, today there are several reasons why it is possible for states (and private companies) to attribute hacks. The real question is not if states can attribute cyber attacks, but if they will publicly do so.

Throughout the discussion, we found our Chinese colleagues to be convinced not just that attribution is too difficult and uncertain, but that only the United States can do it. China, in their view, lacks the sophisticated techniques and technology to attribute cyber attacks, and has appealed to the United States to share its own attribution technologies (as if the ability to attribute rested solely in some sort of magic device) so that the international community could have greater transparency behind malicious cyber activity.

Second: Chinese condemnations of malicious cyber activity rest on the principle of absolute non-interference by external powers in internal affairs. The Chinese are always quick to argue that they are a developing nation, not nearly as capable or as threatening as the United States. They also state frequently that they are the single largest victim of cyber crime and hacking in the world. While they did not condone alleged Russian interference in the U.S. election (after all, it's impossible to attribute!), they could not accept U.S. sanctions or any unilateral action by one actor as a valid response.

Pushed on this, Chinese colleagues discussed the need to resolve issues bilaterally or multilaterally, though nuances of today’s complex cyber scenarios often became too difficult to parse (e.g., how to resolve a situation if a multilateral institution ruled against a state’s principle of sovereignty, or how to handle a third party state operating in one country against the other). Ultimately, however, Chinese counterparts implicitly acknowledged that unilateral, non-diplomatic responses are within the realm of possibility, even for China: it all just depends on a country’s capabilities and means to respond.

Third: Although they did not openly support “alleged” Russian hacking to manipulate the U.S. election, some of our Chinese counterparts were gloating at seeing the United States on the receiving end of hacking. In essence, they felt we were now getting a taste of our own medicine. We detected an underlying theme throughout this dialogue on the Chinese side that they took some satisfaction from the fact that someone else had meddled in U.S. domestic politics. It was hard for them to come out and endorse it, given their adherence to non-interference. But they could not resist the temptation to tell us, in no uncertain terms, “How does it feel now that you have someone doing to you what you have been doing to others?” They further pointed out that the pervasive influx of fake news affecting the U.S. election is clear precedent for why the Chinese government regulates the internet, to “insure that information online is true.”

To be sure, the U.S. and Chinese sides agree on some issues regarding state behavior in cyberspace, but deep divisions remain. It is important that dialogues such as the one we attended continue, to keep channels for dialogue open no matter what the political winds of change may bring in the future.


Dr. Michael Sulmeyer is the Belfer Center's Cyber Security Project director at the Harvard Kennedy School. He recently concluded several years in the Office of the Secretary of Defense, serving most recently as the Director for Plans and Operations for Cyber Policy. He was also Senior Policy Advisor to the Deputy Assistant Secretary of Defense for Cyber Policy. In these jobs, he worked closely with the Joint Staff and Cyber Command on a variety of efforts to counter malicious cyber activity against U.S. and DoD interests. Previously, he worked on arms control and the maintenance of strategic stability between the United States, Russia, and China. As a Marshall Scholar, Sulmeyer received his doctorate in Politics from Oxford University, and his dissertation, "Money for Nothing: Understanding the Termination of U.S. Major Defense Acquisition Programs," won the Sir Walter Bagehot Prize for best dissertation in government and public administration. He received his B.A. and J.D. from Stanford University and his M.A. in War Studies from King's College London.
Amy Chang is an affiliate with the Belfer Center’s Cyber Security Project at the Harvard Kennedy School. Her research examines cybersecurity and technology policy issues, U.S.-China relations, and U.S.-Asia foreign policy. Ms. Chang recently served as the Staff Director of the Asia and the Pacific Subcommittee at the U.S. House of Representatives Committee on Foreign Affairs, where she was responsible for federal oversight and legislation on political, security, and economic issues in the greater Indo-Asia-Pacific region. Previously, Ms. Chang was the Norman R. Augustine Research Associate in the Technology & National Security Program at the Center for a New American Security (CNAS). She is now a fellow at the Truman National Security Project.
