Three Observations on China's Approach to State Action in Cyberspace
We just returned from 36 hours in Beijing as part of a small group of American academics and government representatives to meet with Chinese counterparts about contemporary issues in cybersecurity. This is the 10th round of this dialogue, led by U.S. think-tank Center for Strategic and International Studies (CSIS) and Chinese think-tank China Institute for Contemporary International Relations (CICIR).
Published by The Lawfare Institute
in Cooperation With
We just returned from 36 hours in Beijing as part of a small group of American academics and government representatives to meet with Chinese counterparts about contemporary issues in cybersecurity. This is the 10th round of this dialogue, led by U.S. think-tank Center for Strategic and International Studies (CSIS) and Chinese think-tank China Institute for Contemporary International Relations (CICIR). (These so-called “Track 1.5” dialogues blend official Track 1 discussions between senior government leaders with Track 2 meetings of academics and other non-government individuals.) We were fortunate to have on the other side of the table a mix of representatives from various Chinese ministries and agencies (including the Cyberspace Administration of China, its Ministry of Foreign Affairs, its Ministry of Defense, China's national Computer Emergency Response Team, and its security services via think tank links), as well as a handful of independent researchers.
In exchange for candor, participants forfeit the ability to publicize details of these discussions. We will honor that arrangement. But we also think it worthwhile to share three observations from our recent interactions that shed light on Chinese thinking about recent cybersecurity-related events.
First: The Chinese believe that attribution is nearly impossible. We were continually surprised by how pervasive this talking point about attribution being so difficult in cyberspace continues to be. From our respective experiences in government (Michael in the Department of Defense, Amy on Capitol Hill) as well as our experiences conducting cybersecurity research, perhaps we are biased with a greater awareness that it is indeed possible to determine who does what. The general thinking is that while public attribution of cyber intrusions has historically been quite challenging, today there are several reasons why it is possible for states (and private companies) to attribute hacks. The real question is not if states can attribute cyber attacks, but if they will publicly do so.
Throughout the discussion we found our Chinese colleagues to be not just convinced that attribution is too difficult and uncertain, but that only the United States can do it. China, in their view, lacks the sophisticated techniques and technology to attribute cyber attacks, and has appealed to the United States to share its own attribution technologies (as if the ability to attribute rested solely in some sort of magic device) so that the international community could have greater transparency behind malicious cyber activity.
Second: Chinese condemnations of malicious cyber activity rest on the principle of absolute non-interference by external powers in internal affairs. The Chinese are always quick to argue that they are a developing nation, not nearly as capable or as threatening as the United States. They also state frequently that they are the single largest victim of cyber crime and hacking in the world. While they did not condone alleged Russian interference in the U.S. election (after all, it's impossible to attribute!), they could not accept U.S. sanctions or any unilateral action by one actor as a valid response.
Pushed on this, Chinese colleagues discussed the need to resolve issues bilaterally or multilaterally, though nuances of today’s complex cyber scenarios often became too difficult to parse (e.g., how to resolve a situation if a multilateral institution ruled against a state’s principle of sovereignty, or how to handle a third party state operating in one country against the other). Ultimately, however, Chinese counterparts implicitly acknowledged that unilateral, non-diplomatic responses are within the realm of possibility, even for China: it all just depends on a country’s capabilities and means to respond.
Third: Although they did not openly support “alleged” Russian hacking to manipulate the U.S. election, some of our Chinese counterparts were gloating at seeing the United States on the receiving end of hacking. In essence, they felt we were now getting a taste of our own medicine. We detected an underlying theme throughout this dialogue on the Chinese side that they took some satisfaction from the fact that someone else had meddled in U.S. domestic politics. It was hard for them to come out and endorse it, given their adherence to non-interference. But they could not resist the temptation to tell us, in no uncertain terms, “How does it feel now that you have someone doing to you what you have been doing to others?” They further pointed out that the pervasive influx of fake news affecting the U.S. election is clear precedent for why the Chinese government regulates the internet, to “insure that information online is true.”
To be sure, the U.S. and Chinese sides agree on some issues regarding state behavior in cyberspace, but deep divisions remain. Dialogues such as the one we attended are important to continue to keep channels for dialogue open no matter what the political winds of change may bring in the future.