A central feature of U.S.-China cyber diplomacy has been Washington’s effort to persuade Beijing to acknowledge and enforce a norm against state-sponsored commercial cyber theft. After years of private diplomacy and public signaling, in September 2015, U.S. President Barack Obama and Chinese President Xi Jinping reached an agreement that “neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.” This norm gained the support of G-20 leaders at their November 2015 summit, and the U.S.-China agreement was reaffirmed as recently as October 2017.
In consenting to this language, what did the respective leaders understand themselves to be committing to? What constitutes intent to provide competitive advantage to a nation’s commercial sector? Where is the line between commercial purposes and national security objectives? What degree of control is necessary to impute responsibility to a government rather than a nonstate actor?
The lack of good answers to such questions exposes one aspect of the complexity of efforts to develop and implement norms of state conduct in cyberspace. China provides a particularly illustrative case study of the complexity because its institutional environment does not break down neatly along lines between state-government and nonstate-commercial sectors. Nor is this a straightforward matter of government ownership—that is to say, a reflection of the outsized role played by state-owned enterprises in China’s economy (a phenomenon not unique to China). The challenge is deeper and more fundamental.
One aspect of the challenge is that the usual dichotomy between state-owned and privately-owned enterprises simply does not hold in the Chinese context. Distinctions between state and market actors, interests, and motivations are often blurred. Numerous firms, regardless of ownership structure, have close connections to state agencies and officials, as well as some (often difficult to define) role in carrying out state policy objectives. The ruling Chinese Communist Party is deeply woven into the institutional fabric of China’s economy, and its role in institutional settings can be extremely difficult to disaggregate.
A second and related aspect of the challenge is China’s expansive official conception of “national security.” A few months prior to the 2015 agreement, China’s National People’s Congress adopted the National Security Law, which codifies a sweeping vision of national security, instructing officials to “adhere to a comprehensive understanding of national security” that explicitly includes economic welfare as well as cultural, social, and other concerns. Xi has echoed this call for a “comprehensive” approach that incorporates “political, economic, territorial, social and cyber security.” Chinese laws and policy statements thus indicate that virtually any objective the CCP might determine to be within the realm of national interests—including economic interests—qualifies in principle as a national security objective. The expansiveness of this conception also opens the possibility that Chinese companies that support and carry out the party-state’s priorities cannot be disentangled from the party-state’s capacious national security objectives.
In a new Hoover Institution essay, I refer to these characteristics collectively as the challenge of “China, Inc.+.” I borrow the term “China, Inc.” from Mark Wu and others who have used it to describe the unique role of the state in the Chinese economy and to broaden the concept to include China’s expansive understanding of national security—hence the “plus.” (The “+” moniker also evokes the Chinese government’s “Internet Plus” (互联网+) agenda, which aims to capitalize on the integration of Internet and cutting-edge digital technologies into various Chinese industries and government agencies.)
The attributes of China, Inc.+ raise vexing questions when considered alongside the country’s articulated national strategies and policies for cyberspace. Policy initiatives such as “military-civil fusion” blur the distinction between defense and commercial activities and aim to bolster the involvement of Chinese companies and universities in national defense. For example, so-called cyber “militias” in Chinese businesses and universities are reportedly comprised of “hackers, IT companies, scientists, network engineers, foreign language speakers, and others with useful skills” who operate under a command hierarchy with ambiguous connections and accountability to the Chinese government and the People’s Liberation Army. Thus, the blurred lines between state and nonstate actors, as well as between the national security and commercial priorities of China, Inc.+, are rendered even murkier by what we know from publicly available materials about China’s strategy of cyber power integration. The blurriness is further illustrated by a sampling of reported cyber intrusions by China-based actors.
In short, the China, Inc.+ challenge is about the blending of state and nonstate domains. This has significant and perhaps underappreciated consequences for U.S. policy. For example, even if we assume perfect attribution of the source of every digital breach (a significant challenge in itself), there may be cases in which the deeply integrated nature of China’s party-state apparatus makes it all but impossible to determine with certainty the precise relationship of the operational source to “the state” or the degree of “state control” over that entity. This in turn has implications for international law and norms, as it muddies the waters around both the actors (whether to attribute state responsibility for a given cyber operation) as well as the conduct itself (whether the operation is in fact a violation of a norm).
The challenge is illuminated by the (perhaps unavoidable) failure of language in recent norm-setting documents to capture the characteristic murkiness of state-nonstate distinctions within Chinese state capitalism. The norm against state-sponsored commercial cyber theft, as memorialized in the 2015 agreement, is a conspicuous example. The putative law of state responsibility for cyber operations in the Tallinn Manual 2.0, which hinges on a particular notion of “state control,” is also illustrative. The subtleties of China, Inc.+ also point to difficulties of cyber norm-construction in other areas, such as putative limits on states’ sovereign rights to regulate the internet on the basis of national security or debates over how to define “critical infrastructure,” which international norms aim to protect from state-sponsored cyberattack.
This is not to suggest that all of the challenges outlined above are necessarily China-specific. Nonetheless, they are especially salient in the Chinese context and have important implications for U.S.-China relations and global governance. The future of international relations in cyberspace will not be decided without the participation of the United States and China. It is thus important for U.S. policymakers to be alert to these challenges and to approach future U.S.-China interactions on cyberspace norms with strategies for addressing them. My paper, “The ‘China, Inc.+’ Challenge to Cyberspace Norms,” concludes with a few thoughts along these lines.