Cybersecurity: Crime and Espionage

The Donilon Approach to Cybersecurity

By Paul Rosenzweig
Tuesday, March 12, 2013, 10:13 AM

Raffaella has already beaten me to the punch with her link to Tom Donilon's speech yesterday to the Asia Society.  For those who want a short version, here's today's report in the New York Times.  And for those who want a very short summary of what Donilon said, here's the money quote:

First, we need a recognition of the urgency and scope of this problem and the risk it poses—to international trade, to the reputation of Chinese industry and to our overall relations.  Second, Beijing should take serious steps to investigate and put a stop to these activities.  Finally, we need China to engage with us in a constructive direct dialogue to establish acceptable norms of behavior in cyberspace.

So what are we to make of this?  First, it is obviously a good thing that the Administration is willing to call China out publicly over its brazen cyber theft.  As far as I know this is the first time that it has been willing to publicly make such a statement.  And while I understand and actually appreciate the sensitivities that are involved (since we have a host of significant issues to consider involving our meta-relationship with China) it is, I think, essential to be willing to publicly call for a change if you want to see change achieved.

Second, the Administration has taken an interesting tack -- probably not the one I would have chosen, but certainly a plausible one.  Note that Donilon calls on Beijing to take "serious steps to investigate and put a stop" to cyber intellectual property espionage and theft.  By couching the overture in those terms, Donilon is giving Beijing a diplomatic out.  Even though we all are reasonably convinced from the Mandiant report (and, I am told, many other classified sources) that much of the economic espionage is being conducted by State-sponsored entities (not to mention State-tolerated and/or encouraged entities that might not be directly sponsored), the Administration is willing to start the conversation by pretending that the hackers are rogue actors who are outside the bounds of Chinese law and policy.  This allows them to simply call on China to do a better job of enforcing its own existing laws and allows China, if it wants to, to rein in the cyber hackers without acknowledging its underlying role as the sponsor of the theft.  Pretty neat (and probably not helped much by my outing them -- but it's sufficiently transparent that I don't think I'm doing any harm).

Finally, note the last call -- for China to agree to a discussion directly with the US over these issues.  I like that very much. Over the past several years China has sought to "internationalize" the cyber discussion -- bringing in the ITU as a stalking horse for governance and allying with the Shanghai Cooperative Organization (Russia and the "Stans") to propose an international code of behavior, etc.  The US has, rightly in my judgment, resisted the internationalization of Internet governance, and the call for direct bilateral negotiations over norms of behavior strikes me as the right step.

Which brings me to an amusing point -- China has routinely rejected multilateral negotiations over the South China Sea (which, I learned on my recent trip to Vietnam, the Vietnamese call the East Sea!) while the US has favored them. In cyber, the valence of the discussion is reversed -- which just goes to show that much of diplomacy is situational ethics!