The Forthcoming (?) China-U.S. Agreement on Cybersecurity

By Herb Lin
Wednesday, September 23, 2015, 9:48 PM

Press reports suggest that China and the United States are likely to come to an agreement to refrain from cyber actions that intentionally damage each others’ critical infrastructure. It’s worth unpacking what such an agreement might entail, though of course speculation in the absence of specific language is always dangerous.

According to the New York Times, the United States and China are negotiating “a commitment by each country that it will not be the first to use cyberweapons to cripple the other’s critical infrastructure during peacetime.” A provision of the June 2015 report of the Group of Governmental Experts (GGE) on Developments in the Field of Information and Telecommunications in the Context of International Security stated that in paragraph 13(f) that “A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public.” Signed by representatives of 20 nations including the United States and China, this report asked member states of the United Nations to actively consider their recommendations that this and other norms of behavior. Another press report indicated the United States and China would probably not address directly the point regarding critical infrastructure, but rather would announce a “generic embrace” of the GGE’s recommendations.

Several observations stand out to me.

  • This agreement would not address the major irritant in U.S.-China cyber relations today—that of cyber-enabled espionage regarding trade secrets and other intellectual property or regarding traditional intelligence gathering for military and/or foreign policy purposes. This point, noted by a variety of press reports, is entirely true, and yet the agreement does try to address what is in fact a far more serious issue—the threat to critical infrastructure. In the long run, maintaining the security of critical infrastructure is almost certainly an objective of higher priority than preventing cyber-enabled espionage.
  • The agreement would prohibit “intentional damage” to critical infrastructure but not intelligence-gathering activities involving critical infrastructure. An interesting question then arises—how is one nation to distinguish between cyber activities conducted by the other nation that may on one hand be damaging or on the other hand for intelligence-gathering?
  • The agreement would be inherently unverifiable, or more precisely, as unverifiable as an agreement to refrain from using kinetic weapons to target ambulances on the battlefield. This is not necessarily a reason for opposing the agreement—the United States is a party to certain agreements, such as the Geneva Conventions, that constrain its behavior without regard for whether another party’s compliance can be assured. That is, we will not deliberately violate the laws of war even if other signatories to the Geneva Conventions do. Regardless of the other side’s behavior, we find value in a commitment to observe the laws of war, and there may be similar value in this case.
  • An explicit embrace by Presidents Xi and Obama of the GGE 2015 recommendations would be both desirable and remarkable--desirable because it would be a step forward in improving cyber relations between the two nations, even if only symbolically, and remarkable in light of the lingering doubts about China’s commitment to the consensus achieved in the GGE. I have been quite skeptical of that commitment, and I eagerly await tangible evidence that China is not seeking to back away from that putative agreement.

None of these comments negate Jack Goldsmith’s view that we shouldn’t get too excited about the reported agreement. As Jack points out, the devil is in the details of how the two nations define the prohibited activities. Jack’s comments regarding verification are also right on the money, and as an arms control agreement, what is being discussed falls far short of, for example, the Iran deal. But even if that is true, and the forthcoming agreement merely represents better atmospherics, that’s better than a summit that breaks down because of mutual recriminations over the cyber issue.

Let’s see what happens.