In his speech yesterday in Seattle, China President Xi Jinping said:
China is a staunch defender of cybersecurity. It is also a victim of hacking. The Chinese government will not, in whatever form, engage in commercial thefts or encourage or support such attempts by anyone. Both commercial cyber theft and hacking against government networks are crimes that must be punished in accordance with law and relevant international treaties. The international community should, on the basis of mutual respect and mutual trust, work together to build a peaceful, secure, open, and cooperative cyberspace. China is ready to set up a high-level joint dialogue mechanism with United States on fighting cyber crimes.
Most of the coverage of the speech has focused on Xi’s improbable but perhaps conciliatory claims about China’s innocence in offensive cyber. This focus overlooks what I think is Xi’s most significant statement in this paragraph: “hacking against government networks” is a crime that “must be punished in accordance with law and relevant international treaties.”
This passage could mean many things, and it is far from clear what “international treaties” Xi has in mind. But I speculate that Xi is signaling a demand for reduction in USG cyberoperations, and in support for NGO cyberoperations, that are designed to weaken or to circumvent China’s fierce control of its proprietary network, as an item of negotiation in any deal that would include a reduction of China’s private commercial theft inside the United States.
I have long noted that our adversaries are not going to stop cyber activities we find offensive without some reduction in USG cyberactivities that they find offensive:
[T]he United States is widely viewed as a major source of cyber attacks and exploitations, as well as a major spur to the cyberarms race. We have the biggest private botnets in the world. They are used for cyber attacks and exploitations around the globe, and the government has done practically nothing to clean them up. The government subsidizes a robust “hacktivist” community that uses digital tools for such activities as circumventing content filters in the networks of authoritarian states. It views these activities as benign, but the Chinese consider them on a par with the Google hack. In addition, the U.S. government has famously prodigious cyber-exploitation and cyber-attack capacities. All of these reasons, and more, explain why an early-2010 study by McAfee, the computer security company, concluded that more information-technology experts from critical infrastructure firms around the world expressed concern about the United States as a source of computer network attacks than about any other country.
For our government to receive the concessions and relief that it thinks international cooperation by treaty [or any other mode of cooperation] can bring, it must be willing to clamp down on some, probably many, aspects of its many public and private cyber activities. But no one in Washington has indicated publicly which cyber operations the United States might terminate in exchange for reciprocal concessions. Indeed, there is no public indication that Washington is seriously interested in the question. Until the United States gets serious about which concessions that are attractive to our adversaries it is willing and able to make, American talk of a cyber-arms agreement is empty. We aren’t going to get restraint from our adversaries unless we restrain ourselves, and in a significant way. (And agreeing to forgo activites that we are already known not to engage in does not count as a concession that will induce reciprocity.)
Or as I once stated more pithily, a major hurdle to genuine progress on cybersecurity cooperation with our adversaries is the USG’s “refusal to acknowledge more fully its many offensive cyber activities, or to propose which such activities it might clamp down on in exchange for reciprocal concessions by our adversaries.” There is no reason to think China will unilaterally back down in its cyber-operations against the United States.