By Robert Potter China ’ s cybersecurity relations have rarely been more complicated than they are today. Beijing is presently subj...
By Robert Potter
China’s cybersecurity
relations have rarely been more complicated than they are today. Beijing is
presently subject to a significant level of criticism, with cybersecurity
taking a leading role in the attention it receives from the United States
(U.S.). For its part, the U.S. is struggling to respond to China for a number
of reasons. First, there is a problem of attribution, as linking an attack to
an individual or country is often a difficult technical problem[1]. Secondly,
corporate entities are reluctant to disclose attacks. And finally,
there is no agreed upon framework as to how an attack fits within a threat matrix[2]. These factors
contribute to an ambiguous cybersecurity environment wherein it becomes
difficult to assess a state’s intentions. Thus,
with this perspective, a response against Beijing on this subject becomes a
difficult task.
In international
politics, when one thinks of
effective arms control measures they generally stick to identifiable events. It
is relatively straightforward to identify a nuclear explosion or a large scale
conventional military invasion. It is also usually possible to discover who is
responsible for these actions and categorize them within in the understanding
of threat. For example, when employing the term ‘invasion’ or ‘declaration of war’, there is an
immediate communicated understanding of the context that propels such actions. In
contrast, modern international security undermines such classifications. For
example, it is known that Russia is operating in Ukraine but the terms we use
to describe those activities are greyer than say, identifying the beginning of
Operation Barbarossa. This creates the ambiguity in classifying cyber attacks.
This means that
while cyber threats are difficult to classify, they are not unique in their
ambiguity as they form an identifiable part of an ongoing trend. For example,
the U.S. Government’s Sandia National
Laboratories produced a very well written report on cyber threat metrics but Sandia treated
the problem in isolation.
This shows that the
institutions within the United States that are responding to this challenge are
doing so in isolation and feel they need to reinvent the wheel in order to make
progress. Contrasting this back to China’s perspective, cyber policy is seen as a
natural outgrowth of a general foreign policy directive to protect the
longevity of the Chinese Communist Party[3]. This means that
cyberattacks will be leveraged into offensive efforts to develop an advantage
and defensive efforts to hedge against attacks in the future.
This has placed
China in a strong position. For Beijing, the cyber realm is purely a
Clausewitzian effort to develop capability by another means. Conversely, states
that seek to respond are placed in a situation where they must deal with a
technology with no strong rules based on order, leveraged by a major power and
deployed in asymmetric terms.
Cyber threats are
not a new problem and they are certainly not the only asymmetric threat
that states face. However, while other
states are struggling to collaborate and leverage existing expertise, the level
of attacks is creating a steady stream of instability that is becoming the
norm. This new reality favors China’s position.
It will be a
lengthy process for rivals to construct international norms that cover
cyber attacks and an even longer one to make attacks less permissible. This says
nothing of the task involved in rolling back the level of attack activity. The
recent agreement between China and the U.S. is small step in that direction. In
his recent trip to U.S., Chinese President Xi
Jinping made the
following statement alongside President Barack Obama:
“that neither country's government will
conduct or knowingly support cyber-enabled theft of intellectual property,
including trade secrets or other confidential business information, with the
intent of providing competitive advantages to companies or commercial
sectors."
The
statement also included an agreement to share information to assist in
attributing cyberattacks. This agreement is a small towards international norms
that facilitates a divide between cyberattacks
involving companies and those that relate to espionage.
The
reality of President Xi’s statement on the subject is that China’s
cyber capability has grown so large that it is no longer practical for it to be
denied. In realist terms, denial has run out of utility and the international
community is now acclimatized to a certain level of cyberattacks. Essentially,
China by waiting and agreeing to this statement won the argument and now any reduction will
be seen as a
positive step, rather than as part of
an ongoing defiance of international norms[4].
China
can now shift its response from denying the capability to denying
responsibility. The statement, while making marginal progress in developing
rule based norms in the area places China in the position of saying it will
respond to a problem but not acknowledge the existence of the problem. This
provides another advantage for China’s
position.
President
Xi went to the United States facing a significant amount of criticism for China’s
present level of cyberattacks. By electing not to resist the development of
international norms in cyberspace, Xi has instead decided to shape what will
emerge from the discussion. Had President Xi chosen the former, he would have
been placed into a position of responding to the efforts of other states. By
essentially buying into the debate, Xi has placed China at the head of the
table. This pragmatic tactic probably favors the Chinese position for the time
being.
In
this case, the joint statement between China and U.S. is emblematic of the
present trends in cyber security. Efforts are being made in classifying threat
and developing norms around investigation. Those efforts are moving forward in
a halting fashion, stuck in bilateral rather than treaty frameworks and
restricted to agreements designed to foster goodwill on the one side. This then
allows China to work in a framework where events are deniable and allows
Beijing to operate within a space of superficial compliance[5]. This means that in its
forward movement, such trends are favoring China’s
position.
About the Author:
About the Author:
Robert Potter is currently a PhD
Candidate at the University of Queensland. Prior to this he was Research
Assistant Volunteer at the John F Kennedy School of Government, Harvard
University. Prior to this he was a Visiting Scholar at Columbia University – Saltzman
Institute of War and Peace Studies, School of International and Public Affairs. Thomson Reuters Researcher ID: L-5421-2015
Twitter account: @rpotter_9
References:
[1] Thomas Rid and Ben Buchanan, “Attributing Cyber Attacks,” Journal
of Strategic Studies 38, no. 1–2 (January 2, 2015): 4, doi:10.1080/01402390.2014.977382.
[2] Rick Dakin, “SEC Cyber Risk Disclosure Guidance,” 2012,
http://www.coalfire.com/medialib/assets/PDFs/Perspectives/Coalfire-Perspective-SEC-Cyber-Risk-Disclosure-Guidance.pdf.
[3] Amy Chang, “Waring State, China’s Cybersecurity Strategy,” Center
for a New American Security, December 2014, 7.
[4] “Net
Politics » Chinese Arrest of Hackers a Good Sign, But Not the End of the
Story,” accessed October 18, 2015,
http://blogs.cfr.org/cyber/2015/10/13/chinese-arrest-of-hackers-a-good-sign-but-not-the-end-of-the-story/.
AIDN: 001-10-2015-0326