FEATURED | China and Cybersecurity
IndraStra Open Journal Systems
IndraStra Global

FEATURED | China and Cybersecurity

By Robert Potter

FEATURED | China and Cybersecurity by Robert Potter

Chinas cybersecurity relations have rarely been more complicated than they are today. Beijing is presently subject to a significant level of criticism, with cybersecurity taking a leading role in the attention it receives from the United States (U.S.). For its part, the U.S. is struggling to respond to China for a number of reasons. First, there is a problem of attribution, as linking an attack to an individual or country is often a difficult technical problem[1]. Secondly, corporate entities are reluctant to disclose attacks. And finally, there is no agreed upon framework as to how an attack fits within a threat matrix[2]. These factors contribute to an ambiguous cybersecurity environment wherein it becomes difficult to assess a states intentions. Thus, with this perspective, a response against Beijing on this subject becomes a difficult task.

In international politics, when one thinks of effective arms control measures they generally stick to identifiable events. It is relatively straightforward to identify a nuclear explosion or a large scale conventional military invasion. It is also usually possible to discover who is responsible for these actions and categorize them within in the understanding of threat. For example, when employing the term invasion or declaration of war, there is an immediate communicated understanding of the context that propels such actions. In contrast, modern international security undermines such classifications. For example, it is known that Russia is operating in Ukraine but the terms we use to describe those activities are greyer than say, identifying the beginning of Operation Barbarossa. This creates the ambiguity in classifying cyber attacks.

This means that while cyber threats are difficult to classify, they are not unique in their ambiguity as they form an identifiable part of an ongoing trend. For example, the U.S. Governments Sandia National Laboratories produced a very well written report on cyber threat metrics but Sandia treated the problem in isolation.

This shows that the institutions within the United States that are responding to this challenge are doing so in isolation and feel they need to reinvent the wheel in order to make progress. Contrasting this back to Chinas perspective, cyber policy is seen as a natural outgrowth of a general foreign policy directive to protect the longevity of the Chinese Communist Party[3]. This means that cyberattacks will be leveraged into offensive efforts to develop an advantage and defensive efforts to hedge against attacks in the future.

This has placed China in a strong position. For Beijing, the cyber realm is purely a Clausewitzian effort to develop capability by another means. Conversely, states that seek to respond are placed in a situation where they must deal with a technology with no strong rules based on order, leveraged by a major power and deployed in asymmetric terms.

Cyber threats are not a new problem and they are certainly not the only asymmetric threat that  states face. However, while other states are struggling to collaborate and leverage existing expertise, the level of attacks is creating a steady stream of instability that is becoming the norm. This new reality favors Chinas position.

It will be a lengthy process for rivals to construct international norms that cover cyber attacks and an even longer one to make attacks less permissible. This says nothing of the task involved in rolling back the level of attack activity. The recent agreement between China and the U.S. is small step in that direction. In his recent trip to U.S., Chinese President Xi  Jinping made the following statement alongside President Barack Obama:

that neither country's government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors."

The statement also included an agreement to share information to assist in attributing cyberattacks. This agreement is a small towards international norms that facilitates a divide between cyberattacks involving companies and those that relate to espionage.

The reality of President Xis statement on the subject is that Chinas cyber capability has grown so large that it is no longer practical for it to be denied. In realist terms, denial has run out of utility and the international community is now acclimatized to a certain level of cyberattacks. Essentially, China by waiting and agreeing to this statement won the argument and now any reduction will be seen as a 
positive step, rather than as part of an ongoing defiance of international norms[4].

China can now shift its response from denying the capability to denying responsibility. The statement, while making marginal progress in developing rule based norms in the area places China in the position of saying it will respond to a problem but not acknowledge the existence of the problem. This provides another advantage for Chinas position.

President Xi went to the United States facing a significant amount of criticism for Chinas present level of cyberattacks. By electing not to resist the development of international norms in cyberspace, Xi has instead decided to shape what will emerge from the discussion. Had President Xi chosen the former, he would have been placed into a position of responding to the efforts of other states. By essentially buying into the debate, Xi has placed China at the head of the table. This pragmatic tactic probably favors the Chinese position for the time being.

In this case, the joint statement between China and U.S. is emblematic of the present trends in cyber security. Efforts are being made in classifying threat and developing norms around investigation. Those efforts are moving forward in a halting fashion, stuck in bilateral rather than treaty frameworks and restricted to agreements designed to foster goodwill on the one side. This then allows China to work in a framework where events are deniable and allows Beijing to operate within a space of superficial compliance[5]. This means that in its forward movement, such trends are favoring Chinas position.

About the Author:

Robert Potter is currently a PhD Candidate at the University of Queensland. Prior to this he was Research Assistant Volunteer at the John F Kennedy School of Government, Harvard University. Prior to this he was a Visiting Scholar at Columbia University – Saltzman Institute of War and Peace Studies, School of International and Public Affairs. Thomson Reuters Researcher ID: L-5421-2015
Twitter account: @rpotter_9


[1] Thomas Rid and Ben Buchanan, “Attributing Cyber Attacks,” Journal of Strategic Studies 38, no. 1–2 (January 2, 2015): 4, doi:10.1080/01402390.2014.977382.
[2] Rick Dakin, “SEC Cyber Risk Disclosure Guidance,” 2012, http://www.coalfire.com/medialib/assets/PDFs/Perspectives/Coalfire-Perspective-SEC-Cyber-Risk-Disclosure-Guidance.pdf.
[3] Amy Chang, “Waring State, China’s Cybersecurity Strategy,” Center for a New American Security, December 2014, 7.
[4] “Net Politics » Chinese Arrest of Hackers a Good Sign, But Not the End of the Story,” accessed October 18, 2015, http://blogs.cfr.org/cyber/2015/10/13/chinese-arrest-of-hackers-a-good-sign-but-not-the-end-of-the-story/.
[5] Chang, “Waring State, China’s Cybersecurity Strategy,” 32.

AIDN: 001-10-2015-0326