US and China Reach Historic “Cyber Arms Control Agreement” – But Will Anything Come of It?
BY JESSICA ZUCKER
Standing side-by-side in the White House rose garden on September 25, U.S. President Barack Obama and Chinese President Xi Jinping announced that they had reached a “common understanding” to combat “cyber-enabled theft of intellectual property.” In a widely anticipated announcement, the two leaders also agreed to respond to requests for law enforcement and assistance between computer emergency response teams (CERTs), as well as establish ministerial-level dialogues on cyber espionage. A few days earlier in a meeting with major U.S. technology firms, Xi had pledged that the Chinese government “will not in whatever form engage in commercial theft.”
These sorts of pronouncements should come as a relief to Western and Japanese businesses—China is one of the largest perpetrators of using cyber intrusions to steal intellectual property and industrial secrets. General Keith Alexander, the former director of the National Security Agency (NSA) and overseer of U.S. Cyber Command, has warned that such industrial espionage is causing the “greatest transfer of wealth in history.”
But despite Xi and Obama’s rosy proclamations, it’s unlikely that Chinese cyber theft is going to stop any time soon. The bilateral agreement did not contain any groundbreaking steps forward in the protection of intellectual policy. Instead, it was simply a reflection of the United Nations Group of Governmental Experts’ report on the code of conduct in cyberspace, which ensures that states will pledge not to attack critical infrastructure and uphold other norms related to cyber warfare.
Any reference to cyber theft came from nonbinding promises between the two leaders. As Obama put it, the question for Western businesses now is “Are words followed by actions?”
Why would they be? China can reap huge rewards from intellectual theft, with little consequence. According to a report by the cybersecurity firm McAfee, the global cost of cybercrime is estimated at $1 trillion. The Washington think tank, Center for Strategic and International Studies, estimates cost at $445 billion, which is still eye-poppingly large. (Exact data on cyber theft losses are unreliable, however, because hacked companies often don’t want to report it and because many of the estimates come from the security firms, which may want to overhype the threat.)
Earlier this summer, China introduced a new National Security Law to regulate foreign investment. Many western technology companies have criticized the law, arguing that the Chinese government could use it as a means to favor Chinese companies or push multinationals to develop Chinese companies’ capabilities through the transference of intellectual property. Article 23, for example, calls for certain measures to “prevent and withstand adverse cultural influence” and “increase overall cultural strength and competitiveness.” It is unclear how these new regulations on foreign companies in China will work in practice, but China has a history of cajoling, co-opting, and often coercing Western and Japanese businesses for its economic benefit.
Despite Xi’s assurances that China will not engage in cyber economic espionage, the U.S. has pushed forward with implementing sanctions, targeting Chinese companies however, rather than government officials. The sanctions will help Xi save face, and allow him to domestically spin the agreement as a positive step forward in fighting corruption. Because of the difficulties in attribution (determining who is giving orders to whom) and the blurry distinction between state-owned enterprises and privately owned companies in China, these cyber intrusions are unlikely to stop any time soon.
So what are U.S. companies to do? Current U.S. policies do not allow for companies who are breached to “hack back” by targeting the perpetrators—nor is it clear that turning cyber space over to vigilantes is a prudent long-term solution. Given the lack of progress on binding international treaties and effective enforcement mechanisms, some cyber-security experts, wonder if western nations should address industrial espionage through a totally different avenue—the World Trade Organization or the U.S. Special Trade Representative.
Setting an international precedent through prosecuting cyber-intellectual property theft as a trade issue could deter China because of the importance of WTO membership. Entrance into the trade organization took nearly 15 years of negotiation, and required China to undertake serious economic reforms. As a member, China is required to comply with WTO commitments, such as the Trade Related-Aspects of Intellectual Property Rights Agreement (TRIPS), which protects against intellectual property theft. The U.S. Special Trade Representative also has jurisdiction on matters of intellectual property theft, and could use diplomatic pressure to push the issue in other relevant multilateral forums. Regardless of whether the U.S. intends to pursue such drastic legal action, even raising the topic in the WTO could raise the stakes enough to change Chinese behavior.
But there are obstacles to this course of action. Victim companies fear being the guinea pig case. The first company to pursue an international legal trade route may be forced to disclose information that would harm their reputation or result in disquiet from clients and customers. Furthermore, China could retaliate by kicking the company out of their markets. Many companies view cyber theft as part of the “cost of doing business” in the Chinese market.
The hard truth is that high-level diplomatic, security or economic agreements on intellectual property theft are unlikely to take effect any time soon. So in the meantime, U.S. company executives and managers should focus on bolstering their companies’ cybersecurity practices. Strong security doesn’t just require the latest anti-malware, although that’s a necessary component. The most common reason intruders can access a victim’s system is the result of human error, such as falling for phishing or social-engineering attacks.
In a new age of cyber insecurity and growing cyber policy headaches for U.S. companies, creating a strong corporate culture of cyber hygiene is one of the few areas where U.S. companies can make great strides in protecting their networks.
Jessica Zucker is a Master in Public Policy candidate at the Harvard Kennedy School, concentrating in International and Global Affairs. Originally from San Diego, she spent the past few years as a Fulbright Scholar in South Korea where she was an English teacher and co-founder of an educational non-profit. Additionally, she has also worked for the U.S. Southern Command and U.S. Forces Korea. At HKS, she is a Belfer IGA Fellow, the co-president of the Cybersecurity Professional Interest Council, and an e-board member of the North Korea Study Group.
Photo via Luis Llerena on Unsplash