Xi Pledges Cooperation vs. Hacking as Sanctions Loom

In a written interview with The Wall Street Journal on Tuesday, Chinese President Xi Jinping restated his government’s now well-worn Party line on cybersecurity. The comments are unlikely to dispel the shadow cast by the issue over his state visit to the United States this week, following mounting tension over major hacks of American businesses and government departments. From Xi:

China takes very seriously. China is also a victim of hacking. The Chinese government does not engage in theft of commercial secrets in any form, nor does it encourage or support Chinese companies to engage in such practices in any way. Cybertheft of commercial secrets and hacking attacks against government networks are both illegal; such acts are criminal offenses and should be punished according to law and relevant international conventions. China and the share common concerns on cybersecurity. We are ready to strengthen cooperation with the U.S. side on this issue.

I will have in-depth exchanges of views with President Obama on bilateral relations and the international developments and engage the American public in order to jointly chart the course for growing China-U.S. relations. I am sure that this visit will send a positive message to the international community that China and the United States will strengthen cooperation and jointly meet global challenges.

[…] The international community as a whole should work together to build a peaceful, secure, open and cooperative cyberspace on the basis of the principles of mutual respect and mutual trust. [Source]

[Updated at 23:04 PDT on Sep 22, 2015: Xi echoed these comments in a speech in Seattle on Tuesday night, saying that “China is ready to set up a high-level joint dialogue mechanism with the United States on fighting cybercrimes.” An earlier bilateral working group on cybersecurity was suspended last year due to the U.S.’ “lack of sincerity” after it issued hacking indictments against five PLA officers.]

In a pair of public engagements over the past two weeks, Obama expressed a less sunny assessment of the current situation. The first was a town hall meeting at Fort Meade on September 11, at which he said:

We continue to be the best in the world at understanding and working within cyber. But other countries have caught up. The Russians are good. The Chinese are good. The Iranians are good. And you’ve got non-state hackers who are excellent. And unlike traditional conflicts and aggression, oftentimes we don’t have a return address. If somebody hacks into a system and goes after critical infrastructure, for example, or penetrates our financial systems, we can’t necessarily trace it directly to that state or that actor. That makes it more difficult as well.

[…] The bulk of vulnerable information and data isn’t in our military; it’s in the private sector. It’s throughout our economy. It’s on your smartphones. And so we’re going to have to both strengthen overall networks, but we’re also going to have to train millions of individual actors – small businesses, big vendors, individuals – in terms of basic cyber hygiene. We’re going to have to be much more rapid in responding to attacks.

And this is something that we’re just at the infancy of. Ultimately, one of the solutions we’re going to have to come up with is to craft agreements among at least state actors about what’s acceptable and what’s not. And so, for example, I’m going to be getting a visit from President Xi of China, a state visit here coming up in a couple of weeks. We’ve made very clear to the Chinese that there are certain practices that they’re engaging in that we know are emanating from China and are not acceptable. And we can choose to make this an area of competition – which I guarantee you we’ll win if we have to – or, alternatively, we can come to an agreement in which we say, this isn’t helping anybody; let’s instead try to have some basic rules of the road in terms of how we operate.

Now, as I said, there’s still going to be individual actors, there are going to be terrorist networks and others, so we’re still going to have to build a strong defense. But one of our first and most important efforts has to be to get the states that may be sponsoring cyber-attacks to understand that there comes a point at which we consider this a core national security threat and we will treat it as such. [Source]

The president revisited the topic in a Q&A session following a speech to the Business Roundtable in Washington on September 16:

With respect to China, this will probably be one of the biggest topics that I discuss with President Xi. We have repeatedly said to the Chinese government that we understand traditional intelligence-gathering functions that all states, including us, engage in. And we will do everything we can to stop you from getting state secrets or transcripts of a meeting that I’ve had, but we understand you’re going to be trying to do that. That is fundamentally different from your government or its proxies engaging directly in industrial and stealing trade secrets, stealing proprietary information from companies. That we consider an act of aggression that has to stop.

And we are preparing a number of measures that will indicate to the Chinese that this is not just a matter of us being mildly upset, but is something that will put significant strains on the bilateral relationship if not resolved, and that we are prepared to some countervailing actions in order to get their attention.

My hope is, is that it gets resolved short of that, and ultimately the goal should be to have some basic international framework that won’t be perfect because there’s still going to be a lot of non-state actors and hackers who are very good, and we’re still going to have to have good defense and still have to be able to find the fingerprints of those and apprehend them, and stop networks that are engaged in cybercrime.

But among states, there has to be a framework that is analogous to what we’ve done with nuclear power because nobody stands to gain. And, frankly, although the Chinese and Russians are close, we’re still the best at this. And if we wanted to go on offense, a whole bunch of countries would have some significant problems. And we don’t want to see the Internet weaponized in that way. That requires I think some tough negotiations. That won’t be a one-year process, but we’d like to see if we can – if we and the Chinese are able to coalesce around a process for negotiations, then I think we can bring a lot of other countries along. [Source]

National Security Advisor Susan Rice echoed Obama’s words in a speech at George Washington University on Monday:

In his meetings with President Xi, President Obama has repeatedly made plain that state-sponsored, cyber-enabled must stop. This isn’t a mild irritation. It is an economic and national security concern to the United States. It puts enormous strain on our bilateral relationship, and it is a critical factor in determining the future trajectory of U.S.-China ties. Cyber-enabled espionage that targets personal and corporate information for the economic gain of businesses undermines our long-term economic cooperation, and it needs to stop. So, we’ll continue to urge China to join us in promoting responsible norms of state behavior in cyberspace. [Source]

These remarks were mentioned only in passing in Xinhua’s summary, which focused instead on Rice’s comments that “it can be easy to lose sight of the larger arc of progress in our bilateral relationship with China”; that “the United States welcomes a rising China that is peaceful, stable, prosperous, and a responsible player in global affairs”; and that “we reject reductive reasoning and lazy rhetoric that says conflict between the U.S. and China is inevitable, even as we’ve been tough with China where we disagree. This isn’t a zero-sum game.”

The lack of common ground between Xi and Obama might suggest little hope of diplomatic resolution. Reporting after the Fort Meade speech, The New York Times’ David E. Sanger explained the kind of “countervailing actions” with which Obama hopes to break the impasse:

If Mr. Obama sounded uncharacteristically combative on the topic, it is because finding a way to deter computer attacks is one of the most urgent and confounding problems he faces in his last 16 months in office. The problem is all the more pressing because it is where the high-tension diplomacy surrounding the state visit of President of China next week merges with the challenge of containing Iran in the aftermath of the recently completed nuclear agreement with Tehran.

Mustering the leverage to deter attacks is exactly what Mr. Obama is struggling to accomplish in the days leading up to Mr. Xi’s visit. For six weeks, American officials have warned that they are preparing sanctions against Chinese hackers, telling Chinese officials in private meetings that the combination of intellectual property theft and espionage on an unprecedented scale — the theft of the 22 million security dossiers from the Office of Personnel Management, for example — cannot go unanswered. [Source]

Many of these reports have come from Ellen Nakashima at The Washington Post. Her sources have suggested that sanctions would be presented as a response to economic spying rather than the Office of Personnel Management breach, although that case is said to have helped build consensus over the need for action. But one official suggested that this public line might cloak “a private message that said, ‘Oh, and by the way, part of the reason for this is OPM.’

The administration has struggled to select a “meaningful, yet proportionate, retaliation” to deter further escalation without inadvertently fueling it or revealing too much about the U.S.’ own capabilities. Another mooted approach, endorsed by Richard Bejtlich of security firm FireEye, involved further efforts to subvert the “Great Firewall” used to control access to foreign web content. Sanctions enjoy widespread endorsement in the American information security industry: nearly three quarters of experts polled by Christian Science Monitor’s Passcode blog supported them. One dissenter, though—Tenable Security’s Cris Thomas (aka Space Rogue)—argued that they would merely appease domestic political critics while risking escalation, and that hardening U.S. networks against attack would be a more effective response.

Another issue is that of timing. Some, including Republican legislators and prospective presidential candidates, called for sanctions to be announced ahead of Xi’s U.S. trip. The administration seems ultimately to have decided that this would risk derailing the visit, and to use the threat of deploying them in the future to encourage engagement on the issue during the meetings. The Council on Foreign Relations’ Adam Segal, for example, suggested that “the leaks were happening to try and create some kind of pressure on the Chinese as they come into the summit, to get some type of traction with them.” According to Patrick M. Cronin of the Center for a New American Security, speaking to The New York Times:

“The administration is, on the one hand, looking for as much cooperation as they can get from Xi Jinping and China’s leadership and, at the same time, saying: ‘Here is the stick of sanctions. We’re not going to use it right now; we’re going to wait to see what you say at the summit about good-faith progress on cyber rules of the road, but if we’re not satisfied, sanctions will follow.’” [Source]

It has not been clear whether China would take the threat more seriously than earlier responses. Referring to last year’s indictment of five alleged PLA hackers at Foreign Policy earlier this month, Elias Groll reported growing frustration at the ineffectiveness of these measures:

[…] The indictment of the PLA hackers now stands out as a watershed moment in the escalating campaign by the U.S. government to deter China from its aggressive actions in cyberspace — both as an example of the creative ways in which the United States is trying to fight back and the limits of its ability to actually influence Chinese behavior.

Since the indictment was announced, cybersecurity experts say China has altered some of the methods used by its hackers but that its campaign against U.S. firms remains active. “We’ve seen tactical change but strategic continuity,” said Jen Weedon, a manager for threat intelligence at FireEye, a leading cybersecurity firm. […]

[…] On the one hand, the indictment deeply embarrassed Beijing. “I thought it was tremendously effective, in that it irritated the heck out of the Chinese, and my impression was that there was never any intention to bring these people to trial,” said Jim Lewis, a widely consulted cybersecurity expert at the Center for Strategic and International Studies. On the other hand, there’s little evidence it concretely altered Chinese behavior, and that has led to what Lewis describes as “a lot of dissatisfaction [with] the failure of our deterrence strategy.” [Source]

Jack Goldsmith of Harvard Law School and the Hoover Institution, for instance, has described the administration’s handling of as “feckless” and “befuddled,” and “flailing” and “embarrassing.” In August, a Washington Post editorial described the U.S. response to actions from China, Russia, and North Korea as “complacent and lazy.” This is part of a broader pattern of discontent: one senior Defense Department official labeled the administration’s foreign-policymaking in general as “sclerotic at best, constipated at worse.” Such dissatisfaction extends to some U.S. allies, as the Sydney Morning Herald’s John Garnaut reported last week:

The mandarins in Canberra were horrified by Washington’s incompetent response to China’s Asia Infrastructure Investment Bank. They were shocked that Obama sent his trade representative to Hawaii to seal the Trans-Pacific Partnership without room from Congress to negotiate a palatable deal. They were dismayed that the administration could threaten to conduct “freedom of navigation” exercises but fail to follow through. Most recently, they suspect Obama will baulk – again – before enforcing his new cyber red lines. Canberra’s frustrations stems from its desire for the US to be more effectively engaged, not less.

“This is the worst civilian Asia team we’ve seen since before World War II,” says one senior official. “Secretary of State [John] Kerry is simply not interested in Asia,” says another. And a third: “If I’m held hostage somewhere I would hope to God that this [National Security Council] team is not responsible for rescuing me.” [Source]

Most importantly, according to Foreign Policy editor and CEO David Rothkopf, the Chinese themselves have not believed a strong reaction is likely. “The Chinese have discovered they can launch cyberattacks against us and that our officials seek to downplay them or offer up limp, ineffective responses,” he told The New York Times last week. “This has added to the perception that we are weak.” The Center for Strategic and International Studies’ James Andrew Lewis commented similarly this week:

The Chinese believe the United States will not penalize them. A close watcher of China’s military says that the PLA’s assessment of U.S. cyber policy is “amazing capabilities, no will.” This idea, not unique to China, explains why cyber deterrence hasn’t worked. Our primary opponents do not believe we will do anything in response to their actions in cyberspace. [Source]

Nevertheless, Reuters’ Joseph Menn and Doina Chiacu report signs that China may be starting to take the threat of retaliation more seriously, citing “three senior executives at private-sector firms in the [cybersecurity] field.”

“The pace of new breaches feels like it’s tempering,” said Kevin Mandia, founder of Mandiant, a prominent company that investigates sophisticated corporate breaches.

[…] Mandia has probed major corporate breaches, including those at Sony Pictures Entertainment, Target and healthcare insurers. Experts have connected some of these to a breach of classified background investigations at the U.S. Office of Personnel Management, which was traced to China.

Government-supported hackers in China may have backed off recently as Chinese and U.S. officials began negotiating in earnest over cyber security ahead of the Obama-Xi summit.

“In my gut, I feel like the Chinese and the U.S. over the next couple of years are going to figure this out,” said Mandia, now an executive at Mandiant’s parent, FireEye Inc. [Source]

The threat may also have helped secure a visit from , head of the Party’s Central Political and Legal Affairs Commission, who traveled ahead of Xi for what a White House spokesman described as a “pretty blunt” and “pretty candid exchange of views.” After an all-night meeting, the two sides reportedly reached “substantial agreement” on a number or cybersecurity issues. Last weekend, The New York Times’ David E. Sanger reported the apparent fruit of these efforts:

The United States and China are negotiating what could become the first arms control accord for cyberspace, embracing a commitment by each country that it will not be the first to use cyberweapons to cripple the other’s critical infrastructure during peacetime, according to officials involved in the talks.

While such an agreement could address attacks on power stations, banking systems, cellphone networks and hospitals, it would not, at least in its first version, protect against most of the attacks that China has been accused of conducting in the United States, including the widespread poaching of intellectual property and the theft of millions of government employees’ personal data.

[…] Last week, a high-level Communist Party envoy, Meng Jianzhu, who is responsible for state security, came to Washington and met with Ms. Rice, several American intelligence officials and the director of the F.B.I., James B. Comey. That session focused on coming up with some kind of agreement, however vaguely worded, that Mr. Obama and Mr. Xi could announce on Friday. [Source]

A commentary by Liu Xin at People’s Daily Online claimed optimistically that the agreement is “expected to halt disputes” and “could serve as a role model for other countries”—though only if the U.S. would “restrain its behavior” and abandon its “double standard on cyber security, blaming others for attacks while monitoring the activities of foreign senior officials at the same time.” At Foreign Policy, however, Elias Groll was less sanguine:

James Lewis, a cybersecurity expert at the Center for Strategic and International Studies who participated in the drafting of the U.N. report, said an agreement that “ignores the source of tension” would be “a major concession by the United States.”

[… T]he kind of activity China would be giving up under the agreement is activity that it isn’t carrying out and that Beijing apparently does not see as being in its best interests anyway. Commercial espionage, on the other hand, is very much something China sees as a vital interest. “Trying to deter China from theft of intellectual property is inherently hard. They’re highly motivated, our systems have generally been unprotected, and there have been no penalties of any kind for a long time,” said a former senior defense official, who requested anonymity to candidly assess the difficulties facing the U.S. government of altering Chinese behavior.

[…] So in the emerging great power rivalry between China and the United States, the two countries are now approaching a point in cyberspace where they can try to salvage a bit of cooperation or continue down a path of further competition that will see the United States likely apply sanctions. The diplomatic agreement may provide a small measure of cooperation, and there are signs China may be stepping back its campaign of commercial espionage, with cybersecurity experts saying this week that they’ve seen a slight reduction in Chinese attacks. But there’s still little evidence to indicate that the United States has solved the riddle of how to end Chinese commercial espionage. [Source]

A new RAND report on possible clashes over Taiwan or the Spratly Islands, highlighted by Paul Mozur at The New York Times, suggests that the agreement could have substantial value even if it fails to address spying.

As it maps out the potential conflicts, and in turn the potential ways each country could attack the other’s network, it becomes apparent why a first agreement between President Obama and Mr. Xi might focus on the rules of the road for attacks on core infrastructure instead of on better publicized Chinese attacks aimed at gaining advantages and intellectual property for companies.

In particular, it argues unclassified networks for key infrastructure are more vulnerable than those of the military, and that broad attacks have a huge potential to cause unanticipated escalations.

[…] “In view of the potential for escalation, it is uncertain whether either side will resort to strategic cyberwarfare,” the report said. “If they do, results may be highly unpredictable. The outcome will depend not only on each side’s competence but also on chance factors (e.g., cascading affects), the defensive posture and resiliency of each side’s organizations and infrastructure, how each side’s public reacts, how political leaders factor public opinion into their strategic calculus, and whether and how one side or the other escalates as a result.” [Source]

At Lawfare Blog, though Jack Goldsmith argues that the deal would probably fail to achieve much on this front either:

If you want to understand the hurdles against a real cyber-arms control agreement, compare any such agreement to the Iran Deal. Marvel at the extraordinary technical detail of the Iran Deal, note that a real cyber arms agreement would likely be much more technical (and indeed that for many of the most obvious terms we cannot imagine what a concrete agreement looks like right now), realize that verification and attribution are generally easier in nuclear than cyber, contemplate how Cybercommand would warm to the types of inspection and verification regimes that would be needed for China to monitor U.S. compliance with any cyber deal, and then imagine gathering 67 votes in the Senate for the deal without airtight verification and attribution regimes (and yes, a cyber deal, unlike the unusual Iran Deal, would need to go to the Senate).

Not going to happen any time soon.

Some will argue that even if we cannot generate real cyber arms control agreements, consensus on softer norms is still useful. James Lewis captured this view well when he once wrote: “agreements could increase stability and reduce the risks of miscalculation or escalation by focusing on several specific areas: confidence-building and transparency measures, such as increased transparency in doctrine; creation of norms for responsible state behavior in cyberspace; and expansion of common understandings on the application of international law to cyber conflicts, or development of assurances on the use of cyberattacks.” Maybe. But I still adhere what I once wrote in response to this: “in the absence of decent verification, we cannot be confident that transparency measures are in fact transparent, or that revealed doctrine is actual doctrine. Nor can norms get much purchase in a world without serious attribution and verification; anonymity is a norm destroyer.” [Source]

In a ChinaFile conversation—also including GreatFire.org’s Charlie Smith—China Media & Copyright’s Rogier Creemers summed up the prospects for progress:

Will peace in cyberspace between the U.S. and China be maintained? The good news is that we will most likely not see devastating cyber assaults with spill-overs into the kinetic realm between both nations. The probability that China switches off the lights in New York City or the U.S. in Shanghai is negligible. The reported talks on a sort of agreement about proliferation in the cyber realm demonstrates that there is a recognition on both sides that there are worst case solutions [scenarios?] that must be avoided. However, the importance of this agreement must not be overstated: neither side currently has an interest in causing serious bilateral conflict. In that sense, the agreement is an empty gesture: a promise not to do something neither side was planning anyway, without strong implementation and monitoring measures.

And this brings us to the bad news, which is that irritation and tensions will continue to persist in the relationship.

[… P]erhaps most problematically, it seems that— beyond wanting an end to economic espionage—the U.S. government doesn’t have a plausible and realistic scenario for where it wants the cyber relationship to go, and how to get there. Most importantly, it is necessary to consider what actually can be achieved. Many aspects of Chinese Internet governance are unlikely to change any time soon, regardless of any U.S. input. There are few incentives to relax policy on online speech, or change Beijing’s stance on China’s cyber sovereignty. Political capital spent in these areas will strengthen the agenda of hawks in Beijing, without any significant progress on the ground. Rather, priority should be given to interests that are mutually significant and immediately relevant, as well as to developing better structured channels for consultation and negotiation. Lastly, the U.S. will need to bear in mind that, as its leadership in cyberspace is considerably less dominant than in the past, it will face the argument that other countries are equally entitled to conduct similar actions. [Source]