On December 1 and 2, China and the U.S. will hold ministerial level talks on cybersecurity.[i] These talks stem from Chinese President Xi and President Obama’s September 2015 agreement not to engage in cyber-enabled economic espionage. These will be the first official discussions between the two nations since China ended its participation in a working group following the U.S. indictment of five PLA officers in May 2014.
Why do these talks matter?
It’s easy to dismiss the significance of diplomatic discussions given the persistence, frequency, and impact of cyber espionage, but these talks are the gateway to establishing norms—rules of the road for nation states. For years, the U.S. and European governments have been hard pressed to distinguish between cyber espionage intended for economic gain (where the targets are companies’ intellectual property) and cyber espionage conducted for political gain (where targets have value only to a government or military).
In September 2015, the U.S., along with several other countries that had made similar public agreements with China, appeared to make headway in establishing that cyber data theft for economic gains is unacceptable.
Presidents Obama and Xi agreed that:
“…neither the U.S. or the Chinese government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information for commercial advantage.”[ii]
The December talks should serve as the natural progression in developing what actions may constitute a violation of this agreement and how China and the U.S. will vocalize violations.
What might they discuss?
Terminology: To deepen their dialogue about what activity is off limits, China and the U.S. need to agree on definitions for cyber activity. This has been historically difficult because states interpret malicious activity differently. The philosophical difference hinges on whether a country conceives of this issue as cybersecurity (securing networks and systems and associated infrastructure) or as information security (securing information, content, and ideas in addition to networks). China, along with Russia, more broadly defines cyber operations and tools in terms of “information and communications technology.” With differences at this conceptual level, typified in China’s UN proposal including the 2015 “International code of conduct for information security,”[iii] more granular terms like “cybercrime,” “cyber-enabled data theft” and “cyber espionage” will also require significant discussion before either side will feel confident that there is a clear, joint understanding of the activity at issue.
Signaling: Designating a communication channel, and identifying agencies and individuals who will utilize it, is a step that would benefit both sides. The expectation that the other side will communicate perceived violations or other response-worthy actions through a designated channel builds trust and can serve to de-escalate tension. In light of the inevitable difficulty in finding common ground on terminology, such a channel would serve as a productive step towards describing unacceptable behavior on a case-by-case basis. In past bilateral meetings, Russia and the U.S. agreed to notify one another of major cyber-related incidents via the Nuclear Risk and Reduction Center, the long-maintained channel for discussing nuclear arms concerns.[iv]
Confidence-Building Measures (CBMs): CBMs are the goal posts of nation-state working relationships, and will be sought on cyber issues to increase predictability and understand a state’s intent and potential decision calculus for response. We should expect both sides to begin considering which CBMs would be valuable and realistic, and look for some articulated measures to come out of future talks.
What impact can we expect?
FireEye and Mandiant have long documented the perils our clients have had with Chinese state-sponsored data theft, and we hope that steps like this agreement and pursuant talks will lead to progress in abating this significant threat to intellectual property. The current openness to a dialogue, however limited it may be in actuality, is still marked progress from the outright denial that state-sanctioned, large-scale data theft occurred. That said, we are unconvinced that there will be a wholesale change in China’s desire to acquire critical R&D and intellectual property via network compromises. Given the volume and value of stolen data, frequency of intrusions, and persistence that state-sponsored groups have demonstrated in acquiring corporate intellectual property over the last decade, we doubt that the beneficiaries of economic espionage will abandon their pursuits entirely.
[i] https://www.dhs.gov/news/2015/11/09/statement-press-secretary-marsha-catron-deputy-secretary-mayorkas-upcoming-trip; http://thehill.com/policy/cybersecurity/259176-december-date-set-for-first-china-us-cyber-meetings