Sino-U.S. relations in cyberspace in 2016 will be defined by three key policies: attribution, sanctions, and norms. The first two tacks will be used by the United States to contain malicious Chinese activities in cyberspace (and to assuage the U.S. private sector and U.S. public opinion), whereas the last device will be used for promoting strategic stability between both nations by deepening the understanding of what is acceptable behavior in the cyber realm.
First, while it is true that attribution, i.e. tracing back a cyber attack to its originator, remains difficult, it is not impossible. Both the U.S. government and the private sector have repeatedly called out Chinese hackers in so-called “naming and shaming” campaigns. This tactic consists of either leaking classified intelligence to the press or publishing cyberattack reports by U.S. cyber security firms (which over the years became a clever marketing ploy for those companies). And while “naming and shaming” sustained a severe setback with the Snowden revelations, we will certainly witness a number of such cyberattack disclosures in 2016. However, the shock value—and as a consequence its potential negative impact on the Sino-U.S. bilateral relationship—will be less severe than in 2014 and 2015, given that, after the recent Office of Personal Management data breach and the Snowden disclosures, the threshold for disclosures with the potential to severely undermine the Sino-U.S. bilateral relationship has substantially risen. At the same time “naming and shaming” will at least contain both sides from going overboard when it comes to cyber espionage activities and aggressive network intrusions.
Second, sanctions, while an imperfect tool, appear to have caught the attention of the Chinese leadership in 2015 and will likely play a role in Sino-U.S. relations in 2016 as well. On April 1, 2015, U.S. President Barack Obama signed Executive Order 13694, which argues that “the increasing prevalence and severity of malicious cyber enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the United States constitute an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States.”
As a consequence, the Obama White House threatened China with economic sanctions and individual Chinese citizens with travel restrictions should Beijing not rein in its hacker community. One indication that this worked has been the arrest of a number of Chinese hackers prior to the September 2015 state visit by Chinese President Xi Jinping, although there is considerable debate among experts whether there is a genuine connection between the two events. However, the threat of economic sanctions will have significantly higher impact on the senior Chinese leadership in 2016, primarily due to China’s deteriorating economic situation, but also due to the international humiliation the country would suffer from being the first nation subject to economic sanctions for cyber attacks.
Third, norms of behavior in cyberspace will gain increasing importance in 2016 and some progress can be expected. For example, in November 2015, the G20 countries, including the United States, China, Brazil and India agreed that international law, including the United Nations Charter, applies to the behavior of nations in cyberspace. (A U.N. Group of Government Experts came to the same non-binding resolution in2013.) The G20 countries also agreed that no country should conduct or support the cyber enabled theft of intellectual property. The U.N. Group of Government Experts also laid out a set of norms and confidence building measures in 2015. These recent developments could serve as additional incentives for both the United States and China to expand these measures.
However, Sino-U.S. disagreement over what constitutes use of force in cyberspace will likely persist. For one thing it is in China’s interest to keep the definition vague, since no international norm for retaliation against cyber attacks could then be established, making it more difficult for the United States and its allies to come up with a common response to future state-sponsored malicious cyber activities.
Furthermore, as one scholar told me in an email exchange: “China simply does not pursue these legal concepts for armed hostilities involving cyberspace in the same forensic, semi-obsessive manner as Western scholars and officials.” However, some scholars have argued that China sees itself bound by international law, including non-use of force except in self-defense and that this norm is seen to be applying in cyberspace, which is not too different from U.S. and Western positions.
However, we will have to be realistic with expectations in 2016. Today’s fresh air can become tomorrow’s ill wind, as the saying goes. The United States and China will continue to disagree over internet governance—the former preferring a “multi-stakeholder” position, the latter, a state-centric “multilateral” approach. Chinese state-sponsored cyberattacks against the U.S. private sector will continue most likely at a higher level than in 2015. Both countries will continue to prepare for the possibility of a cyber war,—which necessitates probing each other’s national critical information infrastructure—and will continue to disagree over China’s new anti-terror law, which has the potential to undermine private sector cooperation on combatting cybercrime in both countries.
Sino-U.S. Cyber Diplomacy in 2015: A Review
The last quarter of 2015 saw some progress on the diplomatic front in improving relations between the United States and China in the field of cyber security. During a state visit to the United States in September 2015, Chinese President’s Xi Jinping and U.S. President Barack Obama agreed to deepen bilateral cooperation and build trust between the two countries in cyberspace by, among other things, refraining from conducting or knowingly supporting commercial cyber-espionage, promoting appropriate norms of state behavior in cyberspace, and establishing a high-level joint dialogue mechanism on fighting cybercrime and related issues.
Indeed, the first meeting of the U.S.-China High-Level Joint Dialogue on Cybercrime and Related Issues took place on December 1, in Washington D.C. in which the participants, including representatives from various U.S. and Chinese departments and ministries, agreed to a set of guidelines for requesting assistance on cybercrime and how to respond to requests; developed the scope, goals and procedures for a joint hotline mechanism; decided to conduct a tabletop exercise involving network protection scenarios in order to deepen the understanding regarding the other side’s authorities, processes, and procedures; agreed to further develop case cooperation on cybercrime including the theft of trade secrets; and most importantly agreed to meet again in June 2016. (The U.S.-China Joint Liaison Group on Law Enforcement Cooperation, which has been in existence since the late 1990s, has also monitored bilateral cybercrime issues including child pornography.)
China and the United States, despite some quiet contact between the two governments, have not officially discussed cyber security since May 2014. China at that time suspended participation in the U.S.-China Cyber Working Group after the U.S. Justice Department had indicted five members of the People’s Liberation Army for malicious activities in cyberspace. The agreements reached at the December 1 High-Level Dialogue are a notable achievement and should be cause for wary optimism when it comes to the future of Sino-U.S. relations in cyberspace in 2016, although it goes without saying that the agreements have to first be implemented to have any real impact. Nevertheless, the meeting indicated a more conciliatory stance by both countries towards one another’s positions on a number of contentious cyber related issues (e.g., the theft of trade secrets), and, more importantly, laid the political groundwork for deeper technical cooperation.
In 2015, the United States and China also stepped up the cyber arms race. In May of last year, China issued its first ever “Military Strategy” emphasizing the importance of cyberspace for future military operations. In 2015, the Pentagon issued a new “Cyber Strategy,” and Cyber Command issued a new planning document, titled “Beyond the Build.” In addition, the Pentagon issued a new Law of War Manual, in which the pre-emplacement of “logic bombs” in an adversary country’s networks and information systems is advocated.
On the more positive side, unless there will be a significant deterioration of relations between both countries (e.g., a military confrontation in the South China Sea), it is highly unlikely that either the United States or China will employ strategic cyber weapons in 2016 to disrupt each other’s command and control systems and hack into the software of advanced weapons platforms in order to disable them, since this would be tantamount to a declaration of war.