Friends Don’t Let Friends…

Recent leaks reporting that the United States might sanction China reflects growing – but not universal - agreement in Washington that the United States needs to respond forcefully to rampant Chinese cyber espionage and that the authorities established by April’s Executive Order on cyber sanctions are the best option. There are several reasons for this. First, nothing has worked when it comes to economic espionage. According to data collected by the FBI and NSA, China is responsible for more economic espionage directed at U.S. companies than any other country – perhaps more than all other countries combined. This has been true for years.

The amount of economic espionage is troubling, but even more troubling is China’s decision to ignore hints, suggestions and direct requests from the United States. This indicates a certain disrespect and is a disturbing indicator for the bilateral relationship. Cyber espionage has been raised at senior levels repeatedly since 2009. President Obama made it agenda item number one at the Sunnylands Summit. The Chinese ignored all this. The only U.S. action that got their attention was the indictment of five PLA officers in 2014. Some Americans greeted the indictments with misgiving (and other with confusion), but the indictments remain the most effective public action the United States has taken to date. The chief criticism of the indictments is that the United States has been slow to follow up. If any sanctions are a “one-off,” not followed with concrete proposals for reducing tensions, we will not gain much at all.

Sanctions can be a tool to restore leverage in discussing an intractable problem where the other side seems to have all the cards. Three concepts explain why sanctions would be useful: costs, deterrence and incentives. The goal is not to punish China or to name and shame (an amateurish concept), but to change China’s analysis of the costs of ignoring the United States. So far, cyber espionage has been costless for China. Sanctions that hit Chinese actors who benefit from cyber espionage in the bank account will create a cost for cyber espionage.

The Chinese believe the United States will not penalize them. A close watcher of China’s military says that the PLA’s assessment of U.S. cyber policy is "amazing capabilities, no will." This idea, not unique to China, explains why cyber deterrence hasn’t worked. Our primary opponents do not believe we will do anything in response to their actions in cyberspace. The last year saw North Korea, Iran, and China use cyber attacks for coercive effect against American companies. These actions went well beyond espionage. The Presidential statements and Executive Order on sanctions announced after Sony are intended to make clear to other nations that these actions unacceptably crossed a threshold and the U.S. will respond. Credible threats, including sanctions, strengthen deterrence.

Deciding whether to impose sanctions after the summit depends on whether the two leaders have agreed on a way out of this mess. The United States needs to ask for specific concrete actions, and given the intractability of the problem, these actions will to start with process. Cybersecurity is too important an issue in the bilateral relationship to approach in an ad hoc or episodic fashion. It requires structured discussions at senior levels. China lacks the long negotiating experience of the Russians, and sometimes prefers to divert talks towards vague but prejudicial language, such as calling for us to resist the militarization of cyberspace and keep it “a zone of peace.” This kind of thing leads to meaningless exchanges.

Similarly, asking China to immediately dismantle the Great Firewall or stop spying may be emotionally satisfying but pointless. We cannot expect the Chinese to be able to turn off economic espionage as if there was a light switch. In fact their first reaction to sanctions (other than to feign outrage) would be to wait and see what the United States will do next. They will gamble that the United States will do nothing, or settle for some symbolic concession from them, like reestablishing a working group. The United States may even be able to make changing cyber behavior more palatable to China by putting it in the context of the anti-corruption effort and PLA reform.

Rebuilding serious cooperation will take time – there is too much distrust. Cooperation begins with communication. It has to be frank and honest. This has been hard for both sides. It might be better to start by creating a common framework for discussion of the full range of problems. The United States can draw upon previous Summit experiences to develop goals that include agreement on scope and format of discussions, and, more importantly, linkages among issues. The connection between technology, trade and security needs to be untangled through discussion and concrete proposals that can be both binding and verifiable. Specific deliverables – such as an agreement for direct mil-to-mil talks on cyber security, are a good start.

A comprehensive approach will require the United States to decide what it actually wants, what it can get first from the Chinese and, more importantly, what concessions it could make. This last point is unpopular but we cannot expect to compel China to simply stop.

If President Xi, coming out of a meeting with tech CEOs, says they don’t think espionage is a problem, the Summit dialogue could go like this:

Xi: “I just met with your tech companies and they tell me this isn’t a problem.”

Obama: “That’s not what they’re telling me.”

American companies quite reasonably have no desire to be caught in the middle of this fight, but left unchecked, China will always be tempted to squeeze them. The Chinese believe they have more leverage over U.S companies than they actually possess. While a few U.S. companies are dependent on the China market, the average S&P 500 company gets only 2% of its revenue from China. That’s not a lot of leverage. China might retaliate, but they are already pinching tech companies for its own reasons. The Administration must be prepared to push back. The message should be that this not the year for China to start a trade war.

There are people who worry that sanctions might anger China (the Chinese don’t seem to worry about angering America with spying.) This leads to arguments that we should temporize, delay, or hold off, what might be called the early Christian martyr strategy for cybersecurity. Others believe we can pursue cooperation while putting cybersecurity to the side, but this simply increases tensions. The recent Strategic and Economic Dialogue (S&ED) is a good example, with 127 agreements that did little to build trust or reduce tensions. This approach made sense in the old bilateral relationship, but our relations with China have changed.

What was acceptable for the poor developing China of the 1980s is not acceptable for the world’s second largest economy, and a casual attitude towards rules for trade and state behavior creates a larger concern for how China will interact with the world – no one takes peaceful rise at face value any more, especially after last week’s flamboyant display of military hardware.

Sanctions that penalize Chinese behavior can create incentives for it to change and, ultimately, build a cooperative relationship. This sounds counterintuitive, but it is a normal part of relations among great powers, and there is ample precedent in both arms control and non-proliferation. This is one way that nations define boundaries that guide behavior.

President Reagan, speaking to the Russians, quoted President Kennedy, who said “let us not be blind to our differences, but let us also direct attention to our common interests and to the means by which those differences can be resolved.'' Kennedy called for “concrete actions and effective agreement” if we were to have peaceful relations. This is our goal with China, and sanctions, when needed and done correctly, can be part of the means by which differences can be resolved.

James Andrew Lewis is a senior fellow and director of the Strategic Technologies Program at the Center for Strategic and International Studies in Washington, D.C.

Commentary is produced by the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).
© 2014 by the Center for Strategic and International Studies. All rights reserved.

James Andrew Lewis
Senior Vice President; Pritzker Chair; and Director, Strategic Technologies Program