Moving Forward with the Obama-Xi Cybersecurity Agreement

China’s leaders often talk about the need for a “new model of great power relations.” The agreement on cybersecurity between President Xi and Obama is a first step in defining it. The agreement does not mean we are done with cybersecurity. It is the start of a long journey to define both cyberspace and the larger relationship.

Serious discussions on how to respond to China’s cyber espionage began several years ago. A strategy that combined pressure and accommodation seemed the best alternative to passivity, and U.S. concerns were raised many times, including in a December 2013 non-paper given to Chinese officials that discussed sanctions, indictments and other measures if matters did not improve. At the time, there were objections that this approach wouldn't work because Chinese culture and attitudes worked against reaching any agreement and that we could not influence their decision-making. These criticisms were wrong. If there are grounds for criticism, they would be that it was wrong to let so many months pass between indictments (which, contrary to much of the public discourse, had a powerful effect) and any follow on action.

Threatening to impose sanctions, using the new cyber sanctions created after the Sony incident, played a key part in moving China and orchestrated leaks built pressure with a skill not always seen in the White House. Eighteen months ago the United States indicted five PLA officers for cyber espionage. Some thought this was a waste of time as the five would never go to trial. But the Chinese hated the indictments and did not want renewed pain from sanctions.

The theft of millions of records from the Office of Personal Management set the stage for agreement. While the United States did not publicly blame China, it had no hesitation in naming it as the culprit in private briefings. There was real anger on the U.S. side and a willingness to confront China that came across in summit preparations. Chinese officials were persuaded the United States would hold China responsible for OPM and a few even expressed fears about possible U.S. retaliation. When Sony Pictures was hacked (an incident where China was not involved), the United States intentionally revealed its vastly improved ability to identify hackers and take action against them. In the internal U.S. debates over how to respond to the OPM hack, sanctions were a middle option and some wanted something much more forceful. China took note.

Xi foreshadowed the agreement in his meetings in Seattle, but as late as two days before the Presidential meeting, there was no deal. The United States got almost everything it wanted, except agreement for “mil-to-mil” talks, where the PLA and Department of Defense would meet regularly on cybersecurity issues. These talks are a normal part of confidence building between unfriendly states – and that it was the Sino-American relationship has become, so China’s unwillingness reinforces questions about the PLA’s role in any cybersecurity agreement.

Until now, China has walled off any discussion of espionage in the bilateral dialogue on cybersecurity. Now, commercial espionage is on the table, but the PLA’s role in hacking is still walled off. China was able to hold the line in treating cybersecurity as a law enforcement and public safety issue, something best left to civilian agencies.

There was also the puzzling incident of the planes during the summit. Two Chinese fighters dangerously and aggressively buzzed an American spy plane over international waters. This is not to the sort of thing countries do when their leaders are about to meet. Was it Xi sending a signal to Obama, the PLA sending a signal to Xi, or was it a local commander slipping the leash? We do not know, but the answer has important implications for the cybersecurity agreement.

The PLA is responsible for most hacking against the United States. Some of this is the normal political-military espionage that the United States itself is well-known. But local PLA units also hack to make money. It is a source of private income when they steal commercial secrets and sell them to Chinese companies for cash or favors. The PLA is not yet a Western-style professional military and still has attributes found in developing militaries, where officers engage in private commercial activities – Thai Air Force generals used to operate an airline on the side, for example, and similar military businesses could be found in Southeast Asia.

Chinese officials are always quick to assert (sometimes without being asked) that there is no tension between PLA and Party, but by committing to end commercial espionage, Xi is cutting the PLA’s private income. They will not like this, and while the cybersecurity agreement fits with China’s recently announced military modernization effort and Xi’s anti-corruption campaign, it will require time and difficult Party politicking for him to deliver results.

The United States had unique leverage at the Summit and with the Summit over, White House officials expect some backsliding. Even with the best intentions, it will be hard for Xi to deliver on his promises. This means we should expect more tension over cybersecurity in the future, not less. Sanctions are “still on the table” as one U.S. negotiator put it, and Chinese hacking is so extensive it cannot be turned off overnight. The United States may decide that a few timely sanctions against private Chinese individuals and companies who have benefited from cyberespionage can reinforce agreement.

Like any serious agreement, the language is imprecise and there is wiggle room. Trade agreements define processes and penalties for noncompliance, but this kind of strategic understanding usually does not. So it is not a useful criticism to point out the absence of such measures in the Xi - Obama agreement. There will be backsliding and the Chinese will watch how we respond. This informal process of action and response will define the boundaries for compliance.

Agreements of this kind are always met with complaints that the other side will cheat. Cheating has been a problem in every arms control agreement since the 1922 Washington Naval Convention. Ikle's piece remains the best discussion of this. When democracies negotiate with authoritarians, the other side usually cheats. There is always a risk of cheating, and it is no brilliant insight to point this out, nor is it a reason not to move forward. An agreement is the first chapter and the following chapters are about compliance and consequences if the agreement is not observed. The White House says the United States is prepared to act if China does not observe its agreement on cyber espionage.

The questions for this next chapter are what level of noncompliance justifies a punitive response, what format should that response take, how do we avoid delays in responding, and what actions would reinforce the agreement. In considering the latter, we need to say where we are willing to make concessions, a difficult topic but one that is being discussed when it comes to norms. This may not be enough to only think about norms, as we may have to consider constraints on U.S. action, but this is a larger debate.

Other parts of the agreement also mean continued tension. Negotiations in the UN are difficult. The United States and its allies face strong opposition from China and Russia over rules for cyber war and the place of human rights in cybersecurity. The Russia-China partnership is no love match, but the two countries unite in opposition to America, and the Chinese are skilful in playing Russia against the U.S. in law enforcement cooperation. In 2013, the FBI made eleven requests for aid to China’s Ministry of Public Security. China responded to only two. When asked for help with the Sony hack, the Chinese said they had no information, even though North Korea uses known front companies in China for hacking. China might turn the tables by requesting assistance it knows it will not get against dissidents living in the United States.

But it is misleading to emphasize the difficulties. There is no credible alternative to the agreement. Sermons and chest-beating, while pleasing to a domestic audience, do not work. Some say better cyber defenses – we’ve been saying that for twenty years and it hasn’t worked because the internet cannot be made defensible. Building a Maginot line in cyberspace is pointless. Some say we should deter China - another failed approach, in good measure because espionage isn’t deterreable. We couldn’t deter Soviet espionage with the threat of nuclear war and we should not expect to deter China with comparatively puny cyber threats. We are not going to start a war with China over cyber espionage - as with the Iran deal, there is no serious military option. Covert action requires a different discussion of risk. These answers might not please everyone, but when Washington politics and international realities collide, reality wins. There are dangers with the current course, but these are manageable. We need to see what comes of the bilateral talks on norms and law enforcement before we succumb to more hand wringing. An outcome to avoid is a debate that encourages hesitation or timidity.

Cooperating between the United States and China on cybersecurity will be difficult. The Americans knew this going into the agreement and the Chinese probably knew it as well. Like any agreement between two powers suspicious of each other, implementation is complicated, verification is essential, and there must be consequences for noncompliance.

The agreement on cybersecurity is the first agreement in a new U.S.-China relationship shaped by competition, even hostility. We are not friends, nor should we expect to be friends any time soon. There are deep tensions between one party rule and democracy, and between a would-be regional hegemon and a global superpower. Strategic competition does not mean, however, that we cannot cooperate. The summit showed that while there are serious differences, there are also common interests. The United States can build on these common interests to get a relationship that is more stable if not more friendly. This relationship will not be a Cold War, nor an alliance, but something new, where both countries will have to feel their way forward with cautious steps. Agreement on cybersecurity agreement is the first step. The new relationship is not a Cold War, nor is it an alliance, but something new where both countries will have to feel their way forward with cautious steps, and agreement on cybersecurity is the first.

James Andrew Lewis is a senior fellow and director of the Strategic Technologies Program at the Center for Strategic and International Studies in Washington, D.C.

Commentary is produced by the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).
© 2015 by the Center for Strategic and International Studies. All rights reserved.

James Andrew Lewis
Senior Vice President; Pritzker Chair; and Director, Strategic Technologies Program