Overall, there is reason to be cautiously optimistic about the relationship for three reasons.
First, we have not seen the disclosure of a likely Chinese state-sponsored cyber operation akin to the U.S. Office of Personnel Management data breach revealed in June 2015. This in no way means that these sorts of attacks are not occurring at the moment. However, the fact that neither country has chosen to publicize any large-scale attacks in 2016 indicates a willingness by both sides to at least attempt to find a modus operandi in cyberspace that will not have spillover effects into other parts of the bilateral relationship.
Second, the September 2015 Sino-U.S. agreement to refrain from conducting or knowingly supporting commercial cyber-espionage appears to have had some impact (in combination with the threat of economic sanctions). While difficult to verify independently, the U.S. private sector has seen a reduction in Chinese state-sponsored hacking over the last few months, according to a number of key U.S. security experts. This could indicate that “the days of widespread Chinese smash-and-grab activity, get in, get out, don’t care if you’re caught, seem to be over,” a former U.S. National Security Council official told the Financial Times. Chinese hackers have been more careful in covering their tracks, which paradoxically will help depoliticize cyber issues during bilateral discussions, even when attacks continue.
Third, official talks between China and the United States are continuing with a real chance to slowly institutionalize cooperation on cybercrime and norms of state behavior in cyberspace. In May, the first Sino-U.S. Senior Experts Group convened to discuss international norms and other security-related topics. The U.S. State Department called the dialogue “fruitful.” The recently concluded eight S&ED reaffirmed that both China and the United States “refrain from conducting or knowingly supporting cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.” The recent High-Level Dialogue on Cybercrime and Related Issues expanded on guidelines and mechanisms for cooperation outlined during the last meeting in December 2015. China and the United States also held a tabletop exercise concerning cybercrime and network protection in April 2016.
Nevertheless, major stumbling blocks remain.
First, while there may be a slowdown in Chinese state-sponsored attacks on the private sector, U.S. President Barack Obama extended a national state of emergency due to continued cyberattacks against U.S. critical information infrastructure in April 2015. “Significant malicious cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the United States continue to pose an unusual and extraordinary threat to the national security, foreign policy and economy of the United States,” Obama wrote in a letter justifying the state of emergency extension this March. As a result, the United States can still impose economic sanctions and travel restrictions on foreign nationals thought to be behind cyberattacks—hardly a vote of confidence for the Chinese government.
Second, progress during recent talks has been slow, leaving both the U.S. private sector and the U.S. military (along with U.S. intelligence agencies) dissatisfied with the Obama administration’s approach to reducing Chinese state-sponsored attacks. Time and again, U.S. defense officials, along with private sector representatives, have leaked to the media the possibility of cyber counterattacks against Chinese critical information infrastructure. Neither, the Pentagon nor private sector is happy with the current U.S. cyber deterrence strategy. In particular, the U.S. State Department’s concepts of “deterrence by denial” as well as “voluntary norms of responsible state behavior in cyberspace” are seen as too weak in the face of persistent Chinese attacks. As a result, there is a chance that bilateral talks might collapse given the apparent disunity among stakeholders in the United States.
Third, fundamental differences between China and the United States remain when it comes to Internet governance issues, China’s new anti-terror law, and military-to-military relations in cyberspace, among other things. Both the China and the United States continue building up their cyber weapons arsenals and probing each other’s networks. In a number of speeches Chinese President Xi Jinping vowed to improve China’s cyberwarfare capabilities and strengthen “cyber defense and deterrence capabilities.” As I noted previously, the U.S. Department of Defense published a new Law of War Manual, in which the pre-emplacement of “logic bombs” in an adversary country’s networks and information systems is advocated, which can further fuel competition and bred mistrust. Neither side accepts limitations in the development neither of cyber weapons nor to the overall militarization of cyberspace.
However, analysts of China-U.S. relations in cyberspace have to take into account the ultimate objective of talks.
That is, it is important to understand that the end goal of Sino-U.S. deliberations will not be an end to state-sponsored hacking and any other form of cyberattacks including cyber espionage, but to put a framework in place that will not only help prevent disagreements in cyberspace from spilling over into other parts of the bilateral relationship, but also help both sides to get closer to an understanding of what constitutes strategic stability, i.e., peace, in cyberspace. On that front, we may expect some progress in the months ahead.