Will the New Cyber Understanding with China Bring Change?

A new 'understanding' on cybersecurity was announced this past week during Chinese President Xi Jinping's formal state visit. But while this agreement certainly offers a positive step forward for security in cyberspace, many questions remain unanswered.

September 27, 2015

President Obama with Chinese President

Credit: Flickr/White House/Pete Souza


What are China’s true intentions in cyberspace following the new agreement with the White House on cybersecurity? The world will know soon enough.

Hope and positive progress regarding cybercrime and overall cybersecurity have been in short supply as of late. So the announcement this past week of a White House deal with China regarding new cybersecurity “norms of state behavior in cyberspace” is certainly good news. A few of the agreement provisions include:

• The United States and China agree that timely responses should be provided to requests for information and assistance concerning malicious cyberactivities. Further, both sides agree to cooperate, in a manner consistent with their respective national laws and relevant international obligations, with requests to investigate cybercrimes, collect electronic evidence, and mitigate malicious cyberactivity emanating from their territory. ...

• The United States and China agree that neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.

• Both sides are committed to making common effort to further identify and promote appropriate norms of state behavior in cyberspace within the international community. ...

• The United States and China agree to establish a high-level joint dialog mechanism on fighting cybercrime and related issues. ...

The Washington Post described the agreement in this way:

The United States and China have agreed that neither country will conduct economic espionage in cyberspace in a deal that addresses a major source of tension in the bilateral relationship.

The pact also calls for a process aimed at helping to ensure compliance.

The agreement, reached in talks Thursday and Friday between President Obama and Chinese President Xi Jinping, has the potential — if it is upheld — to alleviate one of the most significant threats to U.S. economic and national security.

“The question now is,” Obama said in a joint news conference with Xi on Friday, “are words followed by actions?”

Cyberskeptics Abound

While the agreement offers the potential for a new beginning in U.S.-China relations in cyberspace, President Obama is not the only one who raised doubts over whether Chinese actions will actually match their words in the coming years.

Numerous skeptics pointed to concerns. For example, Congressman Jim Langevin, who is a senior member of the House Armed Services and Homeland Security Committees, said, “… As positive as this agreement is, I remain skeptical about the Chinese commitment to carry it out. ...”

Also, TheHill.com reported:

At least six members of Congress — Democrats and Republicans — used the phrase “step forward” or “first step” to describe the accord.

But those same members also said they were “skeptical” that China would adhere to its promise and vowed to closely oversee the agreement’s implementation.

“There’s a difference between an agreement on paper and having the Chinese government, including the People’s Liberation Army, actually stop conducting and supporting cyber attacks on U.S. companies,” said Senate Intelligence Committee ranking member Dianne Feinstein (D-Calif.).

But some experts went further and stated that this new understanding was just talk.

CNBC reported: "The agreement on cyberarms is nice ... but it won't mean very much on the practical side," said Adam Segal, a senior fellow for China studies and director of the digital and cyberspace policy program at the Council on Foreign Relations. "It really is just symbolic."

The biggest impediment to making a deal work, however, is simply that the Chinese government refuses to admit that it engages in any offensive cyberactivities.

More Background on Tensions with China on Cybersecurity

The concerns over China’s cybersecurity intentions run deep and wide. From "fake" Apple stores to Chinese military intrusions, the breadth and depth of problems have reached crisis levels – which is why these announcements are so important.

For example, the huge data breach this year at the U.S. Office of Personnel Management (OPM) is being blamed on the Chinese government by most experts.

Further, Protect Internet Freedom.com pointed to China’s Internet intentions and its proposed United Nations governance structure as a major threat to Internet freedom.

[The Chinese] envisioned a UN style structure that required each country respect the Internet sovereignty of others, where they had the power to demand that free nations respect the authoritarian denial of Internet access and accept restrictions on freedom-enhancing activities that they did not like. They see an opportunity to bring this vision to life through ICANN, an organization that typically handles website naming and coding languages.

The American Interest described our problems with China regarding cybersecurity as complex in that actions rarely match words. They provided several examples to highlight those claims.

The Wall Street Journal said, “They have a lot of groups that are encouraged with relatively vague guidance to go out and develop hundreds of accesses and bring back lots of data.”

Broader Perspective: This Week Was a Tale of Two Visitors

Perhaps the most memorable aspect of this week in America was not the visit of the Chinese President Xi Jinping but the huge crowds and humble messages given by Pope Francis. The images of both world leaders visiting the White House within hours of each other were unforgettable. The security surrounding the two visits was unprecedented – with online security playing an important part.

Remarkably, the coverage of the pope’s words, sermons and travels dwarfed the coverage of the visit by the Chinese leader. The media attention given to the pope seemed to appeal to the left, center and the right of politics – even gaining coverage around the globe.

Memorable quotes from the pope to a joint session of Congress were even covered by RT.com:

“In a word, if we want security, let us give security; if we want life, let us give life; if we want opportunities, let us provide opportunities. The yardstick we use for others will be the yardstick which time will use for us.”

I bring the Pope Francis visit into this conversation, since the two men are in many ways similar and yet in other ways opposites. While both leaders have a massive online following and both play tremendously important roles regarding global security, they gain their respect and influence in very different ways.

Pope Francis has no military or economic power, and yet his words are trusted and repeated as perhaps no other person alive today. His impact amongst millions of people goes beyond the Catholic Church.

In contrast, meetings with the Chinese leader were the hot ticket in Seattle amongst the billionaire tech leaders and business elite, but the Chinese leader’s words are generally not trusted to nearly the same level by most Americans.

And yet, the two leaders both play central roles regarding online life as we move deeper into the 21st century.

Some Reasons for Cautious Optimism on Cyber

The overall sentiment from this week seems to be cautious optimism that things may improve regarding Chinese cybersecurity. The formal White House ceremony this week along with the many meetings with high-tech leaders in Seattle show that China wants to be seen as a fair player on the world stage.

The Minneapolis StarTribune reported: “Seeking to project a sunny climate for U.S. business, Chinese President Xi Jinping said on Wednesday his country was prepared to greatly reduce restrictions on foreign investment and forecast a long period of economic growth in China, despite recent wobbles.”

Those wobbles in the Chinese economy may be a positive opening for cyber-relations between the top two economic and military powers in the world. The NY Times pointed out that the Chinese president came to America at a time of vulnerability, due to China’s stock market fluctuations.

For all of these reasons, the majority of commentators on international relations and security matters believe that this cyberagreement is a positive first step overall.

I agree.

We have needed a new direction and new arrangements in cyberspace with China for several years. At least now we can build on some common goodwill to curb state-sponsored cyberattacks and theft of intellectual property.

Now it is time to move on to the “trust and verify” stage. We will know if things have changed online very soon.

Dan Lohrmann, Chief Security Officer & Chief Strategist at Security Mentor Inc.

Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.

During his distinguished career, he has served global organizations in the public and private sectors in a variety of executive leadership capacities, receiving numerous national awards including: CSO of the Year, Public Official of the Year and Computerworld Premier 100 IT Leader.

Lohrmann led Michigan government’s cybersecurity and technology infrastructure teams from May 2002 to August 2014, including enterprisewide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan.

He currently serves as the Chief Security Officer (CSO) and Chief Strategist for Security Mentor Inc. He is leading the development and implementation of Security Mentor’s industry-leading cyber training, consulting and workshops for end users, managers and executives in the public and private sectors. He has advised senior leaders at the White House, National Governors Association (NGA), National Association of State CIOs (NASCIO), U.S. Department of Homeland Security (DHS), federal, state and local government agencies, Fortune 500 companies, small businesses and nonprofit institutions.

He has more than 30 years of experience in the computer industry, beginning his career with the National Security Agency. He worked for three years in England as a senior network engineer for Lockheed Martin (formerly Loral Aerospace) and for four years as a technical director for ManTech International in a US/UK military facility.

Lohrmann is the author of two books: Virtual Integrity: Faithfully Navigating the Brave New Web and BYOD for You: The Guide to Bring Your Own Device to Work. He has been a keynote speaker at global security and technology conferences from South Africa to Dubai and from Washington, D.C., to Moscow.

He holds a master's degree in computer science (CS) from Johns Hopkins University in Baltimore, and a bachelor's degree in CS from Valparaiso University in Indiana.

Follow Lohrmann on Twitter at: @govcso