Cyber Cease-Fire: US v. China


As published on Norse on October 6th, 2015

Interesting times indeed, now that the outcome of Chinese president Xi Jinping’s two-day visit to the White House last week has been made public. According to the White House press release, this is what was agreed:

  • The United States and China agree that timely responses should be provided to requests for information and assistance concerning malicious cyber activities.  Further, both sides agree to cooperate, in a manner consistent with their respective national laws and relevant international obligations, with requests to investigate cybercrimes, collect electronic evidence, and mitigate malicious cyber activity emanating from their territory.  Both sides also agree to provide updates on the status and results of those investigations to the other side, as appropriate.
  • The United States and China agree that neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.
  • Both sides are committed to making common effort to further identify and promote appropriate norms of state behavior in cyberspace within the international community.  The United States and China welcome the July 2015 report of the UN Group of Governmental Experts in the Field of Information and Telecommunications in the Context of International security, which addresses norms of behavior and other crucial issues for international security in cyberspace.  The two sides also agree to create a senior experts group for further discussions on this topic.
  • The United States and China agree to establish a high-level joint dialogue mechanism on fighting cybercrime and related issues.  China will designate an official at the ministerial level to be the lead and the Ministry of Public Security, Ministry of State Security, Ministry of Justice, and the State Internet and Information Office will participate in the dialogue.  The U.S. Secretary of Homeland Security and the U.S. Attorney General will co-chair the dialogue, with participation from representatives from the Federal Bureau of Investigation, the U.S. Intelligence Community and other agencies, for the United States.  This mechanism will be used to review the timeliness and quality of responses to requests for information and assistance with respect to malicious cyber activity of concern identified by either side.  As part of this mechanism, both sides agree to establish a hotline for the escalation of issues that may arise in the course of responding to such requests.  Finally, both sides agree that the first meeting of this dialogue will be held by the end of 2015, and will occur twice per year thereafter.

 

Second-guessing

At first glance this sounds wonderful, but it didn’t take long before the second-guessing started, with Barack Obama making statements such as “What I’ve said to President Xi, and what I say to the American people, [is] the question now is: ‘Are words followed by actions?’”.

It’s important to look at this meeting in the context in which it was held. As most people are aware, the US has been experiencing cyber-attacks almost non-stop for years now, on multiple fronts. The US criticizes China for attacking not only US government infrastructure but also commercial enterprises, which are suffering massive theft of intellectual property in almost every industry. The widely publicized OPM hack was only the most recent event that made the American cup ‘runneth over’.

But the US is hardly the innocent victim that it portrays itself to be. Well-known whistleblower Edward Snowden revealed that the US has actively been attacking Chinese infrastructure as well, in order to ‘prepare the battlefield’ for any potential physical conflict. They have admitted doing so, but claim that no intelligence from the large cyber intelligence gathering ‘driftnet’ known mostly by its moniker PRISM is fed to American enterprises for their commercial benefit. Whether that is true, of course, remains to be seen. After all, accusations of unfair commercial advantages through government espionage have been shown to contain some substance in the past.

 

Limiting cyber-attacks

In this regard, it is not surprising that it is the US calling for an agreement on limiting the cyber-attacks between the two nations. When taking the theft of intellectual property into account, the US simply has more to lose. It should also not be forgotten that not long ago China signed a treaty with Russia that, among other things, contained a pledge that they would not hack each other. This same treaty also further solidified their efforts to influence global internet governance, about which I commented in an earlier article, giving the US all the more reason to try to calm the waters with China.

 

So what does this treaty mean?

Of the four points covered under Cybersecurity, only the first two have some meat to them. As also mentioned in my previous article, the Chinese are very unlikely to sign any treaty on internet norms of behavior that includes a reference to the UN’s definition of human rights. The entire bullet point might as well not have been there. It is window dressing and was probably only agreed upon because it shows a willingness to ‘get along’, whether real or imagined. The last point about the ‘cyber hotline’ doesn’t actually say a whole lot at all, so let’s move on to the more salient points.

It should be noted that the US is trying to stop the attacks against American businesses while trying to keep the option of ‘battlefield preparation’ on the table. This isn’t guesswork, it’s public record; just look at what American politicians are saying on the subject. In other words, both countries now seemingly agree that attacks on government networks are more-or-less allowed, but commercial enterprises are considered off-limits. In the unlikely event that both parties actually honor the agreement, this would be a clear win for the US.

 

An unlikely agreement

And that the agreement will be honored does seem very unlikely. For one, the Chinese government has never acknowledged that it has any involvement in cyber-attacks against commercial enterprises, and it is highly unlikely that they ever will. If those attacks were to cease suddenly now, it would be a tacit admission that it had such control in the first place and put the lie to every official statement the Chinese government has ever issued on this topic. Another important factor is the simple question of “Cui Bono?”. Who benefits? The Chinese would lose a very effective method for national advancement in many areas, and the only cost thus far has been (relatively light) international criticism. They would gain nothing, whereas the US would gain a stopgap in the massive IP drain.

In short: The agreement seems a bit one-sided and that does not bode well. It may well be that China agreed only to stave off the sanctions that the US has been casually dropping to the press recently. Whether China takes these sanctions seriously is debatable, because China still remains the greatest holder of US debt, which means it can give a considerable pushback. Then again, China not honoring the agreement is probably expected. Despite what some critics may say, the people involved in drafting this treaty are not fools. With this agreement on the table it makes the American case much stronger if China does violate it, as Jason Healey points out.

As always, time will tell.

 

On Iran and Pre-Emptive Cyber Attacks

Early in February of 2013, many news outlets came out with articles about the US Government having a ‘secret legal review’ on the use of its cyber-arsenal. This legal review concluded that the US government could launch a cyber attack against a threatening nation if the country needed to defend itself. Essentially it boils down to ‘legitimately’ having the power to order a pre-emptive cyber attack, even though only the President himself can authorise such an attack. As many nations are developing their own Cyber program, and some nations are very actively using cyber attacks to get a definite leg up, nobody really expected any other outcome. A very damning report by Mandiant on “APT1” recently emphasised yet again how professional and broad-scoped China’s cyber espionage apparatus has become, and the United States finds itself a major target in these operations. Even though this same report is heavily criticized by experts for having critical analytical faults, it is hard to deny that Cyber is still increasing in overall popularity on the world’s geopolitical stage.

Some say that this ‘right to strike pre-emptively’ is a warning shot across the bow of China, but it cannot be said that it is a timely revelation in any respect. After all, not having formally asserted this right to strike pre-emptively did not deter the cyber attack against Iran’s nuclear enrichment facilities in Natanz, which was devised during the Bush Jr. administration but was executed under Obama. A cynical view might take that to mean that not one, but two separate administrations had already asserted that right years before. Also, even though it was never confirmed officially, the Washington Post published an article in 2012 that claimed Flame, a piece of malware dubbed the successor to Stuxnet, was also developed by the US government years before, and launched against Iran in roughly the same period of time, also with the intent of slowing down Iran’s nuclear enrichment program.

What makes this all especially interesting is the recent publication of the Tallinn Manual on the International Law Applicable to Cyber Warfare, as commissioned by NATO’s Cooperative Cyber Defence Center of Excellence in Estonia. Its lead author, Michael D. Schmitt, is also a professor of international law at the US Naval War College in Newport. In a recent interview with the Washington Times professor Schmitt revealed that the collective of authors who worked on the Tallinn Manual were of the opinion that the Stuxnet attack was indeed an Act of Force: “Acts that kill or injure persons or destroy or damage objects are unambiguously uses of force”. This is significant because it means that by the opinion of the world’s leading legal minds on Cyber Law (led by an American, no less), Iran has a legitimate legal reason to declare war against the United States. I should point out that the reverse is not the case, even if Iran is actively seeking nuclear weapons (which does seem likely, seeing as how it would level the geopolitical playing field for them).

Given the already volatile nature of the Middle East as a whole, you’d have to wonder if cyber weapons are a blessing or a curse. The threshold to their use seems to be significantly lower than kinetic means, but this, in turn, may quickly give legitimate claim to escalate matters into the kinetic spectrum. Whatever else may happen, on this front it will be a most interesting decade.