On Friday, President Obama and his Chinese counterpart, Xi Jinping, announced that the United States and China agreed to prevent cyberattacks on one another, and that the nations would not use the Internet to steal, or allow others to steal, trade secrets and intellectual property.
While, at first glance, this pact may seem like a big victory for the United States--some experts estimate that over 80% of all information thefts targeting American businesses currently emanate from China--it actually appears to be more political posturing than a substantive agreement, and, in fact, in some ways may aggravate matters. While it may provide some hope that the ball of change has begun to roll, China still has a strong incentive to hack American people, businesses, and the government, and the present agreement seems to do little to change that situation.
Here are ten problems with the agreement:
1. The agreement as explained by the White House prohibits hacking for commercial advantage, but other forms of hacking, including government-on-government spying, are allowed. Considering the recently discovered massive breach of the Office of Personnel Management--which led to millions of Americans having their private details and fingerprints stolen, and which many in the government believe was perpetrated by China--an agreement not addressing inter-governmental spying is severely deficient. The Chinese government could literally steal every American citizen's tax returns from the IRS and use the information within them for all sorts of nefarious purposes without violating the current agreement. (It is true that the US and many of its allies cyber-spy on one another, but that is a separate issue with risk levels of a different magnitude.)
2. The agreement does not define any standards. What is considered hacking, and what is considered acceptable activity? What constitutes an attack? What is considered commercial--especially considering that the 12 largest Chinese companies are owned by its government? Is it acceptable for a business or government to counter-attack against a commercial party attacking it--when perhaps that party has been infected by malware and is the unwilling agent of someone else? Most international agreements use internationally-accepted or mutually-agreed-upon understandings of terms, standards, and the like. In the world of "cyber" these clarifications do not yet exist, and, without them, any agreement is subject to misinterpretation, misunderstanding, and abuse.
3. Based on the text of the Presidential statement, the agreement does not prohibit hacking individuals or businesses for purposes other than commercial gain. Taking out a public utility or financial network in order to inflict political harm? Using people's personal data or photos in order to blackmail them into spying for China? Both might be perfectly acceptable under this agreement. Furthermore, if Chinese agents were caught hacking an American cybersecurity business, defense contractor, or supplier of equipment, don't you think they'll find a way to explain their actions as having governmental purposes?
4. Even if it were more comprehensive, the agreement is essentially unenforceable. There are no "inspections" or any other clear methods of implementing a "trust, but verify" strategy. One cannot simply prevent a country from launching cyberattacks by inspecting facilities as would be done to verify that a nation is not building nuclear weapons or the like. Hackers can be anywhere; it is a lot easier for them to hide--even in plain sight--than to hide thousands of centrifuges and a nuclear reactor. Chinese hackers don't even need to be in China in order to carry out their attacks. Furthermore, much as Iran sponsors terror through proxies--Hezbollah and the like--China could easily hack through third parties; it is often impossible to determine who is paying a hacker to carry out attacks, or if an attack is emanating from its true source or has been routed through another party.
5. Contrary to the perception that many people develop from fictional stories, experts often cannot identify with certainty the source of a professionally-executed cyberattack; to this day, experts disagree as to who carried out various high profile breaches. Furthermore, even when the culprit of an attack is identified, that party often has a great deal of plausible deniability. As Stewart Draper, Director of Insider Threats for Securonix, noted: "China has always denied involvement in data theft by its government, or encouraging Chinese companies to perform espionage." Practically speaking, should the need arise, how is the United States going to substantiate any perceived violations by China?
6. In order to verify that the parties are honoring their commitments, the US and China are supposed to "establish a high-level joint dialogue mechanism on fighting cybercrime and related issues," and "this mechanism will be used to review the timeliness and quality of responses to requests for information and assistance with respect to malicious cyber activity of concern identified by either side." In other words, the determination of whether the Chinese are adhering to the agreement will be a subjective decision based on conversations and communications; no objective metrics have been established by the agreement. This deficiency in the agreement is serious--as one of the arguments that has been made for supporting an agreement with China, as noted by Jason Healey, Senior Research Scholar at Columbia University's School of International and Public Affairs and Senior Fellow at the Atlantic Council, has been that if China violates the agreement the United States "will be in a much stronger position to respond to Beijing over its commercial espionage" (perhaps by levying sanctions and/or gaining international support for sanctions). If there is no objective way to measure compliance, why would anyone support a US contention that China has violated the agreement? Measuring the number of arrests made by China at the request of the US, and calculating how much cooperation was received when aid was requested, are also poor methods of determining compliance; the US's primary need is not for China to arrest hackers, but to curtail the hacking. Under this agreement China can arrest hackers who are identified by the United States, and appear to be compliant, but simultaneously continue to tolerate or actively carry out attacks through other parties. Also, keep in mind that the most dangerous and damaging attacks are often those that have not been identified, and, therefore, for which no requests for assistance or arrests have been made.
7. Even if China desired to deliver on its promises, it is not clear that the country has the resources to do so. Chinese hackers are believed to commonly hack businesses within China, making one wonder whether the nation's government truly has the capability to curtail hacking. Furthermore, as Ken Westin, Senior Security Analyst at Tripwire noted, the Chinese government has "taken a stance of complete innocence when it comes to cyber war and espionage to the point of claiming naivety." This deal is "sort of like having two parties agree to not hit each other in the face, but one of the parties says he cannot agree because he doesn't have the ability to punch."
8. There is nothing in this agreement that addresses Chinese censorship or abuse of human rights. While some might argue that those are not issues related to hacking, a government that shuts off access to portions of the Internet that allow free communication is essentially no different than a party that executes denial-of-service attacks. And human rights cannot be left off the table.
9. The agreement states that the two nations will not "conduct or knowingly support cyber-enabled theft." The term "knowingly" is troublesome. It is not hard to imagine that if the Chinese government were caught violating the agreement in the future, its officials would simply deny knowing about the offending hacking. Seem implausible? Consider how many American politicians from both major parties have denied knowledge of inappropriate actions despite overwhelming evidence that they either knew or should have known. Classified emails on a personal server? A bridge illegally blocked? Why would the Chinese act any differently?
10. The agreement does nothing to address the reasons that China has been able to hack us all along - several of which I discussed in an article that I wrote four years ago. While some might argue that the US is better off with a bad deal or a partial deal than with no deal, that any reduction of hacking is better than the present situation, or that the agreement is simply a framework for moving forward, I am not so sure. By announcing this agreement, the US government has granted some level of de facto legitimization to activities that it should not be willing to tolerate. Consider what the reaction of the government would have been had Chinese agents been found to have physically broken into the Office of Personnel Management and stolen millions of physical files. Why should hacking be treated dramatically differently? Also, this agreement may discourage various politicians from pursuing a stronger, clearer, more comprehensive agreement that addresses the ten issues raised above, or from levelling comprehensive sanctions should the need arise.
Of course, the Chinese have every right to be suspicious of our own government as well; the NSA spying scandal and various other cyber-incidents such as the Stuxnet attack against Iran's nuclear program clarified that the US is not a passive bystander when it comes to cyber-spying and cyberattacks. We don’t, however, have a history of allowing corporations to hack their competitors.
Hopefully, our elected officials realize the serious deficiencies of the present agreement, and are already working on a better framework going forward. As Jonathan Sander, VP of product strategy for Lieberman Software, said about the current deal: "It's good that there is a starting point, but no one should feel like it's anything but setting the pieces on the board--not even the first pawn has moved in this game."
Please feel free to discuss this article with me. I’m on Twitter at @JosephSteinberg.