The cybersecurity deal between the United States and China is a deal without trust. With the United States threatening sanctions and declaring that its patience for Chinese cyberattacks had reached an end, the leader of the Chinese Communist Party (CCP), Xi Jinping, agreed to end cyberattacks that have been stealing trillions in value annually from the U.S. economy.
The agreement is being viewed with a sort of pessimistic hope in the cybersecurity community.
“My opinion is, I'll believe it when I see it,” said Darren Hayes, director of cybersecurity and an assistant professor at Pace University, in a phone interview.
While some experts believe the threat of sanctions against Chinese companies is too large for the CCP not to comply, the CCP has a track record of saying one thing and doing another.
“I know it’s a priority for the U.S. government, because they estimate that trillions of dollars have been stolen, but this agreement lacks credibility,” said Hayes.
Obama and Xi announced the agreement during a joint press conference on Sept. 25, and drew a distinction between spy operations meant for economic gain, and those meant solely for espionage.
They agreed, Obama said, that neither country will “conduct or knowingly support cyberenabled theft of intellectual property, including trade secrets or other confidential business information for commercial advantage.”
Obama said he told Xi “the question now is, are words followed by actions.”
Oversight for Cyberspies
The cyberagreement will establish a system for high-level dialogue between the United States and the CCP. On the U.S. side, this will include U.S. secretary of homeland security and the U.S. attorney general.
The CCP will assign an official at the ministerial level. Other departments, including the FBI, the Department of Homeland Security, and Chinese offices with similar roles, will take part.
According to a White House fact sheet, this biannual dialogue will be used as a mechanism “to review the timeliness and quality of responses” if an incident takes place. In other words, if the United States detects a cyberattack being used to steal from a business, they will alert the CCP, and participants in the dialogue will review whether the CCP did anything about it.
Despite the oversight, on the surface the agreement appears to be toothless. Yet, deep down this may not be the case.
The context of the agreement is what’s important, according to Dmitri Alperovitch, co-founder and CTO of CrowdStrike, a cybersecurity technology company.
The CCP realized, he said in a phone interview, “if they didn’t concede on these points that sanctions would have been put on Chinese companies.”
While it doesn’t appear sanctions are mentioned directly in the agreement, the United States is reserving them as an option if the CCP’s use of cyberattacks for theft continue.
Obama hinted at this during the joint press conference with Xi. He said, “We will be watching carefully to make an assessment as to whether progress has been made in this area.”
If the CCP doesn’t comply, Obama said, sanctions and other retaliatory options are still on the table. He said, “I did indicate to President Xi that we will apply those and whatever other tools we have in our toolkit to go after cybercriminals, either retrospectively or prospectively.”
New Targets
One of the main problems the CCP faces is that its systems for economic theft are massive, and deeply entwined with its programs for economic growth.
Epoch Times recently exposed this system in an investigative report. The CCP’s economic theft is directed by legislation, and carried out by large-scale networks of military and private hackers. Stolen information is reverse engineered by a network of hundreds of “technology transfer centers” under government and academic offices. The system is also supported by more than 3,200 military front companies operating in the United States.
“We’re talking about tens of thousands of people involved in doing this for the Chinese government, and to say this is going to stop today or tomorrow is absurd,” said Hayes.
According to Alperovitch, however, the CCP may not need to dismantle this system. He believes the program could solve the problem of economic theft in the United States, but said Chinese hackers will still have plenty of targets to choose from.
Alperovitch said the CCP is unlikely to dismantle its network of military hackers. Instead, “They’re just going to give them new tasks.”
“It’s not going to cut down on all espionage,” he said, noting that we will likely see an increase in cyberattacks that fall under conventional espionage—and there will likely be an increase of Chinese cyberattacks against other countries.
The issue rests in two key elements of the agreement. First off, the agreement is currently only between the United States and China—and the CCP’s operations to steal intellectual property could simply turn their sights on businesses outside the United States.
Second, the agreement doesn’t cover cyberattacks that fall under the definition of old-fashioned espionage.
“The line is it has to be for commercial benefit,” Alperovitch said.
This means that cyberattacks stealing U.S. military blueprints, personal data on federal employees, and cyberattacks monitoring U.S. officials and other persons of interest will not only not end, but may even increase.
“I think the hope was just to curtail commercial espionage,” Alperovitch said. “There’s absolutely nothing you could do to stop the Chinese from stealing the blueprints from the F-35 [fighter jet].”
Obama emphasized this key difference in operations during a Sept. 16 business roundtable.
He said the United States has told the CCP, “We understand traditional intelligence gathering functions that all states, including us, engage in,” yet noted “that is fundamentally different from your government or its proxies engaging directly in industrial espionage and stealing trade secrets.”