China Daily has responded to a very detailed study Project 2049 published two weeks ago about Chinese signals intelligence and cyber reconnaissance. The response, which doesn't directly address any of the report’s specific claims about the role that the PLA General Staff Department’s Third Department plays in computer network exploitation, is essentially: those in glass houses shouldn’t throw stones. The United States may portray itself as the victim in cyberspace, “but it is no secret that the U.S. has already developed an information warfare doctrine and has capability to make cyber attacks on other nations.” And “the U.S. military is clearly capable of conducting offensive operations in cyberspace at any time and against any country.”
This is one of the standard comebacks to U.S. claims of Chinese cyberattacks (the other being China is also a victim) and would normally not be worthy of too much attention. But this article does end with two suggestions about how China and the United States might build trust in cyberspace. The first, that the two sides should cooperate and exchange information about “profit-driven” cyber crime, isn't much to get excited about, as it has been made several times in different fora. In November 2010, Gu Jian, head of Network Security in the Ministry of Public Security, suggested the United States and China cooperate on cases where there is “double criminality”– acts that are illegal in both countries. In May 2011, the EastWest Institute announced a joint agreement on battling spam. The problem, of course, is that the United States’ main complaint with China is not cyber crime, but cyber espionage — the theft of military and political secrets as well as commercial intellectual property, business plans, and corporate strategy. Mistrust will remain high unless this is tackled head on.
The second suggestion of communicating during a cyber crisis so as to avoid miscommunication and escalation does seem to be a small, yet important, step forward. A couple of months ago, U.S. State Department officials told me that the Chinese were notably lukewarm about setting up a cyber hotline, perhaps because it's too reminiscent of the Cold War or because the United States and Russia are reportedly discussing a cyber hotline and the Chinese want their own thing, not a repeat of what the U.S is doing with the Russians.
It may also be that the Chinese were resistant because they had no idea who should answer the phone on their end when it rang during a crisis. The Project 2049 report describes a widely distributed and stove-piped set of organizations conducting cyber operations. How closely the civilian and military leadership oversees or understands what these groups are doing and how well they might coordinate a response is an open question. Past performance in crisis management doesn't instill a great deal of confidence. It's hard not to recall Admiral Joseph Prueher's frustration that the Ministry of Foreign Affairs and the PLA wouldn't answer the phone as the EP-3 incident developed in April 2001.
Discussions about a crisis hotline might seem like an obvious first step in improving relations. But if it's a sign the Chinese government is beginning to think about how to coordinate a rapid, unified response to cyber emergencies, then it is an extremely important one.
Adam Segal is the Ira A. Lipman Senior Fellow for Counterterrorism and National Security Studies at the Council on Foreign Relations. He blogs at Asia Unbound, where this piece originally appeared.