Earlier this month, the United States and China met for the first U.S.-China Law Enforcement and Cybersecurity Dialogue. This and future similar dialogues seek to expand upon cooperation begun in 2015 with the Obama-Xi cyber agreement, which barred state-sanctioned cyber theft of intellectual property for the purpose of enhancing commercial competitive advantage. Although some reports indicate the agreement has contributed to a quantitative decline in cyber theft, further reports indicate that that the U.S.-China intellectual property cyber front is anything but calm. Not only are state-to-state cyber espionage activities likely ongoing (a category of competition not addressed in the 2015 agreement), but analysts suggest efforts to infiltrate U.S. companies continue, but are simply more sophisticated, targeted, and calculated. Why has the 2015 agreement seemingly fallen short despite apparent bilateral support?
There are several possible explanations. As some have argued, the Chinese Communist Party’s control over entrepreneurial Chinese cyber actors may be limited. Although Xi Jinping continues to consolidate power, it is plausible that state hackers — including those in the People’s Liberation Army and China’s numerous state-owned enterprises (SOEs) — may act independently of central government guidance. Others argue that differences between cyber theft and cyber espionage are ill-defined and SOE-sponsored cyber theft skirts a grey area between interstate espionage and commercial intellectual theft, making the agreement difficult to track and enforce.
Perhaps more importantly, the two countries were likely ill-prepared to comprehensively embrace to the agreement from the onset. Not only is it nearly impossible to enforce international cyber law and hold violators accountable, but hacking organizations have a strong economic incentive to steal data. The estimated worth of stolen information can be astronomical, especially to firms attempting to compete against U.S. comparative advantages. Absent effective international enforcement mechanisms, cyber theft trends are likely to continue. Other than inciting anger abroad, little has come of the U.S. Department of Justice’s 2014 effort to indict Chinese state-sponsored hackers, for example.
Yet even if state-to-state cyber espionage will likely remain steady — or even increase — in coming years, several avenues for enhanced bilateral collaboration exist. Although the 2015 handshake agreement was a step in the right direction, future agreements can serve mutual interests by refocusing efforts to protect shared common goods. In particular, both countries have an overwhelming stake in safeguarding the integrity of global financial data. Experts (here and here, for example) correctly believe that the integrity of financial data is the preeminent security issue facing global networks. In the increasingly cashless and interconnected modern global society, an effective cyber attack could, in the words of a 2017 MIT report, “wreak devastating economic havoc,” and any degradation of public confidence in banking systems could prove similarly catastrophic. The discussion is not just academic; the G20 Finance Ministers and Central Bank Governor’s Meeting held in March this year warned that “[t]he malicious use of Information and Communication Technologies (ICT) could disrupt financial services crucial to both national and international financial systems, undermine security and confidence, and endanger financial stability.”
Accordingly, organizations like the Carnegie Endowment for International Peace have called upon states to “explicitly commit not to engage in offensive cyber operations that could undermine financial stability, namely manipulating the integrity of data of financial institutions, and to cooperate when such incidents occur.” As the world’s largest economies, the United States and China might consider leading these initiatives by focusing upcoming cyber talks around constructive options to harden global financial systems against emerging state and non-state threats. Additionally, states should craft bilateral or multilateral response measures should catastrophic attacks occur.
Of course, it is important to note that international cyber policy does not exist in a vacuum, absent broader international security dynamics. An all-inclusive no-first-use commitment encompassing attacks on international financial data may be akin to a nuclear weapons no-first-use commitment, which the United States has refused to make. Rather than encompassing agreements, focusing efforts on protecting civilian cyber infrastructure may be a palatable step to enhancing global cybersecurity. Ultimately, as the cyber and space domains become increasingly entangled with notions of strategic stability, any important international cyber initiative must be carefully weighed against broader strategic considerations.
The timing might be right for progress. Even if the 2015 Obama-Xi agreement has fallen short of its ambitious objectives, it demonstrated that both nations are capable of engaging in cybersecurity dialogue. The current administrations now have an opportunity to leverage continuing dialogue to strengthen, expand, or even redirect the agreement onto pressing and perhaps more tractable matters — the protection of global financial data.
Captain Adam Greer is an instructor pilot, U.S. Pacific Command Foreign Area Officer, and instructor at the Air Force Academy. Nathan Montierth is a resident Young Ambassador at the Carnegie-Tsinghua Center for Global Policy in Beijing. The views are the authors.