During Chinese President Xi Jinping’s state visit to the United States, he reached an agreement with US President Barack Obama on 25 September 2015 to curb “cyber-enabled theft of intellectual property”,1 marking the first of such formal agreements between the two countries. The new agreement will be enforced by the “CERT-to-CERT agreement” — that is, direct cooperation between Chinese and American law enforcement officials. US law enforcement will now be able to call up their Chinese counterparts and expect investigations and possibly even arrests, if American commercial secrets are stolen.
The agreement is a diplomatic success for the United States as the superpower has persuaded the rising power to clamp down on alleged economic cyberthefts from the Chinese side that have posed serious threats to US business interests and economic security. The agreement, through elevating the importance of cyber diplomacy to a new height in bilateral relationship, may temporarily ease the tension between China and the United States over the issue, and help improve the overall bilateral relationship.
Nevertheless, the agreement itself is far from being effective enough to curb the rampant cyber espionage activities due to the complexity of cyber issues, difficulty of enforcement and lack of mutual trust between the world’s two largest economies. The pact may not be effective in curbing pervasive Chinese cyber espionage aimed at extracting US intellectual property and commercial intelligence3 as there were questions about the extent to which it was orchestrated by the Chinese government.4 The two countries will need to continue work on an overarching cyber doctrine and define the limits of acceptable behavior in cyberspace.
China and the US’ Escalating Tension over Cybersecurity
Cybersecurity has been a contentious issue between China and the United States. The United States and China are the two pivotal players in cybersecurity sphere. A mistrust between the two states in the cyber realm can generate negative influence on the long-term strategic intentions of both countries.
China and the United States had made little progress in terms of cybersecurity until Xi’s 2015 state visit. Even as the leaders forged deals on climate change, trade and defense, common ground on cybersecurity was limited.5 Growing tension over cyber issues can erode strategic trust and cause growing suspicion.
According to US Cyber Command and the National Security Agency, China is considered the major threat to US weapons systems on cyber space.6
Over the past decade, Chinese military hackers have allegedly penetrated major defense contractors involved in cutting edge weapons systems, including the fifth generation F-35 Joint Strike Fighter and gas pipeline control systems.7
Since 2013, US security companies have reported that the PLA Unit 61398 in Shanghai was traced to have engaged in frequent cyberwarfare against American corporations and government agencies.8 The increasing tension has also been a problem for US tech companies. While US tech giants such as Apple, Microsoft and Google would like to expand into the enormous Chinese market, they have accused China of widespread snooping into their operations.
The simmering tensions boiled over in February 2015 when the tech sector was required to install Chinese encryption standards that give officials full access to company data.9 A massive coalition of trade groups appealed to the Chinese government and the White House, arguing that the rules would inhibit their ability to operate.10
Xi Jinping's visit to the United States in September 2015 came as the United States and China had been accusing each other of breaking into critical computer systems, stealing data and threatening private and public networks.11 Inextricably, cybersecurity dominated the agenda of Xi's visit. Even before Xi arrived in Washington, the United States and China had been engaged in urgent negotiations on a cybersecurity deal weeks prior to the visit.
A week before Xi's visit to the United States, President Barack Obama gave a stern warning to Chinese President Xi Jinping that the United States will consider any instance of state-sponsored industrial espionage an “act of aggression”.12 President Obama alluded possible sanctions against Chinese hackers, telling Chinese officials in private that the combination of intellectual property theft and espionage on an unprecedented scale — the breach of the 22 million security dossiers from the US federal government’s Office of Personnel Management in June 2015 — cannot go unanswered.13
The United States has repeatedly drew a distinct line between government intelligence gathering and state-sponsored cyberattacks and thefts from corporate firms for commercial interests, which President Obama considered as an “act of aggression” and crime.14 China, on the other hand, denied all allegations of cyber intrusion made by the Pentagon. As Xi restated before his US state visit: “Cyber theft of commercial secrets and hacking attacks against government networks are both illegal; such acts are criminal offences and should be punished according to law and relevant international conventions”.15 He also stressed that “China and the United States share common concerns on cybersecurity. China is ready to strengthen cooperation with the US side on this issue”.16
At the eighth annual US-China Internet Industry Forum held at Microsoft's conference center on September 23, 2015, President Xi met with internet titans and CEOs. Among those who attended the meeting were Apple CEO Tim Cook, Amazon’s Jeff Bezos, Alibaba’s Jack Ma and Facebook’s Mark Zuckerberg. Lu Wei, director of the Central Leading Group for Internet Security and Informatisation, China's top cyber policy-making body, reiterated a long-standing Chinese line at the Forum: that both China and the United States are victims of cyber hackers and cyber criminals.17
China’s Cybersecurity Strategy
China’s cyber policy is driven primarily by the domestic political imperative of ensuring the survival of the Chinese Communist Party (CCP). Since 1991, the People’s Republic of China has increasingly funded, developed, acquired and employed advanced cyber technology in its government, military and civil sectors.18 Senior CCP officials have also issued high-level directives and created several high-level Leading Groups and Leading Small Groups to provide coordination and strategic guidance on cybersecurity (see Table 1).
Table 1. Major High Level Groups on Network Security
1993, reinstituted in 2001
1993, reinstituted in 2001, but without any record of meetings between 2008 and January 2014
State Network and Information Security Coordination Small Group
Staffed by senior government and military representatives, this small group focuses particularly on information security
National Security Commission
With Xi Jinping at the helm, this group is a high priority for Xi and other senior officials; it focuses on domestic security concerns, of which network security is a consideration
Central Network Security and Informatization Leading Small Group
Similarly with the National Security Commission, this group is important because of Xi Jinping’s involvement; it prioritises network security in national security considerations
Many formal documents relevant to cybersecurity have been promulgated and published to tighten internet safety since the early 1990s (Table 2). As policies and stakeholders addressing network security grew, strategic direction for policy became more diversified, including input from the State Council, Central Committee (including Politburo Standing Committee and Central Military Commission) and Leading Small Groups (informal consultative bodies that advise the Politburo and State Council).
Table 2. Chinese Documents on Managing Cybersecurity
Military Strategic Guidelines
People's Liberation Army
1956, 1980, 1993
Authoritative documents that represent the PLA’s strategic priorities and objectives in modernization, force structure and organization; provide insight into how the PLA would wage a war
Th Stat Council
Outlines China’s national civilian network security and information security strategy
“National Informatisation Development Strategy, 2006-2020”
Communist Party Central Committee and the State Council
Indicates priorities of the central government arm that is responsible for information security, telecommunications, the internet, and the research and development of electronic and information technology products; this plan highlights investment in the protection of government information systems
The Science of Military Strategy
Academy of Military Science
Strategic thought on how the PLA would prepare, prevent and wage a war
White Paper: The Diversified Employment of China's Armed Forces
Chinese Government (civilian and military)
Authoritative documents that represent both the PLA and civilian government on China's domestic and national security policies, stipulate national security interests in cyberspace and the possibility of deploying military forces in cyberspace
“Opinion on Further Strengthening Military Information Security Work”
Xi Jinping, Central Military Commission
Sets forth the guidelines, basic principles, key tasks and support measures for military information security work
The establishment of a National Security Commission (中央国家安全委员会) in 2013 was especially significant. Yet to date, responsibilities for China’s cybersecurity had been divided among different departments, hampering effectiveness.19
After President Xi took over the helm, he has emphasized cybersecurity and viewed internet safety as a top priority for national security. At the US-China Summit held in June 2013 in California, one of the topics on the agenda was cybersecurity. US President Barack Obama pressed President Xi to address cyber espionage originating from China and, in particular, state-funded industrial espionage against US companies.
China responded to the United States in February 2014 by forming the Central Leading Group for Network Security and Informatisation (中央网络安全和信息化领导小组), personally chaired by President Xi. Premier of the State Council Li Keqiang and First-ranked Secretary of the Central Secretariat Liu Yunshan were appointed vice chairpersons (deputy leaders). The new leading group, headed by Xi himself, is expected to streamline things by providing top-level guidance. He considers this an important national strategy for China to “establish a strong and authoritative mechanism at the central level” to deal with China’s cybersecurity. 20 In February 2014, China’s new Central Network Security and Informatization Leading Group met for the first time, with President Xi chairing the meeting.
Despite high-level guidance and strategic direction from Xi and senior civilian and military officials, overlapping bureaucratic priorities and competing stakeholder interests across regions and functionalities in China’s network prevail.21 In terms of definition, while the United States uses the term “cybersecurity” to refer to the protection and defense of a wide array of electronic and communications information, China uses the term “network security” (网络安全) to refer more specifically to the protection of digital information networks.22 The term “information security” (信息安全) refers to a broader perspective. Such misconceptions and differences in terms used by both sides could exacerbate the gaps between the two countries in terms of cyberspace agreement.
Cyberattack: An Increasing Threat
Since the beginning of the 21st century, cyberattacks have increased steadily both in frequency and scale. The vulnerabilities of cyberspace have let sophisticated cyber actors and nation-states conduct cybercrimes that could possibly disrupt the delivery of essential services and even jeopardize states’ relations.
Cybercriminals have learnt new ways to evade detection by bypassing traditional defense mechanism. A slew of orthodox crimes are now being perpetrated through cyberspace in different forms. This includes the production and distribution of child pornography, banking and financial fraud, intellectual property violations, cyberattacks and other crimes, all of which have substantial political and economic consequences.
In the meantime, malware has become a multinational activity. Over the past year, callbacks were sent to CnC servers in 184 countries, compared to 130 countries in 2010.23 Xinhua also pointed out that nearly 90,000 individual IP addresses suffered attacks from foreign Trojan horse viruses or zombie programs in 2013.24
Of growing concern is the cyber threat to critical infrastructure, which is increasingly subject to sophisticated cyber intrusions that pose new risks.25 As information technology becomes increasingly integrated with physical infrastructure operations, there is increased risk of wide-scale or high-consequence events causing harm or disrupting services.26
As the threat posed by cyberattack escalates, cybersecurity is becoming increasingly important for the military industry as it jeopardizes national security. Military hackers can penetrate the cutting edge weapon system and conduct information-based attacks and put a country’s defense at risk. The United States is a prime target for cyberattack due to the high volume and concentration of intellectual property and digitalised data.27 According to US Cyber Command and the National Security Agency, China has been singled out as the major threat to US weapons systems.28 China was also accused of purportedly unleashing a series of gigantic cyber-assaults on more than 600 US private, government and corporate organizations.29 In the second half of 2009, many corporate entities including Google were subjected to hacking attacks, causing it to suspend its operation in China.
Cyberspace is particularly difficult to secure due to a number of factors: the ability of malicious actors to operate from anywhere in the world, the linkages between cyberspace and physical systems, and the difficulty of reducing vulnerabilities and consequences in complex cyber networks.30 In light of the risks and potential consequences of cyber events, building a resilient cyber force and cybersecurity has become the top priority of many big powers.
Challenges and the Next Lap
With the rapid development of information technology, the internet plays an increasingly crucial role in the globalized world today. China and the United States have reached certain consensus on the basic principles of network governance. However, as cybersecurity and defense remain a matter of national security and national defense, the two countries displayed caution, fear and distrust.
China and the United States have differing views on the role of cyberspace now and in the future. To the United States, social networking and other online activities can be viewed as giving greater freedom of speech and a positive development. However, in China this very same area is seen as a threat to the legitimacy and governance of CCP. Their views on intelligence gathering, economic espionage and intellectual property also differ.
While the Chinese support the concept of cyber sovereignty, which is the right to control its own cyberspace, the United States wants China to agree to international norms that would reduce China’s level of control over its own internet.
For the cybersecurity issue to be resolved, the two countries would need to be more accommodative about disagreements and differences. Without establishing a mutual understanding or agreement on this issue, it is unlikely that cybersecurity issue could be solved at the international level. At the strategic level, China and the United States are still wary of each other and fully geared to avoid any potential threats from the internet realm. Retaliation or tit-for-tat could lead to instability or even an open warfare.
As cybersecurity is a brand new issue and challenge, joint endeavors are needed between governments, media, enterprises and other stakeholders. China and the United States as the two pivotal countries in the internet sphere could collaborate to explore important common interests and room for cooperation.
On the positive side, this could possibly create a new bright spot in bilateral cooperation. For example, Chinese internet security company, Qihu 360, has helped fix five new bugs in the Windows software package recently. To date, Qihu has received 86 public commendations from Microsoft for its contributions to the security of Microsoft products.
In March 2015, China's largest e-commerce platform Alibaba's first overseas data center in Silicon Valley began its trial operations to help provide cloud services to overseas clients, especially those in North America. Through the data center, American companies enjoy easy access to cloud services from China and vice versa.31
While the US-China agreement in September 2015 is a welcome first step towards a resolution to cybersecurity threats, it also brings to light the greater issue facing the two countries — that the international cyberspace is an ungoverned space. The two countries will have to continue to work on an overarching cyber doctrine and define the limits of acceptable behavior in cyberspace.
1. The new US-China cybersecurity agreement: a brief guide. (25 September 2015). Vox World.
2. China-US cyber agreements: Has Beijing outmaneuvered Washington? (28 September 2015). The Diplomat.
3. “Commercial intelligence” is defined by the White House as intelligence collected “with the intent of providing competitive advantages to companies or commercial sectors”. This differs from economic espionage, which most states undertake to protect and advance national economic interests. See: China-US cyber agreements: Has Beijing outmaneuvered Washington? (28 September 2015). The Diplomat.
4. Top U.S. spy says skeptical about U.S.-China cyber agreement. (30 September 2015). Reuters
5. US, China see little progress on cybersecurity. (11 December 2014). The Hill
6. Gertz, B. (1 June 2015). Congress: U.S. military highly vulnerable to cyber attacks.
8. China says army is not behind attacks in report. (20 June 2013). The New York Times
9. US, China see little progress on cybersecurity. (11 December 2014). The Hill
11. U.S., China talks on cybersecurity to be a "very complicated negotiation". (24 September 2015). National Public Radio.
12. President Obama warns China: State cyberattacks on business are "acts of aggression," US mulls retaliation. (16 September 2015). International Business Times
13. Cyberthreat posed by China and Iran confounds White House. (15 September 2015). The New York Times
14. Cook, A. D. B. (20 June 2013). The cybersecurity challenge and China-USA relations. EAI Background Brief, no. 828.
15. Xi Jinping says China is not guilty of cyber attacks as he prepares for US visit. (22 September 2015). The Guardian
17. China: On cybersecurity, U.S. must not rock the boat. (23 September 2015). USA Today
18. Chang, A. (December 2014). China cybersecurity strategy. Warring State.
19. Xi Jinping leads China's new internet security group. (28 February 2015). The Diplomat
20. Chang, A. (December 2014). China cybersecurity strategy. Warring State.
21. Lieberthal, K. and Singer, P. W. (February 2012). Cyber security and China-US relationship, in 21st China Defense Initiative. China Centre at Brooking.
22. Chang, A. (December 2014). China cybersecurity strategy. Warring State.
23. Fire Eye (2013). Advanced cyber attack landscape report, p. 5.
24. Xi Jinping leads China's new internet security group. (28 February 2015). The Diplomat
25. Department of Homeland Security. (22 September 2015). Cybersecurity overview
27. Fire Eye (2013). Advanced cyber attack landscape report, p. 10.
29. American victims of China’s cyber attacks and espionage. (3 August 2015).
31. Spotlight: Cyber security promises new highlight of China-U.S. cooperation. (25 September 2015). Xinhuanet