By Miao Wang
The booming of information revolution and rapid development of computer network has wide influence not only on social communication, but also on economic productivity as well as states security in today’s world. As a rapid power today, China is pursuing a leading position in cyber space to contribute to its infrastructure modernization and military transformation. However, cyber development is a double-edge sword. Private information and the hardware with valuable data on it are the targets for financial thieves, political spies, and states soldiers. Financial theft and political espionage do not only cause economic lose but also induce diplomatic suspicion between states.
Cyber threat is seen as one of the most serious economic and national security challenges to nations. Americans hear more about Chinese cyber threats to the U.S. According to the Biden administration’s indictment, China has reorganized its hacking operations. Hacks that were conducted via sloppily worded spear phishing emails by units of the People’s Liberation Army (PLA) are now carried out by front companies and universities that work at the direction of China’s Ministry of State Security. It is also likely that U.S. does more to China’s internet due to American leading-edge technology. Chinese leaders are quite concerned about cyber security. The foreign ministry spokesperson Zhao Lijian told the public that the U.S. is the largest source of cyber attacks targeting China. In 2020, Chinese authorities captured more than 42 million samples of malicious programs from foreign sources, with 53 percent originating in the United States. Cyber security could put huge strain on US-China relationship, and it can be seen as a critical factor to determine the future trajectory of US-China ties.
Currently, however, problems on cyber security are existed between US-China relations though both leaders signed cyber security pact. China is described by the U.S. as a country that desires to penetrate into American business system to gain data access, which is “not okay” in the U.S, as Simon Denyer said. Mandiant, an American cyber security firm, reported that the cyber attacks against 141 U.S. companies in 2013 was traced to a Chinese military unit that is sponsored by central government for cyber theft on trade secrets. China denied all the charges from the U.S. and was not satisfied with the definitions that allow U.S. to spy on foreign companies and governments for national economic gain but view other forms of commercial espionage are not acceptable. The cyber-tensions over espionage have also spilled out into issues for Snowden incident. Some of Snowden’s documents show that National Security Agency (NSA) burrowed into the Shenzhen headquarters of Huawei to exploit the routers and switches, which caused considerable resentment in China for its earlier allegations of Huawei collusion with Chinese intelligence. This completely shifts the focus to American espionage in cyberspace. Then the massive data breach at the U.S. Office of Personnel Management (OPM) that target the data for almost 22 million people again drove U.S. to point the finger to China. With the cyber security pack signed, it leads people to question about what variables impact on cyber security between the U.S. and China, also what to do next. The core variables that determine the nature and future of cyber security are: ambiguous definition on cyber security, mutual mistrust and China’s cyber problem.
Firstly, it is hard to define what constitutes acceptable behavior in cyber space and how to deter actions that cross lines. Both sides need reconciliation on terminology. If not, they will take on different meanings in political and cultural situation to meet their own interests. Cyber defense is challenging because of the failure among stakeholders to have a consensus on technical standards and protocols. For example, Chinese do not often see the clear differences between national security and industrial espionage, which the U.S. tries to articulate. Gaining economic advantage is part of national security in Chinese view so it is difficult to have a clear division. For foreign firms in China, it is hard to tell the difference between security measures and protectionist motives because multiple compliance standards are selectively enforced on private firms, which leaves the room for China to use security policy to justify technical trade barriers. Also, economic espionage is illegal in American domestic law but it is not prohibited by international law. Thus, when U.S. complains about China’s engagement in wrong espionage, it means that China is not playing by US rules.
In the China-US Track II Bilateral on Cyber security in 2013, some key concepts are defined like “hacker” and “compromise”. However, more important words’ definition like “network attack” was not cleared. Similarly, the cyber security pact signed does not define standards. What is considered acceptable activity? What constitutes an attack? Is it acceptable for a business or government to counter-attack against a commercial party attacking it? Efforts to define and to enforce cyber security policy are still needed.
Secondly, there is considerable mutual mistrust on cyber security between the U.S. and China. Both policymakers distrust one another’s accounts of the true scope of their activities and intentions in cyber space. Chinese distrust of the U.S. has persisted ever since the founding of PRC in 1949. The PRC viewed the U.S. as an evil imperial power and military threat during the first several decades of PRC. Although the US-China relation is normalized in 1970s, the threat from the U.S., ranging from fears of American interference in China’s internal affairs to American containment policy toward to China, never disappeared. As American see it, it is doubtful that a strong and prosperous China will become a responsible stakeholder that follows agreements and international rules. U.S. decision makers also see China’s future as very undetermined due to its authoritarian political systems. On the one hand, U.S. tried to argue that it could only conduct cyber operations against government for military and other government information. However, the Chinese are hacking business for commercial secrets since the 2017 Intelligence Law requires any organization and individual to assist China’s national intelligence agency. On the other hand, revelations about US cyber operations against Huawei and Snowden incident cast doubt on US claims. Snowden’s disclosure of NSA and FBI cyber espionage in China is a very serious concern and deepens the distrust among Chinese. Due to the lack of mutual trust and the inconsistency of network regulation mechanisms, there is no effective communication or cooperation on cyber security issue.
Moreover, China’s inefficiency on network coordination and control of information flow also hinder the potential development of cyber security between two countries. China has invested heavily resources into internet infrastructure as well as controlling political content through online filtering and monitoring. However, its network security policies have not developed quickly enough to catch up. Compared to American developed cyber security, Chinese policy is not fully in place. There is lack of guideline and implementation of cyber security; lack of established national or international strategies on cyber; also lack of an efficient decision-making process and network security coordination mechanism. Most of all, there is no openness and flexibility of the internet in China. China’s information security system relies on firewalls, intrusion detections, and virus prevention, which is pretty complex to implement. Although China has invested considerably in its cyber infrastructure, it still relies heavily on foreign countries for core network security technology, which make Chinese networks remain vulnerable to potential attack by foreign actors. What is more, PLA is obviously a crucial player in China’s overall cyber security system with its responsibility for military signals intelligence and electronic warfare, but some PLA organs also undertake industrial espionage. For example, US Department of Justice issued charges against five Chinese hackers for carrying out cyber espionage against US companies in 2014. These hackers were found all worked for the Chinese military, which make it trustful that PLA manages a lot of groups that operate to exploits vulnerable computer networks around the world, especially targeting the U.S. Elite attention in China makes it more likely that bureaucratic friction in the everyday administration of policy will continue, adding to the inefficiency of China’s cyber defenses.
International cooperation is essential for improving cyber security. U.S. and China are negotiating “arms control” for cyberspace, which agreeing not to be the first to target the other’s critical infrastructure in peacetime. The cyber security pact signed between U.S. and China, as well as the agreement achieved on security dialogue make them signals that China starts to show inclination to build the bases for greater mutual understanding on cyber issue with other countries. However, there are more important and difficult steps needed to establish norms of behavior.
According to the variables described above, the deterioration in cyber relations between US and China is the most likely scenario that could evolve over a finite period of time. The blurred definition on the cyber security norm and terminology, deep mutual trust deficit, lack of consistent focus on cyber security by Chinese government and its imperfect alignment between fast-changing technology and slow-moving policy make it hard to have a communication on cyber security issue between two sides. China’s rising pervasive nationalism combined with a powerful CCP’s control over internet could exacerbate pressures to respond aggressively to international crisis and could worsen the bilateral relationship. Also, the U.S. has not hesitated to use its resources and expertise to leverage American firms for intelligence and military advantage. Once the approach that emphasizes on retaliation is adopted, which is threat-based, then there will be more sophisticated and deeper harms in cyber space. With Sino-American trade tensions escalating, China’s cybersecurity standards could be used as an “invisible tool” for retaliating against Washington’s tariffs. Over the past several years, Beijing has issued more than 300 new national standards, there is some concern that Beijing would use its standards regime to retaliate against the U.S. as the countries exchange salvos in their trade war. Thus, rift between the two governments would exacerbates cyber insecurity even further. The biggest problem is the deep mutual mistrust existed between each other. There is a proverb in China, “Ice does not freeze three inches thick from one day’s cold.” Deep mistrust in the cyber space is growing and start producing negative long-term strategy intentions in both countries towards each other. The cyber incident happened in the past several years and Chinese worriedness of American highly privileged position in the global cyber space make the distrust easily spill over into broader assessment on each other. Establishing greater mutual understanding and trust will be a difficult step. Considerable time should be allowed to develop common approaches to structuring the discussion, and selection of topics that hold the most promise for permitting increasing understanding of perceptions, goals, and mutually acceptable approaches and methods. Having each side explain its own views on a core set of issues is important, no matter the setting is an unofficial track two, an official track one, or the new variety of “track 1.5s”. If not, cyber security will continue to be a source of diplomatic distrust, which will definitely worsen U.S.-China relations.
It seems some steps have been taken during the visit of Chairman Xi to U.S. In 2015, President Barack Obama announced that he and Xi had achieved an agreement, in which both sides would not to conduct or support cyber theft of business secrets and intellectual property. Xi agreed that the countries would abide by “norms of behavior” in cyberspace. Also, China-U.S. High-Level Dialogue on Cybercrime and Related Issues in 2016 indicates a willingness by both sides to find a way out in cyberspace that will not have spillover effects into other parts of the bilateral relationship. These are signs of making commitment to promote security and stability in cyberspace. However, the effectiveness of these deals remains open to speculation. After President Donald Trump took office and accelerated trade conflicts with China, the hacking resumed. The two countries have already been at loggerheads over cross-strait issue, disputes about the South China Sea, a crackdown on democracy activists in Hong Kong. A much specific approach is needed to establish a framework and consensus of international norms that would enhance the cyber security in both countries. Clarifying the rules of the road, which are basis for a bilateral cyber communication, is the first step to move forward. However, the complexity of negotiations over definitions and verification protocols lie ahead. Together with Chinese institutional inefficiency and violation of intellectual property rights, it will take a while to have improvement on consensus of cyber security.
In a word, China and the U.S. maintain an important and complex relationship that covers diplomatic, economic, and military spheres. Cyberspace cuts across all levels of the bilateral relationship. China’s rapid growth injects considerable energy in cyber security. It is not just a technology problem but also a political-economic challenge. Cyber technology creates prosperity but it also facilitates cyber crime, espionage, and cyber warfare. The roles of U.S. and China is critical to the Internet and their billions of users, as well as to the overall global order in cyberspace since the U.S.-China relations is among the most important diplomatic relationship in the world today. Both sides should find a common ground to deal with the challenge to make it an opportunity to improve relations. Negotiations that focus on finding cooperative ways to define and deal with cyber issue may become a good start in the process of understanding mutual goals and enhancing mutual trust. The growing cyber space warfare capabilities indicated that the attacker with privilege in this realm could integrate such assets with both nuclear and conventional forces to generate cross-area risk. American and Chinese business leaders, cyber experts and politicians should make the cyber world a place for productive collaborations build on trust, or it will continue the drama of “a thief crying stop thief”. Elbert Hubbert said: “If men could only know each other, they would neither idolize nor hate.”
Miao Wang is a PhD Candidate at Renmin University of China