In the last year, the Obama administration and the US national security community have been ever more vocal in their anger at what they regard as state-sponsored cyber-attacks emanating from China on government institutions and private corporations.
Officially, China denies the accusations. Yet the evidence of Chinese complicity in attacks on economic targets, from cybersecurity companies, western governments, independent research institutes and even strategy documents published by the People’s Liberation Army, is overwhelming. The number of significant breaches continues to grow, with ever more damaging consequences for those targeted. It has only been in advance of Xi’s current trip to the US that analysts have registered a marked downturn in the number of attacks.
The US and west European countries consider the targeting of industry a separate issue from political espionage. Before president Xi Jinping’s last visit to the United States in June 2013, the White House had trumpeted well in advance that president Obama had placed China’s cyber-espionage programme at the top of the agenda.
Three days before the meeting, however, Edward Snowden revealed his first secrets about the NSA and its extensive surveillance programmes. It was probably no coincidence that Snowden made his initial announcement in Hong Kong. Whether the Chinese facilitated the whistleblower’s dramatic appearance on the world stage or not, I like to imagine Xi walking into the meeting with Obama, throwing down a copy of the New York Times with its Snowden headlines and enquiring politely, “I gather you want to talk about cyber-espionage?”
Until that point, most major states had been engaging in wholesale and extensive digital spying for well over a decade. But they had all routinely denied it. After Snowden’s Hong Kong moment, nobody bothered anymore. The world’s most powerful governments, a host of minor ones and a growing body of non-state actors from the hacktivist group Anonymous, through Mexican cocaine cartels to the cyber-caliphate linked to Isis, have been caught with their fingers in the digital till of potential or actual rivals and enemies (and in some cases friends) to extract information.
Even if governments denounce such activity in public, in reality they all accept that it is no more than an extension of an organised, accepted, indeed regulated, practice between states throughout the 20th century. This is spying – no more and no less. The digital version simply multiplies the possibilities. Spies merely have a much more powerful tool at their disposal. Arguably, the very reach of cyber changes the essence of espionage as its practitioners are no longer simply investigating state secrets but gathering information about entire populations. However, no government seems very interested in making that case.
There are, however, three areas into which common-or-garden espionage spills over in a networked world: sabotage and warfare; intellectual property rights and economic espionage; and finally civil rights and surveillance.
Now, to the surprise of many, Washington and Beijing seem keen to agree on some basic ground rules of how to behave to prevent any such spillage from corroding their relations. What the outcome of this will be nobody yet knows. Their motives are different. For China the right to control content for its citizens is a key concern. For the US, the struggle to maintain the system of global intellectual property rights and the maintenance of technological supremacy are important drivers.
The Chinese are keen to reach an agreement on a “non first-use” policy of cyberweapons against other countries’ critical national infrastructure, for example transport, communications and utilities systems. The Americans want a commitment from the Chinese to stop targeting companies.
Washington officials are dampening expectations that any concrete agreement is imminent but president Xi’s comments on this trip so far (together with the drop-off in attacks) seem to suggest that China is keen to talk. Xi specifically denounced the practice of using cyber-attacks to steal intellectual property or gain any market advantage over competitors, an issue that he has avoided in such detail hitherto.
If the two sides build upon this apparent willingness to engage with cyber-malfeasance, it will be an important and welcome first step, indeed a significant moment in trying to bring some order to the digital cacophony that reigns.
At the moment, there is no consensus on what states can and can’t do to each other, hence the free-for-all. Cyber is also seen as an area that governments can use to pressure one another. Until 2006, Britain’s Serious Organised Crime Agency enjoyed good co-operation with the Russian Interior Ministry when investigating cybercrime. Once Alexander Litvinenko, the former KGB officer turned opponent of Vladimir Putin, was poisoned in November that year, that co-operation was closed down. Dialogue on cyber issues between the US and Russia has been largely frozen since the Ukraine conflict began.
The fact that Washington and Beijing now actually want to lay down some ground rules is a very encouraging sign. Although some cyber-activists fear that this is the beginning of a system of global governance of the internet and hence interference in the web, this misses the point. Governments have been assigning themselves rights to interfere in what people can or can’t do on the internet and what level of privacy they might expect for years.
As was the case with the Helsinki accords, civil rights campaigners can build on agreements between states to defend the rights of individuals. This should be part of any system of governance of the internet that now seems very likely to emerge.