US cybersecurity cooperation with China starts at home

Cybersecurity will be a topic of discussion as US President Barack Obama and Chinese President Xi Jinping meet Friday and Saturday for a historic, informal summit at a California retreat. But with US accusations of hacking at a fever pitch and Chinese denials of state support for hackers only slightly muffled by an agreement to form a high-level working group, what would productive US-China cybersecurity cooperation really look like? For the United States, cooperation starts at home.

Cybersecurity is a confoundingly broad concept, including copyright protection, guarding trade secrets, maintaining secrecy at military contractors, protecting military and intelligence community secrets, and defending critical infrastructure from potentially deadly sabotage. Thus the United States policy community needs to define its goals with a realistic view of potential Chinese cooperation and in connection with new measures at home. Different types of cybersecurity require different perspectives.

With political and military secrets, including the work of defence contractors, neither country can realistically expect the other to stop spying. The Washington Post reported last month that Chinese hackers were suspected of accessing parts of the designs for “more than two dozen major weapons systems”. The US government can protest if it likes, but it should not be surprised. Espionage of this kind is to be expected, and these alleged incursions are unlikely to be useful topics of conversation. Instead, the United States should upgrade its system for controlling secrets, including among contractors, and hold accountable those who fail to meet strict standards. Some secrets will inevitably be lost, but stronger measures at home, including Obama’s effort to increase information sharing on attacks, can help.

The US government does have a chance to decrease the theft of corporate secrets, widely alleged to be sponsored in some cases by Chinese state entities. The US side could frame intellectual property (IP) protection as a foundation of China’s efforts to spur innovation and show that more US technology would move voluntarily into the Chinese economy if protections were strong. Since enforcement would still be a challenge in China, the US has options at home. A US or multilateral policy that bans or taxes the import of goods containing pilfered IP could directly reduce the incentive to hack in. This approach is supported by former Ambassador to China Jon Huntsman and Admiral Dennis Blair in their recent report on protecting US IP. Any such policy, however, should come with the understanding that greater Chinese investment in the United States can be positive for both economies, and that IP protection barriers must be weighed against potential upsides.

When it comes to the hacking and potential sabotage of critical infrastructure, China and the United States have the opportunity to provide much-needed momentum in an international effort to set so-called “rules of the road” for cyberspace. The world needs standards for what is fair and normal, if not legal under local law (ie regular spying), and what is beyond the pale of international norms. This means setting rules, for instance to refrain from developing the ability to sabotage another country’s life-sustaining infrastructure, such as the power grid or air traffic control. Or to never hack a hospital. It means developing cooperative mechanisms to make it easier to identify who’s behind an attack. And it means defining the extent of a state’s responsibilities to monitor non-state actors within its jurisdiction. If these two countries can come to some fundamental standards, they could serve as leaders in a global agreement – one that, unlike many international agreements, would include Chinese participation from the outset.

Each of these “rules of the road” efforts, however, will take time. For now, the US government still needs to start at home. Revelations that hackers have compromised a power plant, for instance, should trigger strong efforts to improve security of such infrastructure before they trigger international finger-pointing, especially since governments are only one potential threat. Moreover, the American people should hold their government accountable for its own alleged cyber escalations. It was reportedly the United States that “crossed the Rubicon”, as one former CIA director called it, with the Stuxnet attacks on Iranian nuclear centrifuges. Other governments can be expected to develop their own such weapons if the United States is seen as a lead saboteur.

Most importantly, the cybersecurity issue should not be reduced to a China issue, and the US-China relationship should not be reduced to the cybersecurity issue. Various governments and other groups pose security challenges online. Meanwhile China and the United States have far too much to discuss. Another bilateral working group was set up on climate change – an area of great potential for positive cooperation. The two countries have a widely acknowledged common interest in stability on the Korean Peninsula. They have a very strong common interest in global economic recovery and broad potential for mutually beneficial mutual investment. And regular old non-cyber security relations are critical for the future of each country and the Asia-Pacific region.

US policy and the government’s dialogues with their Chinese counterparts can make real progress on cybersecurity, but increasing US security will require better protections in the defence, public, and private sectors; judicious use of US commercial policy; and a consciousness of how US actions resonate around the world. These don’t have to wait for the careful and valuable discussion that continues this summer between the two governments.

Graham Webster is a Beijing- and New Haven-based US-China relations fellow at the Yale Law School China Center. He blogs at Transpacifica.net.

Follow him on Twitter: @gwbstr