Cybersecurity is a nascent but growing factor in Sino-U.S. deterrence and security dialogues and brings new challenges for how best to deter, counter, and respond to an attack. In the twelfth installment of the Arms Control Seminar Series, Christopher Painter, coordinator for cyber issues within the U.S. Department of State, Dong Qingling, lecturer at the University of International Business and Economics (UIBE), Tan Youzhi, head of the department of foreign affairs at UIBE, Huang Rihan, associate research fellow at the Beijing University of International Relations, and Ren Jingjing, senior researcher at the Chinese Academy of Social Sciences, explored Sino-U.S. challenges and cooperation on cybersecurity. Carnegie’s Lora Saalman moderated.
Changing Cyber Identity
Cybersecurity issues have migrated from individual hackers to transnational groups, argued one U.S. expert. He noted that in the past criminals wanted to advertise their exploits, while now they tend to try to remain hidden.
- Frequency: While acknowledging the unlikelihood of a cyber war, one U.S. expert noted that cyber attacks represent a daily and pressing concern at all levels, from personal to institutional to national.
- Propaganda: One of the Chinese participants asked how propaganda fits into the rubric of cybersecurity, while another lamented the use of the web to spur upheaval. A U.S. participant responded that the Internet serves an important function as a marketplace of ideas, allowing for greater self-expression that facilitates discussion and exchange.
- Terrorism: Terrorists have begun to see computer networks as a means to target critical infrastructure as well as a tool for recruitment, said one U.S. expert. A Chinese participant agreed, arguing that China, the United States, and all countries share common areas of weakness, particularly in transportation, water, and electricity infrastructure.
- Scale: One of the Chinese experts asked whether hackers had the resources to engage in large-scale attacks. Hackers are frequently a lone individual that organically gathers others into a larger group, in contrast to a military or government initiative that would be likely to have a clear goal from the start.
- Third Parties: A Chinese scholar expressed the concern that a third party could provoke crisis or conflict between two countries if their activities are misconstrued as emanating from a government. He advocated strengthening the technology for determining attribution and the legal framework for prosecuting cyber crimes.
Responding to Cyber Attack
One of the primary difficulties encountered in the realm of cybersecurity is attribution, noted a U.S. participant. This is compounded by the fact that cyber attacks are by nature asymmetrical, as an unaffiliated individual can launch an attack that would have far-reaching effects.
- Protocols: A Chinese expert emphasized that cybersecurity is a national and international concern that demands greater coordination and integration. A U.S. expert suggested the U.S. national cybersecurity initiative and protocol is a means of coordinating among national and international law enforcement in response to threats.
- Working Groups: The internet has provided the basis for communication, social growth, and innovation, but cyber attacks threaten the very openness of the system, argued a U.S. participant. As a result, fifteen countries within the United Nations have established a working group to address cybersecurity issues, and more than a dozen countries have published Internet security protocols over the past year, he added.
- Policy Integration: One of the Chinese experts argued that technology and policy lack integration, resulting in ineffective cybersecurity measures. Citing concerns over the U.S. release of the International Strategy for Cyberspace and Strategy for Operating in Cyberspace in 2011, he questioned whether or not principles of deterrence could be applied to cyberspace. He added that the U.S. policy of using a military attack to retaliate against a perceived cyber attack is fundamentally flawed and dangerous.
- Scenario Building: A Chinese expert suggested the need for a national and international systematic discussion of risks and scenarios to better coordinate responses to attempts by hackers of both terrorist and non-terrorist origin to interrupt the flow of information.
- Transparency: One U.S. expert noted that transparency is inherently part of the fabric of interaction on cybersecurity. He cited the exchange of points of contact, conduct of tabletop exercises, as well as sharing of doctrines and strategies as part of this framework.
- Common Norms: Commonly recognized norms and a long-term stable environment in which every country has a stake are crucial components of cybersecurity, said one U.S. participant. A Chinese scholar added that Track-II engagement would assist in building these norms from the base upward.
- Mutual Trust: Citing different values, ideologies, and languages, Chinese experts posited that the lack of mutual trust between China and the United States is a major stumbling block for coordinating cybersecurity efforts. One expert detailed the dispute over Google and its level of openness in China as an example. He argued that if overall Sino-U.S. relations improve, then cybersecurity relations would improve.
Ongoing Cyber Challenges
- Asymmetry: Several Chinese experts emphasized the level of asymmetry between China and the United States when it comes to cyberspace, noting greater U.S. reliance and concerns over a “Cyber Pearl Harbor.” However, they also maintained that the number of Chinese Internet users has come to far exceed that of the United States, making China also vulnerable to cyber attacks.
- Criticism: Several Chinese experts noted that the United States relies on criticism rather than persuasion when it comes to engagement on cybersecurity, diminishing the chances for meaningful collaboration. One suggested that China and the United States instead engage at the technological level to integrate best practices and establish cooperative cybersecurity centers, similar to the centers of excellence on nuclear security.
- Legal Means: One of the Chinese scholars noted that until technological means and defensive measures are mature enough to determine the origin of cyber attacks and to defend against them, legal means remain the best way to deter and confront cyber attacks. Several Chinese experts advocated creating legal tools to regulate cyberspace, defining such terms as cyber attack and cyber war, exploring existing or new UN conventions, and developing a framework for a Sino-U.S. cybersecurity treaty.
Discussants: Zhai Dequan, Li Hengyang, Qiu Zhenwei, Ceng Xianglai, William Flens, Monika Chansoria, Li Deshun, Kasandra Behrndt-Eriksen, Long Tao, Liang Zhenwu, Xiong Wei