
When President Trump and President Xi Jinping meet for the first time next month, exploring avenues for further constructive cyberspace cooperation between China and the United States should be amongst the issues they discuss

Assessing China’s Proposal for International Cooperation on Cyberspace


By Joseph A. Klein, CFP United Nations Columnist, March 16, 2017


The arcane issue of cybersecurity has received front page media attention of late. Most recently, WikiLeaks published documents which purport to show, according to WikiLeaks, “the scope and direction of the CIA's global covert hacking program.” The program is comprised of a “malware arsenal and dozens of ‘zero day’ weaponized exploits against a wide range of U.S. and European company products…which are turned into covert microphones.” Smart TVs, iPhones, Windows PCs, and Internet routers, including routers supplied by Chinese vendors, were apparently targets of the CIA’s product weaponization program. Even more shocking is news from WikiLeaks that the CIA itself has been hacked. WikiLeaks reported that “the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized ‘zero day’ exploits, malware remote control systems and associated documentation.”
Perhaps in part to counter U.S. accusations in the past that individuals and entities in China have hacked U.S. corporate and government computer facilities, China reacted swiftly to the WikiLeaks report. Chinese Foreign Ministry spokesman Geng Shuang said, "We urge the U.S. side to stop listening in, monitoring, stealing secrets and internet hacking against China and other countries." Mr. Geng added that China would protect its own networks, and was willing to work with others toward what he called "orderly cyberspace."

As it turns out, the Ministry of Foreign Affairs and the Cyberspace Administration of China have recently released a document entitled, “International Strategy of Cooperation on Cyberspace.” While China’s international strategy document looks towards the ultimate goal of “a rule-based global governance system in cyberspace,” it is not styled as a legalist code of conduct. Nor does it call for a legally binding multilateral treaty or convention. Rather, it articulates a core set of principles to reflect countries’ “intertwined interests” in “the interconnected cyberspace.” Cyberspace should not be “a place beyond the rule of law,” the document states.

UN Secretary General spokesman Stephane Dujarric described the Chinese international strategy document on cyberspace cooperation as "a very important report," adding that "China has a big role to play" in connection with global cyberspace governance. Responding to a question at his daily news briefing at UN headquarters in New York, Mr. Dujarric said "it is obviously a very important report and I know a lot of effort has gone into it."

In its document, China seeks to outline an approach in which national sovereignty and international cooperation can co-exist with respect to cyberspace. The “International Strategy of Cooperation on Cyberspace” advocates the principles of peace, sovereignty, shared governance and shared benefits in international exchange and cooperation in cyberspace.
With respect to militarization of cyberspace, the document states: “The tendency of militarization and deterrence buildup in cyberspace is not conducive to international security and strategic mutual trust.”

China makes a point in declaring that “no country should pursue cyber hegemony”

China makes a point in declaring that “no country should pursue cyber hegemony” in its international strategy document, likely having the United States in mind while not saying so explicitly. While discussing the importance of developing its own information and communications technology industries, China also calls for the international community “to work together…so that the Internet will be a place of open resources and shared responsibilities governed through cooperation.” China proposes that countries work together, for example, to harness innovation in helping achieve the Sustainable Development Goals agreed upon by the UN’s member states in 2015, and “ensure that people across the world can share the benefits of Internet development.”

China advocates “multi-party participation” in moving towards any sort of international platform for cyberspace cooperative governance. Such parties would be headed by countries' respective governments, particularly with regards to security and other public policies, but include the participation of “international organizations, Internet companies, technology communities, non-governmental institutions and individual citizens.” China sees “a leading role” for the United Nations “in coordinating positions of various parties and building international consensus.”

Unfortunately, however, despite its attempts for decades to facilitate agreement among the member states on a global framework for shared multilateral governance of cyberspace, including cybersecurity, the UN’s record to date does not bode well. The United Nations First Committee on Disarmament and International Security has included the issue of information security in its discussions since 1998.
Starting in 2004, the UN has also convened successive groups of governmental experts to “examine the existing and potential threats from the cyber-sphere and possible cooperative measures to address them.” The UN has also considered international codes of conduct proposed by various member states, including Russia and China, for the purpose of developing international norms to govern use of cyberspace and prevent potential threats. Nothing tangible has been achieved by the UN to date, however.


UN convention containing rules and norms to regulate cyberwarfare

During his last press conference as UN Secretary General, Ban Ki-moon still expressed hope that something at the international level could be done, but offered no specifics. Responding to my question regarding what concrete steps he would recommend that the United Nations take to galvanize member states' support for an effective UN convention containing rules and norms to regulate cyberwarfare, he said, “I sincerely hope that the United Nations' concerned department and agencies will look into this matter very seriously and try to have international conventions, so that we can prevent such kind of misuse of privilege of technologies, cyber technologies.”

A legally binding international convention or treaty to prevent misuse of cyber technologies is highly unlikely to happen. Among other things, ideological differences over the degree of governmental regulation of the Internet in the name of “security,” including the circumstances in which imposing restrictions on access and content can ever be justified, have prevented international consensus. That gap is not something one can simply paper over with diplomatic jargon. Member states will also be loath to share their most sensitive technologies and information, or submit to intrusive monitoring.

Moreover, cyber disarmament is no more realistic in today’s world than nuclear disarmament. Given the fact that cyber weapons are computer programs that can be readily misappropriated and copied, even a nuclear weapons style non-proliferation treaty would have little practical chance of success in the cyberspace sphere. The fact is that no country will give up its inherent sovereign right to defend itself with its most advanced resources, including the use of covert cyber resources, to collect intelligence and to deter or defeat any adversary that seeks to harm its vital national interests.
In the United States, for example, the Presidential Policy Directive (PPD) of October 20, 2012 outlined the nation’s “Cyber Operations Policy.” The PPD stated that the U.S. “reserves the right, consistent with applicable law, to protect itself from malicious cyber activity that threatens U.S. national interests,” including the use of what the Directive referred to as “Offensive Cyber Effects Operations.” The Pentagon has issued documents of its own concerning cyberwarfare strategies.

While the Trump administration’s executive order on cybersecurity is still in draft form, it reportedly will highlight actions to improve the government’s own risk assessment and remediation of the cybersecurity of its networks, an even more urgent task in light of the reported hacking of the CIA’s facilities. It is also expected to focus more attention on enhancing the cybersecurity efforts of critical infrastructure owners and operators deemed to be at greatest risk of attacks and potentially affecting public health or safety, economic security, and national security.

For its part, while China’s International Strategy of Cooperation on Cyberspace would discourage militarization of cyberspace, it reserves the right for China to “expedite the development of a cyber force and enhance capabilities … to prevent major cyber crisis, safeguard cyberspace security and maintain national security and social stability.”

China is addressing cybersecurity within its borders with a new Cyber Security Law, which is scheduled to take effect in June of this year. Not surprisingly, China has taken a more centralized, government-centric approach to cybersecurity within its own borders than the United States to date, although there are significant parallels in the areas of protection of personal information and critical infrastructure. China’s new law reflects the long-standing importance that China has attached to the protection of its own national security in cyberspace as a sovereign right. Its new law is designed to enhance protection of China’s vital information infrastructure facilities and key network equipment from cyberattacks and hacking originating both from within and from outside the country. The law requires network operators to adopt stringent “measures to safeguard network security and operational stability, effectively responding to network security incidents, preventing cybercrimes, and unlawful activity, and preserving the integrity, secrecy and usability of online data.” Of special concern is the security of “public communication and information services, power, traffic, water, finance, public service, electronic governance and other critical information infrastructure that if destroyed, losing function or leaking data might seriously endanger national security, national welfare and the people's livelihood, or the public interest.”

The WikiLeaks disclosures are likely to make even more difficult any significant cooperation between China and the U.S. on highly sensitive military and national security matters. However, targeting areas that can benefit from international cooperation does not have to mean sacrificing national sovereignty over cybersecurity. In this connection, the United States and China reached a cybercrime and cyberespionage agreement in 2015, involving the exchange of information between law enforcement investigators and avoidance of government action that would knowingly facilitate the cyber-enabled theft of intellectual property. Chinese hacking thefts of American corporate intellectual property secrets have reportedly dropped off considerably since.

Protecting financial systems, commercial ports, and civilian nuclear energy systems from third-party threats

The agreement has served as a first step towards establishing a mechanism for valuable information exchange and discussing cybercrime issues of mutual interest, which in turn has led to the introduction of a Sino-U.S. cyber hotline. It may also provide a stepping stone to exploring other mutually beneficial areas of cooperation. For example, cooperation can extend to further collaboration in preventing terrorists from using the Internet to spread propaganda or to plan, finance and coordinate terrorist attacks, within the constraints of conceptual differences in determining what constitutes extremist propaganda versus legitimate dissent. Moreover, a report prepared by a team at Columbia University’s School of International and Public Affairs found “three specific areas that are minimally contentious in terms of national security with the highest incentives for cooperation – namely, protecting financial systems, commercial ports, and civilian nuclear energy systems from third-party threats.”

When President Trump and President Xi Jinping meet for the first time next month, exploring avenues for further constructive cyberspace cooperation between China and the United States should be amongst the issues they discuss. Such direct negotiations between and among the major players in cyberspace would be more fruitful than relying principally upon the United Nations to achieve an elusive “global consensus.”


Joseph A. Klein is the author of Global Deception: The UN’s Stealth Assault on America’s Freedom.

