China Might Negotiate Cybersecurity

March 14, 2013 Topic: Cyber SecurityCyberwar Region: China

China Might Negotiate Cybersecurity

The West shouldn't have completely ignored a Sino-Russian bid to set international rules for cybersecurity.

Instead of responding to its offer to limit cyberattacks, the Obama Administration has chosen to berate China.

The BBC reports that in a recent television interview, President Obama “upbraids” China, telling George Stephanopoulos that the United States will have “some pretty tough talk” with the Chinese over their failure to abide by international norms in cyberspace. Washington has strong reasons to protest China’s widespread industrial espionage and penetration of our civilian and military networks, including even those that govern U.S. infrastructure.

But calling on China—in March 2013—to help formulate and enforce new rules of international conduct in cyberspace, without even acknowledging that China provided a detailed and surprisingly reasonable proposal for exactly that in 2011, is astonishing. It seems that the White House and the peripatetic new secretary of state—who seems out to collect even more frequent-flier miles than Secretary Clinton—are left without time to work out a China policy and did not even do their homework. Or the White House is playing to the home galleries rather than paying mind to China’s sensibilities and, in this case, ignoring the valid contributions China has made to the much-needed international dialogue on cybersecurity.

This week the Obama Administration heated up its rhetoric against China over the issue of cyberattacks, stating that American corporations are increasingly voicing, “serious concerns about sophisticated, targeted theft of confidential business information and proprietary technologies through cyber intrusions emanating from China on an unprecedented scale.” National Security Advisor Tom Donilon called for military-to-military dialogue and stronger economic ties with China, but noted that both were undermined by mistrust in the realm of cybersecurity. He called on China to recognize “the urgency and scope of this problem and the risk it poses”; take “steps to investigate and put a stop to these activities”; and “engage with us in a constructive direct dialogue to establish acceptable norms of behavior in cyberspace.”

Donilon made no mention of the “International Code of Conduct for Information Security,” a draft resolution introduced by China, Russia, Tajikistan and Uzbekistan to the UN General Assembly in September 2011. The following excerpts illustrate that if one did not know which nations submitted this proposal, one could easily assume that 95 percent of the draft code was composed by Western nations led by the United States. The preamble “[recognizes] the need to prevent the potential use of information and communication technologies (ICTs) for purposes that are inconsistent with the objectives of maintaining international stability and security, and may adversely affect the integrity of the infrastructure within States, to the detriment of their security.” It suggests the following code.

Each State voluntarily subscribing to this Code pledges:

To comply with the UN Charter and universally recognized norms governing international relations, which enshrine, inter alia, respect for the sovereignty, territorial integrity and political independence of all states, respect for human rights and fundamental freedoms, as well as respect for diversity of history, culture and social systems of all countries.” [emphasis added]

Not to use ICTs including networks to carry out hostile activities or acts of aggression and pose threats to international peace and security […]

To cooperate in combating criminal and terrorist activities which use ICTs including networks, and curbing dissemination of information which incites terrorism, secessionism, extremism or undermines other countries' political, economic and social stability, as well as their spiritual and cultural environment […]

To fully respect the rights and freedom in information space, including rights and freedom of searching for, acquiring and disseminating information on the premise of complying with relevant national laws and regulations […]

To settle any dispute resulting from the application of this Code through peaceful means and refrain from the threat or use of force.

(You can read the full text here.)

The proposal was largely dismissed by Washington and its Western allies as an attempt by authoritarian governments to legitimize restricting the flow of information online in order to stamp out dissent and bolster their regimes. Jason Healy of the Atlantic Council wrote that “[t]he overall sense from the US government seems to be that this covers old ground in an attempt to score points and regain the initiative for a more repressive Internet.” Michael Posner, assistant secretary at the U.S. State Department’s Bureau of Democracy, Human Rights and Labor, stated that the Code “would shift cyberspace away from being a multi-stakeholder, people-driven model – to a system dominated by centralized government control. Not a good idea. An online world where more and more countries begin policing content for ideological correctness…would extinguish the promise of technology to drive global understanding and the free exchange of information, ideas, and innovation.”

These and other such comments ignore that this was only a draft resolution and should be treated as an opening gambit in negotiations leading up to an Internet code of conduct, which could be added to rules of the global liberal order promoted by the United States. True, the line about protecting “social stability” and “spiritual and cultural environments” might be seen as justifying censorship, but this language could be challenged and amended.

Critics may argue that such rules are useless because they cannot be enforced. However, exactly the same objections were raised when some (myself included) called for agreements with USSR on limiting the number and kinds of nuclear arms. Both nations formulated such rules and found very effective ways to verify that they are closely heeded. There is no a priori reason to hold that this kind of regime could not be achieved in the cyberspace, and surely not before even trying.

Indeed until very recently we were warned about the attribution problem—that in cyberspace you are very often unable to determine where an attack originated from, and hence cannot punish or deter attackers. Well, just a few weeks ago, Mandiant, a small, private company retained by the New York Times, was able to determine not only which country and city attacks on American networks came from—but from which building. Moreover, the names and photos of three of the hackers were published in the company’s detailed report, “Advanced Persistent Threat 1: Exposing One of China’s Cyber Espionage Units.”

There are many reasons for the United States to be concerned about Chinese cyber attacks. But if the administration is serious about trying to find new international rules that could limit such attacks by mutual agreement, the situation calls for less berating and more diplomacy. Fortunately, in this case, we have a very sound draft to work with if we are to start cyber-peace negotiations.

Amitai Etzioni served as a senior advisor to the Carter White House; taught at Columbia University, Harvard and The University of California at Berkeley; and is a university professor and professor of international relations at The George Washington University. His latest book is Hot Spots: American Foreign Policy in a Post-Human-Rights World.

Image: Flickr/Accretion Disk/Luke Jones. CC BY 2.0.