MENUMENU

Cybersecurity expert: U.S.–China cybercrime agreement ‘a major step forward’

Stylized Locks with Ones and Zeros

‘They made some significant progress in doing this.’

The agreement between the United States and China to take cybercrime more seriously and develop norms for cyberspace represents “a major step forward,” according to one of the world’s leading experts on cybersecurity.

“They made some significant progress in doing this,” James Lewis, a senior fellow at the Center for Strategic and International Studies, told the Daily Dot. “They really got more than I thought they were going to get.”

President Barack Obama announced Friday morning that the two countries were forming a working group to track their cooperation in responding to cybercrime; establishing a hotline to resolve disputes over sharing information related to those crimes; and creating a “senior experts group” to discuss potential cyber norms that they could jointly support.

“It’s not like we’re going to wake up Monday morning and the problem will be fixed.”

U.S. law-enforcement agencies, facing a growing tide of cyberattacks emanating from China, have repeatedly requested assistance from Chinese officials to investigate those crimes. But Beijing has continually stonewalled the U.S. government, ignoring most of its requests.

Lewis said that Friday’s agreement to more closely track those requests was a promising development, but he cautioned that the real test would be whether China became more responsive to the requests.

“In 2013, the FBI asked China for assistance 11 times,” Lewis said. “In nine of those cases, the Chinese did not respond. That’s a number we need to watch. How many requests are there? How many times do they actually respond?”

At a joint press conference with Obama on Friday, Chinese President Xi Jinping said that his government “will take seriously the U.S. provision of any information” alleging that Chinese citizens conducted malicious cyber behavior. China, Xi said, wanted to turn issues of cyberspace into “a growth source rather than a point of confrontation.”

Lewis warned that it would be “a challenge” for Xi to implement China’s part of the new cyber agreement, given that state-sponsored cyber aggression is a well-established part of China’s strategy for global influence.

“It’s not like we’re going to wake up Monday morning and the problem will be fixed,” he said. “It will take time, and if the U.S. tracks what progress they make and how [good] they are at implementing the agreement, this could really improve things over the long term.”

China’s new approach to cyber collaboration likely resulted in part from the threat of U.S. sanctions against its citizens and businesses. The Obama administration prepared those sanctions in response to the Office of Personnel Management data breach, an intrusion that exposed the personal information of more than 22 million people, mostly government workers, and that U.S. officials have privately tied to Chinese hackers.

The U.S. could still levy those sanctions, especially if it determined that China was not living up to its end of this new agreement.

“What I was told is that sanctions are still on the table,” Lewis said, “and a lot depends on how well the Chinese live up to their agreement here.”

The Obama administration has already fired one legal salvo at China over computer hacking. In May 2014, the Justice Department indicted five Chinese military hackers for stealing or conspiring to steal trade secrets from American power companies.

“For too long, the Chinese government has blatantly sought to use cyber espionage to obtain economic advantage for its state-owned industries,” FBI Director James Comey said at the time. “With our unique criminal and national security authorities, we will continue to use all legal tools at our disposal to counter cyber espionage from all sources.”

One part of the new agreement calls for U.S. and Chinese officials to study the United Nations Group of Governmental Experts’ 2015 report on cyber norms, raising the possibility that the two countries will build on that report’s basic framework for conduct in cyberspace. Lewis, who helped write the report as the lead U.S. representative at the talks, praised both countries for putting the contentious question of norms on the table.

“What I was told is that sanctions are still on the table, and a lot depends on how well the Chinese live up to their agreement here.”

Moving onto stickier cyber issues is “going to be hard,” he said, “because the Chinese will maybe not be so willing to expand what they’ve given. But those things will be on the table for discussion, and I know that they’re looking forward to a continued dialog.”

China has been reticent to appear to bow to U.S. demands during its regional rise. Even as he met with U.S. officials and business leaders during this week’s state visit, President Xi continued to assert his country’s right to protect itself in cyberspace and regulate domestic Internet activity. But pressure from the Americans, particularly in the wake of the OPM hack, appears to have reached the point where Beijing felt it had to concede something.

Lewis credited the 2014 indictments and the threat of sanctions with convincing the Chinese leadership to accept a modest cyber accord. “They’ve decided,” he said, “that the U.S. isn’t going to put up with things anymore.”

Illustration by Max Fleishman | Remix by Jason Reed 

Eric Geller

Eric Geller

Eric Geller is a politics reporter who focuses on cybersecurity, surveillance, encryption, and privacy. A former staff writer at the Daily Dot, Geller joined Politico in June 2016, where he's focused on policymaking at the White House, the Justice Department, the State Department, and the Commerce Department.