Network Security

U.S.-China Cyber Agreement: Flawed, but a step in the right direction

Treaties and official agreements between nations designed to solve a particular problem are notoriously tricky to create and then police, but measuring their success is normally pretty simple. Either they work well, or not at all. What has come to be called the U.S.-China Cyber Agreement, however, has not fallen neatly into either category. The general consensus in government and private circles is that the number of cyberattacks emanating from China appears to have declined, though in fact those attacks are still taking place. “Clearly it has been a success. The Chinese hacking of U.S. entities has gone down,” said Rep. Ted Lieu (D-Calif.) with the caveat that “there are still cases of cyberespionage and hacking every day with some coming from China.” Lieu's overall assessment of the deal was agreed upon by others who cited recent testimony from federal law enforcement officials that despite the agreement Chinese hacking is still alive and well. “As Director of National Intelligence James Clapper mentioned in his testimony on January 5, China has not stopped conducting cyberespionage against the U.S. and our businesses,” Rep. Will Hurd (R-Texas) told SC Media. Shelley Westman, senior VP, alliances and field operations for the enterprise and cloud data security software Protegrity also pointed to Clapper's comments as an indicator that the agreement is not working out in America's favor. “As we learned from the recent U.S. Senate hearing, top intelligence officials say that China continues to run cyber-spying operations against American businesses, despite China's promises to halt those efforts,” she said. The fact that a yes or no answer cannot be given to the question of whether or not the agreement has solved the hacking problem, or even helped limit it, is telling. Historically, this has not been so and has not required Congressional testimony to point out whether a treaty or agreement has worked well. The Treaty of Versailles that officially ended World War One did not have a positive outcome helping create the underlying causes of the Second World War. However, the Strategic Arms Limitation Talks (SALT) Agreement signed on May 26, 1972 had a direct impact on the number of nuclear weapons kept by the former Soviet Union and the United States and was also the first step in a series of strategic arms treaties signed by the two superpowers. SALT, yes. Versailles no. U.S.-China agreement, sort of. According to the document that Obama and Jinping shook hands over, Hurd, Lieu and Westman should not be noticing any Chinese cyberincursions. The September 2015 agreement, which is just one small part of a much larger document covering a range of subjects, contains several provisions including:
  • Agreeing that timely responses should be provided to requests for information and assistance concerning malicious cyber activities.
  • Both sides are committed to making common effort to further identify and promote appropriate norms of state behavior in cyberspace within the international community.
  • The United States and China agree to establish a high-level joint dialogue mechanism on fighting cybercrime and related issues.
Perhaps most importantly the agreement states “the United States and China agree that timely responses should be provided to requests for information and assistance concerning malicious cyber activities.  Further, both sides agree to cooperate, in a manner consistent with their respective national laws and relevant international obligations, with requests to investigate cybercrimes, collect electronic evidence, and mitigate malicious cyber activity emanating from their territory.  Both sides also agree to provide updates on the status and results of those investigations to the other side, as appropriate.” There are signs that at least some lip services is being paid by forces within China itself to limit the number of attacks that country has launched against the U.S. and other nations. A report by FireEye in June 2016 said the number of attacks fell by about half between late-2015 and mid-2016, from 25 down to 13. FireEye credited Jinping for implementing sweeping reforms that helped muzzle Chinese military hacking, along with finally being publicly confronted by the U.S. for its cyber activities for this move. “We suspect that this shift in operations reflects the influence of ongoing military reforms, widespread exposure of Chinese cyber operations, and actions taken by the U.S. government, the report stated. There is another way to look at this change. Brad Bussie, director of product management at STEALTHbits Technologies, chimed in that the treaty simply pushed China to be more clever in crafting attacks against the U.S. “If anything, it forces the nations to be more creative,” he said. “Sure, the traffic coming from China directed at the United States has decreased, but traffic from other nations has dramatically increased. I think of this like outsourcing your cyberattacks.” Bussie noted that setting up proxies to obfuscate an attack's origin is not difficult and is akin to putting lipstick on a pig. “The main thing to remember here is that treaties like the one with China and the future treaty with Russia are basically panacea. On the surface, people will sleep a little better thinking that Russia won't take down our electrical grid. The reality is, nothing has changed. Attacks and the origin of the attacks have simply become harder to detect, which is what really should keep us up at night,” he said. The idea that the Chinese leadership decided upon its own, for whatever the motive, to enact some changes was picked up by Rep. Lieu. One of the reasons he believes China was willing to enter into the agreement with the U.S. was it did not realize the benefits it would receive. He said that during a visit to China last year [shortly after the agreement was signed] it became clear to him that China had not recognized the importance of protecting its own intellectual property rights. As shortly as 10 years ago China was not developing its own technology to the point where it had to worry about others stealing their ideas. However, when Jinping and other leaders came to the conclusion that China would also benefit from inking the agreement it made entering it that much easier. The fact that the agreement, and other extenuating circumstances, has at least somewhat curbed negative Chinese cyberactivity against the U.S. is something to build upon, but it also should not give America any sense of confidence that it is now safe. “This doesn't mean the hacks won't continue so we still have to work on building our cybersecurity,” Lieu said, adding that when either law enforcement or the intelligence community does find evidence of a cyberattack from China, or other nation, that sanctions be put in place as punishment. Rep. Hurd wholeheartedly agreed on the need for sanctions and pushed the thought even further calling for retaliatory measures being taken when needed. “There must be clear and concise consequences for cyberattacks undertaken against our government and our businesses,” Hurd said, “That being said, retaliatory efforts as a form of deterrence is important, but we MUST ensure the adequate defense of our networks, that means making sure that the top cyber professional in each agency, the CIO, is qualified, competent, and have the power to defend their agencies against cyberattacks.” Westman pointed out a very obvious problem with this, or any, agreement. Mainly that by their very nature people willing to break the law are not the most trustworthy and are rarely constrained by governments. “As we know, the bad guys don't follow the rules. Even if treaties are followed perfectly by the governments that sign them, there will always be rogue actors within those countries who ignore the treaty or feel it doesn't apply to them,” she said, adding that the best the treaty can be considered is a good first step. As Westman said the September 2015 agreement was a good first step for the United States and China, but that does not mean similar deals or more formal treaties on cybersecurity would work with other problem nations. Say Russia. Lieu stated he would support a cyber agreement with any country that supports the rule of law, he did not think it would work with Russia. “Russia is a very different place than China. It has a smaller economy and less IP and so less of a reason to abide by any such agreement,” he said. He noted that the apparent success Russia just had in infiltrating the Democratic National Committee and its Republican counterpart give it more, not less, reason to continue its hacking activities against the United States. Russia will take the lessons learned and do this again and again. We have to be extremely vigilant,” Lieu said

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.