Last week’s understanding reached between Chinese President Xi Jinping and US President Barack Obama highlighted the attempt to mitigate the growing tension between the countries over espionage. In response, a series of commentaries applauded the agreement for its deterrent effect, and view it as a sign of détente or simply a good first step. This agreement, coupled with Xi’s meeting with top US CEOs, has been interpreted as growing collaboration in both the public and private domains. In contrast, as yesterday’s Senate hearing exemplified, many in and out of the national security view it as a hollow agreement that will not alter Chinese behavior in the cyber domain. Below are three key areas that, when analyzed, illustrate the need to maintain a healthy dose of skepticism when it comes to Sino-American relations in the cyber domain.
An Inflated Threat
Many contend that the Chinese threat to US interests in the cyber domain is inflated because there has yet to be physical destruction as a result of malicious digital activity, or because China has yet to convert the stolen information to their advantage. These arguments often rely on the nebulous term cyber war, which is the wrong gauge of the threat to US national interests. The absence of war does not imply peace. In contrast, conflict in the cyber domain is very similar (although dramatically different by the three Vs: velocity, volume, and variety) to economic conflict of the mercantilist era, where economic warfare was an extension of politics and part of the escalatory path to military conflict. For instance, it’s quite unlikely that Lockheed Martin or Dupont (among numerous private and public organizations) would agree that the Chinese threat is inflated. Similarly, while there has not been physical destruction, intrusions into critical infrastructure already exist and could lead to sabotage during times of heightened tensions. Similarly, the aggregation of health records, background checks, and travel records, to name a few, together provide a vast network view of US citizens that can be used for recruitment, blackmail, and exploitation of vulnerabilities. Just because the full extent of the possible has not occurred, it does not imply that the preparation of the operating environment is not well underway.
The Tech Community Embraces China
From Cloudflare’s venture with Baidu to Microsoft’s partnerships with politically connected Chinese companies to Google’s latest partnership with Huawei to make the Nexus 6P, one might believe the tech community is openly embracing the world’s largest market. However, the growing concerns of US companies over IP theft and increased restrictions on doing business in China, have led to relations that are increasingly deteriorating. Last week’s forum in Seattle organized by Xi to bring together Chinese tech CEOs with their US counterparts illustrates these growing tensions as well as challenges with doing business in China. For instance, there were notable absentees on the invite list, which is apparent in the forum’s class picture, which lacks Google, Twitter and Uber CEOs. Moreover, this forum normally does not require CEO level attendance, but China threatened regulatory scrutiny that would negatively impact the organizations if the invited companies did not send CEO level representatives, rendering this a mandatory forum if the companies did not want to potentially encounter retaliation. Furthermore, this summer’s announcement that China will be inserting cybersecurity police into tech companies is indicative of their ongoing push for greater control of the internet, which runs counter to the internet freedoms and global norms promoted by the US government and tech companies alike. The tech community increasingly is coming to grips with the tradeoff of access to the largest market with the acknowledgement that the Chinese government could exploit their technologies as part of its ongoing censorship campaign. In addition, China’s crackdown on VPN access, and use of US partnerships to build domestic competitors is evidence of the Chinese strategy to replace all foreign technologies with domestic counterparts by 2020. This is hardly the warm embrace corporations seek.
Deterrence & Credible Commitments
The notion that last week’s agreement could be a deterrent fails to comprehend that deterrence depends on credible commitments, which are strongly lacking in the Sino-American relationship. Xi’s stance that China does not steal IP or PII from the US, despite the ever-growing list of intrusions, sparks little confidence when it comes to his ability to commit to the agreement. Those in the national security community as well as tech community have a hard time taking him at his word. This skepticism is expounded when noting that the agreement was negotiated while under the threat of sanctions. Leaders are self-interested actors, and Xi was able to shape the agreement to stall (temporarily?) sanctions while enabling him to maintain his stance that China does not conduct cyber espionage. Finally, the agreement not only lacks any compliance mechanism, but it also fails to address the theft of PII and is nebulous in so many areas that the Chinese government can easily continue to lean on proxy actors in and outside of government to feign ignorance regarding any upcoming identification of an intrusion. Clearly, this is not what is meant when discussing deterrence, as there has been little to no impact on the decision calculus of the Chinese, which is at the core of successful deterrence.
Discussion of détente is as ridiculous as comparing Chinese open economic policies to Glasnost, or their anti-corruption campaign to Perestroika. Obviously, it’s important diplomatically to seek to prevent the growing intrusions, but it’s naïve to believe this might be the first step at achieving a deterrent effect. As yesterday’s Senate Armed Services Committee hearing demonstrated, there is little faith in the agreement, and therefore it likely will soon be forgotten as soon as the next major breach is revealed. In that regard, the aspect of the past week that may have the longest media cycle is not so much the idea of a plausible détente, but rather the attire of Silicon Valley’s CEOs, who stunned the Twitter-sphere by proving they do in fact own suits.