Policy paper based on proposal

Strengthening the United States Cybersecurity Relationship with China

Policy Paper Project

Jane Doe

GOVT 2305-2XXX

Dr. J. Mark Skorick

Spring 2018

Word Count (1636)

The United States and China are intense competitors for global dominance. The U.S. and China are the two largest economies in the world and the two nations are in constant economic competition. The two nations also compete politically and ideologically, with China being a communist state with harsh restrictions on freedom of speech and the U.S. being a representative democracy with strict protections for freedom of speech. As China seeks to surpass the United States in economic dominance, they have also become strong competitors in cyberspace (Maker 16). Nations and people around the globe have become increasingly interconnected via cyberspace. This has led to cybersecurity becoming fundamentally necessary for nations to address. Although the United States and China have already implemented an agreement, the U.S. should work to implement a more robust cybersecurity agreement with China.

In the United States, it is estimated that losses due to cyber espionage are approximately $338 billion dollars and that between 2015 and 2017 Chinese cyber attacks targeted numerous industries including Infrastructure, Energy, Healthcare, and Technology (Iasiello 57). United States federal organizations have investigated numerous incidents of Chinese attacks on American corporations (Maker 16). In 2014, a United States grand jury even indicted five members of the Chinese military’s People’s Liberation Army (PLA) for hacking major U.S. companies (Lindsay 8). Despite these documented incidents, the U.S. has been hesitant to publicly attribute cyber attacks to China (Maker 16-17). Even after it was discovered in April 2015 that Chinese hackers had infiltrated the systems of the United States Office of Personnel Management and gained access to the information of more than 22 million government employees, then President Barack Obama, the White House, and the United States government would not formally acknowledge China’s involvement in the cyber attacks (Maker 17-18).

In September 2015 just a few months after the discovery of the breech at the Office of Personnel Management, U.S. President Obama and Chinese President Xi Jinping entered the two nations into a cyber agreement. This agreement stated that “neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors” (Iasiello 69). Essentially the brief agreement was stating that the two governments would not hack corporations or the commercial sector of the opposing government for economic gain and they would corporate with respective investigations by the other government into any hacking that was discovered.

One major flaw of the US-China Cyber Agreement is that it only addresses hacking in the commercial sector for economic advantage. It also fails to specifically address hacking for governmental purposes (Maker 19). This is especially troubling for two reasons. First, China had already conducted a breech in the government sector when its’ hackers attacked the Office of Personnel Management. This agreement does nothing to address that cyber attack. Second, the lines between the commercial and government sectors are blurred in both China and the United States. The Chinese government owns 12 of the largest companies in China (Steinberg). In the United States, 80% of the nations critical national infrastructure (CNI) is owned or operated by commercial industry (Stoddart 811). In addition, the United States awards contracts for defense, supplies, information technology, etc. to commercial sector corporations. It can be inferred that this agreement, would protect not only China and America’s commercial sector but also a portion of their government sectors. However, if either country were hacking a commercial sector business, they could easily state they were not hacking it for economic advantage but instead for governmental purposes, which are not covered in the agreement (Steinberg).

Other flaws in the US-China Cyber Agreement are that the agreement does not define terms or standards, there are no clear methods for enforceability of the agreement, and there are no measurements to confirm each nation is adhering to the agreement (Steinberg). This leaves a wide opportunity for “misinterpretation, misunderstanding, and abuse” of the agreement (Steinberg). Overall the US-China Cyber Agreement simply does not do enough to curtail China’s continued cyber attacks on American commercial and government interests. As noted by Chris Porter, an intelligence strategist for FireEye, “the total threat from China didn’t decrease [after the agreement], it just changed shape” (Greenberg). China has continued to push the limits of the agreement by not only hacking American government and commercial entities but also by pursuing numerous spying initiatives (Greenberg). With China continuing to pose a cyber threat, the United States needs to reexamine and strengthen the existing policy regarding Chinese cyber attacks.

In any policy regarding China in cyberspace, the United States’ first course of action must be to strengthen its’ own cyber defenses. Strengthening of the nations cyber defenses needs to include working with key technical experts and lawmakers to establish best practices, standards, and protocols to deal with cyber threats (Maker 3). Technical experts can provide assistance in the upgrading of systems, the use of new tools or applications in cyber defenses, and threat assessment (Maker 3). Strengthening America’s cyber defenses and establishing strong cybersecurity practices at home allows America to have a strong foundation for establishing cybersecurity foreign policies (Iasiello 68).

In addition to establishing strong cyber defenses in America for dealing with the cyber threats from China, there are two possible ways in which the United States can address the issue further. First, the United States could take a militaristic approach to cyber attacks. In a NATO meeting held in Warsaw, Poland in July of 2016, NATO allies agreed that cyberspace was the fifth domain of warfare (Stoddart 827), adding to the already established domains of land, sea, air, and space (Maker 6). In the Second Edition of the United Kingdom’s Ministry of Defense’s “Cyber Primer”, it is argued that any cyber operation that results in an equivalent effect as a physical operation would meet appropriate qualifications for reactionary armed conflict under the international Law of Armed Conflict (LOAC) (Stoddart 831). With this interpretation the United States could take military actions to stop, to prevent, or to retaliate against cyber attacks made by China or any other government.

Although military action or the threat of military action in response to cyber attacks may solve the issue, there are considerable drawbacks. First, the response time to a cyber attack is delayed due to the complexity of investigating the cause and origin of the attack. Second, once a cause and origin are identified it is difficult to determine the motivation of the attacker. Third, attacks conducted by nonstate organizations like terrorist organizations from inside the country of origin are problematic when it comes to where to aim the military response (Stoddart 831-832). The U.S. aiming an attack at a nonstate organization within a country, could potentially cause a response from the state itself. Finally, the biggest problem with a militaristic approach to cyber attacks is the military action itself. War is always expensive, in both money and lives, so approaching every cyber attack with a military response could be extremely costly.

The second way the United States can address cyber threats from China after establishing strong internal cyber defenses is to enter into a more robust cybersecurity agreement with China. This agreement would fix the shortcomings of the current agreement. The agreement would not only limit cyber attacks on the commercial sector but also on the government sector. The agreement would clearly define what attacks would be viewed as cyber espionage into government entities, cyber espionage into commercial entities, and what attacks would be viewed as an attempt to take down critical national systems of both countries like power grids, military installations, or government offices.

The agreement would also provide clear consequences for violation. Cyber espionage by either country on any level would result in economic sanctions (Maker 37). Both nations would agree that cyber attacks aimed at taken down critical national systems would be met not only with harsh sanctions in all areas but also possible military force, should the attack be deemed sufficient in scale. The idea being that of the “Cold War stability-instability paradox”, “mutual vulnerability to nuclear retaliation inhibits nuclear war” (Lindsay 46). In this instance mutual vulnerability to harsh sanctions and military force, inhibits the cyber attacks of either nation.

In addition to the first action of strengthening America’s cyber defenses at home, entering into a revised cybersecurity agreement with China is the best of the two options to deal with Chinese cyber attacks. The approach is best for ensuring non-physical confrontation, loss of life, and is the most cost effective. The revision of the agreement will take extensive time and would involve not only both nations governments but also key representatives from their commercial sectors. This will ensure that the agreement is drafted to meet the needs of all parties. While this agreement is being revised, the United States needs to invest money and resources into strengthening the nation’s cyber defenses. In addition, this new revised cyber agreement between the United States and China could serve as a basis for similar agreements between other nations.

The United States should not continue to tolerate Chinese aggression in cyberspace. Chinese state actors have already been indicted on cyber espionage against U.S. corporations and have attacked U.S. government entities like the Office of Personnel Management without being held accountable for their actions. China continues to make cyber attacks against the United States even after the two nations entered a cyber agreement. The ramifications of the United States failure to stop Chinese cyber attacks on U.S. entities and failure to punish China when they have been proven as the originator of a cyber attack, may lead to China taking bolder steps to attack more critical United States targets in the future. The United States must act now to protect the nation’s cyber landscape.

Works Cited

Greenberg, Andy. “China Tests the Limits of Its US Hacking Truce.” The New York Times, 31

Oct. 2017.

Iasiello, Emilio. "China's Three Warfares Strategy Mitigates Fallout from Cyber Espionage

Activities." Air & Space Power Journal: Afrique Et Francophonie, vol. 8, no. 4, 2017 4th Quarter, pp. 56-77. EBSCOhost, dcccd.idm.oclc.org/login?url=http://search.ebscohost.com.dcccd.idm.oclc.org/login.aspx?direct=true&db=a9h&AN=126727003&site=ehost-live.

Lindsay, Jon R. "The Impact of China on Cybersecurity." International Security, vol. 39, no. 3,

Winter 2014/2015, pp. 7-47. EBSCOhost, doi:10.1162/ISEC_a_00189.

Maker, Simran R. “New Frontier in Defense: Cyberspace and U.S. Foreign Policy – A National

Committee on American Foreign Policy Report.” The National Committee on American Foreign Policy, May 2017.

Steinberg, Joseph. “10 Issues with the China-US Cybersecurity Agreement.” Wired Magazine,

27 Sep. 2015.

Stoddart, Kristan. "Live Free or Die Hard: U.S.-UK Cybersecurity Policies." Political Science

Quarterly, vol. 131, no. 4, Winter 2016/2017, pp. 803-842. EBSCOhost, doi:10.1002/polq.12535.

5