Measuring Cybersecurity Success at the Summit

If press reports are accurate, it is a welcome development that the United States and China (in response to the threat of sanctions) have begun negotiations on cyber security in preparation for the upcoming summit. The Obama administration has a unique moment of leverage on cyber security with China and must be careful not to squander it. We cannot expect the summit to “fix” the problem – this will be a long process if it is serious – but we can look for certain outcomes that can demonstrate whether these presidential talks point to progress or are just another gesture.

— If the only thing to emerge is an endorsement of the 2015 UN Group of Government Experts Report, hold your applause. The United States and China agreed to this report in June and presidential endorsement does not greatly improve the situation. The norms in the report, while useful, do not deal with the principle source of tension with China – espionage and theft of intellectual property – and the UN Report includes annoying language proposed by Russia and aimed at the United States that any accusation of hacking must be “substantiated.”

— An agreement not to attack critical infrastructure in peacetime is of symbolic value only. Neither China nor the United States intends to attack the other’s critical infrastructure in peacetime. This language is already in the June UN Report.

— A Summit endorsement of a ‘Code of Conduct” for cyberspace would be a major U.S. concession to the Chinese that the United States should not give without some significant and verifiable benefit in return. The code was drafted by Russia and China and its principle aim is to diminish the application of human rights and free access to information. If a reference to the Code of Conduct appears, the United States could try to argue that it meant some other code, but this nuance will be lost on most of the world which will perceive that the initiative in cyber security is shifting to Russia and China.

—If there is no reference to cyber espionage and no process to work on it, any summit agreement has not addressed the most important source of tension between the two countries. The Chinese will likely not want any reference to espionage in any document – no country would – but language that talks about the need to continue discussions to address other significant issues between the two counties and which identifies a process to do so would indicate success.

— If the summit agrees to simply restart the bilateral cyber security working group, it will indicate a lack of seriousness on China’s part. The working group was seen by China as a concession to the United States intended to channel American discontent into harmless exchanges. It was not senior enough to reach agreement and not connected to any larger negotiation that could have produced agreement. A working group is useful only if it is subsidiary to political-level talks.

— The Summit would be successful if it was able to define and initiate a political level negotiation (e.g. at the sub-cabinet level), like the arms control negation with the Soviets in the 1970s and 1980s. These talks should be open ended. A corollary would be to create regular military-to-military talks on cyber security between the Peoples Liberation Army and senior U.S. military officials. The Chinese have resisted such talks even though it is the PLA that is largely responsible for hacking. The Foreign Ministry has not been a serious interlocutor on cyber security. Given the difficulty of the problem, the lack of trust, and the importance of cyber espionage to powerful constituencies in China, the most tangible result would involve agreement on process since there is really no near-term “fix.”

— Cyber security can’t be addressed in a vacuum. It is not sui generis but a product of the larger security and trade issues that dog the evolving bilateral relationship. At a minimum, there should be a recognition that China’s new, restrictive laws and rules that apply to American tech companies are as important a part of the cyber security problem as critical infrastructure protection and a serious negotiation must address them. This means that anything that emerges from the summit must create linkages (another term from the arms control lexicon) among issues that the United States currently keeps separate – critical infrastructure, intellectual property protection, governance and trade. This broad approach runs counter to the bureaucratic division in the U.S. government, but it will be more difficult to reach a sustainable agreement if they are not included in any agenda. This, of course, argues for a senior, political level negotiator who can transcend bureaucratic stovepipes.

There is always a temptation at summits to focus on deliverables and to prefer good news to bad, but this gives the other side an advantage and settling on a “good news” deliverable means the problem of cyber security will continue to be a source of tension and any agreement will be ineffective and unsustainable. The best outcome would be to begin a serious, senior level negotiating process that addresses the full range of issues. The worst outcome would be one that endorsed already-agreed report language and restarted unproductive working level discussions. The summit will not solve the cyber security problem, but if it is done right, it can be the beginning of a solution.