Sony Hack Provides an Opportunity to Resume China-U.S. Cyber Dialogue

By Chuanying Lu

President Obama and President Xi  shown during a bilateral meeting in the Netherlands, April 2014. Source: U.S. Embassy The Hague's flickr photostream, U.S. Government Work.

President Obama and President Xi shown during a bilateral meeting in the Netherlands, April 2014. Source: U.S. Embassy The Hague’s flickr photostream, U.S. Government Work.

The Sony hack provides an opportunity for Chinese and American decision makers to rethink their cyber policies and bilateral cyber cooperation strategy. Cyber-attacks are a new threat from a new domain, which cannot be resolved through traditional methods.

Is the Sony hack a cyber-attack, cyber terrorism, or even a cyber-war? Cyber experts differ on their assessment. In the real world, the differences among attack, terrorism, and war are quite clear. We can categorize them either from the actors or from targets, while in the cyberspace, there is no clear boundary among all these behaviors. But the U.S. government had to find clarity before fighting the attacker, which in this case President Barak Obama said was North Korea.

President Obama used the term “cyber vandalism” to describe North Korea’s behavior. Vandalism is not a new word. However, using cyber vandalism, as opposed to the other terms mentioned above, speaks to the dilemma the Obama administration now finds itself in over this incident. As David Rothkopf wrote in Foreign Policy, “the president has sought to send a message that whatever response the United States will undertake in response to the North Korean attack will be proportional.”

President Obama immediately issued new trade and diplomatic sanctions to 10 North Korean government officials and three organizations. However, the effects of the sanctions are limited. Even the temporary shutdown of North Korea’s internet, which might also have been part of punishment, had limited implications. The reason why the Obama administration hesitates to take an aggressive action to counterstrike is obvious—the United States does not have many options available when dealing with an isolated nuclear country like North Korea. When dealing with an isolated country, even the most powerful country has trouble executing punishments. More importantly, there are still no widely accepted international rules and norms to regulate a country’s behavior in cyberspace, let alone to punish violations. The Sony hack could be the kind of problem that many countries have to confront in the future, and any government could face a challenge similar to America’s dilemma. The priority for governments should be to develop norms and rules to govern cyberspace.

Global efforts on cyberspace governance can be traced back to the 2001 World Summit on Information Society (WSIS) or even earlier. However, the process has since stalled. Major countries including China and the United States are divided into two different groups: generally speaking, countries who support cyber sovereignty and countries who stand against it. Almost 15 years later, there seems to be little hope to reach agreement on the basic principle of norm building in the near future, though complexity has grown over related issues. It is dangerous that China and the United States, the two key players in cyberspace governance, still view the other’s cyber strategies with deep suspicion.

China suspended the cybersecurity working group with the United States and almost all other dialogue channels immediately after the Department of Justice (DOJ) indicted five People’s Liberation Army (PLA) officers for economic espionage.

Though China asked its U.S. counterparts several times to provide evidence, the U.S. government did not provide evidence and decided to proceed with the indictment without informing China in advance. China believes the United States violated the diplomatic consensus by using a humiliation tactic to deal with the cyber-dispute.

This incident has significantly deepened bilateral distrust on cyber affairs. At the recent World Internet Conference in China, there was no U.S. official among the participants. When I asked cyber policy makers from both sides to describe the current bilateral relationship, the Chinese expressed their disappointment and anger, while the Americans used the word frustration. Neither side appears ready to talk.

The Sony hack provides an opportunity to resume U.S.-China cyber dialogue. Cybersecurity is a common threat for all governments, which calls for a joint response. The Sony hack or other kinds of cyber terrorism will become major challenges for national security. Terrorists could use any country’s internet infrastructure as a proxy to launch cyber-attacks. Therefore, information sharing, joint investigation, and cooperation on anti-intrusion technologies are indispensable for any country in countering cyber terrorism. In addition, given the complex and interdependent nature of cyberspace, China and the United States have no other alternative but to work together. Experts and even policy makers have failed to set the record straight about the many prevailing misperceptions of cyber policy in the media. The truth is, we are not only interdependent, but we are also interconnected and cannot be separated. U.S. IT companies, such as CISCO, Microsoft, Apple, Intel, Qualcomm, IBM, and Oracle, take the biggest share in China’s market and are part and parcel of China’s internet infrastructure. Meanwhile, Huawei, ZTE, and Lenovo have entered the U.S. market, hiring local employees and operating under American laws and regulations. Baidu, Alibaba, and Tencent, referred to as the BAT in China, are all listed on NASDAQ, whose shares are held by Chinese, American, and global investors.

Lastly, China and the United States should create a new mechanism for dialogue. The cyber security working group is a failed test to build trust. Part of the reason may be that the United States pushed too hard under this framework or it is not ready to change its stance after the Snowden revelations. Additionally, China’s ineffective high-level coordination mechanism to deal with cyber security issues and limited professional knowledge of cyber security impeded effective communication during the dialogue. Though President Xi Jinping set up a new organization to tackle cyber security, development issues, and cyber diplomacy in February 2014, the Central Internet Security and Informationtization leading group, it unfortunately did not stop the indictment process.

To resume talks, China and the United States should take several steps to conduct multi-tiered dialogues among different departments. First, top leaders of the two countries should lay down general principles on cyber issues instead of focusing on specific cases, so as to set the stage for future cooperation. Second, there should be direct talks between departments, including foreign affairs, law enforcement, industry, and military. Military-to-military dialogue is extremely important because they are not only the decision makers but the most powerful cyber policy implementers. Overall, without communication among all the disparate decision making departments, there will be no real trust in cyberspace.

As the story of the Sony hack continues to play out, it is time for China and the United States to do something to make it clear who should be held accountable and how to prevent such violations from happening again.

Mr. Lu Chuanying is a research fellow at Shanghai Institute for International Studies. He currently is a visiting fellow with the Freeman Chair in China Studies at CSIS.


Leave a Reply

Your email address will not be published. Required fields are marked *