Cyberspace may get its first arms agreement: Internet security pact on the table
The countries are discussing what could be the first arms control
accord for online attacks on critical infrastructure.
The United States and China are negotiating what could become the
first arms control accord for cyberspace, embracing a commitment by
each country that it will not be the first to use cyberweapons to
cripple the other’s critical infrastructure during peacetime,
according to officials involved in the talks.
While such an agreement could address attacks on power stations,
banking systems, cellphone networks and hospitals, it would not, at
least in its first version, protect against most of the attacks that
China has been accused of conducting in the United States, including
the widespread poaching of intellectual property and the theft of
millions of government employees’ personal data.
The negotiations have been conducted with urgency in recent
weeks, with a goal to announce an agreement when President Xi
Jinping of China arrives in Washington for a state visit on
Thursday. President Obama hinted at the negotiations last Wednesday,
when he told the Business Roundtable that the rising number of
cyberattacks would “probably be one of the biggest topics” of the
summit meeting, and that his goal was to see “if we and the Chinese
are able to coalesce around a process for negotiations” that would
ultimately “bring a lot of other countries along.”
But a senior administration official involved in the discussions
cautioned that an initial statement by Mr. Obama and Mr. Xi might
not contain “a specific, detailed mention” of a prohibition on
attacking critical infrastructure. Rather, it would be a more
“generic embrace” of a code of conduct adopted recently by a working
group at the United Nations.
One of the key principles of the United Nations document on
principles for cyberspace is that no state should allow activity
“that intentionally damages critical infrastructure or otherwise
impairs the use and operation of critical infrastructure to provide
services to the public.” The goal of the American negotiators is to
have Chinese leaders embrace the principles of the United Nations
code of conduct in a bilateral agreement with Washington.
But it seems unlikely that any deal coming out of the talks would
directly address the most urgent problems with cyberattacks of
Chinese origin, according to officials who spoke on the condition of
anonymity to describe continuing negotiations.
Most of those attacks have focused on espionage and theft of
intellectual property. The rules under discussion would have done
nothing to stop the theft of 22 million personal security files from
the Office of Personnel Management, which the director of national
intelligence, James R. Clapper Jr., recently told Congress did not
constitute an “attack” because it was intelligence collection —
something the United States does, too.
The agreement being negotiated would also not appear to cover the
use of tools to steal intellectual property, as the Chinese military
does often to bolster state-owned industries, according to an
indictment of five officers of the People’s Liberation Army last
year. And it is not clear that the rules would prohibit the kind of
attack carried out last year against Sony Pictures Entertainment,
for which the United States blamed North Korea. That attack melted
down about 70 percent of Sony’s computer systems.
Sony is not, by most definitions, part of the nation’s “critical
infrastructure,” although the Department of Homeland Security does
include “movie studios” on its list of critical “commercial
facilities,” along with stadiums, museums and convention centers.
Still, any agreement to limit cyberattacks in peacetime would be
a start. “It would be the first time that cyber is treated as a
military capability that needs to be governed as nuclear, chemical
and biological weapons are,” said Vikram Singh, a former Pentagon
and State Department official who is now vice president for
international security at the Center for American Progress.
Within the Obama administration, the effort to design “a set of
norms of behavior” to limit cyberattacks has been compared to
President John F. Kennedy’s first major nuclear treaty with the
Soviet Union in 1963, which banned atmospheric nuclear tests. That
accord did not stop the development of nuclear weapons or even halt
underground tests, which continued for decades. But it was a first
effort to prevent an environmental disaster, just as this would be a
first effort by the world’s two biggest economic powers to prevent
the most catastrophic use of cyberweapons.
Joseph S. Nye, a Harvard professor known for his studies of
American power, said the concept of a “no first use” doctrine for
cyberattacks had been “gestating for some time” in a variety of
international forums. “It could create some self-restraint,” Mr. Nye
said, but he added that the problem was, “How do you verify it, and
what is its value if it can’t be verified?”
That problem goes to the heart of why arms control agreements in
the cyberspace arena are so much more complicated than better-known
agreements covering nuclear weapons.
In the Cold War and still today, nuclear arms remain in the hands
of states, meaning they can usually be counted and their movements
observed. Cyberweapons, too, are often developed by countries — the
United States, Russia, China and Iran are among the most
sophisticated — but they can also be found in the hands of criminal
groups and teenagers, of which neither group negotiates treaties.
Moreover, it was usually clear where a conventional attack had
originated; the trajectory of a missile could be tracked by radar or
satellite. Mr. Obama himself noted this month the difficulty of
tracing a cyberattack, and thus of deterring it — or retaliating
Earlier efforts to get Mr. Xi and other senior Chinese leaders to
address cyberattacks largely failed. Mr. Obama spent a considerable
amount of time on the issue during a summit meeting with Mr. Xi at
Sunnylands, a California estate, in 2013. But even after that
session, the Chinese denied that their military was involved in
attacks, and portrayed themselves as victims of attacks from the
It was not an entirely spurious claim: Classified documents
released by Edward J. Snowden showed a complex effort by the
National Security Agency to get into the systems of a Chinese
telecommunications giant, Huawei, though the United States
maintained that the effort was for national security surveillance,
not for the theft of intellectual property.
The recent Chinese movement on cybersecurity can be traced to
several events, officials say.
The Office of Personnel Management breach, which went undetected
for roughly a year, was traced to Chinese sources, and one official
said evidence had been presented to Chinese officials. In August,
Susan E. Rice, Mr. Obama’s national security adviser, took a trip to
Beijing to meet with Mr. Xi and other officials, and used it to
increase pressure on China, suggesting that newly devised economic
sanctions could be imposed. Mr. Obama referred to that possibility
in two recent speeches, suggesting that he would hold off only if
there was progress with Mr. Xi.
This month, a high-level Communist Party envoy, Meng Jianzhu, who
is responsible for state security, came to Washington and met with
Ms. Rice, several American intelligence officials and the director
of the F.B.I., James B. Comey. That session focused on coming up
with some kind of agreement, however vaguely worded, that Mr. Obama
and Mr. Xi could announce on Friday.
For the United States, agreements limiting cyberweapons are also
problematic. The country is spending billions of dollars on new
generations of weapons, and in at least one famous case, the
cyberattacks on Iran’s nuclear enrichment site at Natanz, it has
American cyberwarriors would be concerned about any rules that
limited their ability in peacetime to place “beacons” or “implants”
in foreign computer networks; these are pieces of code that monitor
how foreign computer systems work, and they can be vital in
determining how to launch a covert or wartime attack. The Chinese
have littered American networks with similar technology, often to
the consternation of the Pentagon and intelligence agencies.
This article was written by David E Sanger from International New York Times and was legally licensed through the NewsCred publisher network.
Online Degrees & Certificates In Cybersecurity
American Military University's online cybersecurity programs integrate multiple disciplines to ensure you gain the critical skills and management practices needed to effectively lead cybersecurity missions – from government or private industry. Learn from the leader. American Military University is part of American Public University System, which has been designated by the National Security Agency and the Department of Homeland Security as a National Center of Academic Excellence in Cyber Defense Education.