Last week’s agreement between President Barack Obama and visiting Chinese President Xi Jinping to curb commercial cyber espionage is a step forward from earlier stances of denial and counterattacks. Yet many remain skeptical about the effectiveness of the agreement, including U.S. security agencies. Continuing cyber espionage by non-state actors remains likely, and the Chinese central government has limited control over provincial governments in any case, say experts from Wharton and the University of Pennsylvania Law School. At a minimum, however, the agreement reduces tensions between the two countries over cyber espionage.
One of the first major causes of the cyber espionage conflict was the so-called Operation Aurora in 2009, when malware traced to a Beijing company with ties to China’s People’s Liberation Army (PLA) affected 30 major U.S. companies including Google, Adobe and Northrop Grumman. Last year, the U.S. indicted five Chinese military officers on charges of cyber hacking and economic espionage against six U.S. companies, including Westinghouse Electric and U.S. Steel.
Then in July, a massive theft operation that is believed to have originated in China compromised the personal information of 21.5 million U.S. federal government employees. A week before Xi’s visit, an angry Obama warned of sanctions against Chinese companies that benefit from such commercial espionage.
Reduced Friction
“Any engagement on this front is a step forward because we were headed toward some nasty patches on this, [with] talk of sanctions being held in abeyance until after Xi’s visit,” said Jacques deLisle, professor of law and political science at the University of Pennsylvania Law School and director of its Center for East Asian Studies. “[Cyber espionage] was a significant source of friction with China. So, agreeing to talk about it … and making some notional commitments is at least a climb-down from the collision course.”
“Any engagement on this front is a step forward because we were headed toward some nasty patches….” –Jacques deLisle
However, deLisle and Jeffrey Vagle, lecturer at the University of Pennsylvania Law School and executive director of its Center for Technology, Innovation and Competition, were skeptical about the agreement’s effectiveness. “It’s a gentleman’s agreement,” said Vagle, noting that it is not a treaty or a legally binding agreement. “There is enough wiggle room in the language of the agreement so it could be easy for either party to squeeze out through one of these loopholes.” (Vagle and deLisle discussed the agreement on the Knowledge at Wharton show on Wharton Business Radio on SiriusXM channel 111. (Listen to the podcast at the top of this page.)
Obstacles to Implementation
Wharton emeritus professor of management Marshall W. Meyer predicts a difficult implementation process for the agreement. “It is full of ambiguity. What’s the line between government and business? Also, especially in China, which government are we talking about? As you know, the central government can’t control everything the regional governments do.” He noted further that the U.S. defense community has said “the only thing that works in this game is deterrence, so we are going to be in the deterrence business.” How does that play out? “Tit for tat. You steal from us, we’ll steal from you.”
Meyer pointed out that historically, China has been decentralized. “The central government didn’t so much enunciate policy as it watched what works locally and selected the winners as national policy.” He noted that Xi has actively sought to consolidate more control over local governments. “But still, there are limits to that control.” He addded that while the Chinese central government controls a little more than a hundred state-owned enterprises (SOEs), the large majority of SOEs are under the control of local governments.
“In China … the central government can’t control everything the regional governments do.” –Marshall W. Meyer
Wharton management professor Minyuan Zhao also was skeptical. “There are not a lot of teeth in this agreement, and neither country has a good track record, so the level of trust will be low. [However,] sometimes a formal report like this can be a stepping stone towards more meaningful actions, such as concrete collaborations on anti-espionage technologies, or an active search for areas where the interests of the two countries are aligned.” On that point, Obama stated at a press conference on September 25 after signing the agreement, “We’ll work together, and with other nations, to promote international rules of the road for appropriate conduct in cyberspace.”
Facing Realities
According to Meyer, “There’s always a possibility that both sides realized it’s a no-win” in economic cyber espionage. “Everyone loses in these games. There are those in China who will argue that respect for intellectual property is absolutely critical to their economic development. If intellectual property is fair game, domestically or internationally, then the incentives to innovate and do the things that will be used to turn around the Chinese economy are just not going to be there.”
DeLisle was underwhelmed by the Obama-Xi agreement also because existing provisions in the World Trade Agreement already oblige member countries to protect foreign intellectual property. “This is merely an affirmation that the two countries are going to do something about it. As Obama said, we’ll see if actions follow the words.”
Gray Areas
DeLisle noted the agreement leaves “a big zone in the middle” — the thin line between cyber spying for national security (not covered by the agreement) or for intellectual property, trade secrets and so forth to gain a business advantage. Technology often is dual-use — for civilian and military purposes. “In the modern context, international relations is not just about war; it’s about figuring out where economies are going and where national strength is based on economic advancement is going,” deLisle said.
“This is less about cyber security or cyber crime; it is about economic growth and economic stability.” –Jeffrey Vagle
Vagle pointed out that international espionage is hard to measure, and that it is true even more so of cyber espionage. Espionage by third parties is also a concern. “As we know from past stories, not only in China but in other countries as well, there are many quasi state actors who perform this sort of espionage that are not necessarily affiliated with any nation-state but they might provide information back and forth,” he said. “If the Chinese government could say that it didn’t have anything to do with [a certain cyber theft], then are they off the hook?” Against the backdrop of Operation Aurora and the suspected role of the PLA, he wondered if cyber economic espionage would now be moved offshore or to quasi state actors or a third party.
Positive Outcomes
On the brighter side, Vagle said the agreement obligates both countries to act in the event of a cyber attack. “It gets rid of some of [the] attribution problem that we have been running into,” he added, noting that in the case of a breach into Sony last December, it wasn’t easy to pin the blame on North Korea. DeLisle agreed and said it “takes the sting out of” the countries blaming each other for consciously being involved in or enabling economic cyber espionage.
The agreement is useful at a time of increased conflicts between China and U.S. businesses. According to DeLisle, a big area of concern for China is “the souring attitude” of American and other foreign high tech companies toward the Chinese business market. “[However,] it’s hard to turn away from those 2.6 billion eyeballs — two eyeballs per Chinese,” he said. “But there are real costs to being there. Some of them are genuine theft costs, which may be greater if you are present there or expose yourself, but it also means a reluctance to place R&D facilities there.” U.S. businesses are continuing to invest in China even as they have those concerns, he added.
Similarly, China also needs the U.S. and Europe and the rest of the world, said Vagle. “The economic realities behind this [agreement] are enormous — that is the elephant in the room. This is less about cyber security or cyber crime; it is about economic growth and economic stability.”