Source: Cipher Brief
The U.S. and China are rapidly sliding into a full-court confrontation in and over cyberspace. This portends serious risks and disadvantages for both sides in light of their economic and technological interdependence. It is bound to have even greater reverberations internationally, given that both countries serve as the world’s leading cyber powers, measured in their technological and industrial base, as well as in the scope of their commercial, defense and security applications. In light of their shared interests in geopolitical stability and the digital economy, the U.S. and China should better reflect whether they can more constructively manage their competition in and over the cyber domain.
Diverse factors push the two powers along a negative path. Some stem from the deterioration of the overall bilateral relationship, especially in the trade domain. Others are inherent in the growing tensions caused by China’s increased influence in neighboring areas in Asia, backed by its newly acquired capabilities, pitted against the U.S.’ focus on sustaining its established alliances and security dominance. But cyber dynamics exacerbate all of these tensions, most importantly, the fierce competition emerging between the two nations and their tech industries as China’s cyber prowess gradually catches up with that of the U.S.
Drivers of deterioration in bilateral relations in the political, economic, and security realm are far easier to note than to rectify. Some of the actions both sides undertake in response to developments in these realms are patently counter-productive, destabilizing, even outright escalatory. This is a classical “security dilemma” where two parties, each feeling endangered by the other, take actions to secure themselves but in practice, both are left worse off. Political echo chambers now amplify anxieties on both sides.
The U.S. commonly approaches cyberspace as an area of great vulnerability, not merely a source of strength. Its weakness stems from being one of the most digitally-connected countries in the world. These vulnerabilities will persist as the digital economy and networked society increasingly displace or at least diminish the role of physical contacts. It is both impractical and impossible to identify and address all of the vulnerabilities that exist. Hence, the costs of being attacked by an able cyber power are high. This is why the Chinese threat alongside the Russian one, appears almost overwhelming. But the Chinese threat looms larger because the U.S. market, as well as its industry, have become so heavily dependent on the Chinese supply chain for parts and components, which has the potential of being manipulated.
It is against this backdrop that multiple concrete activities of acute concern to the U.S. have been widely attributed to China. These include conducting extensive commercially-motivated cyber espionage against U.S. intellectual property and trade secrets worth of hundreds of billions of dollars. This theft is believed to have caused extensive loss of jobs and undermined U.S. business competitiveness. Other threats involve aggressive cyber espionage against the U.S. government, critical infrastructure and defense contractors, which are said to not only compromise highly-sensitive information (in part, to fuel Chinese technological and military modernization) but also to heighten the risk that the penetration of the networks could be leveraged by China at will, to inflict serious damage. In the military realm too, China is said to be gearing up to use offensive cyber operations to undermine U.S. force projection to the Asian theater as a cost-effective means to bolster its deterrence and its defense of allies.
China is also widely believed to be developing back doors, or at least the option for using them, in Chinese components, telecommunication products, and services that are offered globally, leveraging its authorities under its national security law to force Chinese vendors to comply and is forcing U.S. companies to hand over precious IP in order to gain access to the Chinese market. China can then use this property (and reverse engineer U.S. products) to compete against U.S. vendors. Moreover, Americans argue that China’s heavy subsidization of significant industries including IT, have given it an unfair advantage. Denying access or imposing impossible demands on leading U.S. tech companies and social networks that wish to operate in the Chinese market is similarly unfair trade practice. In addition, the U.S. also takes issue with China’s use of the internet Great Firewall to shield Chinese citizens. Paired with extensive internet controls, blockage of access to certain websites and ever larger categories of information, China seeks to undermine free speech. Finally, the U.S. objects to China’s position and collaboration with other countries (most prominently Russia) to advance the United Nations-sponsored discussion around global norms that it considers adversarial, including advocacy of a rigid definition of cyber sovereignty and a conception of the applicability of international law to cyberspace which it sees as designed to constrain U.S. employment of its cyber prowess.
Unsurprisingly, Chinese discussions of these issues paint an almost diametrically-opposite picture, in large part, manifesting a mirror image of U.S. concerns. China views itself as a large cyber power with an impressive number of netizens as well as wide and increasingly diverse application of ICTs, but not presently a real match for the U.S. It attributes its relative weaknesses in the cyber domain to massive dependence on foreign sources for core-internet technologies as well as key software and hardware. Broad circles in China find it both irritating and disconcerting that products from U.S. companies such as Cisco, IBM, Intel and Oracle are widely used in China’s critical information infrastructure, while President Donald Trump considers banning Huawei and ZTE products for use by government agencies and telecommunication providers in the U.S. The fear from China is that American and other foreign technology suppliers could decide at will, or in response to U.S. government pressures, to deny support to Chinese buyers or terminate access and supply, thereby causing mayhem in China. Chinese scholars cite Microsoft’s 2014 decision to terminate support for Windows XP, as well as the USG’s decision (eventually reversed by President Trump) to ban Chinese telecommunication company ZTE from buying U.S. components it heavily relies on to make smartphones and other devices.
China views with alarm the internet’s inherent potential to disseminate rumors and harmful information that could stir up domestic unrest and undermine its social and political cohesion. It fears that Western countries may employ such practices to project and disseminate their ideology and values, as they believe was the case with Twitter and other social platforms during Iran’s 2009 election fraud protest. Moreover, the Chinese strongly believe that the U.S. itself is quite aggressive in spying on its own population and those of other countries, as well as in restricting the free flow of information on the internet.
Another cause of concern for the Chinese is the imbalance of resource allocation in cyberspace. Thirteen named authorities which operate root servers are geographically located in the West. The Internet Corporation for Assigned Names and Numbers (ICANN) has maintained a close connection to the U.S. government even after the expiration of its contract with the U.S. Department of Commerce’s National Telecommunications and Information Administration (NTIA) in 2016. Chinese officials worry that an imbalance could lead to sudden withdrawal of top-level national domain-name registration and resolution, which would cause China to be instantly cut off from the internet.
China also sees itself as a victim of continuous cyberattacks in large numbers, including from the U.S. Yet, for a variety of reasons associated with its more modest capacity to detect and attribute such attacks, China prefers to keep a lower profile over them. The U.S. is intensely warning its allies against the use of telecommunications equipment from Huawei to avoid “serious espionage risks”, but the Chinese find these allegations both ironic and disingenuous given the revelations contained in the documents leaked by Edward Snowden, resulting in reporting that the National Security Agency (NSA) had earlier penetrated Huawei networks.
More fundamentally, U.S. official statements define China as a “competitor” and “rival” in general and highlight the larger-than-ever strategic threat it poses in cyberspace. But, Chinese widely perceive the U.S. to be obsessed with maintaining absolute superiority and security in cyberspace, as part of a general determination to stifle China’s global rise. A vivid example is the U.S.-led campaign within and beyond the Five Eyes alliance to shut out Huawei from tenders for 5G telecommunication equipment worldwide as a necessary step to avoid security risks. But in the Chinese perspective, such efforts, together with the recent detention of Huawei’s CFO Meng Wanzhou in Canada at the behest of the U.S. government, reflect U.S. aggressiveness to contain China.
We have no way of gauging whether the cyber security concerns of either party are fully warranted (and in equal measure), but undoubtedly both do believe they face genuine security threats. However, what is unnecessary and harmful is the current trend of making the concerns publicized, hyped and heavily politicized. China and the U.S. presently represent the two biggest players in the field. Both, along with many others, will face ominous consequences if they remain on the current trajectory that elevates short-sighted national economic and security interests to the top of the agenda. For example, while the campaign to block Chinese high-tech equipment from western markets will severely harm the Chinese IT giants and its economy writ large, it will also deny western customers cutting-edge telecommunications technology and leave them with few and more expensive alternatives. What’s worse, the message other Chinese companies read into it is they ought to withdraw their business in the U.S. as soon as possible since this is a politicalized decision rather than commercial competition. Chinese competitiveness will take a hit as a result, but the U.S. economy also will suffer losses of sales, market share, and even some strategic leverage. Allowing multiple governmental agencies (as well as national technological champions) to pursue diverse and entirely uncoordinated agendas that further erode bilateral trust is a recipe for national harm as well as widespread collateral global damage.
Arresting these disconcerting dynamics ought to be a matter of priority for both governments. This would be a difficult challenge under the best of the circumstances, given the number of domestic actors and divergent interests involved in this domain. Some early progress toward that end can be achieved by launching a quiet, systematic bilateral inter-agency cyber security dialogue between the two parties. It should aim to refine, build on, and greatly expand the 2015 Xi-Obama understandings in several ways:
- define a handful of targets, like critical information infrastructure, integrity of financial data, nuclear weapons command and control, that would be off limits for assertive cyber operations;
- clarify further what would constitute commercially driven cyber espionage that both sides would refrain from;
- renounce (and enforce within their national jurisdiction) any effort to compromise the integrity of ICT and ICS products bound for the international market;
- explore ways for harmonizing data privacy requirements for commercial vendors.
Finally, and most critically for the prosperity of the digital economy, the parties should strive to agree on mutual recognition of the other’s certification of ICT and ICS COTS and products, other than those bound for sensitive governmental applications. Which should be predicated on both nations and their relevant vendors subscribing to a commitment to refrain from any systematic tampering in these products and to maintain comparable high standards of safety and integrity. Such arrangements, inspired by those that already exists elsewhere from drugs to aerospace, should entitle these products and their vendors to bid unhindered for commercial contracts in both markets.
The perspectives offered in this piece may be controversial, and some of the recommendations are undoubtedly contentious. They are meant to underscore the urgency to zoom out from the specific bilateral skirmishes affecting the perspectives of both sides and appreciate where the broad present trends might be leading both nations and affecting the global digital economy. And to propose for active consideration several directions that could help transform an increasingly confrontational relationship into one combining a healthier mix of normal competition and cooperation, alongside smaller (inevitable) pockets of rivalry.