If agreed, it could become the first arms control accord for cyber-space, with each country committing not be the first to use cyber-weapons to cripple the other's critical infrastructure during peacetime. “It would be the first time that cyber is treated as a military capability that needs to be governed as nuclear, chemical and biological weapons are,” Vikram Singh, vice president for international security at the Center for American Progress was reported by the NYT as saying.
The deal is likely to happen despite both sides still accusing the other of spying – an allegation highlighted by the recent publication of a report called project *Camerashy. Camerashy has been produced by ThreatConnect Inc and Defense Group Inc which have partnered to share threat intelligence about the Chinese military grade signals intelligence Unit 78020 and the Advanced Persistent Threat (APT) group known as “Naikon”.
On Wednesday, Obama reportedly told the Business Roundtable that the rising number of cyber-attacks would “probably be one of the biggest topics” of the summit meeting, and that his goal was to see “if we and the Chinese are able to coalesce around a process for negotiations” that would ultimately “bring a lot of other countries along”. Xi Jinping was reported in the WSJ saying: “China and the United States share common concerns on cyber-security. We are ready to strengthen cooperation with the US side on this issue."
During the recent eighth annual meeting of the US-China Internet Industry Forum, Reuters reports Lu Wei, China's top Internet regulator, as saying: “We are on the same boat...The only choice we have is to cooperate.” And he hinted that the two countries were set to reach some kind of agreement on cyber warfare, banning attacks on infrastructure in peacetime.
However, even if the deal is done, it's likely to have little meaningful impact on either side's cyber-spying, says Thomas Rid, at the department of War Studies at Kings College London, who described the agreement as “symbolic”. In response to the suggestion of an agreed, 'no first strike on critical infrastructure in peace time' He told SC that: “There is no money to be made from damaging critical infrastructure – and China is not actually taking down America's grid – so agreeing not to do something that isn't happening anyway is a feel-good strategy that has little effect on the breaches that are happening.”
He also questions whether a more substantive agreement would have been possible anyway, saying: “Ultimately the question is whether some cyber-attacks emanating from China could be a form of corruption which the Chinese government is trying to stop?” The implication being that some acts of espionage, including pre-positioning of monitoring software, could be carried out by elements of the army – and others – working for their own financial gain.
Consequently, Rid says the Chinese government: “...will be careful to avoid promising anything they can't deliver upon.”
So it's no surprise that US press have been advised that any deal may not contain “a specific, detailed mention” of a prohibition on attacking critical infrastructure. Rather, it would be a more “generic embrace” of a code of conduct adopted recently by a working group at the United Nations, similar to the guidelines in the Tallinn Manual.
While the agreement may address attacks on power stations, banking systems, mobile phone networks and hospitals, its first version would not protect against most of the economic IP and personal data attacks that China has been accused of conducting in the United States, including theft of 22 million personal security files from the US Office of Personnel Management. .
Director of national intelligence, James R Clapper Jr, told the US Congress that the OPM hack did not constitute an “attack” because it was intelligence collection — something the United States does, too. Classified documents released by Edward Snowden showed a complex effort by the National Security Agency to get into the systems of a Chinese telecommunications giant, Huawei. And the Stuxnet attack on Iran's nuclear industry is widely attributed to the US (and Israel) – but with no verification.
During remarks at George Washington University on Monday, national security adviser Susan Rice warned China on Monday that state-sponsored cyber-espionage must stop, saying: "It puts enormous strain on our bilateral relationship, and it is a critical factor in determining the future trajectory of US-China ties."
Last year the US Department of Justice indicted five Chinese military hackers for cyber espionage against US companies, but despite evidence to the contrary, the Chinese president denies that China has been initiating cyber-attacks on the US, telling the WSJ: "The Chinese government does not engage in theft of commercial secrets in any form."
He added: "Cyber theft of commercial secrets and hacking attacks against government networks are both illegal; such acts are criminal offences and should be punished according to law and relevant international conventions.”
Attribution and verification thus remain key issues in enforcing any agreement. Joseph S Nye, a Harvard professor explained in the NYT that “no first use” doctrines “create some self-restraint,” but he added that the problem was, “how do you verify it, and what is its value if it can't be verified?”
President Obama also noted last week the difficulty of tracing a cyber-attack, and how to retaliate with confidence.
In an email to SCMagazineUK.com, Dave Palmer, director of technology, Darktrace, commented: “These talks are a reminder that attributing cyber-attacks is still incredibly difficult. As threats continue to get more sophisticated, it is not getting easier either. We have to accept that we may never know who hacked us, but we can strive to know when we have been hacked, using advanced technology – and early enough so that we can stop or minimise the effect. For advanced threat actors, only an immune system type approach will be capable of detecting subtle, stealthy activity, which happens under the radar of traditional security controls.”
There are also concerns that any agreement should not limit cyber-reconnaissance work, implanting ‘beacons' in the networks of potential future adversaries – something many intelligence services do.
*Talking to SCMagazineUK.com about the publication of the Camerashy report, Amar Singh, interim CISO and founder of Give-a-day charity and Cyber Management Alliance, commented: “The level of detail in the report, how it managed to identify an individual, should help politicians understand how much cyber effort China and others use for political ends. And (regardless of the proposed agreement), cyber-espionage is set to increase – more to gain advantage than to cause damage. Readers of the report will be left in no doubt that cyber-espionage is alive, it's real, and there will be more."