When the world’s two biggest computing superpowers say they’ve agreed to curb computer hacking, such a declaration ought to count as a turning point in the history of cybersecurity.
Don’t get your hopes up.
If past is prologue, September’s ballyhooed U.S.-China cybersecurity pact will likely be remembered as just another feel-good moment during which politicians mug for the cameras and play statesmen.
After his meeting with U.S. President Barack Obama, China President Xi Jinping said his country is opposed to the theft of commercial secrets. The White House, spinning the agreement as major progress, said the sides had agreed not to “conduct or knowingly support cyber-enabled theft” of intellectual property.
Yet the ink on the agreement was not even dry when a new report described an operation hackers affiliated with the Chinese government conducted against a Massachusetts subsidiary of Samsung Electronics called LoopPay.
LoopPay representatives, who learned about the attack in August, said the intrusion began months earlier. So technically, China didn’t violate its fresh pledge to abide by the straight and narrow. But time will tell.
Chinese government representatives have been stating their opposition to cyberespionage since at least 2010, when they denied state involvement in cyberattacks against Google. More recently, when U.S. officials blamed China for a hack of the Office of Personnel Management, which resulted in the theft of data on more than 20 million federal employees, the Chinese Foreign Ministry blew a gasket, announcing that it was “irresponsible and unscientific to make conjectural, trumped-up allegations without deep investigation.”
I’m sure they were shocked, shocked to learn of the charges—just as they were when security researcher Mandiant revealed links between the Chinese army and hackers who had launched 141 cyberattacks against companies since 2006. They gave the same “who, me?” response after the Justice Department charged five Chinese military officers with conducting espionage against U.S. corporations and a labor organization. Each time, Beijing dismissed the allegations as groundless and depicted China as the real hacking victim.
Sophisticated hackers can easily disguise their tracks, affording China a considerable amount of plausible deniability. So in the event of future cyberattacks emanating from China, U.S. officials have two options: Take China’s leaders at their word, or call them a pack of liars.
The agreement provides for information exchanges, legal cooperation, and a “hotline for the escalation of issues.” It also includes a joint pledge to “further identify and promote appropriate norms of state behavior in cyberspace.”
But is any of this likely to be a harbinger of fundamental change? In Congressional testimony, James Clapper, the government’s director of national intelligence, was asked whether he was optimistic that the deal would stop Chinese cyberattacks. “No,” he replied.
He has reason to be skeptical. As others have documented, China does not differentiate between cyberespionage aimed at uncovering military and political secrets, and cybertheft of business plans and intellectual property.
Although the agreement may prohibit China from cyberespionage for commercial gain, it’s essentially a gentleman’s agreement filled with language loopholes that China—or the United States, for that matter—can easily wriggle through, notes Jeffrey Vagle, a lecturer at the University of Pennsylvania Law School and executive director of its Center for Technology, Innovation and Competition.
If Chinese officials, for example, ever get an urge to hack the State Department, the Pentagon, or a Secretary of State’s server—wherever the location—there’s nothing in this deal to give them pause. This isn’t a treaty or some other legally binding document. There’s nothing in the fine print related to cyberespionage to protect the national interest, and there are no real teeth in this agreement; it is more or less unenforceable.
Right now, the best you can say is that the two presidents found a polite way to dress up something with little substance as a major news event. That’s quite a feat, but it’s not going to do much to improve cybersecurity.