Source: China Military Science
Abstract
Against the background of rapidly deteriorating U.S.-Chinese relations in cyberspace, Ariel (Eli) Levite and Lyu Jinghua have just published an article in China Military Science, the premier journal of the Chinese Academy of Military Science. The article explores how this deterioration could endanger the larger international political economy, and what China and the United States could do to reverse the negative trends.1
Introduction
Cyberspace has evolved in recent years to become a critical area of international relations, much as the high seas and aerospace did in earlier centuries. Cyberspace may be even more important for international relations going forward because cyberspace is global, not easily demarcated into domestic and international spheres, and cuts across almost all human activities. Indeed, as an ever-larger percentage of human activity migrates to cyberspace, individuals, groups, corporations, and nation-states are becoming increasingly dependent on it. Taken together these trends endow activities and developments in and through cyberspace with an ever-greater capacity to affect the lives and fortunes of all. What happens in cyberspace can help or harm the order and well-being within states as well as the stability and prosperity of the international system writ large.
The United States has been on the forefront of the cyber revolution from day one. China is a relative latecomer to this domain, but it is rapidly catching up. This is not an accident but rather the outcome of a conscious Chinese strategy. On numerous occasions in recent years, the Chinese leadership in general and President Xi Jinping in particular have gone to great lengths to acknowledge and analyze developments in the cyber domain, to articulate the Chinese perspective on cyberspace governance with Chinese characteristics, and subsequently to promote the development of a strategic thought “keenly grasping the historic opportunity for informatization development in a bid to build the country’s strength in cyberspace.”2 Xi has underscored the centrality of this front for China’s development, noting that “the development of cybersecurity and informatization should contribute to China’s drive to develop a modernized economy and achieve high-quality development, and to the new model of industrialization, urbanization, and agricultural modernization.” He elaborated further on his cyberspace vision, saying that “efforts should also be made to develop the digital economy, promote deep integration between the internet, big data, artificial intelligence, and real economy, and make the manufacturing, agriculture, and service sectors more digitalized, smart, and internet-powered.”3
China thus seems determined not to be left behind in cyberspace. The United States, for its part, shows no lesser resolve to retain and leverage its edge in this vital domain, both in political-security and economic-industrial terms. And this competition is clearly impacting but is also affected by the broader tensions in the U.S.-China trade relationship, which have seen sharp twists and turns in recent months. Developments in the course of 2019 would determine whether these two great powers create a more enduring basis for collaborations on cyber economic and security matters, or just as easily slide further into a global competition, rivalry, possibly even outright confrontation in these domains. The sheer size and resources of the United States and China mean that whichever way their relationship goes, it will inevitably reverberate globally.
This research analyzes the stakes and considers the prospects for constructive U.S.-China relations in and over the political-military aspects of cyberspace. Which, in turn, would have especially profound implications for the digital economy, as the recent suspicions over Chinese (Huawei) 5G telecommunication equipment already manifests. The authors examine the serious challenges that stand in the way of realizing positive outcomes, and explore ways that these might be overcome.
The Transformation of the System
Throughout the Cold War, security considerations largely dwarfed economic concerns in the shaping of international relations. U.S.-Soviet relations laid at the core of the international system, and nuclear weapons both influenced and symbolized the international agenda.
Those days and conditions are long gone. Economic interests (with their social implications) are primary, even if security interests still lurk in the background at all times, adding complexity and at times urgency. On a daily basis, cyber matters have displaced nuclear ones at the top of security agenda. And China has risen to the top of the international system, in effect becoming the preeminent strategic U.S. counterpart.
China’s economic power, measured not only in overall national statistics but also in terms of its industrial prowess (including in information technology) is now second only to the United States. In some areas, China already has (or soon will) surpass the United States. These gains reflect the massive resources and large domestic markets as well as the unbridled, centrally coordinated, ambition driving China’s security and economic vision. To assess power and influence in the international system, it is necessary to factor in economic and industrial might, military and security power, and political drive to shape institutions and outcomes. Such assessment suggests that for the foreseeable future, China and the United States will separately and together occupy a leading role in setting the rules in the international system and influencing its core dynamics. This will be especially and most obviously true in cyberspace. More specifically, China and the United States will be the leading forces in acquiring, sustaining, and leveraging the power of data and communications in the economic and security domains.
Chinese and U.S. Vested Interest in Cyberspace Collaboration
The post–World War II era was largely characterized by Pax Americana, a period in which the United States was the global leader in setting up international institutions and enforcing systemic rules. This U.S. role benefited the entire system, and at times exacted a real toll on the United States. The country also reaped rich benefits in return. The rules of the system served its long-term strategic interests.
This era of Pax Americana is rapidly waning.4 In a trend that dates back to Barack Obama’s administration and has greatly accelerated under President Donald Trump, the United States no longer seems willing to absorb the mounting costs associated with being the preeminent international rule maker. It is increasingly relinquishing the role of building and sustaining the norms and multilateral (especially multinational) institutions that have undergirded the international order for the past seven decades.
True, the United States has not (yet?) fully absorbed or accepted the implications of resigning itself to the foreign policy role of “leadership from behind” widely ascribed to Obama’s thinking,5 or even the far narrower conception of interests embodied in Trump’s formula of putting “America first.” Nor is there a solid consensus behind such an approach within the U.S. political establishment. That produces vacillations and inconsistencies in U.S. actions and policies. In practice, notwithstanding Trump’s professed preferences, to the contrary the United States has not entirely given up on multilateral arrangements and institutions, ranging from NATO and the WTO (or narrower multinational treaties such as NAFTA or its presumed successor USMCA, or a trade pact with Europe) to environmental treaties and accords (manifest most recently in the UN in the Katowice Climate Change Conference), even as it strives to revise or renegotiate some of them to better serve its interests.6 But at least for now the United States, far more than in recent decades, seems strongly inclined to strike bilateral rather than multilateral deals, reflecting Trump’s judgment that the former enable it to maximize its international bargaining power thereby better serving its narrower conception of self-interest.
China, for its part, has largely benefited in recent decades from the relative stability the United States has endowed on the international systems, facilitating China’s “peaceful rise.” Notwithstanding the gains it has reaped from this regime, China has chafed at the U.S. effort to retain international rules and arrangements that were developed when China was not present and powerful around the negotiating table. Yet for all of China’s grievances, China has been readily joining existing multilateral institutions, such as the WTO, while is still defining its long-term systemic interests, and agonizing over its capacity to assume the role of system stabilizer, beyond in select geographical areas and functional domains.
In practice, China now manifests a dual track approach: aiming to build new or invigorate relatively recent multilateral accords in which it can play a major role such as the Shanghai Cooperation Council, the Belt and Road Initiative, and the Asian Infrastructure Investment Bank, while seeking to leverage its membership in established institutions to increase its influence on the directions they pursue. In parallel, it is intensely engaged in an effort to build or enhance bilateral cooperation arrangements with ever larger number of partners, starting with Asia but now also spanning across Europe, Latin America, and Africa. While nominally the latter are presented as partnerships rather than alliances (which China’s policy formally renounces), in practice they serve a similar function, demonstrating in the process both the scale of China’s global ambitions and its ability to translate its economic clout into favorable economic and security arrangements. To once again quote Xi: “China has actively developed global partnerships and expanded the convergence of interests with other countries. China will promote coordination and cooperation with other major countries and work to build a framework for major country relations featuring overall stability and balanced development.”7
This brief summary of trends suggests that the general international orientation of both the United States and China may actually be converging, both nations opting for an array of multilateral and bilateral arrangements. What holds promise that such convergence in approach would yield bilateral U.S.-China cooperation rather than confrontation is their strongly shared belief in the importance of the digital economy and the imperative to allow it to grow and prosper. The United States has explicitly endorsed such a vision in the new USMCA, Trump’s crown trade accord, while President Xi has been far more explicit in his speech in the most recent Communist Party Congress. There he pledged that China “will strengthen basic research in applied sciences, launch major national science and technology projects, and prioritize innovation in key generic technologies, cutting-edge frontier technologies, modern engineering technologies, and disruptive technologies. These efforts will provide powerful support for building Chinas strength in science and technology, product quality, aerospace, cyberspace, and transportation; and for building a digital China and a smart society.”8
The Loss of Trust and the Risks of Confrontation
Compatible visions of the digital economy and comparable power in generating, processing, and using data make the United States and China natural partners to team up and devise understandings to shape cyberspace and its uses in ways that serve their respective national interests and global stability. Yet shared interests and even lofty intentions are no guarantee for collaboration. Both states have their own particular interests in what China sees as informatization and the United States as cyber. Some of these divergent interests or preferences are rooted in different societal values. Others are grounded in specific political and security concerns and requirements that are not only different in the two countries but also at times almost diametrically opposed. For example, the two differ radically on the role of government, let alone the party, in management of cyberspace, freedom of speech (and censorship), citizens’ privacy, and cyber sovereignty.9
Differences are not confined to the general approach toward internet governance. The two countries also seem to think differently about the militarization of cyberspace, the application of international law to cyberwarfare, and the legitimate scope and purpose of cyber espionage. These differences are profound and threaten to undermine the otherwise rosy prospects for bilateral collaboration in cyberspace. They are manifest in the growing suspicion between the United States and China over the security of products made by Chinese vendors of advanced telecommunications equipment; the promotion of the “made in China 2025” policy; and the promotion by China of data retention rules. These reflect the profound mutual distrust on everything associated with cyberspace, data, and well beyond, such as their integration with artificial intelligence technology. This distrust is only deepened by the broader, escalating bilateral trade disputes. Taken together, these trends could threaten the international digital economy writ large, as well as the fragmentation of the internet. Distressingly, they increasingly undermine overall trust in the bilateral relationship.
The risks inherent in this situation are even greater when one considers parallel developments in the security domain. Tensions have been rising between the United States and China over the growing U.S. concern over Chinese military capabilities and modernization, and issues ranging from Taiwan and the East China Sea to the South China Sea and beyond.10 China has similar concerns stemming from the United States’ own military modernization and policies adopted by the United States from Asia Pacific rebalance to Indo-Pacific Strategy and the militarization of space. All these hold serious potential for conflict between the United States and China. If conflict erupts, it would certainly reverberate far and wide. One of the earliest and most destabilizing venues for conflict would be cyberspace, thanks to the potential military utility of early employment of cyber assets. Cyber actions in these scenarios also hold serious escalatory potential, complicating the challenges of keeping conflicts below the level of outright military confrontation and could gravely exacerbate the task of managing such crises.
Toward China–U.S. De-confliction in Cyberspace
Severe friction as well as profound distrust are certainly disconcerting but they do not necessarily prevent the United States and China from cooperating to prevent the most destabilizing sorts of actions in and through cyberspace. Indeed, some of the sources of tension could also act as incentives to find constructive channels for de-confliction and trust building.
The modern history of arms control may provide a useful guide here. During the Cold War, arms control became a major paradigm for managing great power relations. It was an important means for preventing rivalry and distrust between the United States and the Soviet Union (and subsequently Russia) from spilling over into outright confrontation and an uncontrolled arms race. Naturally, the focus then was predominantly on nuclear weapons and their means of delivery, and on mechanisms to expeditiously address potentially escalatory misunderstandings.
For multiple reasons, cyber does not lend itself to similar measures. Cyber capabilities mostly are dual purpose (far more than nuclear technology) and largely invisible. The key players in cyberspace, unlike nuclear powers, are private sector entities. Verification of commitments pertaining to cyberspace is anywhere between difficult to impossible. Cyber weapons are also viewed as eminently usable compared to nuclear weapons, with certain applications designed, certainly by the United States, to have discriminate, localized, and/or transient effects.
Yet for all the striking differences between cyber weapons and nuclear weapons, the core logic and goals of arms control still apply to cyberspace. Arms control seeks to reduce the likelihood of war, the damage of war if it does occur, and the costs in peacetime of preparing for war. The potential of cyber to precipitate and escalate confrontations and conflicts suggests that the mechanism itself for dialogue and understanding embodied in arms control is even more compelling in the cyber domain in general, and in the U.S.-China context in particular.
Obstacles to Chinese-U.S. Confidence-Building Measures in Cyberspace
If the logic is compelling and the circumstances potentially at least fortuitous, what difficulties stand in the way of developing such mechanisms? What barriers must be overcome to develop concrete understandings that could help build some confidence between China and the United States in cyberspace?
First, stability in cyberspace is, to an important degree, hostage to the broader bilateral U.S.-China relationship. It generally holds true that stability in any area of interstate relations can hardly be achieved in one domain as a stand-alone matter, because confidence depends on a wider array of interests and perceptions. But the cyber sphere is especially difficult to detach from other considerations. Cyber is now simultaneously a barometer of interstate relations, a force that influences these relations, and a domain shaped by them. These factors naturally make cyber susceptible to fluctuations in the general climate in the relations between nations.
During the more than four decades since the establishment of diplomatic relations between China and the United States in 1978, mutual trust between the two nations has grown on the reciprocal commitment to maintain a relatively stable relationship. This trust has played an important role in enhancing cooperation and managing conflicts. It is this spirit that has made it possible to overcome acute sensitivities and difficulties to reach a first of its kind U.S.-Chinese understanding on cyber matters during Xi’s visit to the United States in 2015. This understanding, which has at least initially been largely effectively implemented, has helped launch the process of extending the mutual trust between the two nations also to cyberspace. But the lack of follow up coupled with creeping doubts in the United States that these understandings are being fully honored have capped the positive momentum of building cyberspace trust.
In parallel, disconcerting developments have recently occurred on the political and economic and security fronts. The Trump administration’s aggressive trade policies toward China have been very poorly received in China. Recent tightening of the review of Chinese investments in the United States by the Committee on Foreign Investment in the United States is both a symptom of the growing mutual distrust and a force reinforcing it.11 Meanwhile, the goals, pace, and direction of Chinese modernization plans in general and in the military realm in particular are heightening U.S. anxiety about Chinese intention and threat. Similarly, Chinese watch with concern some of the corresponding U.S. defense plans. Taken together, these are leading many observers in both countries to conclude that “strategic competition between China and the US has loomed large, prompting their relations to take a dark turn,”12 and that “relations between the U.S. and China are destined to get worse before they get better.”13
Absent at least some easing of tensions on trade issues and other political issues, it is unlikely that more cooperation on cyber rules of the road can be fostered. Breaking this vicious cycle and easing bilateral tensions on the broader political and economic issues is now not only an urgent issue in and of itself, but also highly conducive to developing stability in cyberspace as well.
Beyond large contextual factors, there are other obstacles to building trust in U.S.-Chinese cyberspace. These emanate from cyber-specific issues. To begin with, notwithstanding the common aspects in the attitudes to cyber and cyberspace, real differences exist in the respective national views on the main goals of cyber strategy. China firmly believes that the United States not only possesses the most advanced cyber technology base and cyber defensive and offensive capability but also enjoys unparalleled administration in the allocation of cyber resources. It suspects that this advantage may be encouraging the United States to seek multifaceted goals in its cyber strategy, going well beyond the protection of critical infrastructure (most recently expanded to the capacity to counter influence campaigns14) and internet freedoms. China suspects that the abiding U.S. goal is outright cyber dominance. China, like other nations but perhaps even more so because it has so much at stake, is also confused by the frequent priority changes in U.S. cyber policy. Such discontinuities are especially unnerving for a Chinese leadership that itself is characterized by remarkable continuity in its approach and dreads abrupt changes.
The Chinese leadership also sees itself as relatively consistent in its orientation toward cyberspace and persistent in its aims: to develop a “digital China” that would boost the people’s sense of fulfillment and speed up China’s modernization.15 Yet that is not how the United States presently views the Chinese cyber posture. The United States seems ever more anxious about both the perceived goals as well as the level of sophistication of the Chinese cyber activities. The United States notes that Chinese ambitions extend beyond aggressive cyber espionage (which the United States reluctantly concedes goes both ways, and seems willing to tolerate other than when conducted for commercial benefits). It sees the massive Chinese emphasis on cyber capabilities to contribute to anti–access/area denial (A2/AD) as a grave threat to its military force projection capacity in the Asian region, and an unsettling tool of preemption.
More broadly, cyber security assumes different meanings in the two nations. This seems on the surface awkward because both countries attach considerable importance to cybersecurity, and manifest heightened anxiety about its vulnerabilities. Both also recognize that in such an offense-dominant domain as cyberspace, the most advanced countries are also the most vulnerable ones. The United States even explicitly views cybersecurity as its Achilles’ heel.16 Yet China and the United States still manifest sharp differences in their perspectives on what are the highest cybersecurity priorities and where the main threats are coming from. The Chinese can relate to the heightened U.S. concern on cybersecurity as it pertains to critical infrastructure. But they profess to be unable to comprehend the present U.S. hypersensitivity on cybersecurity as it pertains to ICT and ICS supply chain integrity issues. Both sides now legitimately profess a higher priority to cybersecurity generally and the integrity of ICT products in particular, yet view each other’s attitude in this realm with profound suspicion. This seems like a classic replay of the security dilemma.
China, like many other nations, but even more so because of its industrial base, views the U.S. attitude toward security of the ICT supply chain as a reflection of the U.S. interest in achieving absolute security for itself.17 More broadly, it finds the overall U.S. conception of cybersecurity unacceptable. China sees the core of cybersecurity as technological security, widely interpreted to mean self-sufficiency rather than dependence on imports from the United States.18 Chinese President Xi Jinping reiterated the necessity and urgency to achieve breakthroughs in core information technologies on several occasions. For the Chinese, the recent drama over the ZTE case not only reflected the fact that China lags behind in this area and is vulnerable to U.S. action but also forced China to be more committed to independent technical research and development in cyberspace.
The difference in perspective on cyberspace security in fact runs even broader and deeper, rooted in part in a conceptual divide on addressing cyber governance. Both China and the United States advocate for cyber governance rules domestically and internationally, but their contrasting approaches to these governance issues always breed misunderstandings and arouse suspicions on the other side. For example, cyber sovereignty as put forward by China does not mechanically apply the traditional concept to cyberspace. Instead, it views sovereignty as the respect for the right of each government to choose its own path for cyber development and internet policy. Its conception of cyber sovereignty does, in fact, go much further to assert the right of all nations to equally participate in cyber governance, to oppose cyber hegemony, and reject any interference through the internet in the internal affairs of other countries19. It disapproves conducting, indulging, and supporting any actions that may endanger other countries’ cybersecurity.20
This expansive sovereignty concept, however, has been consistently criticized, in fact rejected outright by the United States. The United States is opposed to this approach not merely on security, economics, and effective international governance grounds, but also on ideological ones. It sees this Chinese approach as directly contrasting with its cherished and widely held belief in the freedom of speech and the spread of democracy. The United States believes that the Chinese concept of cyber sovereignty is equivalent to the right to censor information locally in China as well as to deny access to the Chinese market to global U.S. companies operating in cyberspace.
Several recent instances suggest how deep these cyber disagreements run, and how they breed deep distrust of the respective intentions. China for its part appears to have misread the motivation behind the United States’ repeal of the net neutrality rule. Both U.S. proponents and opponents of the change saw it as an exclusively domestic affair affecting solely the way domestic businesses connect consumers to the internet and charge them for services. But in China, a rumor spread that the change was intended to authorize the U.S. administration, when necessary, to launch cyber attacks against China and cut down on China’s internet access. Conversely, in the United States, the leading interpretation of the early drafts of the Chinese Cybersecurity Law and other related regulatory guidelines (that eventually went into effect in June 2017) was that they were intended to reinforce the government’s legal authority to require of U.S. companies wishing to operate in China comprehensive transparency measures (such as on sharing with the Chinese government their source code and encryption) in addition to surrendering intellectual property to the Chinese authorities.21 In the same vein, the recent detention in Canada of the Huawei CFO on extradition request by the United States for alleged illicit financing of exports to Iran, was widely viewed in China as one more U.S. power play in the battle for cyber hegemony.
In practice all of these contrasting perceptions, misperceptions, and interpretations of national interests between China and the United States make cyber stability difficult to accomplish. In fact, distressingly they translate these days not merely into profound mistrust but also into a fierce bilateral security confrontation that colors their commercial competition. It naturally spills over also into the diplomatic realm, a factor that has contributed to the inability of participating nations to advance the UN Group on Governmental Experts (UNGGE) process in 2017. This trend obviously bodes ill for the future, for both countries, and more generally for the international system writ large. Recognizing the costs and risks involved in such dynamics, we now turn our attention to consideration of possible steps that might still prove possible to avert or at least weaken these disconcerting developments in cyberspace.
What Rules of the Road Might Still Prove Possible (and Desirable)?
The United States and China already have in place several formal platforms for cyber dialogue, ranging from bilateral ones (like China-U.S. Law Enforcement and Cybersecurity Dialogue) to multilateral ones (like discussions and cooperation in the framework of the ASEAN Regional Forum, the Interpol Asia and South Pacific Working Party on IT Crime, and obviously the UNGGE). They have also been party to some common cybersecurity principles agreed upon at the level of the G20. Informally, track 1.5 and track 2 dialogues also abound, including ones involving multiple stakeholders such as the Guanchao Forum. So venues and platforms to promote bilateral Chinese-U.S. collaboration in cyberspace are not in short supply. What is acutely needed are concrete steps that are viable even under the currently charged circumstances that could help transform the corrosive bilateral dynamics on cyber matters. Where are these to be found? Several options come to mind here.
First, progress on building a common glossary of cyber terminology. A necessary first step to achieve progress on building some bilateral trust in cyberspace is to facilitate clearer understanding of the respective parties’ policies and obligations, thereby helping to calibrate expectations and avoid misunderstandings. This undertaking requires an effort that is far greater than merely compiling translations of cyber terms between Mandarin and English. Presently, China and the United States often use the same cyber terms or at least similar ones but understand their meanings quite differently. And even different governmental agencies in the same country use diverse definitions for cyber terms and actions (in many cases, influenced by sharply distinct domestic purposes) or interpret them in widely different ways. And the key terms and definitions in cyberspace evolve rather quickly as understandings of the phenomenon and technology change.
Thus, an important first step would be to have each side share with the other its own official definitions of key terms as they pertain to cyber actions of mutual relevance. At a minimum, each side could better understand what the other side thinks and means when employing these terms. A more ambitious undertaking in the same vein would see both nations developing common or shared definitions of these terms that would help diminish the space for misunderstandings whether certain actions they undertake are consistent with their interpretation of obligations they have taken upon themselves to do or refrain from certain cyber actions (for example, to refrain from commercial espionage). Obviously even mere bilateral discussions on these seemingly arcane issues would have value in their own right. The value of this exercise to diminish unintentional distrust and risky misunderstandings between the two parties should not be underestimated, especially if one is to aim for more ambitious bilateral understandings on the rules of the game in cyberspace.
In this context, it is important to note that although the term cyberspace has been used for almost forty years, there is no shared understanding of concrete terms related to what cyberspace constitutes,22 let alone over malicious and other purposeful, legitimate, but contentious cyber activities. The most fundamental terms relevant to cyber conflict, such as defensive and offensive operations in cyberspace, cyberwar, cyber attack, and cyber weapons, are not understood in the same way in Washington and Beijing. Such a set of terms is always viewed as the premise and basis for negotiations. In April 2011, a joint report on critical terminology related to cybersecurity was published by EastWest Institute and Moscow State University.23 There are other useful sources one could draw on to begin preparing such a glossary.24 For example, a draft report produced by the Carnegie Endowment for International Peace’s Cyber Policy Initiative surveys pertinent U.S. cyber operations terms with precisely this U.S. and Chinese audience in mind.25 But until now, unfortunately, there is no officially sanctioned product available for this purpose between the Chinese and U.S. governments. For example, common understandings or at least deliberations of what could constitute armed attack provide the basis for discussions on land, sea, air, and space power and conflicts, even if no consensus ultimately emerges. Let us add that such exercises have proven useful in the past in various arms control contexts, and could undoubtedly play a constructive role in this context, too.
Second, exercise of self-restraint in certain cyberspace operations. To avoid unintentional confrontation is undoubtedly the primary common interest of China and the United States in political-military dimensions of cyber relations. Self-restraint by these major powers is a necessary foundation to achieve this goal. Since they require no prior interstate negotiations, formal ratification, or agreed verification measures, these could be put in place relatively quickly and could also be communicated to the other party quietly. They thus provide a constructive way to get started that has value in and of itself, and could hopefully also make it possible to transform such unilateral undertakings into more explicit and binding bilateral (and/or multilateral) understandings and agreements.
In the cyber domain, there is a rich menu of self-restraint measures to choose from. The GGE, for instance, put forward quite a few suggestions for norms of self-restraint such as that states should refrain from attacking critical infrastructures;26 and states should refrain from impairing the work of CERTs. (Both the U.S. government and GGE further clarified that CERTs should not be used in offensive operations.27). Yet the GGE, even when most successful, only produced a UN report of the deliberations of a group of governmental experts. Its recommendations are useful, but they are not representing the official views of the states involved, let alone formally binding on any of the governments whose experts participated in the exercise, even if they agree (which they often do not) on the interpretation of what these recommendations actually mean.
There also is a plethora of other proposals in the same vein both in the GGE report and elsewhere. For example, Microsoft (as part of its Digital Geneva Convention proposal) has urged governments to “exercise restraint in developing cyber weapons and ensure that any that are developed are limited, precise, and not reusable.”28 The U.S. government has gone to great lengths to put forward a comprehensive policy on its Vulnerability Equities Process, which could inspire other nations to follow suit.29 Jason Healey has put forward several proposals for the United States to exercise self-restraint that surely could be equally applicable to China as well. These include such measures as exercising “exceptional restraint of US cyber operations, stressing that those campaigns are conducted under tight command, control, and legal review,” and exercising similar measures of self-restraint such as on the conduct of “cyberattacks on nuclear power plants or electrical transmission and distribution systems.”30 Carnegie’s Cyber Policy Initiative has gone further to add to the list a bilateral (possible extending to other P-5 states later) ban on cyber attacks against the command and control infrastructure for their nuclear forces. It also proposed “exercising extreme restraint in undermining trust in the integrity of key categories of data central to international stability, starting with financial data.”31
Another possible area for self-restraint pertains to conducting preemptive cyber attacks. The underlying rationale here is similar to the concern about “launch on warning” in the nuclear context, but assumes potentially greater relevance in the U.S.-China cyber context.32 It has to do with the incentives for both sides to attack the other early in a crisis, launching preemptive cyber attacks against the other, fearing the consequences of behaving more patiently.
For China the concern here resides with the prospect that the United States might be inclined to leverage its superior offensive cyber tools, as well as warning, and attribution capabilities to launch preemptive cyber strikes against Chinese assets, aiming to remove or diminish the Chinese potential to obstruct U.S. military deployments to East Asia in defense of its allies. For the United States, the corresponding concern is that presumably otherwise inferior China could be incentivized to preemptively cyber strike the U.S. logistics and transportation backbone in order to forestall or at least delay precisely this type of U.S. deployment to the region, in effect complementing its A2/AD capacity against such U.S. force projection. The escalatory potential inherent in both options and the dynamics these engender are very real and quite dangerous. Both parties may wish to retain considerable freedom to engage in these or similar cyber offensive actions, especially when the stakes are so high and the operational incentives to do so seem so appealing. But the risks of unintentional cyber crisis and escalation to full blown conflict in this scenario are so profound that they should nonetheless incentivize both China and the United States to consider, at a minimum, self-restraint in undertaking such preemptive military cyber attacks.
If there is one single area that seems especially urgent to consider for such an exercise of restraint, it is that of cyber attacks on nuclear command and control infrastructure on the other side. To appreciate this risk, one only needs to consider the reality that the United States and China are not formally bound to a policy of mutually assured destruction, the United States enjoys a vastly superior force, while the PLA Rocket Force (formerly known as Second Artillery), the principal Chinese nuclear weapons delivery arm, performs conventional missions (as for example would be the case in the event of a conflict over Taiwan) alongside nuclear ones. And both sides (though China far more so) maintain a tight veil of secrecy over their nuclear command and control systems (enhancing the prospects of inadvertent attack on them), while intelligence operations to monitor these networks might be misinterpreted as attacks on them, or at least attack preparations.
Third, enhance mechanisms and channels for routine as well as emergency bilateral information sharing and coordination on cyber events and notification of major military activities. This proposal builds on preexisting bilateral arrangements for sharing information, such as in the cooperation between the respective national CERTs from the two countries. However, what arrangements are now in place do not suffice to dispel misperceptions and prevent miscalculations, and avert explosive incidents especially in the political and military spheres. Blocking communications and blinding or, even worse, spoofing time and navigation systems of civilian and military assets in peacetime are especially prone to lead to escalation. While it is highly necessary to adopt mutually understood rules of the road in this sphere, a first step would be to establish or complement bilateral hotlines and other crises communications and consultation channels among both military commanders as well as high level decisionmakers with corresponding political/policy guidance to endow them with real substance.
It is also worth considering in this context how to apply the MOU on Notification of Major Military Activities in cyberspace. In this memorandum, signed by the U.S. Defense Department and Chinese Ministry of National Defense in November 2014, both sides “affirm their aspiration to establish a voluntary foundation for notifications of major military activities, such as exchange information voluntarily about their respective country’s security policy, strategy, and legal information, including the adjustment of respective national defense policies and strategy, by providing briefings and information about speeches, major government publications such as White Papers, strategy publications, and other official announcements related to policy and strategy,” and allow for “observation of military exercises and activities that should be voluntary and occur within the existing framework of bilateral U.S.-China military relations.”33 Similar voluntary exchange of information, interpretation of cyber strategy and publication, and invitation from either side to observe cyber exercises hosted or co-hosted by the other side could be one part of confidence-building efforts in cyberspace.
Fourth, endorse nationally and encourage companies operating in their national space to subscribe to some core principles that guarantee the integrity of ICT and ICS products they produce and the supply chain supporting them end to end.34 This is both critical for national security purposes and highly conducive to the prosperity of the digital economy nationally as well as globally. While both parties and the leading suppliers of such products internationally have, on occasion, had the incentive to behave otherwise, the prospect of the balkanization of the internet and its supply chain has currently become very real. The distrust it sows has broad and profoundly deleterious implications. Unnecessarily so because there are ways to address legitimate national security requirements for knowledge without compromising the integrity of such critical products. In a way, this is a very concrete (albeit narrower and deeper) operationalization of the recommendation both national experts endorsed in the 2015 GGE report.
The Way Ahead
The road to hell, it is often said, is paved with good intentions. While there is no dearth of sound ideas for de-confliction in cyberspace, China and the United States have nonetheless experienced and will most likely continue to go through periods of intense friction triggered by a series of policies adopted and actions their governments undertake to assert their sovereignty and promote their respective national interests. But at the most fundamental level both parties do have a common interest in working together to effectively manage and control their differences, avoid military conflicts, and build together a more benign international environment. Serious military conflict may be caused by not only traditional security issues in hotspot regions, but also by friction in the newer security domains, especially space and cyberspace.
Crisis in cyberspace presently holds particularly ominous prospects for escalation between China and the United States for several reasons. First, there is the attribution challenge. Mutual suspicions, which currently run high on both sides, may result in flawed attribution of the responsibility for malicious cyber activity and result in miscalculated response. Second, cyber offense is viewed as an asymmetric tool by less advanced countries. Both China and the United States present tempting targets for some risk-takers to launch cyber attacks, trying to hit-and-run. As cyber threats are always imminent and often anonymous, they might lead to misunderstanding between the two big powers. Third, nations that benefit most from cyberspace, such as China and the United States, are also the ones most vulnerable to cyber attacks. This fact results in a higher potential that they may be inclined to be preemptive in the event of a cyber threat. Fourth, the U.S. government’s professed doctrine to retaliate with all appropriate means to cyber attacks may be useful for deterrence purposes. But if actually implemented, it could also gravely escalate an ongoing crisis. Retaliation may quickly lead to discharge of fire in physical domains in response to cyber incidents or, at a minimum, to Chinese anxiety that this may be the case regardless if warranted, and the implementation of corresponding Chinese measures in anticipation of such U.S. action.
But none of this is truly inevitable. The hard-core security, economic, and political interests of both states do align. China has been most explicit that this is the case and has repeatedly expressed its desire to maintain a stable relationship with the United States. In his report delivered at the 19th National Congress of the Communist Party of China, Chinese President Xi Jinping advocated the idea of fostering “a new type of international relations and build[ing] a community with a shared future for mankind, which included building a framework for major country relations featuring overall stability and balanced development.”35 Furthermore, the International Strategy of Cooperation on Cyberspace issued by China in 2017 emphasized the importance of peace and stability in cyberspace, listing it as one of the nine action plans. This document clearly declared China’s commitment to “participate in bilateral and multilateral discussions on confidence-building measures, take preventive diplomatic measures, and address various cyber security threats through dialogue and consultation.”36
What’s more, China professes a positive attitude toward playing an active role in promoting global cyber governance. To build a community for a shared future in cyberspace, which is an integral part of the community with a shared future for mankind, international cooperation on cyber governance is indispensable. Xi reiterated the “general trend and common aspiration of the people to promote the reform of the global cyberspace governance system by sticking to a multilateral approach with multi-party participation from the government, international organizations, internet enterprises, technology communities, non-governmental institutions, and individuals.”37 China supports UN efforts to adopt resolutions regarding information and cybersecurity and actively takes part in the processes of UNGGE; promotes cooperation among member states in SCO, BRICS, and ARF; and consistently enhances bilateral partnerships on cybersecurity. Following a consensus reached with the United States in 2015 during Xi’s visit, China has signed cybersecurity agreements with five other countries in three years, including the UK, Australia, Russia, Brazil, and Canada. From this perspective, more cooperation with the United States in the political-military dimension could not only improve bilateral relations but also set examples for further cooperation with international society.
The U.S. government undoubtedly shares the same ambition to develop constructive governance of cyberspace, and is also wedded to a vision for doing so that combines multilateral instruments with bilateral U.S.-Chinese ones. Even the otherwise mercurial Trump has weighed in to ease the sanctions his administration has imposed on ZTE for violating U.S. law, as a personal gesture to Xi, and has more recently professed similar willingness to step in once again to resolve the extradition case of a Huawei senior official. He has done so even in the face of vociferous opposition from some security hawks in the United States. But compatibility of interests, lofty visions, and even ad hoc constructive steps will not suffice here. They have not been sufficient thus far to prevent the downward spiral in trust between the two nations. So what is ultimately necessary is a grand bargain, inevitably at the presidential level. Not quite at the same scale as when former U.S. president Richard Nixon opened to China but quite similar to the one struck originally between Obama and Xi in 2015, albeit one that subsequently goes much further in its implementation mechanisms. Only such action could open the way for the two nations to break the current impasse and start implementing constructive steps of the nature contemplated above.
Let us be clear. This is not about trading core national security interests of either party. In fact, quite the reverse, it is about safeguarding them. Similar to the reciprocal steps presently being discussed between the United States and China in the bilateral trade area, it is merely about prioritizing concerns and interests. Some of the steps that could facilitate such a grand bargain reside altogether outside the security realm, such as in the domains of trade and investments. Others might be in the security realm but outside cyber, such as on progress toward North Korea’s denuclearization. But ultimately there also has to be at least some cyber component of the grand bargain for it to have the desirable effect in cyberspace.
What we put forward for consideration here is a cyber quid pro quo that derives its inspiration from the overall Chinese approach toward cyberspace stability as outlined by Xi. As we envisage it, what would be required would be for both sides to undertake reciprocal gestures of goodwill toward cyber stability. Toward that end, the United States could be expected to move toward accepting, in some form, the Chinese concept of cyber sovereignty, thereby addressing the primary Chinese anxiety about domestic stability. To be more explicit, the U.S. contribution would be to show deference to the Chinese government and people on how they wish to govern cyberspace domestically. In return, the United States could expect China to reciprocate its goodwill by accepting to apply rather different rules to international cyber rules of the road generally, and to its cyber conduct toward the United States in particular.
In practice what we have in mind is that the United States would not endorse but would nonetheless explicitly recognize the right of China, as it is presently inclined, to apply what is now a rather intrusive cyber monitoring regime internally in the interest of ensuring domestic stability. For its side, China would explicitly accept (once again without necessarily endorsing) that the United States applies its own conception of international cybersecurity and self-defense in both peacetime and at times of war. This would require China to be receptive to U.S. cyber sovereignty concerns by taking far more assertive measures to enforce its policy of preventing and punishing the use of Chinese territory, by any party, to conduct cyber attacks against the United States (and others), and to recognize that cyber weapons use in wartime would be governed by the same rules that apply to the employment of other weapon systems in self-defense.
We believe that such understandings are compatible with both nations’ separate as well as common core interests in and beyond cyberspace. Such understandings would greatly benefit the international community, precisely in the ways envisaged by Xi at the 19th Communist Party Congress. Xi has already taken the first bold step in this direction in his historic 2015 cyber understanding with Obama, true to the famous adage from Lao Tzu that “the journey of a thousand miles begins with a single step.”38 The time has now come to undertake the next step in cyberspace.
Notes
1 An earlier, Mandarin version of this article was published by China Military Science, one of the most renowned academic journals in the PLA that is sponsored by China Association for Military Science and PLA Academy of Military Science. As the Mandarin version was published in October 2018, there are some updates and small tweaks in the English version issued here.
2 President Xi Jinping speech to a national conference on the work of cybersecurity and informatization. See: “Xi Outlines Blueprint to Develop China’s Strength in Cyberspace,” Xinhua, April 21, 2018, http://www.xinhuanet.com/english/2018-04/21/c_137127374.htm.
3 Ibid.
4 Matthew P. Goodman, “From Rule Maker to Rule Taker?” PacNet 54, August 1, 2018. See https://www.csis.org/analysis/pacnet-54-rule-maker-rule-taker.
5 While this conception of leadership is most associated with late South African president Nelson Mandela, it is actually widely ascribed to the thinking of Obama. For the origins of the quote see Josh Rogin, “Who Really Said Obama Was ‘Leading From Behind’?,” Foreign Policy, October 27, 2011, at https://foreignpolicy.com/2011/10/27/who-really-said-obama-was-leading-from-behind/. And for a most cogent argument about its wider relevance see Charles Krauthammer, “The Obama Doctrine: Leading From Behind,” Washington Post, April 28, 2011, at https://www.washingtonpost.com/opinions/the-obama-doctrine-leading-from-behind/2011/04/28/AFBCy18E_story.html?utm_term=.762328a0beec.
6 Trump has now repeatedly imposed tariffs on import-invoking clause 232 of the Trade Adjustment Act of 1962, which allows the president to block imports that he deems threatening to national security. This act, unlike other trade laws, does not require a president to secure a congressional approval for such action nor a review by the independent U.S. International Trade Commission. And such action is even permissible under the World Trade Organization, which grants heads of state extraordinary leeway to take pretty much any trade action they want in the name of national security. While the circumstances under which this legal authority has recently been invoked by Trump makes the practice seem questionable, it has made it possible for Trump to reconcile his aversion to some existing trade deals with operating under WTO rules, so the United States remains committed to the WTO. Furthermore, extensive domestic pressure in the United States is presently building up to scale back or at least condition some of the president's authority to operate in this manner.
7 President Xi Jinping’s speech delivered at the 19th National Congress of the Communist Party of China, October 18, 2017.
8 Ibid.
9 For an illuminating comparison of their respective approaches to cyberspace see Xu Peixi, “Nine Areas of Disputes in the Debate on International Cyber Norms,” an occasional paper published by the China Institute for international Strategic Studies.
10 For the latest official U.S. annual report echoing many of these concerns see https://media.defense.gov/2018/Aug/16/2001955282/-1/-1/1/2018-CHINA-MILITARY-POWER-REPORT.PDF.
11 See for example Chris Stewart, “CFIUS Reform Will Assist in Countering the Long-Term National Security Threat That China Poses,” Hill, August 3, 2018 at thehill.com/blogs/congress-blog/foreign-policy/400272-cfius-reform-will-assist-in-countering-the-long-term.
12 Cui Liru, “Washington Has Altered Dynamics of China-U.S. Relations by Redefining China Strategically,” China-US Focus, July 25, 2018, https://www.chinausfocus.com/foreign-policy/common-ground-between-the-us-and-china.
13 A view expressed by Graham Allison, in “America and China: Destined for Conflict or Cooperation?,” National Interest, July 30, 2018, https://nationalinterest.org/feature/america-and-china-destined-conflict-or-cooperation-we-asked-14-worlds-most-renowned-experts.
14 “National Security Strategy of the United States of America,” White House, December 2017, 35, https://www.whitehouse.gov/wp-content/uploads/2017/12/NSS-Final-12-18-2017-0905.pdf. There are quite a lot of analyses on this topic, such as Robert J. Butler, “Testimony: Countering Russian Influence in the United States Elections Process,” Cyber Subcommittee of the Senate Armed Services Committee, February 13, 2018; Chris Demchak, “Defending Democracies in a Cybered World,” Brown Journal of World Affairs 14, no. 1 (Fall/Winter 2017); and
Richard J. Harknett, “Testimony: Department of Defense’s Role in Protecting Democratic Elections,” Cyber Subcommittee of the Senate Armed Services Committee, February 13, 2018.
15 “Xi Leads China in Building Cyberspace Strength,” Xinhua, April 19, 2018, http://english.qstheory.cn/2018-04/19/c_1122708361.htm
16 Richard Clarke, interview, Frontline, PBS, March 18, 2003, available at: http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/interviews/clarke.html.
17 Speech by Major General Hao Yeli, vice president of the China Institute for Innovation and Development Strategy, in International Security Conference 2015, available at: http://www.aqniu.com/industry/10493.html.
18 “中国工程院院士倪光南:网络安全的核心是技术安全” DOIT, June 14, 2018,https://www.doit.com.cn/p/308861.html
19 A useful analysis of the Chinese outlook on cyber sovereignty and the possibility of finding a common ground with the United States and others is provided by Hao Yeli, “Unity of Opposites in Cyber Sovereignty as per Three-Perspectives Theory,” in an occasional paper published by the China Institute for international Strategic Studies.
20 Speech by Chinese President Xi Jinping at the Second World Internet Conference, December 16, 2015.
21 For a review of the draft document see Zunyou Zhou, “China’s Draft Cybersecurity Law,” China Brief 15, no. 24 (December 21, 2015): https://jamestown.org/program/chinas-draft-cybersecurity-law/. And for a much more comprehensive Western analysis of the cybersecurity legislation see “An Overview of the Data Protections and Security Regimes of the People’s Republic of China,” Steptoe and Johnson LLP, May 2017, https://www.steptoe.com/images/content/6/2/v4/6266/China-Data-Protection-Regime-Overview-05112017-Final.pdf.
22 Does it indeed refer to the physical, logical, and cognitive dimensions as the U.S. defense establishment is often inclined to suggest?
23 EastWest Institute and the Information Security Institute of Moscow State University, “The Russia‐U.S. Bilateral on Cybersecurity – Critical Terminology Foundations,” April 2011. See http://www.ewi.info/cybersecurity-terminology-foundations.
24 See for example Tim Maurer, “Global Cyber Definitions Database,” New America, http://cyberdefinitions.newamerica.org/.
25 Steven Nyikos, unpublished U.S. glossary, Cyber Policy Initiative, Carnegie Endowment for International Peace, 2017.
26 “Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security,” UN General Assembly, July 22, 2015, 12, http://www.un.org/ga/search/view_ doc.asp?symbol=A/70/174&referer=/english/&Lang=E.
27 Ibid.
28 “A Digital Geneva Convention to Protect Cyberspace,” Microsoft Policy Papers, 2017, 1. See https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW67QH.
29 See Kate Charlet, Sasha Romanosky, and Bert Thompson, “It’s Time for the International Community to Get Serious about Vulnerability Equities,” in Lawfare (blog), November 15, 2017: https://www.lawfareblog.com/its-time-international-community-get-serious-about-vulnerability-equities.
30 Jason Healey, “Restraint Is the Best Weapon Against Chinese Hacks,” Christian Science Monitor, September 9, 2015, https://www.csmonitor.com/World/Passcode/Passcode-Voices/2015/0909/Opinion-Restraint-is-the-best-weapon-against-Chinese-hacks.
31 Tim Maurer, Ariel Levite, and George Perkovich, “Toward A Global Norm Against Manipulating the Integrity of Financial Data,” Lawfare (blog), March 28, 2017, https://www.lawfareblog.com/toward-global-norm-against-manipulating-integrity-financial-data.
32 For an elaborate description of the grounds for concern and the specific scenario at hand see David C. Gompert and Martin Libicki, “Cyber Warfare and Sino-American Crisis Instability,” Survival 56, no. 4 (2014): 7–22, DOI: 10.1080/00396338.2014.941543
33 “Memorandum of Understanding Between the United States of America Department of Defense and the People’s Republic of China Ministry of National Defense on Notification of Major Military Activities Confidence-Building Measures Mechanism,” November 2014.
34 For an elaboration of what the national and corporate obligations in this area might look like, as well as what regime could be built to apply them, see Ariel E. Levite, “Rebuilding Trust in the ICT/ICS Supply Chain: Government Restraint and Corporate Active Trust Building,” Carnegie Endowment for International Peace, forthcoming.
35 Xi Jinping’s report delivered at the 19th National Congress of the Communist Party of China, October 18, 2017.
36 Ministry of Foreign Affairs and the Cyberspace Administration of China, International strategy of cooperation on cyberspace, March 2017.
37 “Xi Outlines Blueprint to Develop China’s Strength in Cyberspace,” Xinhua, April 21, 2018, http://www.chinadaily.com.cn/a/201804/21/WS5adb0909a3105cdcf6519b2c.html.
38 President Xi has actually reminded us of this precious Chinese adage in a speech at the Opening Ceremony of the Belt and Road Forum for International Cooperation, May 14, 2017. Importantly, he also reminded us on that occasion that similar wisdom has been widely accepted elsewhere as well.
