Sign Up

Cyber Security: All China’s Fault?

China is not the only party responsible for bilateral strife in cyber relations.

August 30, 2015

China is not the only party responsible for bilateral strife in cyber relations.

The realm of cybersecurity and cyber foreign relations is still a relatively new domain and one that is often poorly understood by many policymakers. It is usually treated as a highly specialized area of policy, despite the huge role it already plays in most aspects of everyday life.

Cybersecurity also has a large impact on world affairs. Recalling a choice term from an earlier era of combative international relations, it is no exaggeration to say that détente in cyberspace is vital to stability and safety.

This term is very much apropos, not least because the command and control of nuclear armed missiles depends in part on a “securable” cyber space.

And while the core détente pairing back then was between the United States and Russia, with Europe playing a constructive intermediary role at the time, today’s “détente” pairing is between the United States and China.

Both powers say they want dialogue and cooperative behavior on cyberspace issues – but something is keeping them apart.

Who’s at fault?

Recent news headlines – in particular the theft of personal data of more than 20 million U.S. citizens in the records of the federal government’s Office of Personnel Management (OPM) – make it appear that the frosty relations on cyber issues are all China’s fault.

As the U.S. government reports credibly, China is engaged in an unceasing and highly successful cyber espionage campaign against the United States, its government and economic interests.

Yet to manage the threat from China, there has to be effective diplomacy. To get to that point, we need to answer two rather intriguing questions:

  • Could poor cyber relations with China also be the fault of the Americans for some reason?
  • Or maybe both sides are fueling each other’s dangerous behavior?

For starters, in the diplomatic realm there is no other relationship on cyber issues like it. China and the European Union (EU) get along quite well on cyber issues, including joint research through OpenChina ICT.

Certainly, there is less acrimony and less overt suspicion between these two powers. Russia and China, for their part, have signed an agreement to limit hacking against each other.

This is quite surprising, given that Russia trusts China even less than it trusts the United States on cyberspace issues. Beyond Russia, China’s relations with India and Japan are not so bad in this field either.

All of which demands an answer to this question: If China has been able to keep business-like relations with all other partners on cyber issues, in spite of its rampant cyber espionage against them, then why is its cyber relationship with the United States so much worse than with other major powers?

Why is only the United States a problem

At one level, the present state of affairs can be explained easily and positively for the United States. It can (afford to) be more strident in its diplomacy than any other Western country because it is more powerful.

In addition, relative to most countries that are getting along better with China in cyber affairs, the United States also puts more stock in certain issues of principle, such as human rights protections in cyberspace or theft of intellectual property.

Washington also believes that it has to stand up to China on such issues, not least because of the way in which China’s power is disturbing American allies in the Pacific. This is, after all, one motivation of the “rebalance” in U.S. strategic policy.

At another level, the style and tone of current U.S. cyber diplomacy toward China looks surprisingly messy. This is unexpected because U.S. diplomacy toward China under Obama has generally been very impressively organized and thought through.

The best way to understand the current situation is to point to several negative factors which, in their sum total, undermine the coherence of U.S. cyber diplomacy. They include:

  • A misplaced U.S. sense of moral outrage which, in turn, arises from the mistaken belief that there are unambiguous norms in cyberspace – as if there really were a black letter law like the Ten Commandments, so to speak – that China is flagrantly violating
  • Failure to appreciate China’s deep insecurity in cyberspace (its internal and external security dilemmas)
  • Lack of knowledge of the detail of U.S. cyber espionage and cyber military operations against China (the “need to know” principle keeps the detail totally concealed even from some key players in the U.S. administration who shape cyber diplomacy toward China). In addition, there is no net assessment readily available
  • Unresolved inter-departmental turf disputes (e.g., the Pentagon or NSA skewing the cyber debate for institutional interests)
  • Inflation of the threat from China’s theft of intellectual property (as argued by Jon Lindsay and me)
  • A failure to give due weight to the consideration that most cyber systems are inherently vulnerable and cannot be secured against a determined cyber adversary
  • The emergence of the U.S. cyber security industry as a lobby group that is very alert to all of the above and plays it for commercial gain (e.g. the Mandiant report)
  • A lack of understanding of how dependent China is on the U.S. and Allied supply of communications and information technology
  • An almost hysterical relationship between the two major political parties inside the United States on national security issues
  • A mass media environment that is all too receptive to cyberspace dramas and anti-China stories.

Need for an anti-China argument

This Democratic Administration is particularly susceptible to some of those traps. Deep down, it feels that China is morally bankrupt.

On the economic front at home, it needs an anti-China argument to help buttress its defenses in the face of mass social dislocation arising from the erosion, resurgence and restructuring of the U.S. manufacturing industry.

Consider, for example, the 2014 decision to bring court indictments against five PLA personnel for cyber espionage. The court action rather unexpectedly named the Allied Industrial and Service Workers International Union (a.k.a. United Steelworkers) among the victims.

The labor movement, a key Democratic constituency, has been a particularly active opponent of Administration policy toward China on off-shoring of the manufacturing industry (and other issues such as exchange rate manipulation and human rights).

Then there is the eternal Washington “logic” of bureaucratic politics. Consider this. On the one hand, security chiefs all across the United States already have staggeringly large budgets and resources at their disposal.

On the other hand, it is very difficult for them to admit that their technical skills and technologies have not been good enough in most cases to stop China’s cyber thievery.

Would it be surprising therefore for all of them to fall unconsciously into finding a common public scapegoat, a “whipping boy,” a strategy that downplays other bad cyber actors, such as Russia, Israel, France and even Iran? Enter the China blame game.

This is not to say by any means that China is without fault. Far from it. But what is equally undeniable is that the impact of the China cyber threat relative to other threats is exaggerated by the U.S. cybersecurity community.

The other side of that same coin is that the U.S. capabilities and reach into Chinese networks is conveniently belittled – and strategically obscured.

Major U.S. media, always interested in their ratings and click statistics, are all too happy propagators of that one-sided threat world.

Industry as a middleman

What is particularly ironic, given all the U.S. charges against China, is the deep integration of the cyber industry sectors of the two countries. China depends on the United States for its own cyber power.

Meanwhile, leading U.S. suppliers of communications and information technology are heavily dependent on China in their supply chain or even as a source of final manufacturing.

Their level of involvement in China is so deep that they have even lobbied against U.S. sanctions on China for cyber espionage.

What is to be done?

The challenge from here on out is to begin to unravel this entanglement of influences and to base U.S. cyber diplomacy on a more sophisticated notion of everything that is actually playing out.

The détente experience of Soviet-U.S. relations in the Cold War era suggests that less outrage about espionage and a more nuanced appreciation of its limited impacts relative to the larger military threats could lead to better – more realistic – relations.

If both sides choose to hype the “irresponsibility” of the other side, nobody really wins. the only winners will be those who are keen on undermining a constructive, future-oriented relationship.

As the EastWest Institute, Henry Kissinger and Jon Huntsman have argued, cyber détente with China is possible. If America’s European Allies, Japan, India and Russia can do it, why does the U.S. policy toward China on this issue have to look – and feel – so very different?


US and China, both say they want dialogue and cooperative behavior on cyberspace issues.

US security chiefs won’t admit that their technology wasn’t able to stop China’s cyber thievery.

The US cybersecurity community exaggerates the impact of the China cyber threat.