The realms of cybersecurity and cyber foreign relations are still relatively new — and often poorly understood by many policy makers. Unfortunately, the digital world continues to be treated as a highly specialized area of policy, despite the huge role it already plays in most aspects of everyday life.
Since cybersecurity has such a large impact on world affairs, officials are desperately struggling to find both strategies to manage it and the right vocabulary to talk about it. To resurrect a term only a few decades old, it is no exaggeration to say that a world power detente in cyberspace is vital to stability and safety. It is a term that’s apropos, not least because the command and control of nuclear-armed missiles depends in part on a securable digital space.
Detente was forged between the United States, Western Europe, and the Soviet Union after decades of Cold War tension, and under the threat of a nuclear exchange. Today — with the stakes less deadly, but nonetheless important — detente is badly needed between the United States and China. Both powers say they want dialogue and cooperation on cyberspace issues, yet the two countries are still worlds apart. Chinese President Xi Jinping’s first state visit to the United States this fall will put this issue front and center yet again.
Recent news headlines — in particular the theft of personal data of more than 20 million US citizens in the records of the federal government’s Office of Personnel Management — make it appear to the American public that the frosty relations on cyber issues are all China’s fault.
To be sure, as the US government reports credibly, China is engaged in an unceasing and highly successful cyberespionage campaign against the United States, its government and economic interests.
Yet, this public tension with China is an international outlier. China and the European Union get along quite well on cyber issues, including joint research through the OpenChina-ICT project. Russia and China, for their part, have signed an agreement to limit hacking against each other. This is quite surprising, given that Russia trusts China even less than it trusts the United States on cyberspace issues. Beyond Russia, China’s relations with India and Japan are not so bad in this field either.
If China has been able to keep business-like relations with all other partners on cyber issues, in spite of its rampant cyberespionage against them, then why is its cyber relationship with the United States so much worse than with other major powers?
At one level, the answer is obvious: The United States can afford to be more strident in its diplomacy than any other Western country because it is more powerful. In addition, relative to most countries that are getting along better with China in cyber affairs, the United States also puts more stock in certain issues of principle, such as human rights protections in cyberspace or theft of intellectual property.
Washington also believes that it needs to stand up to China on such issues, not least because of the way in which China’s power is disturbing American allies in the Pacific. This is, after all, one motivation of the rebalance in US strategic policy.
Even so, the style and tone of current American cyber diplomacy toward China look surprisingly messy. This is unexpected: US diplomacy toward China under Obama has generally been impressively organized and thought through.
US perceptions about China in cyberspace hinge on a few mistaken beliefs. They include the notion that there are unambiguous norms in cyberspace that China is flagrantly violating; a failure to appreciate China’s deep insecurity in cyberspace; a lack of knowledge of America’s extensive cyberespionage and cyber military operations against China; and an inflation of the threat from China’s theft of intellectual property.
Of course, the US cybersecurity industry as a lobby group is very alert to all of the above and plays it for commercial gain. Yet officials rarely note that most cybersystems are inherently vulnerable and cannot be secured against a determined cyber adversary.
This is not to say by any means that China is without fault. Far from it. But what is equally undeniable is that the impact of the China cyberthreat relative to other threats is exaggerated by the US cybersecurity community.
All of this is particularly ironic, given the deep integration of the cyberindustry sectors of the two countries. China depends on the United States for its own cyber power. Meanwhile, leading American suppliers of communications and information technology are heavily dependent on China in their supply chain or even as a source of final manufacturing. Their level of involvement in China is so deep that they have even lobbied against US sanctions on China for cyberespionage.
The challenge from here? To unravel this entanglement of influences and to base future cyber diplomacy on a more sophisticated notion of the world as it is.
The Soviet-US detente in the Cold War era suggests that less outrage about mutual espionage, and a more nuanced appreciation of its limited impacts relative to the larger military threats, could lead to better — more realistic — relations.
Greg Austin is a professorial fellow at the EastWest Institute and author of “Cyber Policy in China.”
Clarification: Due to an editor’s error, an earlier version of this column did not specify that this September is President Xi’s first state visit to the United States.