The US-China cyber agreement still matters, but it’s not enough

Earlier this month, the U.S. and China reaffirmed a two-year-old commitment to refrain from state-sponsored cyberattacks on one another’s private sector companies.

The new pact was announced to relatively little fanfare as part of the first U.S.-China Law Enforcement and Cybersecurity Dialogue (LECD) on October 4 – the same day that ousted Equifax CEO Richard Smith testified before the Senate Banking Committee on the company’s massive data breach, and the same week that Facebook handed over Russia-linked political ads to Congress. In a week dominated by cybersecurity headlines threatening American economic and political stability, the outcomes of the LECD barely registered.

{mosads}Even in this rapidly evolving landscape of cyber threats, the U.S.-China cyber pact is still relevant – it’s a rare example high-level policy pressure producing a cyber agreement that has achieved some measurable degree of success. But it alone can’t fix the very real U.S. concerns regarding Chinese cyber capabilities. Here’s why we should still be paying attention.

What the agreement means

The original cyber agreement with China resulted from a September 2015 summit between President Obama and Chinese President Xi Jinping. At the time, the U.S.-China relationship was fraught with tension stemming from cyber disputes on both sides: a U.S. cybersecurity firm had released a report linking nearly a decade of corporate intellectual property theft to a Chinese military-supported hacker outfit. Shortly thereafter, the America’s own mass surveillance activities were revealed with Edward Snowden’s disclosures about NSA programs. A few months later, the U.S. indicted five Chinese military officials on criminal charges for cyber espionage, and President Obama issued an executive order allowing individual sanctions for “malicious cyber-enabled activities.” Later that same month, the U.S. Office of Personnel Management (OPM) detected an unprecedented breach of 22 million federal employee records that was later attributed to China.

In this context, any consensus with China on cyber issues was at least a nominal step forward. The agreement states that “neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property … with the intent of providing competitive advantages to companies or commercial sectors.” A mix of optimism and cynicism accompanied the announcement.

It’s true that there are significant loopholes. Neither side renounced “traditional” cyber espionage, or even intellectual property theft for purposes other than economic gain. But the pact both recognized corporate cyber espionage as a persistent threat to the relationship, and established basic communication and accountability mechanisms.

Why it matters

The 2015 agreement matters primarily because, for the most part, it worked. In the first year after the pact, both public and private sector analysts noted a precipitous drop in economic espionage cyberattacks on U.S. firms originating from Chinese actors. At the time, CrowdStrike co-founder Dmitri Alperovitch told NBC News that the drop-off in hacks was “the biggest success we’ve had in this arena in 30 years.” Though other sources indicate that the decline in China-based corporate hacks started before the agreement in mid-2014, the downward trend continued to extend after it was enacted. China seems to have stuck to the letter of the agreement.

It’s also a positive sign that the agreement has endured as a basis for dialogue now, even as both China and the U.S. have launched massive overhauls in their respective approaches to governing cyber operations. In a chaotic sector and across political transitions on both sides, this is one point of stability.

Where it falls short

Quite simply, this agreement won’t prevent all hacks or espionage originating from China. It targets a very specific subset of intrusions – state-sponsored, targeting intellectual property, motivated by private sector benefit — and ignores other cyber issues that have since come to the fore (like cyberattacks on critical infrastructure or election tampering, for example).

And while it’s true the agreement has effectively curbed Chinese intrusions into U.S.-based companies for the purposes of intellectual property theft, it cannot address government intrusions into private firms’ systems under the auspices of the country’s 2016 Cybersecurity Law. That domestic regulation requires all digital companies operating in China — even U.S.-based multinationals like Apple, Google, and Amazon — to comply with regular government security reviews of hardware and software, as well as making their services available as requested for “national security” purposes. Tapping into China’s market of 731 million internet users, then, already requires U.S. companies to assent to a certain amount of Chinese government access.

Finally, the nature of cyber threats has evolved considerably in the 24 months since the U.S-China agreement was inked. Other state actors, notably Russia and North Korea, have demonstrated their ability to conduct large-scale cyber intrusions. The nature of the target has shifted as well: A growing pool of personally identifiable data has emerged alongside corporate intellectual property as a lucrative prize for hackers.

Reaffirming this agreement may be a small step in the right direction, but the U.S. has significant work ahead to build a more comprehensive cyber defense infrastructure.

Kaelyn Lowmaster (@TheLowmaster) is the principal analyst for One World Identity, an independent research and advisory firm focused on identity.