Cyber Defense Review

No-Hack Pacts – Beijing Assumes a Global Leadership Role

By Emilio Iasiello | January 12, 2016

Introduction

Following up on its historic “no-commercial hack pact” with the United States, China has entered into a similar agreement with the United Kingdom and is working on a similar deal with Germany. Capitalizing on these developments, in November 2015, senior-level representatives of the G20 pledged not to engage in cyber-enabled economic espionage to support their respective commercial interests.[1] While it had seemed highly improbable that East and West could reach common ground, in a span of months the leading economic powers, as well as some of the more offensive-capable cyber states, identified cyber espionage for financial advantage as a line that all agreed not to cross in the future. Beijing’s position in each of these endeavors projects the image of a country looking to downplay its previous suspected cyber espionage activities by promoting no-hack agreements to demonstrate its commitment to preserving stability in cyberspace, while assuming a leadership role from which it will help influence future cyber decisions of the international community.

China as Global Cyber Security Leader

While seemingly groundbreaking, this is not the first time China has reached terms on a “no hack” agreement with a foreign state. In May 2015, China and Russia made a similar promise, only theirs went a step further in agreeing to jointly counteract technology that may “destabilize the internal political and socio-economic atmosphere,” “disturb public order” or “interfere with the internal affairs of the state.”[2] This comes as little surprise, as China and Russia share comparable views with regard to information security and have collaborated previously on a proposed nation-state code of conduct in cyberspace, which they presented before the UN General Assembly in September 2011[3] and followed with a revised code in January 2015.[4]

While the G20 communiqué did not reach the same depth of consensus as the China-Russia bilateral, two important outcomes were achieved in Turkey: one, the member states clearly separated cyber-enabled espionage for commercial competitive advantage from activities that supported national security interests; and two, all agreed that international law statutes applied to cyberspace.[5] While the United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security provided similar recommendations in its 2015 report,[6] this marked the first time the world’s leading economies found common ground on the need to secure information and communications technologies to preserve continued economic growth.

The results from the G20 are significant in that, of the 20 nation states represented, several are believed to be significant cyber powers that have been suspected of carrying out various levels and volumes of hostile cyber activities. While Chinese and Russian cyber activities have been well documented, some of the other G20 member governments are also believed to be engaged in similar espionage efforts against foreign targets. According to the 2011 Office of the National Counterintelligence Executive report, France was identified as a perpetrator of commercial espionage.[7] One news source cited Germany for conducting similar activities against France.[8] Canada is suspected of engaging in cyber exploitation against Brazil.[9] Even the United States, according to a news report, has admitted to spying on economic targets but not to benefit US firms,[10] a fine nuance the US believes separates it from some of the other countries engaged in the practice.

Furthermore, if recent news reporting is accurate, following the intrusion against Italy’s notorious Hacking Team – the company that sells invasive cyber tools to governments and law enforcement and intelligence services – a Pastebin dump[11] of stolen Hacking Team information revealed that at least five other nation states in the G20 have acquired technology to conduct activities consistent with cyber surveillance and intrusion, a number that could be higher based on commentary from a South Korean intelligence official.[12]

The US threat of imposing sanctions against China can certainly be viewed as the catalyst for Beijing to pre-emptively arrest hackers prior to President Xi Jinping’s September state visit to the United States. The strategy proved successful; the meeting occurred without either side losing face, and the no-commercial-hack pledge allowed the US to shelve the sanctions for the time being. Shortly thereafter, China reached out to the United Kingdom and Germany to negotiate similar agreements. By engaging these governments directly, China may have neutralized any potentially similar punitive repercussions from the very states that have previously publicly admonished suspected Chinese cyber espionage.

Taken collectively, these incidents of cyber espionage, as well as the exposure of governments engaged in surveillance activities, likely influenced the 20 richest countries – and therefore potentially the biggest targets for commercial cyber espionage – to agree to abstain from “commercial theft of intellectual property, trade secrets, or confidential business information.” More importantly, they have thrust China into a leadership position in brokering these types of arrangements. While China’s pact with the US may have been influenced by the possibility of retribution, Beijing, and not Washington, prompted similar agreements to be negotiated with the United Kingdom and Germany. Much of the language expressed in the G20 communiqué is similar to earlier agreements, intimating that Beijing may have had a hand in crafting the terms and conditions.

Despite such progress, skeptics of China’s sincerity remain; one security company’s reporting suggests that Chinese espionage activity is still targeting US companies even after Beijing made its pact with Washington.[13] Although some, like U.S. Cyber Command’s deputy commander,[14] believe that abatement will transpire over time, Beijing will have to continue to demonstrate its commitment toward influencing a reduction of such activity, as well as cooperate with foreign governments on cyber-criminal matters. If it does this, Beijing will continue to build the trust of the international community, gradually dimming the bright lights that have long shone on its cyber malfeasance.

At the end of the day, China has achieved a notable success; while not admitting any involvement in hacking, Beijing demonstrates its willingness to work with Western governments on the very issue for which it is blamed, a thematic contrast to perceptions that it is unreachable on these issues. More importantly, these agreements portray Beijing as a leader that is proactively addressing cyber espionage activities, especially with those countries it is believed to have pervasively targeted.

Conclusion

This puts Beijing in a favorable position when it meets with the US in December 2015 at the first ministerial-level discussions on cyber security since Beijing cut off talks after the 2014 Department of Justice indictment[15] of five People’s Liberation Army officers for economic espionage. Instead of coming to the table as a perceived aggressor, China can come as an equal partner in influencing remaining cyber areas of question – such as Internet governance and other areas of nation-state codes of conduct – that as yet have no consensus-driven resolutions. The opportunity is there for two cyber powers to provide the necessary leadership in cyberspace and set the course for others to follow. China has not only brought itself in from the cold, but is positioning itself for a prime spot by the fire.

 

References

[1] Ellen Nakashima, “World’s Richest Nations Agree Hacking for Commercial Benefits Is Off-Limits,” The Washington Post, November 16, 2015, https://www.washingtonpost.com/world/national-security/worlds-richest-nations-agree-hacking-for-commercial-benefit-is-off-limits/2015/11/16/40bd0800-8ca9-11e5-acff-673ae92ddd2b_story.html.

[2] Olga Razumovskaya, “Russia and China Pledge Not to Hack Each Other,” The Wall Street Journal blog, May 8, 2015, http://blogs.wsj.com/digits/2015/05/08/russia-china-pledge-to-not-hack-each-other/.

[3] United Nations General Assembly, “Letter Dated 12 September 2011 from the Permanent Representatives of China, the Russian Federation, Tajikistan, and Uzbekistan to the United Nations Addressed to the Secretary-General,” A/66/359, September 14, 2011, https://ccdcoe.org/sites/default/files/documents/UN-110912-CodeOfConduct_0.pdf.

[4] United Nations General Assembly, “Letter Dated 9 January 2015 from the Permanent Representatives of China, the Russian Federation, Tajikistan, and Uzbekistan to the United Nations Addressed to the Secretary-General,” A/69/723, January 13, 2015, https://ccdcoe.org/sites/default/files/documents/UN-150113-CodeOfConduct.pdf.

[5] G20 Leaders Communiqué, Antalya Summit, November 15-16, 2015, http://www.gpfi.org/sites/default/files/documents/G20-Antalya-Leaders-Summit-Communiqu–.pdf.

[6] “UN Group of Governmental Experts: Developments in the Field of Information and Telecommunications in the Context of International Security,” Council on Foreign Relations, July 22, 2015, http://www.cfr.org/internet-policy/un-group-governmental-experts-developments-field-information-telecommunications-context-international-security/p36949.

[7] “Foreign Spies Stealing US Economic Secrets in Cyberspace,” Office of the National Counterintelligence Executive, October 2011, http://www.ncsc.gov/publications/reports/fecie_all/Foreign_Economic_Collection_2011.pdf.

[8] Melodie Bouchaud, “Germany Accused of Spying on France and Engaging in Industrial Espionage on Behalf of NSA,” Vice News, April 30, 2015, https://news.vice.com/article/germany-accused-of-spying-on-france-and-engaging-in-industrial-espionage-on-behalf-of-nsa.

[9] “Canada Busted in Industrial Espionage Targeting Brazil,” WashingtonsBlog, October 7, 2013, http://www.washingtonsblog.com/2013/10/canada-busted-in-industrial-espionage-in-brazil.html.

[10] Ellen Nakashima, “World’s Richest Nations Agree Hacking for Commercial Benefits Is Off-Limits,” The Washington Post, November 16, 2015, https://www.washingtonpost.com/world/national-security/worlds-richest-nations-agree-hacking-for-commercial-benefit-is-off-limits/2015/11/16/40bd0800-8ca9-11e5-acff-673ae92ddd2b_story.html.

[11] “Hacking Team Client Renewal,” Pastebin, July 5, 2015, http://pastebin.com/MP8zpQ26.

[12] Raphael Satter, “Hacking Team Hacked: Italian Firm’s Breach Puts Spies in Hot Seat,” San Jose Mercury News, July 16, 2015, http://www.mercurynews.com/business/ci_28493455/hacking-team-hacked-italian-firms-breach-puts-spies.

[13] Ellen Nakashima, “China Still Trying to Hack U.S. Firms Despite Xi’s Vow to Refrain, Analysts Say,” The Washington Post, October 19, 2015, https://www.washingtonpost.com/world/national-security/china-still-trying-to-hack-us-firms-despite-xis-vow-to-refrain-analysts-say/2015/10/18/d9a923fe-75a8-11e5-b9c1-f03c48c96ac2_story.html.

[14] “China Still Trying to Hack U.S. Firms Despite Xi’s Vow”.

[15] “U.S. Charges Five Chinese Military Hackers for Cyber Espionage Against U.S. Corporations and a Labor Organization for Commercial Advantage,” Department of Justice, Office of Public Affairs, May 19, 2014, http://www.justice.gov/opa/pr/us-charges-five-chinese-military-hackers-cyber-espionage-against-us-corporations-and-labor.


