U.S.-China Cyber-security Agreement Lacks Teeth, Has Holes

NEWS ANALYSIS: An agreement between the nations not to conduct economic espionage holds promise, but only if adequate sanctions are part of the discussion, security experts say.


When President Xi Jinping arrived in Washington, D.C., last week, the U.S. government had already started threatening to levy sanctions against China for continuing to aid, and in many cases sponsor, domestic hackers in efforts to steal sensitive information from the U.S. government and companies.

Yet an 11th-hour agreement between China and the United States promises to put a halt to any government cyber-operations designed to boost domestic industries. In a joint press conference, President Obama and President Xi pledged that both countries would eschew economic espionage in the future.

"Both governments will not be engaged in or knowingly support online theft of intellectual properties," President Xi told assembled press. "And we will explore the formulation of appropriate state, behavior and norms of the cyber-space."

The agreement falls short in many areas, however. For one, both countries are promising only not to conduct economic espionage. Cyber-espionage conducted for national-security reasons remains a legitimate activity. The recent compromises of the U.S. Office of Personnel Management and health insurance provider Anthem—organizations that could both justifiably be considered valid national-security targets—were attributed to Chinese actors, and both remain targets today.

For that reason, government agencies and companies will not see any respite because of the agreement. Rather, they will both have to beef up their defenses because attackers have no reason to stop, Dmitri Alperovitch, co-founder and CTO of security services firm CrowdStrike, told eWEEK.

"I think with the OPM breach—that's on us," he said. "You cannot blame the Chinese for trying. Our own people have said they would have done the same thing, if they had a chance."

As long as the costs are worth the benefits, such attacks will continue, Alperovitch said.

More significantly, the agreement has very little structure, although few details have been provided to the media. It fails to define the boundary between economic espionage and national-security espionage, and it fails to discuss penalties for crossing that boundary. Without the former, any nation can claim that an attack was carried out for national-security reasons.

But more importantly, without a framework for sanctions or other policy measures to punish countries that hack other nations, cyber operations will continue to target government agencies and companies, said Jason Healey, a senior fellow with the Cyber Statecraft Initiative at the Atlantic Council, a policy think-tank. In a report published in September, the analyst group estimated that burgeoning cyber-crime and cyber-espionage could cost the worldwide economy up to $90 trillion in unrealized benefits.

While the U.S.-China agreement on economic espionage has set the stage for further discussions, it needs stiff penalties to deter each side from crossing the newly drawn lines. Deterrence, in general, requires that the participants worry that they will be caught and, if they are caught, they will face meaningful punishment. Without those two conditions, deterrence is not possible, Jen Ellis, senior director of community and public affairs for Rapid7, told eWEEK in a recent interview.

"So when you look at it in that context, the reality is that deterrence is pretty unlikely to work for cyber," Ellis said. Attributing hacks to specific actors or nations is difficult, and levying punishment when the economies of China and the United States are so intertwined is unpalatable for politicians on both sides, she added.

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...