A New Cyber State of Affairs

Clear your calendars…or, at least the ones on your phone and computer. Thanks to a presidential proclamation, this October is once again National Cybersecurity Awareness Month (NCSAM). For those not familiar with the annual tradition, NCSAM is a time to encourage safe cyber practices. As President Obama explained, it is a chance to “enhance our national security and resilience” with Internet mindfulness and responsibility. With the continuing coverage of former Secretary of State Hillary Clinton’s Server-gate and recent talk of a new information-sharing bill in the Senate, it seems October could not have come soon enough.

The Internet influences every aspect of modern society. For hours each day, individuals interact with each other on the web, creating content and sharing ideas around the world. Independent of physical location, the Internet is a place where users can inspire action and be heard. In the Age of the World Wide Web, change is greater than countries and power stretches beyond state borders.

Despite this reality, though, states today continue to govern the Internet on their own terms. Just two weeks ago, we learned of a new cyber agreement reached between the United States and China. As much as the Internet is a shared space of individual influence, states are still the ones calling the shots. For them, the World Wide Web is nothing more than a web of self-interested sovereign control.

The United States and China have a complicated history in cyberspace. After years of suspected espionage, a report released in 2013 found that of all the intellectual property theft against American companies, 80 percent of it was from China. That same year, the cybersecurity company Mandiant released an analysis connecting Chinese cyberespionage to a special unit of the People’s Liberation Army (PLA). Acting on this information in 2014, the US Justice Department indicted five members of the PLA for their hacking of American firms.

This conflict is by no means one-sided either: Documents released by whistleblower Edward Snowden two years ago credit the National Security Agency with breaking into the systems of Chinese telecom company Huawei. Perhaps it was these uncomfortable revelations that made American officials so hesitant to blame China for its suspected role in the stealing of over 20 million personal records at the Office of Personnel Management this summer. No matter who was responsible for that breach, though, it is clear that tensions have been mounting between China and the United States over the last few years.

It was under these tense circumstances that President Xi Jinping traveled to the United States two weeks ago. After spending several days talking with tech companies in Silicon Valley, he arrived in Washington for meetings with President Obama and other senior level officials. On Friday, September 25, building on earlier negotiations between the two countries, Xi joined Obama in the White House Rose Garden for an important announcement.

As President Obama put it, the leaders had come to “a common understanding on a way forward,” reaching a new compromise on their activities in cyberspace. To start, the United States and China agreed to cooperate in their fight against cybercrime by working together to share information and launching investigations through their national Computer Emergency Readiness Teams. In a move reminiscent of Cold War conduct, Obama and Xi also approved the creation of a “hotline for the escalation of issues” between the countries. And to top it off, China and the United States committed themselves to future dialogues on issues of cybersecurity and to continue to develop “appropriate norms of state behavior…within the international community.”

As much as the Internet is a shared space of individual influence, states are still the ones calling the shots. For them, the World Wide Web is nothing more than a web of self-interested sovereign control.

Perhaps the most significant statement to come out of the US-China negotiations was in relation to commercial espionage. In an unanticipated declaration, Obama affirmed that “neither the US [n]or the Chinese government will conduct or knowingly support cyber-enabled theft of intellectual property.” With this statement, the two largest economic forces in the world set new standards for appropriate business behavior in the Digital Age.

Despite these announcements, though, the US-China negotiations have faced strong criticism over the last several weeks. Director of National Intelligence James Clapper, for example, is skeptical that cyberthreats will actually decrease. Referencing President Ronald Reagan’s famous phrase on nuclear agreements with the Soviet Union, Clapper believes the United States would have to “trust but verify” any cooperation with the Chinese.

The problem is that the Obama-Xi announcement leaves little room for any verification mechanisms. Considering China’s record of denying government support for cybertheft in the past, it is not hard to imagine the country’s leaders refuting their accountability again. The new agreement also raises concerns over China’s commitment to reform in the first place. Many believe it was “the threat of U.S. sanctions on [Chinese] citizens and business,” which Obama emphasized during the talks, that pressured President Xi into cooperation. If China only came to the table because of American pressure, then its support for a joint agreement is just an effort to avoid economic sanctioning; there will be little stopping the Chinese from continuing their clandestine Internet activity moving forward. And even if we assume China is fully committed to this deal, there are few tools for enforcement. Without full attribution on the Internet, it will be incredibly difficult for any country, China included, to track instances of cybertheft within their borders.

Beyond verification, there are many other things missing from this agreement. The deal makes no mention of state-sponsored attacks on critical infrastructure, nor does it properly restrict the cyberarms that can be used by either side. When it comes to international norms, President Obama and President Xi did not even endorse the recent suggestions laid out by the UN Group of Governmental Experts earlier this year. Instead, they simply “welcomed” its ideas and announced their own, separate bilateral agreement on cyber-enabled economic espionage.

In this way, China and the United States have succeeded in advancing their vision of a state-centric cyberspace. Ignoring the international community in favor of multi-stakeholder governance, they went ahead with their own interests, defining norms on their own terms. For the United States, this bilateral agreement represents an opportunity to restrain the rise of China, and for China, the chance to gain credibility by appearing to conform to international norms. Still, the agreement may not actually have that much to say about cybersecurity, and it may not be able to verifiably deter espionage. No matter how effective the deal proves to be, though, there is no denying its influence in putting states at the helm of Internet control.

This, of course, has many implications for the future. State-centric Internet means an Internet more susceptible to domestic government surveillance and a web more prone to politically motivated, foreign cyber attacks. For many people, a state-centric web also means more state censorship and the suppression of free expression online. Harvard Professor Joseph S. Nye, Jr., in an article last year, highlighted this consequence of country-level Internet control, making specific reference to China. Concerned with stability and security, the Chinese government has a system in place for information monitoring, a “Great Firewall” of censorship. Once “a harbinger of the end of government controls,” the Internet is quickly becoming a haven for government influence.

As National Cybersecurity Awareness Month, this October is a time to think about safe and secure practices on the Internet. Two weeks ago in Washington, President Xi and President Obama did just this. Announcing a new agreement on espionage, they sought to limit theft between the two states and promote safer practices in cyberspace. For them, though, Internet security is not a matter of global community or individual opportunity. As long as governments are in control, the World Wide Web will remain nothing more than a web of states.