China’s Foreign Minister was right to say that China and the U.S. are not in a cyberwar. It is not in China’s interest to attack the U.S. or destabilize Wall Street, as the high degree of economic interdependence means an attack would harm China as much as the U.S. But this is not the same as saying all is well in cyberspace. There is real risk to both the bilateral relationship and to China’s relations with the rest of the world. The issue is not war, but cyber espionage. Cyber espionage exacerbates tensions and the situation will get worse until this changes.
The list of actions attributed to China in cyberspace is long. Australia says Chinese hackers broke into the Parliamentary email accounts of the Prime Minister and eleven other Ministers. Angela Merkel complained to Hu Jintao about Chinese intrusions into her office. French officials attribute recent backing incidents that took the preparatory documents for the G-20 Summit to China. The UK’s Domestic Security Service warns that hacking is a normal business practice in China and UK companies entering into negotiations will be targets. Canada says China hacked its leading finance agencies. South Korea says Chinese hackers took defense acquisitions plans and related technology. India ascribes numerous hacking incidents to China.
There are too many reports from too many sources over too long a period for this to be a coincidence. Most Chinese are unaware of these incidents, which are not reported in China. China is not always well attuned to international sentiment. This reflects the government's introspective nature and China’s controlled media. But China knows it has a problem – it was Chinese officials who put cybersecurity on the agenda of the recent bilateral Strategic and Economic Dialogue.
Both China and the U.S. use the internet for espionage and both will use it in military conflicts. Other countries do so as well. There is a damaging asymmetry, however, that hurts relations and increases the risk of dispute or conflict. China uses cyber espionage to advance its economic agenda. China is not the only country to engage in economic espionage against the United States, but it is the noisiest and least careful in its spying and it is the only country to combine cyber espionage with non-tariff barriers to trade, industrial subsidies, and other national programs that damage competition.
Western companies and governments once tolerated Chinese efforts to acquire technology illicitly. Access to the China market was worth the risk. Companies thought they could manage the risk to their intellectual property. The internet has changed that by significantly increasing the scope for economic espionage. The size of the losses can be measured only imprecisely, but if Chinese companies paid for the IP they took, the bill would run into the billions of dollars. We are not talking about piracy, with illegal copies of consumer software or some cartoon character. This is illegal entry into another company’s network and the exfiltration without permission of proprietary information. The U.S. is not the only victim – a German estimate puts that nation’s IP losses at $20 billion (in an economy a fifth the size of the U.S.), most attributable to cyber espionage and much of it attributed by the Germans to China.
Better cybersecurity requires China to make fundamental choices about its economic relations with developed countries, the strength of its WTO commitments and, ultimately, whether the U.S. is a partner or an opponent. The U.S. also faces difficult decisions as well, on trade and internet freedom policies that sometimes are in conflict. The need for choices on both sides means that progress in resolving important and potentially damaging cybersecurity issues could be difficult and slow, and the most complicated decisions lay before China..
China’s approach to cybersecurity policy reflects tensions and conflicting goals. China believes it can gain asymmetric military advantage through untrammeled cyber attack, but it fears the new U.S. cyber command. Economic espionage provides a technology boost, but will put bilateral relations at risk. China wants indigenous innovation but is undecided as to whether to force the use of Chinese technology or to cooperate with the west and accept western technologies that may have back doors. Access to information over the internet brings political risk, but restricting access will damage competitiveness in research and business.
China is not monolithic, and agencies and interests groups compete with each other. Chinese companies and individuals engage in cyber espionage – sometimes at the behest of the government and sometimes in their own interest. But the notion that private hackers can operate without government sanction for any length of time in a country that has put so much effort into controlling the internet is difficult to accept.
Cybersecurity is best seen as another chapter in China’s long effort to rejoin the international community, and in the international community’s effort to accommodate a major new power without sacrificing fundamental interests. There are many possible avenues for cooperation. Law enforcement cooperation could expand for bank fraud. Transparency and confidence-building measures can reduce the chance of inadvertent military conflict. Nevertheless, tensions over cybersecurity will continue to grow until China brings the core issue – economic espionage – under control. This risk that the cybersecurity issue will spill over into the larger trade arena or exacerbates increasing military tensions suggest that faster progress is essential.
James Andrew Lewis is a senior fellow and director of the Technology and Public Policy Program at the Center For Strategic & International Studies, where he focuses on technology, national security, and the international economy.