The recent Sony hack in response to The Interview provides an opportunity for Chinese and American decision makers to rethink their cyber policies and bilateral cyber cooperation. Recently, there have been too many comments and opinions in the press discussing how the U.S. and China should respond respectively. Most of the views, however, neglect the fact that cyber-attacks are a new threat coming from a new domain, which could not be resolved through traditional thinking and methods. Here, I would like to define cyber security from a theoretical perspective, share my observations on Chinese and U.S. cyber polices, and then try to put forth a framework on how China and U.S. cooperate on cyber security.
Was the Sony hack a cyber-attack, cyber terrorism or even a cyber war? Cyber experts differ in their prognostications, but the U.S. government has to make it clear before fighting the attacker, which President Obama said was North Korea. In the real world, the differences among attack, terrorism and war are quite clear. We can categorize them either from the actors or from targets, while in the cyberspace, there is no clear boundary among all these behaviors.
President Obama used the term “cyber vandalism” to describe North Korea’s behavior. Vandalism is not a new word. However, using cyber vandalism not other terms mentioned above speaks to the dilemma the Obama administration now finds itself in over this incident. As David Rothkopf wrote in Foreign Policy, “the president has sought to send a message that whatever response the United States will undertake in response to the North Korean attack will be proportional.”
The reason why the Obama administration hesitates to take action to counterstrike is obvious—the U.S. does not have many options available in dealing with an isolated nuclear country like North Korea. Ironically, we are living in an interdependent world. When dealing with a self-isolated country, even the most powerful country runs out of wit punish it. We have to admit that the world is not ready to embrace the cyberspace, although it has completely changed our life, including international relations. More importantly, there are still no widely accepted international rules and norms to regulate a country’s behavior, let alone punish violations. Sony’s hack could be the kind of problem that countries have to confront in the future, and America’s dilemma could be the challenge facing any government. The priority for governments is to develop norms and rules in global cyberspace governance.
Global efforts on cyberspace governance could be traced back to the 2001 World Summit on Information Society (WSIS) or even earlier. However, the process of the cyberspace governance has since stalled. Major countries including China and the U.S. are divided into two different groups: generally speaking, countries who support cyber sovereignty and countries who stand against it. Almost 15 years on, there seems to be little hope to reach agreement on the basic principle of norm building in the near future, though complexity has grown over related issues. What is dangerous is that China and the U.S., the two key players in cyberspace governance, still view each other’s cyber polices and strategies with deep suspicion.
China had suspended the cyber security working group with the U.S. and almost all other dialogue channels immediately after the DOJ indicted five PLA officers for economic espionage. The indictment was unnecessary and played up China’s threat in terms of cyber security. China has asked its U.S. counterparts several times to provide evidence, The U.S. government, for its part, rejected and decided to indict without informing China in advance. This incident has only deepened their distrust on cyber affairs. At the recent World Internet Conference in China, there was no U.S. official among the participants. When I asked cyber policy makers from both sides to describe the current bilateral relationship, the Chinese expressed their disappointment and anger, while the Americans used the word frustration. Both sides are not ready to talk.
Now the Sony hack provides an opportunity to resume their cyber dialogue. First, cyber security is a common threat for all governments, which calls for a joint response. The Sony hack or other kinds of cyber terrorism will become major challenges for national security. Terrorists could use any country’s Internet infrastructure as a proxy to launch cyber attacks. Therefore, information sharing, joint investigations, and cooperation on anti-intrusion technologies are indispensable for any country in countering cyber terrorism.
In addition, with such a complex and interdependent cyberspace, China and the U.S. have no other alternative but to work together. There are many misperceptions about each other’s cyber policy in the media. Experts and even policy makers have failed to set the record straight. The truth is we are not merely interdependent; we are indelibly interconnected. U.S. IT companies such as, CISCO, Microsoft, Apple, Intel, Qualcomm, IBM, Oracle, not only take the biggest share in China’s market, but are also part and parcel of China’s internet infrastructure. Meanwhile, Huawei, ZTE, Lenovo have entered the U.S. market, hiring local employees and operating under American laws and regulations. Baidu, Alibaba and Tencent, the “BAT” as we call them in China, are all listed on the NASDAQ, whose shares are held by not only the Chinese but also American citizens and global investors.
Lastly, China and the U.S. should create a new mechanism for dialogue. The cyber security working group is a failed test to build trust. Part of the reason may be that the U.S. pushed too hard under this framework or it is not ready to change its stance after Snowden revelations. Anyway, it is hard and unnecessary to resume the same old mechanism under the current situation.
To resume the talks, China and U.S. should take several steps to conduct multi-tiered dialogues among different departments. First, top leaders of the two countries should lay down general principles on cyber issues instead of focusing on specific cases, so as to set the stage for future cooperation. Second, there should be direct talks between departments, including foreign affairs, law enforcement, industry, and military.
Military to military dialogue is extremely important, as they are not only the decision makers, but also the most powerful cyber policy implementers. Overall, without communication among all these decision making departments, there will not be real trust in cyberspace.
As the story of Sony hack continues to play out, it is time for China and the U.S. to do something to make it clear who should be held accountable and how to prevent such violations from happening again.
