Nearly a decade of international incidents resulting from cyberattacks between Chinese and American actors, both public and private, has made urgent the need for norms that restrain state conduct online. Alleged attacks on Google’s corporate infrastructure that were believed to originate in China put a damper on Sino-US relations during 2010, when several other American corporations – defense contractors among them – claimed foul play. Accusations of high-level hacking continued with the 2014 indictment of five People’s Liberation Army officers by a United States Federal Grand Jury on charges of commercial theft and a 2015 data breach that targeted information related to more than 21 million federal employees.
There are existing precedents for the establishment of norms that limit the progress of potentially dangerous global developments, like the Australia Group agreement on chemical weapons and the Missile Technology Control Regime, concerning aerospace advances. Cyber security presents daunting obstacles to the development of such norms, though, not least of all because cyberattacks are effectively espionage. Intelligence gathering, for the most part, has evaded the reach of international law; even relatively incapable states tend to oppose its regulation. If the international community continues to classify covert cyber activity as a form of intelligence gathering, existing mores suggest that hacking will continue to take place. Currently, international law and norms draw no sufficient distinction between simple system breaches and more malicious actions that damage or destroy systems, and such a distinction will almost certainly become necessary for the United States and China alike.
Take, for example, the use of a sophisticated computer virus to physically impede the progress of Iran’s uranium enrichment program. The virus, called Stuxnet, was introduced to the Natanz Nuclear Facility indirectly via an employee’s USB thumb drive. Though the virus is reported to have been developed by the United States and Israel for the purposes of inflicting physical harm on Iranian systems, its digital form and indirect introduction into the facility’s systems raise questions about whether it falls under Article 51 of the United Nations Charter as an “armed attack.” The 2014 hack of Sony Pictures, believed to have been conducted by North Korean operatives, poses a related problem: if the damage caused by the hack were considered an armed attack, the United States would have sufficient grounds in international law to retaliate.
The greatest source of complication on this matter is that states are not the sole actors capable of consequential cyberattacks. Non-state cyber actors, to an extent far beyond that of their offline counterparts, are still able to challenge the monopoly on “violence” that has characterized state viability from Hobbes to Weber. A group or individual equipped with the right hardware and expertise can inflict damage indiscriminately without any guarantee of detection or retribution. The democratized threat of cyberattack, then, introduces two likelihoods: First, that states will continue to develop cybersecurity capabilities with which to defend against and effectively dominate non-state actors, and second, that states with mature cyber capabilities and few deterrents will be tempted to make cyber weapons part of a broader, more mainstream arsenal.
At present, the confounding variable is ambiguity in the demarcation between public and private actors in China. Beyond the obvious concerns of which actors are state-sponsored or state-controlled, the Chinese government’s growing capacity to limit, monitor, and shape the online behavior of its citizens and companies raises questions about the state’s active involvement – or at least complicity – in seemingly private cyberattacks. A privately sanctioned hack for the purpose of stealing intellectual property, for example, may be construed as state-level espionage if the sophistication of the Chinese surveillance state precludes plausible deniability. Private hackers nevertheless remain a huge problem in China: Chinese companies reported a spike of nearly one thousand percent in cyberattacks on their systems between 2014 and 2016.
In sum, the urgency of dominating genuinely private actors and the necessity of limiting the state’s exposure to blame for the deeds of non-state affiliates demand that the Chinese government consolidate the nation’s cyber security capabilities. The 2015 National Security Law provides the pretext for sweeping policy changes rooted in the interest of national security writ large, which allows for the restructuring of China’s cyber security policy. As noted by the cyber security firm FireEye, consolidation of offensive capabilities under central military control has led to a pattern of fewer, more sophisticated hacks, suggesting that cyberattacks will be deployed less tactically than in the past.
China must either establish norms it feels ready to keep, or risk unpredictable retaliation. Simple hacks of intellectual property have grown more consequential in the age of data supply chains and enterprise-level cloud computing. A hack of Tesla’s data would present the U.S. government with a difficult case to interpret: in addition to the road safety concerns presented by a hack on Tesla’s software systems, there would be concerns of data breach at companies that share data with Tesla, like the aerospace contractor SpaceX and energy provider SolarCity.
In the event of a targeted attack sanctioned by any government today, retaliation could take on a variety of guises, regardless of the norms in place. Unlike the recent chemical weapons attack in Syria, which broke longstanding norms and agreements, a cyberattack’s impact on victims is both debatable and largely private, and any retaliation would be equally difficult to assess. A physical attack can be measured by damage or casualties and be easily decried, creating the rationale for a proportionate response to be measured in equal terms. Cyberattacks inflict damage that is not as easily quantified, and that presents a challenge for the establishment of any norms less stringent than a full ban.
In the near future, then, China should expand its focus beyond the scope of the 2016 cybersecurity law and develop an updated legal code that clarifies the government’s position on both public and private aggressors. Articles 64 and 66 of the new cybersecurity law, set to take effect in June of this year, outline the penalties for network providers who violate its terms, but not for hackers. A broad crackdown on private hackers and a codification of cyber policy with regard to existing international law are the next steps in avoiding international conflict, both online and off.