0922 Measuring Cybersecurity Success at The Summit SJ CSIS
Measuring Cybersecurity Success at the Summit | Center for Strategic and International Studies
9/23/2015
argue that it meant some other code, but this nuance will be lost on most of the world
which will perceive that the initiative in cybersecurity is shifting to Russia and China.
If there is no reference to cyber espionage and no process to work on it, any summit
agreement has not addressed the most important source of tension between the two
countries. The Chinese will likely not want any reference to espionage in any document
(no country would), but language that talks about the need to continue discussions to
address other significant issues between the two countries and which identifies a process
to do so would indicate success.
If the summit agrees to simply restart the bilateral cybersecurity working group, it will
indicate a lack of seriousness on China's part. The working group was seen by China as a
concession to the United States intended to channel American discontent into harmless
exchanges. It was not senior enough to reach agreement and not connected to any larger
negotiation that could have produced agreement. A working group is useful only if it is
subsidiary to political-level talks.
The Summit would be successful if it was able to define and initiate a political-level
negotiation (e.g. at the sub-cabinet level), like the arms control negotiation with the Soviets
in the 1970s and 1980s. These talks should be open-ended. A corollary would be to create
regular military-to-military talks on cybersecurity between the People's Liberation Army
and senior U.S. military officials. The Chinese have resisted such talks even though it is
the PLA that is largely responsible for hacking. The Foreign Ministry has not been a
serious interlocutor on cybersecurity. Given the difficulty of the problem, the lack of
trust, and the importance of cyber espionage to powerful constituencies in China, the
most tangible result would involve agreement on process since there is really no near-term fix.
Cybersecurity can't be addressed in a vacuum. It is not sui generis but a product of the
larger security and trade issues that dog the evolving bilateral relationship. At a
minimum, there should be a recognition that China's new, restrictive laws and rules that
apply to American tech companies are as important a part of the cybersecurity problem
as critical infrastructure protection and a serious negotiation must address them. This
means that anything that emerges from the summit must create linkages (another term
from the arms control lexicon) among issues that the United States currently keeps
separate: critical infrastructure, intellectual property protection, governance and trade.
This broad approach runs counter to the bureaucratic division in the U.S. government,
but it will be more difficult to reach a sustainable agreement if they are not included in
any agenda. This, of course, argues for a senior, political-level negotiator who can
transcend bureaucratic stovepipes.
There is always a temptation at summits to focus on deliverables and to prefer good news
to bad, but this gives the other side an advantage, and settling on a good-news
deliverable means the problem of cybersecurity will continue to be a source of tension
and any agreement will be ineffective and unsustainable. The best outcome would be to
begin a serious, senior-level negotiating process that addresses the full range of issues.
The worst outcome would be one that endorsed already-agreed report language and
restarted unproductive working-level discussions. The summit will not solve the
cybersecurity problem, but if it is done right, it can be the beginning of a solution.
James Andrew Lewis is a senior fellow and director of the Strategic Technologies Program at
the Center for Strategic and International Studies in Washington, D.C.
Commentary is produced by the Center for Strategic and International Studies
(CSIS), a private, tax-exempt institution focusing on international public policy
issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific
policy positions. Accordingly, all views, positions, and conclusions expressed in
this publication should be understood to be solely those of the author(s).
© 2015 by the Center for Strategic and International Studies. All rights reserved.