9/23/2015

MeasuringCybersecuritySuccessattheSummit|CenterforStrategicandInternationalStudies

Measuring Cybersecurity Success at the

Summit
By James Andrew Lewis[1]
Sep 21, 2015
If press reports are accurate, it is a welcome development that the United States and
China (in response to the threat of sanctions) have begun negotiations on cybersecurity
in preparation for the upcoming summit. The Obama administration has a unique
moment of leverage on cyber security with China and must be careful not to squander it.
We cannot expect the summit to fix the problem this will be a long process if it is
serious but we can look for certain outcomes that can demonstrate whether these
presidential talks point to progress or are just another gesture.
If the only thing to emerge is an endorsement of the 2015 UN Group of Government
Experts Report, hold your applause. The United States and China agreed to this report in
June and presidential endorsement does not greatly improve the situation. The norms in
the report, while useful, do not deal with the principle source of tension with China
espionage and theft of intellectual property and the UN Report includes annoying
language proposed by Russia and aimed at the United States that any accusation of
hacking must be substantiated.
An agreement not to attack critical infrastructure in peacetime is of symbolic value
only. Neither China nor the United States intends to attack the others critical
infrastructure in peacetime. This language is already in the June UN Report.
A Summit endorsement of a Code of Conduct for cyberspace would be a major U.S.
concession to the Chinese that the United States should not give without some
significant and verifiable benefit in return. The code was drafted by Russia and China and
its principle aim is to diminish the application of human rights and free access to
information. If a reference to the Code of Conduct appears, the United States could try to
chromeextension://iooicodkiihhpojmmeghjclgihfjdjhj/front/in_isolation/reformat.html

1/4

9/23/2015

MeasuringCybersecuritySuccessattheSummit|CenterforStrategicandInternationalStudies

argue that it meant some other code, but this nuance will be lost on most of the world
which will perceive that the initiative in cybersecurity is shifting to Russia and China.
If there is no reference to cyber espionage and no process to work on it, any summit
agreement has not addressed the most important source of tension between the two
countries. The Chinese will likely not want any reference to espionage in any document
no country would but language that talks about the need to continue discussions to
address other significant issues between the two counties and which identifies a process
to do so would indicate success.
If the summit agrees to simply restart the bilateral cybersecurity working group, it will
indicate a lack of seriousness on Chinas part. The working group was seen by China as a
concession to the United States intended to channel American discontent into harmless
exchanges. It was not senior enough to reach agreement and not connected to any larger
negotiation that could have produced agreement. A working group is useful only if it is
subsidiary to political-level talks.
The Summit would be successful if it was able to define and initiate a political level
negotiation (e.g. at the sub-cabinet level), like the arms control negation with the Soviets
in the 1970s and 1980s. These talks should be open ended. A corollary would be to create
regular military-to-military talks on cybersecurity between the Peoples Liberation Army
and senior U.S. military officials. The Chinese have resisted such talks even though it is
the PLA that is largely responsible for hacking. The Foreign Ministry has not been a
serious interlocutor on cybersecurity. Given the difficulty of the problem, the lack of
trust, and the importance of cyber espionage to powerful constituencies in China, the
most tangible result would involve agreement on process since there is really no nearterm fix.
Cybersecurity cant be addressed in a vacuum. It is not sui generis but a product of the
larger security and trade issues that dog the evolving bilateral relationship. At a
minimum, there should be a recognition that Chinas new, restrictive laws and rules that
apply to American tech companies are as important a part of the cybersecurity problem
as critical infrastructure protection and a serious negotiation must address them. This
means that anything that emerges from the summit must create linkages (another term
from the arms control lexicon) among issues that the United States currently keeps
separate critical infrastructure, intellectual property protection, governance and trade.
This broad approach runs counter to the bureaucratic division in the U.S. government,
but it will be more difficult to reach a sustainable agreement if they are not included in
chromeextension://iooicodkiihhpojmmeghjclgihfjdjhj/front/in_isolation/reformat.html

2/4

9/23/2015

MeasuringCybersecuritySuccessattheSummit|CenterforStrategicandInternationalStudies

any agenda. This, of course, argues for a senior, political level negotiator who can
transcend bureaucratic stovepipes.
There is always a temptation at summits to focus on deliverables and to prefer good news
to bad, but this gives the other side an advantage and settling on a good news
deliverable means the problem of cybersecurity will continue to be a source of tension
and any agreement will be ineffective and unsustainable. The best outcome would be to
begin a serious, senior level negotiating process that addresses the full range of issues.
The worst outcome would be one that endorsed already-agreed report language and
restarted unproductive working level discussions. The summit will not solve the
cybersecurity problem, but if it is done right, it can be the beginning of a solution.
James Andrew Lewis is a senior fellow and director of the Strategic Technologies Program at
the Center for Strategic and International Studies in Washington, D.C.
Commentary is produced by the Center for Strategic and International Studies
(CSIS), a private, tax-exempt institution focusing on international public policy
issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific
policy positions. Accordingly, all views, positions, and conclusions expressed in
this publication should be understood to be solely those of the author(s).
2015 by the Center for Strategic and International Studies. All rights reserved.

Links
1. http://csis.org/expert/james-andrew-lewis

Get a free Evernote account to save this article and

view it later on any device.
Create account

chromeextension://iooicodkiihhpojmmeghjclgihfjdjhj/front/in_isolation/reformat.html

3/4

9/23/2015

MeasuringCybersecuritySuccessattheSummit|CenterforStrategicandInternationalStudies

chromeextension://iooicodkiihhpojmmeghjclgihfjdjhj/front/in_isolation/reformat.html

4/4