The relationship between the United States and China in cyberspace has been anything but chummy lately. Many in this country see China as a major source of sophisticated attacks against our commercial and government infrastructures. China responds that the attacks are not coming from China, and that it is getting hacked as well.
This has resulted in a poisonous atmosphere that the EastWest Institute calls a “serious challenge” to the friendship and prosperity of both countries. “Such accusations and arguments have fueled escalations so that the relationship is now strained, making even routine dialog apprehensive,” says a report produced for EWI’s recent World Cyberspace Cooperation Summit IV. “Neither side is comfortable with the policies and practices of the other.”
The paper, written by Karl Frederick Rauscher and Zhou Yonglin, offers what they call “practical, down to earth guidance” for normalizing cyber relations between the two countries. What it boils down to is “stuff happens”: cyberspace is no different from any other political or diplomatic domain, and each country should accept that.
The report does not address who is responsible for launching attacks against whom, and nowhere does it suggest that either side stop hacking the other. But it does acknowledge that unrestrained hacking for criminal or political purposes strains relationships. Both the United States and China are rich in potential targets and attack platforms, and the prevailing tone of discussion between them has been one of suspicion and blame. Ten recommendations are offered to help establish trust and develop effective countermeasures to improve cybersecurity.
The initial recommendations establish a framework of trust, based both on formal policy and behavior. “Each party is evaluated based on adherence to its stated policy and plan of action.” These are basic steps, the authors say, but basics to date have been neglected, creating a crisis environment.
The remaining recommendations define how each country addresses threats and national interests in cyberspace. The most interesting are:
- Separate critical humanitarian assets in cyberspace. This would remove noncombatants from the line of fire in a cyberwar, much like giving institutions such as hospitals special status in a war zone so that they are not attacked.
- De-clutter espionage expectations. Basically, this means accepting the fact that espionage will occur in cyberspace and that national security assets will be targets, just as in the real world. We might not like it, but we have learned to live with it in the three-dimensional world, and can live with it online as well.
- Prepare sufficiently, react quickly and summarize seriously. In other words, defend adequately rather than just complaining after a breach has occurred.
What the report essentially recommends is extending existing models for political and diplomatic relationships into cyberspace. These models are based on a recognition that every nation will act in its own self-interest. The interests of nations often will conflict, but we can deal with that if we know what to expect. We should have frank statements of what those self-interests are in cyberspace so that we know what to expect and can make decisions about what is acceptable.
Human history demonstrates that political and diplomatic relationships can fail, resulting in military action. But it also shows that these relationships can avoid war, as in the case of the major superpowers since 1945. The recommendations in the report might not stop any hacking, but they could help produce a healthier environment for addressing the issue.