The US will not be entering into a cyberarms accord with China, said the State Department’s Coordinator for Cyber Issues, insisting that recent news reports of such negotiations were “erroneous.”
“I don’t think it makes sense to have a cyberarms treaty,” Chris Painter told an audience at an event Thursday on America’s strategy in cyberspace hosted by The Christian Science Monitor’s Passcode.
Ahead of Chinese President Xi Jinping’s visit to Washington, The New York Times reported that the US and China were negotiating what could become the first arms control accord of the digital realm – sparking questions from lawmakers on Capitol Hill in recent weeks about whether the US should seek an international agreement to control the use of cyberweapons.
But reports of negotiations on this front, Mr. Painter said, were “never true.”
In fact, he continued, defining what constitutes a weapon in cyberspace makes the idea of a formal treaty or agreement extremely complex. “I don’t know what a cyberarm is,” Painter said. “There’s a lot of dual-use technology.” A piece of code, he continued, “could be used for malicious purposes, research purposes, defense purposes.… How do you actually control that piece of code?”
While President Xi’s visit last week did not herald a cyberarms accord, Washington and Beijing did announce a high-level agreement stipulating that neither country would use cyberespionage to steal – or support the theft of – intellectual property.
This agreement with China, which the US blames for stealing American trade secrets for the benefit of its private sector, is “very significant,” Painter said.
“Never before had we had a commitment from the Chinese government that that was something impermissible and shouldn’t be done,” Painter said.
The agreement was also a head-scratcher for a number of US analysts, who say they were surprised that China would agree to such restrictions.
Martin Libicki, senior management scientist at RAND Corp., wonders: Why would China – which views intellectual espionage as a key economic strategy – agree to such measures limiting its behavior? One way to explain it, Mr. Libicki said at the Passcode event, is that “they have no intention of abiding by these things.”
What’s more, China’s official position has long been to deny it carries out economic espionage, Libicki said. “So for the Chinese president to come in and say, ‘We’re not going to do this’ isn’t much of a surprise, because they deny doing anything.”
Outside the theft of intellectual property, US officials are still grappling with what, precisely, constitutes a significant cyberattack. “We don’t see cyberwarfare often,” Painter noted. “You could argue that we haven’t seen it at all.”
The Pentagon, for its part, is reluctant to describe what constitutes an act of cyberwar – versus an act of cyberconflict or espionage. At the Passcode event, Deputy Assistant Secretary of Defense for Cyber Policy Aaron Hughes admitted the line between an act of war and a serious act of cybervandalism is “squishy.”
When considering whether the military should get involved to defend the country from a true cyberattack, the threshold might include loss of life, destruction of property, or significant economic consequences, Mr. Hughes said. For the time being, though, acts of cyberwar and possibly military responses “will be evaluated on a case by case basis as decided by the president.”
But companies should not take matters into their own hands to “hack back” even if it means retrieving stolen information, since there is a risk of escalating the conflict, Hughes said. “While I recognize the threat private companies are under, they should leverage law enforcement and, in some cases, the support the Department of Homeland Security provides,” he said. “If a private company were to [hack back] – even if it’s just disrupting the data that has already been stolen – there’s the potential for a misunderstanding of what that is by a foreign entity or a foreign government, which further escalates what’s happening. That would make it difficult for the Department of Defense.”
Yet an attack that could damage critical US infrastructure – the kind of destructive cyberattack that countries including China, for example, likely have the means to carry out – is less likely than the headlines might suggest, experts say.
There have been relatively few actual cyberattacks, RAND’s Libicki said.
“We’ve seen a number of attacks that have basically been used to trash computers,” Libicki said. There have been two cyberattacks used to “break something,” he added: Stuxnet, which targeted Iran’s nuclear facilities, and an attack on a German blast furnace reported late last year. None of these attacks, however, created costs that exceeded $100 million, he estimated, whereas the full-scale damage that could be caused by true cyberwarfare could run “easily” into the billions of dollars.
To call what is taking place in the cyber realm right now “cyberwar,” Libicki said, is “at the very least, grossly premature.”