Shock over the Office of Personnel Management hack will have hardly subsided by the time Chinese President Xi Jinping arrives in Washington later this month to meet President Obama.
Since China is the leading suspect in the breach that compromised the most intimate details on more than 20 million people, this may not seem like the best time for President Xi's first state visit. But when it comes to deescalating a growing cyberconflict between Beijing and Washington, the visit comes at a critical moment.
If the Obama administration practices some smart diplomacy – and ignores US hardliners calling for blood – it's possible to reach a concord to reduce tensions and dramatically increase stability between the two nations. If the US looks to “retaliate against” or “punish” China, as security hawks are advocating, then the situation may escalate out of control.
Legitimately or not, China appears to feel that its own digital spying practices are reciprocal to US actions. From its point of view, China is as much a victim as an aggressor when it comes to cyberattacks. After all, former National Security Agency contractor Edward Snowden leaked documents in 2013 that appear to confirm China is a top target of US clandestine cyberoperations. Those revelations emerged nearly simultaneously with the first Xi-Obama summit.
So, instead of sanctioning Chinese entities suspected of cyberattacks or any other kind of retaliation over the OPM hack, Obama should use the Chinese visit to broker a strategic deal with Xi.
First, Obama can highlight the exceptional restraint of US cyberoperations, stressing that those campaigns are conducted under tight command, control, and legal review; carried out according to approved requirements; and subject to independent oversight by other government branches. Significant disruptive attacks require the president’s personal approval.
The US has recently proposed cyberoperation norms that include not attacking computer emergency response teams or critical infrastructure out of wartime. Regardless of any Chinese actions, Obama should emphasize that the US will abide by these norms: It's simply what great powers do.
Second, the president could offer other areas where the US will exercise restraint such as cyberattacks on nuclear power plants or electrical transmission and distribution systems – all of which are incredibly escalatory. The only reason to intrude into such systems is to take them down during wartime. Going after Chinese financial targets is perhaps similarly unwise (though surely tempting).
As some in Washington argue, perhaps the OPM hack was so aggressive that it exceeds acceptable norms when it comes to retaliation over cyberattacks. Still, for Beijing to suppress these kinds of intrusions, the US may need to agree to dampen its own offensive cyberoperations aimed at China. Without international laws governing espionage, informal agreements can exist to maintain stability between nations.
During the cold war, the Soviet Union and the US agreed not to kill the other side's spies. Violations were met with swift reciprocation. These are the "unwritten practice of civilized relations between special services," as expressed by one (Russian) participant.
To some US hardliners, these options may seem like naïveté or surrender. With our national manliness challenged, they say now is the time to attack, not show restraint.
Unfortunately, the history of cyberconflict shows that such aggression worsens national security. There are few examples of nations backing down after an attack. Rather, adversaries improve capabilities and counterattack. But in this case, if Washington tries to coerce Beijing with threats or punishment, expect China to respond in kind, continuing the escalatory spiraling of a classic security dilemma.
Obama should work to reduce digital tensions. If that fails, then both Xi and the international community will recognize that the US retaliated only after seeking the peaceful option.
The US has far more interests in common with China today than it did with the Soviet Union during the cold war. The two presidents may never have a better opportunity to find comity to improve stability in cyberspace and decrease the chances of escalation in the interests of both nations.
Jason Healey is senior research scholar at Columbia University’s School of International and Public Affairs and senior fellow at the Atlantic Council. Follow him on Twitter @Jason_Healey.