Last month’s cybersecurity agreement between the United States and China, if nothing else, could serve as a model for future treaties.
So say several security policy experts, who contend that after years of alleged Chinese cyberespionage on U.S. government agencies and companies, the countries’ agreement not to target each other with Internet-enabled commercial espionage is a huge step, even if it lacks specificity and enforceability.
The agreement is, “by design, narrow and ambiguous,” said Jonathan Mayer, a cybersecurity researcher at Stanford University. “It only attempts to address commercial trade secret theft with government complicity. And [China’s] position has long been that it doesn’t engage in that activity.”
Any such deal would be difficult to enforce, Mayer added. “Even if the federal government successfully detects and attributes an online intrusion [to the Chinese government], there aren’t many, if any, effective responses available,” he said.
Still, the agreement is “unambiguously progress,” Mayer said. “It might result in fewer intrusions, or intrusions of lesser magnitude, or intrusions with lesser government sanction. And even if the practical impact is nil, at minimum, the U.S. and [China] are more candidly confronting this important problem. That’s a good thing.”
Joseph Nye, a professor focused on foreign policy at Harvard University, agreed that the deal could have a practical impact for U.S. companies and Internet users.
“We should begin to see some results in the coming year,” Nye said, adding that if the United States doesn’t observe a marked reduction in cyberattacks emanating from China, it should consider sanctions.
Other security and policy experts don’t foresee any tangible results.
A major problem with any such agreements is the difficulty of attributing the source of attacks, said Dwayne Melancon, CTO of security vendor Tripwire.
“Sophisticated cyberattackers have become so good at hiding their true identity that it can be difficult (nearly impossible, in fact) to prove who an attacker is,” he said. “That would make meaningful enforcement of this kind of agreement very challenging and error-prone.”
Cyber-nonaggression treaties could open up new avenues of espionage, Melancon added. “This scheme seems ripe for fraud, such as one group setting up another group to take the fall for actions they didn’t commit.”
The problem with pinpointing attackers “will never be solved so completely that anyone should feel comfortable accepting a conclusion that a particular country, company, or individual is at fault in a compromise,” said Brian Behlendorf, an open-source programmer and investor. “We have to get used to this ambiguity in the long term.”
Governments should focus their cybersecurity resources on bolstering coordinated defensive efforts like US-CERT and on fixing problems such as out-of-date Web servers, Behlendorf recommended.
“We are not talking about sophisticated fixes, but the scale of the challenge is one where governmental resources and priority could be very helpful,” he said. “Mutual nonaggression treaties just don’t feel worthwhile beyond the PR value.”
The agreement may lack substance and teeth, said cybersecurity and privacy researcher Bruce Schneier, but it’s still a big deal.
“My God, it’s the first time the U.S. and China have agreed upon something in cyberspace,” he said. “That’s enormous.”
Because it initiated long-term talks about cybersecurity and espionage between the two countries, Schneier added, it could serve as a template for future talks.
“Even though it’s probably going to be observed more in the breach than in the compliance,” he said, “it’s something, and you’ve got to start somewhere.”