CYBERSPACE IS a virtual infrastructure where communication is based on the Internet and computer systems, with increasing influence on matters such as the military, the economy, and technology. As global reliance on software technology grows, however, new threats emerge to take advantage of the computerized networks’ vulnerabilities. Unlike traditional international conflict with clear spatial and temporal boundaries, the decentralized, virtual territory of cyberspace creates new challenges for international governance. To solve the complications of diplomacy, national defenses, and economic competition, cybersecurity will require a paradigm shift.

The recent development of cyber threats

   Nowadays, cyber-attacks have become a more prevalent factor affecting international relations. The conflict between China and the United States expanded to the realm of cyberspace in the early 2000s. In 2005, a series of cyber-attacks allegedly from China dubbed “Titan Rain” breached U.S. and U.K. government servers[1]. This was only the beginning; the 2010 Google security breach and a five-year hacking scheme into 72 international organizations, “Operation Shady RAT,” were all attributed to Chinese cyber criminals[2]. Most recently, in 2021, Microsoft accused Hafnium, a group allegedly sponsored by the Chinese government, of infiltrating their email servers. The news shocked many as Microsoft is a leader in cloud-based cybersecurity. Because many organizations worldwide use Microsoft’s servers, the security breach is predicted to have far-reaching consequences for thousands of companies[3].

   However, cyber-attacks between the United States and China are not one-sided. According to Time, Snowden's leak of classified U.S government documents in 2014 revealed that the National Security Agency (NSA) had invaded the servers of Chinese technology giant Huawei. Moreover, China’s National Computer Network Emergency Response Technical Team (CNCERT) asserted in 2019 that the majority of cyber-attacks on China were from the United States. They claimed that over 14,000 servers had been compromised by U.S. bots since the previous year[4]. Although the extent of government involvement in these attacks remains unclear, tensions between the United States and China continue to grow.

Actions by the United States and China

   The Obama administration was the first to create a legal framework for cybersecurity between the United States and China. President Obama was adamant about stopping Chinese cyber-attacks, calling them “acts of aggression” and threatening to impose sanctions on Chinese hackers. After failed attempts at bilateral dialogue from 2013 to 2014, the two countries convened in 2015 to create the U.S.-China Cyber Agreement. Both sides promised not to knowingly support cyber-espionage against each other for economic purposes and to work together to identify cybercrime[5].

   However, the hostility between the United States and China increased rapidly during the Trump administration. Citing national cybersecurity concerns, the U.S. authorities restricted Chinese businesses in the United States. Huawei was put on the U.S. trade blacklist in 2019, Business Insider reported, and the video app Tiktok and the messaging app WeChat were almost banned as potential threats to American users’ privacy. The aggressive stance of the administration further soured U.S.-Chinese relations.

   The Chinese government’s stance toward U.S. accusations has always been that of denial. When U.S. authorities accused Chinese military officials of stealing U.S. trade secrets under government sponsorship, China’s foreign ministry denied the allegations and criticized American “hypocrisy”[6]. According to AP News, the Chinese government claimed the many allegations from the United States were unfounded attempts to smear China’s reputation. In fact, Chinese officials claimed that their weaker cybersecurity infrastructure makes them an easy target for foreign cyber-attacks. In an interview with the Yonsei Annals, however, Professor Daryl Bockett (Prof., International Studies) expressed cynicism about China’s claims of innocence, citing the prevalence of mutual espionage in international society. “[Even if the cybersecurity analysts] are not right all the time, they can’t be wrong all the time,” he added. Even if there is no conclusive evidence proving China is behind a specific attack, the consistent attribution to China by experts makes it reasonable to take the Chinese government’s claims with a grain of salt.

   Despite the dubious claims of innocence, China seems genuinely invested in strengthening its own cybersecurity defenses. Before the 2015 Agreement, China proposed various measures to prevent foreign computer viruses from spreading and protect their domestic Internet servers. Afterwards, the Chinese government made a similar bilateral deal with the United Kingdom and passed a Cyber Security Law in 2017, aiming to protect sensitive data from cyber-attacks[7].

Types of cyber threats

   Economic competition is an important element of the tensions between China and the United States. The 2015 Agreement’s objective that set apart government-sponsored economic espionage from other cyber threats reflects the growing concern around the former. Many Advanced Persistent Threats (APT)—long-term, undetected cyber assault campaigns of prolonged espionage by one organization—are assumed to be from China. These technically advanced hacker groups focus on stealing confidential information from companies and the U.S. military for financial profit. For example, APT41 and APT27, groups suspected to be sponsored by China, target high-tech commercial industries. Their attacks range from intellectual property theft to virtual currency manipulation[8]. The APTs usually go after multiple organizations instead of a single target, and U.S. companies often fall victim to such attacks. These cyber-attacks can incur substantial financial losses on a national scale. In 2018, the Center for Strategic and International Studies concluded that the cost of information stolen by Chinese hackers from American companies over two decades was about $600 billion. Chinese companies can avoid paying research costs and jump straight to manufacturing new products with stolen technology; coupled with government subsidies, Chinese companies may gain a decisive edge. The loss of potential profit, along with reputational damages of a security breach, can heavily impact companies’ place in the global market, which would then affect each country’s leverage in the race for economic dominance.

   Another important aspect of cybersecurity is its obvious military dimension. Bockett noted that every country engages in espionage to an extent, especially for national security, so the existence of cyber infiltration into military servers is not surprising. These attacks ranged from spying to outright destruction of confidential data, according to Acquisition Review Quarterly. For instance, Snowden’s leaks in 2015 revealed that Chinese hackers stole confidential data on F-35 fighter jets from American defense giant Lockheed Martin Corp[9]. The Pentagon also accuses China of hacking U.S. military servers. The command and control network responsible for disseminating orders is especially vulnerable to cyber-attacks. A single successful attack may compromise the entire system, immobilizing the military and revealing critical information about defense measures and weapons systems, including nuclear weapons.

Setbacks in cybersecurity

   The differences between cyberspace and the real world often make it harder for countries and companies to protect themselves. “The problem of attribution,” for instance, increases uncertainty. Because cybercriminals can manipulate electronic devices and servers across borders, there are realistic difficulties in identifying the source, intentions, and affiliation of the attacks. This makes it easy to frame another party or deny accountability. 

   To make matters worse, the cybersecurity industry suffers from a shortage of manpower and expertise in the field. The number of unfilled jobs related to cybersecurity was estimated to be 3.5 million in 2021 worldwide[10]. The Diplomat also reported that China’s cyber defense technology and workforce have not kept pace with the rapid growth of Chinese power and interests. The lack of technological proficiency amongst politicians also poses an obstacle to effective policy-making. Due to the lack of in-depth knowledge about cyber activity, most government officials are incapable of producing effective policies to counter future threats. Many point out that governments tend to be slow when it comes to establishing laws concerning new cyber threats; by the time new policies are put in place, they can quickly become outdated compared to ever-evolving technologies.

Challenges in cooperation

   The 2015 U.S.-China Cyber Agreement was intended to be a legal framework for cooperation between the two countries. U.S. officials claimed that cyber-attacks from China had actually decreased following the arrangement. However, in 2018, the NSA asserted that China violated the terms of the deal, an accusation that the Chinese government denied[11]. The results of diplomatic treaties, therefore, are mixed so far. “The main limitation [of cybersecurity deals] is because it is in cyberspace. Arms control [in the traditional sense] doesn’t work in cyberspace,” Bockett explained. He clarified that unlike traditional arms control with tangible and visible progress, cyber activity is only observed through behavior. For example, the results of traditional arms control agreements could be verified by counting the number of weapons that a country had. The secrecy surrounding cyber warfare capabilities and the fact that cyber-attacks can be launched through regular computers makes it impossible to discern whether parties are meeting their treaty obligations.

   The situation is made worse by the fact that it is much easier to launch a cyber-attack than defend against one. The Internet, by design, facilitates the rapid flow of information better than it can track down its movement. Cybercriminals are capable of launching a targeted cyber-attack in seconds, whereas the defender does not know when, where or by whom they will be attacked. Administrative authorities are more accustomed to dealing with traditional threats within normal time frames; cyberspace's fast-paced nature makes it difficult for them to respond to cyber-attacks adequately. This imbalance, coupled with uncertainty surrounding the capabilities of adversaries, creates a highly volatile situation where arms control becomes impossible. “Both countries feel they have more to gain from continuing to launch or prepare various cyber-attacks against the other,” Bockett explained. This is why there is an endless stream of cyber-attacks between the United States and China. 

   China, in particular, has no incentive to fully commit to an international agreement. “The incentive structures work very much in China’s favor. China has the advantage to gain by [...] hacking, relative to all their competitors,” Bockett claimed. Although the Chinese economy is rapidly growing, American corporations and government agencies are technologically more advanced. China’s economic gains from commercial cyber-espionage outweigh the diplomatic risks of being exposed.

   This dilemma is exacerbated by both countries’ struggle to agree on the basic “norms,” or agreements of appropriate behavior, of cyber activity. Establishing international norms of cyber activity is the essential starting point for cybersecurity treaties, but China and the United States differ greatly in their approaches. For example, the line between the public and private sectors is not as clearly defined in Chinese society, where many private enterprises are sponsored or owned by the state[12]. From a Chinese perspective, there may be no distinction between security-related espionage and economic espionage. The extent of government knowledge or authority over the illicit cyber activities of Chinese companies will be hard to determine, making it difficult to establish a standard norm that both countries can agree on.

What’s next?

   The extent to which the U.S. approach to cybersecurity will change under Biden is yet to be determined. The re-evaluation of Trump’s ban on TikTok and WeChat signals a more agreeable, or at least less flammable, approach towards China. However, Bockett predicted that there would not be “a lot of differences in substance.” Keeping Chinese power in check will be the major foreign policy goal of the United States for the foreseeable future, making cooperation in cybersecurity difficult. In fact, Reuters reported that many of Biden’s policies, such as restricting Huawei’s suppliers, are similar to those of the previous administration.

   Despite this, there are areas of cybersecurity where both sides have an incentive to cooperate. Cybersecurity and U.S.-China Relations by Kenneth Lieberthal and Peter W. Singer suggested the two governments could find common ground in shared threats from other sources despite their differences in political systems and cyber activity practices. Stopping attacks from third-party cybercriminals, the report claimed, or gaining the ability to accurately discern active threats from unrelated activities are beneficial for both countries and could be improved upon together.

   Bockett suggested that the “best-case scenario” for ending Chinese economic cyber-espionage was China sharing the same level of interest as the United States in stopping economic espionage. Although China has more to gain by hacking U.S. companies at the moment, he explained, “those incentive structures could change once Chinese technologies start leading the world.” The moment China stands on an equal footing or even surpasses the U.S. in terms of technological progress, Chinese companies and institutions will become the major target of economic cyber-espionage. This will give China an incentive to prevent attacks through multilateral initiatives. 

   At the moment, the prospects of a successful long-term cybersecurity deal between the United States and China seem distant. Navigating the complex and increasingly important realm of cybersecurity is a difficult task, yet both parties will have to learn to show restraint and compromise if any sort of stability is to be achieved. Whether the United States and China will ultimately be able to solve the issue remains to be seen.

[1]Council on Foreign Relations

[2]Reuters

[3]Business Insider

[4]Cybersecurity Insider

[5]EveryCRSReport

[6]The Guardian

[7]KPMG

[8]Fireeye

[9]Daily News

[10]Cybercrime Magazine

[11]Reuters

[12]Lawfare