US-China agreement is cyberpeace for our time, in public anyway
On September 30, 1938, British prime minister Neville Chamberlain landed at Heston Aerodrome, stepped off his British Airways Lockheed Model 14 Super Electra, and delivered a speech explaining the importance of his historic negotiations with the German chancellor, Adolf Hitler.
The Munich Agreement, which "settled the Czechoslovakian problem", and the Anglo-German Naval Agreement, were "only the prelude to a larger settlement in which all Europe may find peace," he said.
Later that day Chamberlain gave a second speech, in London, which included the words for which he will be forever remembered: "I believe it is peace for our time. We thank you from the bottom of our hearts. Go home and get a nice quiet sleep."
Featured
Just 336 days later, German tanks rolled across the border into Poland. You know how it goes after that.
On September 25, 2015, US president Barack Obama stepped out of the White House into the Rose Garden, and delivered a speech explaining the importance of his historic negotiations with the Chinese president Xi Jinping, who was standing at his side.
As the White House fact sheet explains, the negotiations covered everything from AIDS to Afghanistan, from food security to wildlife trafficking -- and of course national security. The big-ticket items were cybersecurity, and economic and commercial espionage.
"The United States and China agree that neither country's government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors," the White House said.
"Both sides are committed to making common effort to further identify and promote appropriate norms of state behavior in cyberspace within the international community. The United States and China welcome the July 2015 report of the UN Group of Governmental Experts in the Field of Information and Telecommunications in the Context of International Security, which addresses norms of behavior and other crucial issues for international security in cyberspace. The two sides also agree to create a senior experts group for further discussions on this topic."
The US and China will establish "a high-level joint dialogue mechanism on fighting cybercrime and related issues". They'll establish "a hotline for the escalation of issues that may arise" while responding to requests for cooperation in investigations of cyber incidents. And they agreed to hold the first meeting of this joint dialog before the end of 2015, and then twice a year.
Obama is smarter than Chamberlain. He didn't claim that these latest US-China agreements would ensure peace, only that the two countries had agreed on a way forward.
"[G]reater prosperity and greater security -- that's what American and Chinese cooperation can deliver. That's why I want to say again, the United States welcomes the rise of a China that is peaceful, stable, prosperous, and a responsible player in global affairs. And I'm committed to expanding our cooperation, even as we address disagreements candidly and constructively," Obama said on Friday.
"Let me mention some specifics. First, with respect to our economic relationship, we agreed to step up our work toward a high-standard bilateral investment treaty that would help level the playing field for American companies. We've committed ourselves to a set of principles for trade in information technologies, including protection of innovation and intellectual property. President Xi discussed his commitment to accelerate market reforms, avoid devaluing China's currency, and have China play a greater role in upholding the rules-based system that underpins the global economy -- all of which are steps we very much support," he said.
"I raised once again our very serious concerns about growing cyber-threats to American companies and American citizens. I indicated that it has to stop. The United States government does not engage in cyber economic espionage for commercial gain. And today, I can announce that our two countries have reached a common understanding on the way forward... So this is progress. But I have to insist that our work is not yet done."
Obama had praise for China, but it was laced with veiled threats if they don't continue to play nice. The US would "continue to use all of the tools at our disposal to protect American companies, citizens and interests," he said. That seems pretty clear to me.
Now Obama was speaking to the home crowd, so he had to make America sound tough. But governments don't make laws banning things people never do. Nor do they make a big deal out of international agreements unless they're deeply worried. And America is worried.
US supremacy is built upon technological advantage, and in the digital age technology is easy to steal. China's Chengdu J-20 Dragon stealth fighter, for example, was developed astoundingly quickly, and seems to have combined the best bits of the US F-35 and F-22 designs -- because China probably stole that technology.
Now that's the alleged theft of military technology, and nothing in last week's agreement will stop that. But America is just as worried that it could lose its advantage in technology generally -- just as the world gears up to produce the Internet of Things.
As this column reported in July, some former US government officials are so worried that they want to allow cyber espionage victims to hack back.
Getting China on board to stop economic espionage is a big win, because it helps America promote the idea of an "international norm" against the activity. As the Council on Foreign Relations' blog Net Politics reminds us, much of the rest of the world isn't so keen on this "norm". There's no indication that such a norm exists in law, in either binding international law, or in so-called "soft law", such as United Nations declarations, statements of principles, codes of conduct, and action plans.
"International law contained no serious restrictions on espionage and did not distinguish between traditional and economic espionage. This problem led to attempts to find footholds in other areas of international law, such as the principle of non-intervention and World Trade Organization agreements, but these efforts -- whatever the merits of their legal analyses -- did not change state practice," said Net Politics.
"Part of the new US strategy on protecting trade secrets included advancing the norm against economic espionage in US diplomacy, including in negotiations for trade agreements. Snowden's disclosures, which started in June 2013, damaged this project. The disclosures tarnished US credibility, revealed US intelligence collection against foreign companies and commercial sectors to inform diplomatic and trade negotiations, and gave China ammunition against US complaints about its cyber behavior."
With China now on board with this norm, that's changed.
That's huge.
Unless it's all just words, and in 336 days from now the Chinese cybertanks cross the cyberborders into Silicon Valley.
Either way, Telstra's chief information security officer (CISO) Mike Burgess will be annoyed. In June, he railed against the cyber attribution distraction.
But if we're taking sanctions against a country that's accused of economic espionage, we have to get that attribution right. That means more work for CISOs, or the naughty countries might get away with a shrug and simply saying: "Sorry, Barry, it wasn't us."
And who knows? It's even possible that China or the US might agree in public to ban economic espionage, but do it in secret anyway. No wait, that'd never happen.