The US National Security Strategy (NSS) categorizes America's relationship with China and Russia as being competitive. For the sake of discussion, I want to focus on the US-Sino relationship, particularly within the cyber realm.

America's National Cybersecurity Strategy (NCS) closely aligns with the NSS in that our technological capabilities will be aimed at protecting the homeland and part of this will be ensuring we have a competitive edge over our adversaries (namely Russia and China). Most notably, the NCS declares that the US will "defend forward" in the cyber domain, a stark departure from previous rhetoric which stressed restraint. Already there has been some pushback on this stance, including China which has (as it has done in the past) criticized the US as "militarizing cyberspace."

China has responded in kind by developing the PLA's own cyber capabilities and establishing the Strategic Support Force to handle cyber operations domestically and abroad. My question is this: while competition is important and we should continue to innovate and outperform adversaries, and in a system where cyber espionage is quite rampant, is there any potential room for strategic cooperation between the US and China within the cyber domain? Common sense would dictate that the most sustainable strategy would be one where the two strongest players in the international system work together in some fashion, even if they have significantly different views.


a year ago

Hi kevnev! Great question--there have been cybersecurity agreements between the U.S. and China in the past, but I think the main challenge is enforcement [1]. It's going to be tough to cooperate, share technology, or come to agreements on any of these capabilities if there aren't real incentives to honor those agreements (that goes for both sides, but China seems to have more of an incentive to steal technology, as it is playing catch-up as far as military technologies go).

At this point, the incentives and disincentives for cyber cooperation are asymmetric. It benefits China to steal trade secrets or proprietary technologies, and China's post-WTO experience has taught it that while all companies complain about IP theft, the size and promise of the Chinese market mean that multinationals don't consider IP theft a dealbreaker, but perhaps a cost of doing business. As such, it's not as if very many multinational companies are threatening to pull out of China. It's hard to figure out how to cooperate when there's so much push and pull in how the U.S. and Chinese governments have treated the private sector [2].

Finally, given all the money that the U.S. and China have invested into operations like Stuxnet and the recently reported Apple/Amazon breach [3], it's hard to see the two countries agreeing on a rules-based cyber framework that puts an end to any of the covert cyber operations. There's just been too much finger-pointing in the past few years, and I'd guess that military leaders would prefer to keep the capabilities and tools they've developed, rather than promise not to use them.

This dynamic could definitely change if there's some common enemy that the U.S. and China face in the cyber realm (and that's definitely a possibility, given the relatively low cost of developing formidable cyberthreats); I just don't see that common threat emerging in the short-term.

TL;DR -- The U.S. and China have already invested a lot into defense/offensive cyber capabilities, and they're not likely to want to give those capabilities up. The status quo does not suggest restraint on either side. Global firms don't want to leave the China or U.S. markets, so there's no economic incentive to implement new rules, either.

[1] [2] [3]

a year ago

Really great feedback, Josiah, thank you. I agree that there is asymmetry between the incentives and disincentives as of right now. I like the point about having a common enemy or threat between the two countries changing this dynamic.

As of right now, taking everything you said into account, there really isn't much overlap between the two countries for agreement. A report from RAND even displayed how China's behavior in cyber matters much more to US policymakers than the other way around, at least when it comes to cyber espionage aimed at economic targets(1).

Hypothetically, if the two countries were to enter into some kind of international cyber governance agreement, there would clearly have to be some incentives. How the US and China would frame this agreement and "pitch" it to one another would matter. As of right now, China perceives the rules-based system championed by the US as explicitly disadvantageous for China, whereas the US perceives China as striving for a lawless, power-centric cyber world order seeking to undermine US influence(2). These perceptions may be adjusted if a mutually beneficial, low risk agreement or framework could be established.

For starters, what if the two mutually agreed to establish no-go zones of cyber attacks? While not as urgent as say the economic targets, we could start with critical infrastructure targets as being off-limits. Both countries would arguably benefit from this, and it can serve as the basis for building cyber confidence between the them as well. Entering into an agreement focused on critical infrastructure may serve as the foundation for further cyber agreements. I don't think we need to necessarily make the agreements about giving capabilities up, because as you said, neither party will want to pursue that.

(1) (2)