In the years-long chicken match over Chinese cyber spying, Beijing just blinked.
The U.S. and China on Friday pledged not to use their governments to steal trade secrets and confidential business information solely for commercial gain. The U.S. doesn’t spy on foreign companies for the benefit of American businesses, so the deal was always about getting China to stand down. And its pledge to do so came after the White House threatened repeatedly to sanction Chinese companies that either stole secrets from American firms or benefitted from rampant computer hacking.
“China strongly opposes and combats the theft of commercial secrets and other kinds of hacking attacks,” President Xi Jinping said in a joint press conference with President Obama at the White House. “Now, we have already, and in the future, we will still, through the law enforcement authorities, maintain communication and coordination on this matter, and appropriately address them.”
That carefully-worded statement was itself a significant political victory for the Obama administration. In the weeks prior to Xi’s visit to Washington, the White House had pressed the Chinese leader both to acknowledge the United States’ long-held concerns that economic espionage threatens the U.S. economy and to commit to investigating computer hacks on U.S. companies, two individuals familiar with negotiations preceding Xi’s visit told The Daily Beast.
The White House got that much—and some more. China and the U.S. will now form a committee of sorts, composed of senior-level officials from each other’s law enforcement, intelligence, and security agencies, to share evidence of economic cyber spying.
The agreement “marks a significant step forward in the relationship and makes the near-term risk of sanctions less likely,” according to Samm Sacks, a China analyst with the Eurasia Group in Washington. “The fact that Beijing agreed to this language is an unexpected breakthrough only made possible because the Obama administration demonstrated that it was extremely serious and willing to move forward with sanctions imminently, unless Beijing made public concessions.”
The White House got some words on paper, too. The two countries “agree that neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors,” the White House said in a statement outlining the deal.
Hacks like the one against the U.S. Office of Personnel Management, in which Chinese cyber spies made off with more than 22 million records on current and former government employees, are still fair game. But the White House never wanted to eliminate those, because the U.S. intelligence community also steals state secrets from China.
Forcing China to recognize that there are different kinds of spying marked a “watershed moment,” Dmitri Alperovitch, the the co-founder of cybersecurity company CrowdStrike, told The Daily Beast. “This is the first time the Chinese have made a distinction between espionage for national security purposes and economic gain.”
All that can be true, and yet, the experts noted, turn out to be largely irrelevant if China doesn’t live up to its end of the agreement. And while Obama stood alongside Xi and praised the agreement, he didn’t sound convinced that it would last.
“We have jointly affirmed the principle that governments don’t engage in cyber-espionage for commercial gain against companies. That all I consider to be progress,” Obama said. Then, he added, “What I’ve said to President Xi and what I say to the American people is the question now is, are words followed by actions. And we will be watching carefully to make an assessment as to whether progress has been made in this area.”
“This is a really good deal,” said James Lewis, a a director and senior fellow at the Center for Strategic and International Studies. But “they have to track it closely to make sure the Chinese are following through, which is why the President mentioned sanctions a couple of times.”
“The threat of sanctions remains,” Sacks said. But that might not be enough to keep China’s powerful leader to his word.
“Internal disputes within the Chinese bureaucracy will make it difficult to fulfill President Xi’s commitments,” Sacks said. “For example, the Chinese military is the main source of cyber espionage, but is not likely to be included in the coming new joint cyber dialogue.”
That high-level committee to share cyber information notably lacks any representative from the People’s Liberation Army, which is one of the major employers of hackers going after U.S. firms. Last year, the Justice Department indicted five PLA officers for their role in stealing secrets from U.S. manufacturing companies.
“It’s unfortunate that the PLA was not named as a participant. That’s a big weakness” in the agreement, Scott Kennedy, the deputy director of the Freeman Chair in China Studies at the Center for Strategic and International Studies, told The Daily Beast. Kennedy also noted that Xi had not acknowledged that China actually engages in cyber espionage.
“We got a recognition that this is a problem,” Kennedy said. But “we never heard the Chinese say, ‘We did that, we accept that it was wrong, and we won’t do it again.’”
The agreement also only covers government-sponsored spying on companies for commercial gain, which leaves plenty of other targets to choose from, Justin Harvey, the chief security officer for Fidelis Cybersecurity, told The Daily Beast.
“This doesn’t prohibit China from conducting cyber-espionage operations to benefit their military and people,” Harvey said. They could still hack energy companies looking for resources in contested waters in the South China Sea; healthcare companies researching cures for diseases afflicting Chinese people; and any defense contractors who are making weapons for the U.S. military, Harvey said.
Sacks also noted that China could interpret the phrase “companies or commercial sectors” in the agreement not to include state-owned entities that are deemed vital to China’s national interest. So, stealing from U.S. companies and giving their secrets to Chinese state-owned companies might be ok.
There’s also wiggle room in the agreement when it comes to terms like “conduct or knowingly support.”
“‘Conduct or knowingly tolerate’” would have been a much better formulation, since the current formulation does not rule out looking the other way at rogue elements,” Herb Lin, a senior research scholar for cyber policy and security at the Center for International Security and Cooperation, wrote on the national security blog Lawfare.
In the end, Obama himself hinted at what may be the central premise in the administration’s thinking, and his rationale for why this agreement, with all its flaws, was the best deal that the U.S. could get right now.
“President Xi, during these discussions, indicated to me that, with 1.3 billion people, he can’t guarantee the behavior of every single person on Chinese soil—which I completely understand,” Obama said. “I can’t guarantee the actions of every single American. What I can guarantee, though, and what I’m hoping President Xi will show me, is that we are not sponsoring these activities, and that when it comes to our attention that non-governmental entities or individuals are engaging in this stuff, that we take it seriously and we’re cooperating to enforce the law.”
It’s a small step. But a step nonetheless.