Tribute in US–China cybersecurity relations
31 Mar 2014|

‘Hypocrisy is the tribute vice pays to virtue.’  François de La Rochefoucauld

Documents leaked by Edward Snowden last week appear to show that the National Security Agency (NSA) has secretly tapped into the networks of Chinese telecommunications company Huawei Technologies. Meanwhile, on the sidelines of the 2014 Nuclear Security Summit in Hague, Presidents Obama and Xi were vowing to cooperate on cybersecurity. These simultaneous events reveal the contradictory behaviour of major powers when it comes to their relations in cyberspace.

China’s Defence Ministry spokesman Geng Yansheng condemned the NSA activity, saying it ‘fully exposed American hypocrisy’. But playing the blame game won’t work for China; its own cyber espionage capabilities are well documented. Hypocrisy in US–China relations is eroding cooperation at the same time competition is accelerating.

Operation ‘Shotgiant’, an apparent NSA backdoor infiltration of the private company Huawei is the most recent example of cyberattacks that are undermining constructive US–China dialogue on cybersecurity. This operation attempted to validate US concerns about Huawei’s links with China’s political and military decision makers, as well as collecting signals intelligence on users of Huawei’s products. The disclosure of this espionage activity is a gift for China’s leaders. Their cyber activities, including those against commercial targets, now seem unashamedly vindicated.

But the United States views its attack on Huawei as defensible and unlike China’s operations. ‘There’s a clear distinction between intelligence activities that have a national security purpose versus intelligence activities that have a commercial purpose,’ said deputy national security advisor Ben Rhodes during an interview to discuss the recent Obama-Xi meet up. For China however, the United States is a jackal in monk’s clothing. Or, as the Chinese idiom ‘贼喊捉贼’ (zeihanzhuozei) has it: the US is a thief that will call the victim a thief in order to shift the blame.

In reality, the line between political and economic cyberattacks is increasingly blurred. There’s little apparent difference between the NSA hack of Huawei in 2007 and say, Operation Aurora, the People’s Liberation Army hack of Google in 2009. Both attacks were by government agencies against private companies. The one putative point of difference is intent. The US attack was motivated by a political objective—to uncover PRC intentions, while the Chinese attack was ostensibly motivated by an economic objective—to steal source code.

However, China’s economic growth is itself deeply political. Theft of commercial secrets can be understood in context of domestic development needs, as it can shorten gaps for innovative industries and increase the competitiveness of national companies. Economic growth, brought about by technological competitiveness is crucial to China’s domestic stability and larger strategic rise. So, in effect, both the US and Chinese attacks were politically motivated, and future attacks are likely as long as economic growth remains a national objective.

Cybersecurity issues have been at the forefront of meetings between Presidents Obama and Xi since the Sunnylands summit in California last year. But few constructive outcomes have surfaced, despite the establishment of a cybersecurity working group. Cybersecurity continues to be promoted as a major policy priority. In China, President Xi announced in February that he’s heading a new ‘leading small group on informatisation and internet security’. This group will give top-down impetus to China’s fractured internet security arena. In the US, the 2014 Quadrennial Defense Review emphasised cybersecurity, allocating $5.1 billion to it in the fiscal budget.

Efforts by China and the US to develop cyber capabilities in support of their political intentions aren’t alone. Strategic thinking about cyberspace is still a relatively new phenomenon. Across Asia, from Manila to New Delhi to Seoul, military Cyber Commands are emerging. The expansion of capabilities and the political energy given to the issue increases the risk of misadventure, and possibly conflict. More regional dialogue is needed to mitigate the dangers of escalation. Some positive steps have been taken—last week the ASEAN Regional Forum held a workshop on cyber confidence building measures in Kuala Lumpur.

Australia also needs to recognise the increasingly adversarial nature of the fifth domain. While the prospect of a future ‘cyberwar’ is unconvincing, countries seem to be putting aside their previous reservations about offensive operations. China and the US have shown they are serious about using electronic and computer-related information resources to shape their preferences. Australia’s 2013 Defence White Paper indicated the need to ‘exploit cyber power’ (PDF, p.20) and the next one—likely out in early 2015—should build on that idea.

Cyberspace has been described by Joel Brenner, former senior counsel at the NSA, as a ‘giant masquerade ball’ filled with malicious actors. Information is there for states to engage and exploit. This creates opportunities for some, and vulnerabilities for all. Australia, like the rest of the interconnected world, should be working to develop key defensive and offensive capabilities while engaging in dialogue to shape norms of behaviour. If hypocrisy really is the tribute vice pays to virtue, we should expect all countries to be paying tribute for some time yet. 

Simon Hansen is an intern in ASPI’s International Cyber Policy Centre. Image courtesy of Flickr user ionel POP.