Obama-Xi Agreement Will Not Resolve China Cybersecurity Threat

One of the most touted takeaways from Chinese president Xi Jinping’s visit to the United States last month was an agreement by the two leaders on the contentious issue of cyberattacks—and especially cyberespionage—against American targets. Particular attention has been given to a commitment Xi and U.S. president Barack Obama made to avoid engaging in or knowingly supporting acts of cybertheft for economic gain.

But while the commitment signals bilateral goodwill, there are a number of reasons to doubt its effectiveness in curbing commercial espionage and the broader problem of intrusive, destructive cyberattacks against a range of U.S. targets by entities tied to the Chinese government:

Absence of clear standards or verification mechanisms: Security experts analyzing the agreement noted its vague wording and lack of definitions for what constitutes acceptable or unacceptable activity, meaning further negotiation would be required to render the agreement effective. Similarly, no objective metrics were identified for determining whether one side or the other has followed through on its commitments. These challenges, along with the near impossibility of tracing who is responsible for most cyberattacks, will make enforcement difficult.

Omission of politically motivated attacks: More problematic from the perspective of privacy and freedom of expression was the cybertheft agreement’s focus on the economic realm. By framing the pact in this way, Obama and Xi ignored the increasingly aggressive, sophisticated, and widespread cyberattacks apparently committed by Chinese state actors against American media companies, human rights groups, individual activists, and government bodies. Thus, even if an agreement like this one had been in place for the past five years, it arguably would not have prevented the attacks on Google in 2010 (which compromised rights defenders’ accounts, among other targets), on media outlets like the New York Times in 2012 (seeking information on the sources for the paper’s investigation of former premier Wen Jiabao’s family wealth), or the massive denial-of-service attack against the code-sharing platform GitHub in March of this year. Nor would it have helped stem the routine phishing attacks that target overseas Chinese, Tibetan, and Uighur activists and, increasingly, U.S. government personnel.

Failure to address vulnerabilities created by China’s Great Firewall: More indirectly, any agreement that depoliticizes the Chinese government’s internet policies overlooks the general security problems created by the Great Firewall (GFW)—Beijing’s system for monitoring and filtering internet communications between China and the outside world.

Over the past month, this issue was highlighted by two incidents in which malware infected applications on Apple’s mobile operating system. On September 17, some of China’s most popular apps—including Tencent’s WeChat and NetEase—were found to be carrying malware, affecting hundreds of millions of smartphones and marking the largest such incident to date in Apple’s history.

The apps were susceptible to intrusions because they had been built with an alternative to Apple’s standard Xcode. Analyzing why app developers might have used a less secure build tool, Oiwan Lam of Global Voices points out that due to the slow international internet connections in China (a direct result of the GFW’s real-time filtering), downloading Xcode takes a very long time. Some programmers have consequently turned to alternatives that are more accessible from within the firewall, but also more vulnerable to malware.

In the second incident, a malicious program targeting Apple devices was reported on October 4 by researchers at Palo Alto Networks. This time, a Chinese marketing company took advantage of internet users’ desire to circumvent censorship to convince them to download an infected application. The malware essentially allowed the marketers to take control of users’ phones and execute certain actions, such as opening the Safari web browser to a page showing clients’ products or advertisements.

Both of the above incidents were resolved quickly without long-term harm to consumers, but future attacks that exploit the same incentives may not prove as innocuous. Moreover, security analysts have found that the March 2015 attack on GitHub was carried out with a tool they labeled the “Great Cannon.” This weapon, which is co-located with the GFW, worked by redirecting large volumes of bystander traffic—mostly from Hong Kong and Taiwan—that was headed for search engine Baidu’s China servers and using it to swamp and paralyze the U.S.-based code-sharing website.

Ultimately, actions will speak louder than words. Over the next six months, security experts will closely track and investigate reports of cyber intrusions from China against American companies and other targets, hopefully providing evidence on whether the pace of attacks has slowed, if not ceased.

Meanwhile, the Obama administration will have two avenues—a bilateral dialogue and an ongoing response system—through which to press the Chinese government for answers and prosecutions of those found responsible for violations. The United States will also continue to consider imposing sanctions on Chinese companies found to have benefited from cyberespionage. The threat of sanctions appears to have had at least a short-term impact: On October 12, the Washington Post reported that Chinese officials had for the first time arrested hackers identified by U.S. officials.

The White House fact sheet states that these new communication channels could address “malicious cyberactivities” generally. This leaves space for U.S. officials to expand the scope of inquiries beyond commercial espionage. American and Chinese internet users, civil society, and media outlets would be well served if politically driven attacks were covered, beginning with the first bilateral dialogue expected before the end of this calendar year.

In the meantime, though, security experts who have analyzed the Obama-Xi agreement appear to agree that they will not be out of work anytime soon. On September 29, security firm KnowBe4 offered a stark warning to those seeking protection from detrimental cyber intrusions originating in China: “You are still mostly on your own.”