In the aftermath of recent cyberattacks attributed to China’s government and citizens, many observers prepared for a rather uncomfortable state visit by Chinese President Xi Jinping last week. Then, as President Xi began his visit, the White House announced on September 25 what appeared to be a significant victory for corporate data security in America. “We have agreed that neither the U.S. or [sic] the Chinese government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information for commercial advantage. In addition, we’ll work together and with other nations to promote international rules of the road for appropriate conduct in cyberspace,” President Obama stated at a news conference following the announcement.
Despite the favorable optics for the countries’ two presidents, the question remains whether corporate data is truly more secure as a result of this agreement between the United States and China. It appears that the agreement is a first step – but only a ceremonial first step in effect – in the ongoing efforts to secure business data from corporate espionage.
The agreement struck with China was, in part, predicated upon the White House’s threat of sanctions in light of recent attacks. Notwithstanding the agreement, President Obama made clear that he is largely unsure of the level of cooperation to be expected from his counterpart in China. “The question now is – are words followed by actions?” President Obama said. “We will be watching carefully to make an assessment as to whether progress has been made in this area.”
Even President Xi himself questioned, in these negotiations, whether he could prevent individual actors within China from launching corporate espionage attacks. “President Xi indicated to me that with 1.3 billion people he can’t guarantee the behavior of every single person on Chinese soil. I understand that,” President Obama said. “What I can guarantee, though, and what I am hoping that President Xi will show me is that we are not sponsoring these activities and that … we take it seriously and will cooperate to enforce the law.”
The net effect of this agreement seems to fall most squarely on critical infrastructure, including power grids, banking systems, mobile phone networks and hospitals. Surely, protection of such infrastructure is necessary. Yet the true economic advantage to be gained in cyberattacks is now primarily in the area of trade secret theft and business data theft – and this area was sparsely addressed between the countries in any meaningful way. Essentially, China has agreed to avoid taking down the United States’ infrastructure – which was unlikely to happen in the first place – as a headline-grabbing concession without any true impact. Of course, this concession regarding infrastructure almost completely overlooks non-infrastructure corporate data security.
The problem for U.S. business is how to gauge the impact of this high-level agreement in terms of real improvements in security, given that the agreement is only for future cooperation between the U.S. and China. In light of President Obama’s own expressed uncertainty over China’s follow-through, the deal seems less like the Soviet-era “trust and verify” and more akin to “hope and wait-and-see.” At a practical level, it seems difficult to trust that an agreement with broad goals, but not much detail, will be effective in the near term.
Some might ask, in the words of Joe Namath, “If you aren’t going all the way, why go at all?” The limitations of the new U.S.-China agreement are readily apparent. U.S. businesses must remain as vigilant as ever to combat the threat of corporate espionage. No high-level agreement between presidents will guarantee that individual actors intend to stop their efforts to profit from data theft. When conducting a cybersecurity cost-benefit analysis, it appears that little consideration – if any – should be given to the U.S.-China cybersecurity agreement. But it is a start, and perhaps future negotiations will provide a stronger framework and greater enforcement to deter criminal acts of corporate espionage.