By Piin-Fen Kok
Tensions between the United States and China over cyber security appear to be coming to a head. A recent U.S. National Intelligence Estimate singled out China as the country most aggressively engaging in commercial cyber espionage against the U.S. private sector. Shortly thereafter, President Obama, in his State of the Union address, stressed the need to strengthen U.S. defenses against various cyber security risks including theft of corporate secrets by “foreign countries and companies” and announced an executive order to protect U.S. critical infrastructure.
Granted, the President didn’t name names, but these developments follow years of media, government, and private sector reports alleging systematic Chinese-backed misappropriation of valuable and proprietary information from the computer systems of American government, commercial, media, and academic organizations.
The latest report, by security firm Mandiant, states that an overwhelming percentage of the attacks on such American entities—commercial and non-commercial alike—can be traced back to hackers affiliated with the Chinese military.
There are many aspects of cyber security that beset U.S.-China relations, including on the military front. But commercial cyber espionage remains one of the most—if not the most—intractable, despite attempts by the two governments to address this problem at the last two rounds of the Strategic and Economic Dialogue.
The back-and-forth between both sides has generally played out in several stages. The United States alleges incidents of commercial cyber espionage by Chinese actors. China reacts by denying those allegations. It reiterates its opposition to hacking, emphasizing that it, too, is (only) a victim of such activities. Then, at times, it accuses the United States of using cyber security problems (along with several other issues) to demonize and contain China.
The result: Each side is dug into its position and no progress is made.
Clearly, America’s patience is running thin. Speaking before her departure as secretary of state, Hillary Clinton said, “We have to begin making it clear to the Chinese—they're not the only people hacking us or attempting to hack us—that the United States is going to have to take action to protect not only our governments, but our private sector, from [these kinds of] illegal intrusions.”
China, for its part, might want to rethink its standard response to the situation. One has no reason to doubt that, in a country with the largest number of Internet users, Chinese entities have themselves been subject to illicit cyber activities. China also has a right to dispute any allegations against it, but the fact that report after report says the same thing suggests, at the very least, a perceptual problem for China, if not that some or all of those reports may actually be true.
An inability to acknowledge the problem doesn’t help China’s already battered image on cyber security matters and will continue to doom the prospect of any real dialogue on this issue. More broadly, it has real implications for China’s attractiveness as a trade and investment partner, and undermines strategic trust between the world’s two largest economies.
Recognizing the potential harm to the bilateral trade relationship, the U.S.-China Business Council has urged the American and Chinese governments to address the cyber security problems faced by companies. Meanwhile, these problems only add to a host of policies and practices in China that continue to frustrate the ability of American and other foreign companies to do business on a level playing field, including inadequate protection of intellectual property rights and industrial policies favoring Chinese firms and technologies.
All these only serve to increase the costs of doing business in China, relative to its benefits, over the long run. That would be antithetical to the Chinese leadership’s efforts to boost investor confidence, particularly at a time of slowing economic growth.
Likewise, repeatedly playing the victim will only serve to reinforce perceptions in the United States—and elsewhere—that China isn’t being totally upfront about its role in cyber security. As it is, Chinese investors face a major image problem in the United States, especially in the aftermath of the October 2012 report by the House Intelligence Committee referring to Huawei and ZTE as cyber-espionage threats to American telecommunications networks.
The leaders of China and the United States have endorsed the notion of building a new type of relationship between the two powers. This new relationship entails not only working on shared interests, but also having the honesty and courage to work on difficult and divisive issues. In that regard, acknowledging the commercial cyber espionage problem for what it is would be a good start.
Piin-Fen Kok is senior associate for the China Program at the EastWest Institute.