Global Affairs

Commercial spying or state espionage?

The recent US-China pact on cyber security tries to ban commercial intelligence but it may just cause a lull before a deeper tussle ensues for control of digital information

LONDON • It is hailed as a significant diplomatic breakthrough: The recently concluded deal between the presidents of China and the United States to limit cyber espionage and cybercrime is a crucial initial step in easing the mounting tensions over cyber security between the world's two largest economies.

But unless the deal is swiftly followed by a more comprehensive and global agreement on online activities between states, the ultimate impact of the recent US-China accord may actually be negative; all that the document has provided Beijing and Washington is a brief respite and a small diplomatic opportunity to avert a far bigger showdown over cyber-security matters.

Much of the criticism heaped upon US President Barack Obama's administration for signing the cyber deal with Chinese President Xi Jinping is either unfair or widely off the mark. It is true that, earlier this year, the White House warned that it is minded to sanction Chinese companies and individuals for allegedly digitally stealing US trade secrets and intellectual property and that, in order to get the current cyber deal, Washington has suspended all these proceedings.

It is also true that the agreement between China and the US contains no enforcement mechanisms to ensure compliance; the two governments have merely agreed to "collaborate" in "examining" any incidents of cybercrime.


And it is a fact that the text of the deal remains imprecise and loosely drafted: Both sides agreed that they won't "knowingly support cyber-enabled theft", that they will investigate cybercrimes "in a manner consistent with their respective national laws" and that they will encourage "appropriate norms of state behaviour in cyberspace", all terms which allow plenty of wriggle room.

However, many international treaties specify no enforcement mechanism, relying instead on the good faith of the parties; in that respect, the Sino-American cyber agreement is hardly an exception. And plenty of treaties employ loose language; provided that there is a will, China and the US can observe discipline in the cyberspace.

Far from being a cop-out, a good case can be made that the agreement between Mr Xi and Mr Obama is trail-blazing: It creates a "high-level joint dialogue mechanism" with regularly scheduled meetings between the two nations, and a "hotline for the escalation of issues" relating to disputes over behaviour in cyberspace, a huge improvement on the current practice of the two nations merely shouting abuse at each other.


The real criticism lies elsewhere: in the US administration's assumption that there is a clear dividing line between broad cyber- espionage activities - which all nations conduct and where the US leads in technical capabilities - and using government-collected intelligence for the benefit of its civil sector firms, which the US accuses China of doing.

The current agreement is designed to ban only "commercial intelligence", which is defined by the White House as information collected "with the intent of providing competitive advantages to companies or commercial sectors". This, according to Washington, differs from economic espionage, which most states undertake in pursuit of their national interests, and which the US acknowledges it is also doing.

Stories about Chinese commercial spying are so common that they no longer even raise an eyebrow. The computer servers of multinational companies are probed on a daily basis. E-mail accounts are hacked in order to "harvest" personal data about businessmen and their families, probably in order to probe for any personal weaknesses which can then be exploited.

Western intelligence agencies have long debated whether this Chinese behaviour really enjoys the support of Beijing's top political leadership. Some analysts claimed that China's spies could not be so persistent and brazen unless they acted on explicit orders, while others have suggested that at least some of China's commercial spying operations are "cowboy" affairs, private undertakings by Chinese military staff who then sell the information they glean to China's corporate sector.

Increasingly, however, there is a consensus that China's commercial cyber hacking is systematic, and also changing in character. The information Chinese hackers now seek is no longer related just to innovative technologies and blueprints, but is increasingly directed at spying on mergers and acquisitions of Western companies, and on any commercial activities related to the trade in oil, gas and other minerals.

This is directly connected with the new emphasis of Chinese companies on overseas expansion and on moving up the trading value chain. It has the feel of a coordinated operation; Admiral Michael Rogers, the director of the US National Security Agency, responded with a blunt "yes" when asked at a recent Senate hearing in Washington whether the Chinese government actively supports computer attacks against US companies.

Be that as it may, all the recent cases of alleged Chinese espionage illustrate how difficult it is to distinguish these from either economic or commercial or just "old-fashioned" spying, which all states practise.


Take the example of Westinghouse, the giant US corporation which allegedly fell victim to Chinese cyber espionage, an episode which led last year to the unprecedented personal indictment of five Chinese military officers on charges of commercial espionage. The Chinese may be forgiven for not considering Westinghouse a civilian commercial outfit, for the company is not only one of the world's biggest manufacturers of technology for civilian nuclear reactors - never a "normal" commercial technology - but is also a major supplier of nuclear propulsion technology for the US Navy submarines, precisely the key technology which the Chinese now desperately need for their military development.

Furthermore, even if one assumes that a distinction can be made between commercial and "economic" or military espionage and even if the current cyber agreement between the US and China is respected by both sides, it only concerns the end-user of information. The Chinese and the Americans are theoretically barred from transferring information obtained through the hacking of computers to their commercial enterprises. It may be a positive step in the right direction of better cyber governance, but only a tiny step.


And, meanwhile, the problem is getting worse by the day. Security breaches cost the global economy more than US$400 billion (S$570 billion) annually, the Centre for Strategic and International Studies estimates, with Asian countries among the most hurt as a percentage of their respective gross domestic products. And South-east Asia is now one of the most targeted in the world, according to a recent report from security provider FireEye.

The US holds out the possibility of expanding its current cyber treaty with China to other similar agreements worldwide. But some top experts, such as Professor Greg Austin of the Australian Centre for Cyber Security at the University of New South Wales, argue that instead of engaging in partial agreements based on often-dubious distinctions between commercial and economic cyber espionage, the US government should promote "the concept of 'highly secure computing' ", based on "information technologies that are likely to be breached only in exceptional and rare circumstances and at high costs and risk to the attacker" as an alternative to the current model which he terms "patch and pray", under which companies rush to close security breaches in the hope that no further weaknesses exist, only to discover new ones. In short, instead of browbeating others to do no evil, the US could accomplish more by assisting its top companies to become impregnable.

And, ultimately, the US has to accept that if it wishes to promote new cyber norms and the new concept of "international information security", it also has to make some technological concessions. For, as long as the US remains determined to maintain its superiority in such fields, it must also expect all other nations to try to reduce that American superiority through all available measures.

But the Chinese should also be careful in the way they conduct themselves. For, although they may have succeeded in deflecting US anger by signing the latest cyber deal, matters are only going to get more uncomfortable for Beijing.

In Washington, there is a growing consensus that the next stage may entail direct American retaliation against Chinese activities, by engaging in offensive cyber operations. "And frankly, if we wanted to go on the offensive, a whole bunch of countries would have some significant problems," Mr Obama pointed out recently.

The scenarios under which such operations may be launched are already being rehearsed. So the current deal may represent only a lull before a much bigger tussle.

Join ST's Telegram channel and get the latest breaking news delivered to you.

A version of this article appeared in the print edition of The Straits Times on October 12, 2015, with the headline Commercial spying or state espionage?. Subscribe