By Eimi Harris. (Originally published May 24, 2016 at the NATO Association. Re-printed with permission)
On April 27, 2016, Russia’s Safe Internet Forum hosted the China-Russia Information Communication Technology Development and Cybersecurity Forum in Moscow. Although the program predominantly established a cooperative Sino-Russian relationship on cyber security, along with a number of other cyber-related social and economic issues, it ended with Russia and China agreeing to pursue one goal in particular: the development of “ separate sovereignty of each nation in cyberspace.”
This goal becomes problematic in that it contrasts with Western notions of keeping the internet free, open, and without division by sovereignty. The United States in particular is devoted to keeping the internet open. So one has to wonder how the US and Chinese could have engaged in their own cyber agreement in 2015 despite having two distinct underlying assumptions about how to approach cyberspace.
Even with the difference in perceptions on cyber sovereignty, the Russian-Chinese and US-Chinese cyber relationships may not necessarily be incompatible if we take into consideration the main targets of each partnership.
President Obama and President Xi Jinping announced the U.S.-China Cybersecurity Agreement in September 2015, not long after the U.S. Office of Personnel Management (OPM) data breach in June 2015, in which U.S. government officials blamed Chinese hackers for stealing the personal information of 21.5 million former and present U.S. government employees. Although China denied those allegations, the OPM accusations incited what was probably the beginning of formalized diplomatic relations and normative behaviour development in cyberspace. The Cyber Agreement was comprised of four main initiatives:
- Both the U.S. and Chinese governments agreed to not conduct “cyber-enabled theft of intellectual property.” This would include trade secrets and information from private businesses and commercial sectors.
- The U.S. and China agreed to cooperate with requests for information pertaining to “malicious cyber activities” taking place within their territories or areas of jurisdiction.
- Both countries agreed to participate in norm development to regulate state activities and relationships in cyberspace.
- Both countries agreed to develop a bureaucratic framework for higher-level cyber dialogue.
What we see explicitly in the U.S.-China Cyber Agreement is voluntary cyber-restraint for the protection of economic activity. However, the agreement does not go much further beyond that. Cyber diplomacy was limited to the clauses on State cybersecurity cooperation and norm development (neither of the countries established any tangible obligations).
This contrasts with the focus of the Russian-Chinese cyber relationship. Evident from the program agenda of the Safe Internet Forum, the explicit elements of Russia and China’s cyber cooperation focuses more on cyber culture, with panels addressing the security and governance of internet communication structures, general data security, and social issues appearing on the web (like religious extremism).
China and Russia, are facing many of the same social problems online as the Western world is. However, the difference is that Russia and China have more openly used censorship and other surveillance to manage what their citizens can access on the web. These practices are likely to continue, especially where both Russian and Chinese delegates at the Safe Internet Forum expressed a need to utilize its state sovereignty and regulate information for its citizens.
But is China’s cyber cooperation with Russia principally in contradiction with the U.S.-Chinese Cyber Agreement? No – both relationships agree to cooperate in cybersecurity when necessary, but the U.S.-Chinese Cyber Agreement serves more explicitly for economic protection while the Chinese-Russian cooperation delves more into social cyber issues. With many analysts finding that China has so far complied with the economic initiative in the U.S.-Chinese Cyber Agreement, there may not necessarily be a clash in economic and social goals between the two cyber relationships.
The same cannot necessarily be said at a diplomatic level. Note that the Cyber Agreement did not explicitly deny either the U.S. or China the ability to partake in political espionnage, while the Safe Internet Forum did not discuss cyber security as a national security strategy. Between these three countries, there are strategic reasons not to address the diplomatic elements of cyber security.
The State’s major responsibility is to protect its population. Economically and socially speaking, protecting citizens’ personal data is a priority since that information is directly connected to the financial security and wellbeing of each individual; there are similar reasons to combat forces such as terrorism online. For now, China, Russia, and the United States are at a point where their current agreements cover the baseline for the security of their population in general.
On the other hand, the State is also responsible for the protection of the population from threats emanating from other territories. If protecting one’s citizens means using cyber espionnage and surveillance tactics against the governments and intelligence agencies of another state, neither China, Russia, nor the United States will want to agree on restricting the use of cyber espionnage on other states. The development of a cyber-diplomatic relationship will depend significantly on how much each country can trust the other, putting China in an interesting spot. In this case, a Russian-Chinese and a U.S.-Chinese cyber relationship may not be as easy to reconcile.
Eimi Harris is a student working towards her undergraduate degree in International Relations and Economics at the University of Toronto. Her main focus in international affairs is cyber security, particularly diplomatic relations and normative development in the cybersphere.