The International response: Do they listen to what some International Organizations say? 45

Chapter 4 Thinking bilaterally: How does the US and China address each other?

4.1 The International response: Do they listen to what some International Organizations say? 45

The United Nations International Telecommunications Union launched in 2017 its Global Cybersecurity Index (GCI) in which they measure the status of cybersecurity worldwide. It measures the commitment of Member States to cybersecurity in order to raise awareness. The 2017 index includes the surveys made to 134 States in 2016.

Member States were classified into three different categories depending on their GCI score: Initiating stage, groups 96 countries which have just started to make commitments in cybersecurity. The Maturing stage refers to 77 countries that have developed complex commitments, and have engaged in cybersecurity programs and initiatives. And the last category is the Leading stage in which 21 countries are grouped, these countries have demonstrated high commitment in the five pillars of the index.

The five pillars of the index are legal, technical, organizational, capacity building and cooperation. The legal pillar is measured based on the existence of legal institutions and frameworks dealing with cybersecurity and cybercrime, the more developed the cyber laws in the country the better ranking it has. The technical pillar refers to the existence of technical institutions and frameworks dealing with this issue. The Organizational pillar is measured based on the existence of policy coordination institutions and strategies at the national level. The capacity building pillar is measured by the existence of research and development, education and

‧

國

立政治大學

‧

N a

tio na

l C h engchi U ni ve rs it y

training programmes. The Cooperation pillar is calculated based on the existence of partnerships, cooperative frameworks, and information sharing networks.

In the case of the United States, the Index considers that they are one of the 21 leader countries because of its high scores and legal capacity building the previously explained pillars.

For the United Nations International Telecommunications Union a notable aspect of both capacity building and cooperation in the country is the initiatives to coordinate cybersecurity among all states. It is considered as the top one country in the Americas region, with Canada and Mexico as the top second and third.

China, on the other hand, is not considered in the top three ranked countries in Asia, it is stagnated behind Singapore, Malaysia and Australia, countries which have developed its pillars to such an extent to be considered the top in Asia and the Pacific. This might be related to the fact that China purposefully distances itself from existing international agreements. It is creating parallel IT standards to work with them domestically, not really following the International standards and practices. The United States ranks as number two in the score, just behind Singapore, while China ranks as 32 in the list of 165 countries.

The United States actions in the cyberspace are bounded by its constitution, supposedly aiming at the right of freedom of speech, and by its international commitments with International Organizations such as the United Nations. On the other side, China has traditionally argued for the recognition of sovereignty as a basic principle also in the cyberspace and the need to avoid and prevent actions that could destabilize the relations.

In the case of China, together with Russia and other members of the Shanghai Cooperation Organization, they have been trying to promote for more than a decade its ideas for

‧

國

立政治大學

‧

N a

tio na

l C h engchi U ni ve rs it y

internet governance in the world. The principle of internet sovereignty that the Chinese people are trying to promote includes two main things “first, to abstain from uninvited influence of any kind within any state’s information space and, second, to regulate the internet through an international forum, such as the United Nations’ International Telecommunication Union”(Lindsay, 2015). The first of this ideas opposes the American idea of openness and the second aims to give a more equal treatment to the issue by an independent and strong organ such as the United Nations rather than “the constellation of multi-stakeholder institutions that has historically governed internet protocols and global network management”(Lindsay, 2015).

It is clear that both, United States and China, face many similar problems, regarding cybersecurity; however, they have different views. China has more openly used its idea of sovereignty by censoring the web and strongly surveilling its citizens. For the Chinese, adapting the international openness idea on the internet represents a threat “Full freedom can bear not only a terrorist threat but also a danger to the life and freedom of citizens (…) we must pay serious attention to check and filter incoming information” (Lu, 2016).

The main difference between United States and China’s views on cybersecurity mainly concern freedom of information in cyberspace. Also, each government’s decision-making process vary; while in the case of United States, many branches are involved, the CCP basically controls every decision in the process.

4.2 United States and China Cybersecurity Dialogue

The cybersecurity dialogue between the United States and China is not different from other kinds of dialogues between these countries, it “reflects the thoroughly ambiguous relationship between

‧

國

立政治大學

‧

N a

tio na

l C h engchi U ni ve rs it y

China and the United States, distinguished by deep economic interdependence as well as rivalry and mistrust in the security arena”(Lindsay, 2015)

The United States and China have significant differences in almost every aspect, and cybersecurity and cyberspace are not the exception. The definitions and objectives differ which makes the approach sometimes a tricky and not so easy one. For example, in the 2011 White House International Strategy for Cyberspace the US clearly argues that it will work towards creating a more open, secure and reliable information and communications infrastructure, while China traditionally argues to create the norms of what could be called the cyber sovereignty, in which states have the right to control and regulate their own cyberspace freely.

As exposed in the previous chapter, China’s rhetoric is more about how the cyberspace should be governed, making emphasis in the sovereignty of the cyberspace while it has not really offered a lot of justifications or explanations on how and why a state may conduct cyberattacks.

(Segal, 2017) China’s rhetoric is not a new one and the dialogue with the United Staes has happened accordingly.

In 2009, US President Barack Obama and Chinese President Hu Jintao established the US-China Strategic and Economic Dialogue (S&ED or 中美戰略與經濟對話 in Chinese) which is an upgraded mechanism that replaced the former Senior Dialogue and Strategic Economic Dialogue started under the George W. Bush administration . This is a high-level dialogue for the ² United States and China to discuss a wide range of regional and global strategic and economic issues between both countries.

Since April 2017, the Dialogue is renamed to Comprehensive Economic Dialogue by President

This Dialogue is important given that it has created “new habits of cooperation (…) providing more senior, more direct, and more comprehensive communication (…) [on] critical domestic and global challenges”(Kuo, 2016). This dialogue is relevant because cyber issues were part of it and is one of the precedents of the 2015 Agreement. The S&ED “will meet once per year in alternate capitals” (U.S. Department of the Treasury, 2009). It was on the seventh round of the S&ED, on June 2015, where cyber issues were featured prominently on the security side of the Dialogue for the first time. After the 2015 Agreement reached by President Obama and President Xi, the S&ED, on June 2016, welcomed the results of the first US-China High-Level Dialogue on cybercrime.

There have been other more specific and concise communication strategies between both sides, such as the one organized by the think thanks: The Center for Strategic Studies and International Studies (CSIS) and the China Institute of Contemporary International Relations (CICIR) who have held talks, where officials and experts from both the United States and China gather. The main objectives of the discussions are to reduce misperceptions and to increase transparency of both countries’ authorities and understanding on how each country approaches cybersecurity, and to identify areas of potential cooperation, including confidence-building measures and agreement on norms and rules for cybersecurity. This kind of dialogues might not represent, even though there are participation of officials coming from both governments, the real views of both governments, nevertheless, it is relevant because it is a source to see how the bilateral relation in terms of cybersecurity developed during this period of time.

The importance of these dialogues falls in the fact that even though they are not formal official communication channels between governments, they serve as a trustful source of

‧

國

立政治大學

‧

N a

tio na

l C h engchi U ni ve rs it y

information to track down the development of the cybersecurity related issues from 2009 until 2017 given the importance and relevance of both think tanks and also the fact that it includes not only expert on cybersecurity but also government officials from both sides. Also, due to the limited open resources, this mechanism presented by these think thanks serves as a platform that has lasted for several years and the information is consistent.

The first dialogue event took place on December 17, 2009, in Washington DC. On this day, officials and experts worked together in two different sessions, the first one called Cyberspace and International Security and the second one called Multilateral and National Activities to Promote Cybersecurity.

In the first session, they both agree on saying that no nation by itself can adequately secure cyberspace. But also, there is neither an adequate policy framework to manage cooperation and conflict in cyberspace, nor a coherent lexicon to describe it. The main topics discussed in that session were three: National perspectives on cybersecurity, Principles, norms and lexicon for international security for cyberspace, and Multilateral approaches to future Estonia-like incidents.

In the case of the second session, they acknowledged that every nation faces the same problem of making cyberspace a secure environment for innovation and economic growth.

Besides that, nations face the problem of how to best build trust and assurance in key national networks. The topics discussed in that session were four: Cooperative approaches to cybercrime, Securing the global cyberinfrastructure, Confidence-building in cyberspace, and Next steps in CICIR-CSIS dialogue.

‧

國

立政治大學

‧

N a

tio na

l C h engchi U ni ve rs it y

It was in May 2010 when the second Sino-US Cybersecurity Dialogue happened in Beijing. During this event, there were six different panels: 1.-How should we define responsible state behavior in cyberspace? 2.-How does national sovereignty apply in cyberspace? 3.-What sort of international governance structure or rules would best serve the international community?

4.-What rules are appropriate for military conflict in cyberspace? How should existing laws of war be applied? 5.-What roles do technology and trade play in cybersecurity (e.g. techno-nationalism, technological hegemony)? 6.-What is the basis for cooperation on combating cybercrime? And as we see the topics discussed are still super similar to the discussed in the previous meeting.

In the case of the third meeting, there is no information listed on the Web page of the Center for Strategic and International Studies, but I can assume it happened in the United States probably at the end of the year 2010, it is quite interesting that it jumps from the second to the fourth meeting in their official page online (consulted on June 3, 2018).

The fourth dialogue took place in Beijing and for that, the only information available is the Agenda of the day, without going deep in providing more information. They discussed the Use of force in cyberspace (like basic principles, basic concepts, criteria, and processes), Law enforcement cooperation, Supply chain and Trade issues, Governance in Cyberspace (like Institutions, Sovereignty and Responsibility, Norms), and to conclude they discussed the State-to-State trust in cyberspace.

The fifth CICIR-CSIS talks on cybersecurity happened from November 30 to December 1, 2011. This time it took place in the office of the Center for Strategic and International Studies in Washington DC. There were two sessions this time, the first one concerning the US and

‧

國

立政治大學

‧

N a

tio na

l C h engchi U ni ve rs it y

Chinese perspectives on development in cybersecurity, their National Practices and policies for cybersecurity and the Military and Security issues in Bilateral Cybersecurity. The second session was about the Framework for International Security in Cyberspace and Building Strategic Trust in Cyberspace.

In the case of the sixth Dialogue, it happened in Beijing on the 13-14 of June 2012. This Dialogue was quite interesting, during the first day they had normal sessions discussing four different things, first the China-US Confidence building in the Cyberspace, where they were trying to identify the main causes preventing the two sides from building trust, second the International Norms and Cooperation over the Cyberspace, third the Law Enforcement Cooperation, and fourth the New Risks, New Threats then New Concepts, where it was all about defining the concepts and considering if old definitions were still adequate.

The second day was a bit different, they created two scenarios in which they had to theoretically react. In the first simulation a really powerful virus breaks out somewhere, it has a lot of power since its sophisticated and devastating. They wanted to see first, how would China and the United States immediately communicate with each other in order to prevent infections?

Second, how would China and the United States send out convincing signals in order to avoid misperception and escalation of tension? Third, would it be possible for both countries either jointly or in collaboration with other States or players, conduct effective investigations? Fourth, what would they do if after the investigations they find out that the responsibility points at non-state actors such as terrorist or if it turns out to be originated from a State? What should they do in each case?

‧

國

立政治大學

‧

N a

tio na

l C h engchi U ni ve rs it y

In the second scenario, an accidental incident between naval vessels causes damage and leads to heightened tensions in both countries. Hackers start issuing threatening statements, and both countries detect cyber exploits against government and military networks that appear to originate in the other country, nevertheless, they are unable to determine if they come from either private or governmental hackers. In this case, hey wanted to see first, what sort of cyber incidents would be considered destabilizing or would lead to an escalation of tensions? Second, how would China and the United Staes immediately communicate with each other in order to prevent misinterpretation or escalation? Third, are there implicit signals that could be used to indicate discomfort over a particular malicious cyber activity? Fourth, how do they indicate what actions are unacceptable and would trigger a damaging response? Fifth, what understandings should be put in place between the two countries in advance of any incident to better manage a future crisis and to avoid conflict?

These kind of simulation are really fruitful in my point of view, and it would be incredibly beneficial for my thesis to have access to the results and the way they dealt with the issue, but since those documents are not available I can only assume what could have happened.

What I could find is a Joint Statement released after the sixth meeting by both the CSIS and CICIR. In this joint statement, they point out three main things: the areas of agreement, the unresolved areas and the next steps both states need to go.

Both countries have a shared interest in avoiding the misperceptions and miscalculations that could lead to conflict, they also share the same interest in finding measures that can be suggested to the two governments to reduce tensions in the cyber arena. They also found out after the simulations that both Staes have formal processes for dealing with cyber crises, but

‧

國

立政治大學

‧

N a

tio na

l C h engchi U ni ve rs it y

there is no identified channel of communication, reason why they agree that creating a formal approach to communicating in a crisis would be useful and necessary. Both the CICIR and CSIS have similar views on the risk posed by non-state actors and the need to limit their capabilities in the cyberspace.

One of the issues that remain unsolved is the question regarding what sort of behaviors could be regarded as an attack or war in cyberspace, there are also areas of ambiguity involving the scope, duration, and effect of cyber actions and those issues also need to be clarified not only by the United States and China but internationally. The treatment of proxy forces also remains an outstanding issue affecting the discussion of norms and codes of conduct.

After the first six meetings both institutions form both countries acknowledge that the dialogue has already provided a place for informal discussion among the respective governments but it is not enough, it should be broadened. That’s why they propose that in order to carry out official discussions over this issue, additional channels at high levels should be set up between the two governments. Government to government discussions would create a better environment to create better and effective bilateral crisis communication channels, also if both governments have high official meetings it would help increase the public awareness.

On December 4-5, 2012 the seventh Dialogue took place in Washington DC. This Dialogue copied the same style as the previous one, leaving the first day for discussion and the second for the Scenarios-based Discussions. On the first day, they US representatives explained their perceptions on China’s cybersecurity policy while the Chinese representatives also provided their perceptions of the US cybersecurity policy. After that, they both provided their own perceptions of the international cyber environment.

‧

國

立政治大學

‧

N a

tio na

l C h engchi U ni ve rs it y

During the second session, they discussed the future of interdependence between the United States and China: the implications of cybersecurity, the boundaries of acceptable behavior in cyberspace and at the end each side provided a description of the requirements for stability in the cyberspace and also measures that could enhance it.

The fact that they replicated the model form of the previous session makes me believe that they saw it as a good exercise to see and measure how the states would react under certain circumstances. This time there were 4 scenarios: In the first one, Iran experiences a range of cyberattacks and suspects Israel and the United States are behind them. Iran asks China for technical assistance while Israel asks the United States for assistance. The main question is can the US and China cooperate in managing this situation and defusing this cyber battle kind of situations? In the second scenario, each country discovered that its energy pipelines have been probed and mapped for possible cyber attacks, each suspect the other is responsible. In the third scenario authorities from both countries found a serious vulnerability with a widely used IT product. In the fourth scenario, the United Kingdom announces that cyber espionage has reached intolerable levels and calls for a global conference of leading nations since the current institutions such as the WTO are ineffective, would both countries agree that a new approach is

在文檔中網路安全與美中關係：理論的分析 - 政大學術集成 (頁 51-63)