In the agreement, the Chinese address a category of cyber hacking that has deeply troubled the U.S. and become a serious irritant in the U.S.-China relationship, i.e., hacking engaged in or supported by a government to provide competitive advantages to the nation’s companies (see prior blog post here). U.S. policymakers over the years have found it difficult to get the Chinese to acknowledge even that there is such a distinct category, as separate from espionage, which all countries may practice. Further, the U.S. and China agreed, importantly, that neither country’s government will conduct nor support any such commercially-motivated hacking, and will cooperate to address it. While the Chinese government has previously denied engaging in this behavior and continues to do so, this is an explicit acknowledgment such behavior is wrong and actionable. Ultimately, whether this agreement is effective likely will be determined more by China’s conduct as assessed by U.S. companies, forensic experts and the U.S. government, including with the help of intelligence agencies, than by the government dialogue and cooperation the parties pledged to undertake, especially since the U.S. might not always want to document its “proof” that particular actions should be attributed to China in order to avoid compromising sensitive intelligence information. That’s not to say, however, that the available senior-level government-to-government follow-up that was agreed won’t be beneficial for a number of purposes. This agreement effectively commits the Chinese President on these issues and raises the stakes for China in a major way, perhaps recognizing that the U.S. already viewed the stakes in this way. This agreement does not necessarily mean, however, that the U.S. won’t take action against Chinese companies who have already become the beneficiaries of the cyber-theft of valuable U.S. company information.
Excerpt from the White House fact sheet
-
Cybersecurity-
- The United States and China agree that timely responses should be provided to requests for information and assistance concerning malicious cyber activities. Further, both sides agree to cooperate, in a manner consistent with their respective national laws and relevant international obligations, with requests to investigate cybercrimes, collect electronic evidence, and mitigate malicious cyber activity emanating from their territory. Both sides also agree to provide updates on the status and results of those investigation to the other side, as appropriate.
- The United States and China agree that neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.
- Both sides are committed to making common effort to further identify and promote appropriate norms of state behavior in cyberspace within the international community. The United States and China welcome the July 2015 report of the UN Group of Governmental Experts in the Field of Information and Telecommunications in the Context of International security, which addresses norms of behavior and other crucial issues for international security in cyberspace. The two sides also agree to create a senior experts group for further discussions on this topic.
- The United States and China agree to establish a high-level joint dialogue mechanism on fighting cybercrime and related issues. China will designate an official at the ministerial level to be the lead and the Ministry of Public Security, Ministry of State Security, Ministry of Justice, and the State Internet and Information Office will participate in the dialogue. The U.S. Secretary of Homeland Security and the U.S. Attorney General will co-chair the dialogue, with participation from representatives from the Federal Bureau of Investigation, the U.S. Intelligence Community and other agencies, for the United States. This mechanism will be used to review the timeliness and quality of responses to requests for information and assistance with respect to malicious cyber activity of concern identified by either side. As part of this mechanism, both sides agree to establish a hotline for the escalation of issues that may arise in the course of responding to such requests. Finally, both sides agree that the first meeting of this dialogue will be held by the end of 2015, and will occur twice per year thereafter.