Rules of virtual engagement

陈小将

Recently, China's cyber security agencies and companies have disclosed information on public attribution of cyberattacks against network facilities in China by the United States. This has changed the two countries' previous stance on issues related to public attribution of cyber activities. In the past 10 years, it was the US government and businesses that frequently publicly accused China of alleged cyberattacks.
The shift from being the accused to the accuser is a result of China attaching greater significance to the role of public attribution. The China-US competition in the field of public attribution will gradually turn into a long-term campaign and is likely to be a new friction point in the realm of cyber security. Therefore, strengthening crisis management is equally important for both sides. As a matter of fact, two problems exist when it comes to public attribution — how to establish widely supported norms that clearly define what types of cyber activities should be considered unacceptable, and how to reach a consensus on issues related to public attribution.
First and foremost, the China-US disputes over public attribution derive from their vastly different perspectives on cyberattacks. The Chinese side thinks that any form of cyberattack is unacceptable, while the US thinks that since online intelligence-gathering activities are inevitable, what's important is to regulate such activities and reach a consensus.
However, the lack of enforceable international laws or widely supported standards and norms that clearly define what types of cyber activities should be deemed illegitimate has made it fairly difficult to credibly question such activities. And the establishment of international norms faces multiple difficulties. Some countries have divergent views on key categories of cyber behavior and have different interpretations of even the handful of norms supported by the United Nations Group of Governmental Experts. Even if they did agree on behavioral standards, they would find it difficult to monitor and enforce them.
From the US' point of view, since intelligence-gathering activities in the real world cannot be banned, cyber espionage should be allowed. The US has been resisting efforts to broadly prohibit certain types of cyber intrusions and potential attacks. Moreover, the dividing lines between cyber espionage and other offensive forms of cyber actions are so blurred that they are difficult to delineate and effectively cope with. Thus, the international community — including the US and China — still needs to clarify what types of cyber behavior should be deemed illegitimate or irresponsible.
Second, countries can hardly reach a consensus on issues related to public attribution. This is because public attribution often fails to provide sufficient evidence, nor does it provide a legal basis for the accountability or responsibility. Also, there are major technical challenges in identifying who authorized the detected cyber operations, and also legal challenges in defining the circumstances in which a government should be held legally accountable for such actions.
Therefore, China and the US should carry out sustained dialogue, strengthen dispute management, and roll out confidence-building measures.
To start with, the two countries should reach a consensus on the fundamental principles of crisis management. In the face of more frequent conflicts in the cyber domain covering a wider range of fields, China and the US lack a basic consensus on crisis management. This reflects their deep-seated differences in their strategic intentions in cyberspace and cyber military security policies. The flawed bilateral communication mechanism hinders bilateral cooperation in cyberspace crisis management. China and the US should, on the diplomatic front, attach greater significance to meeting the basic requirements of cyber crisis management, including correctly understanding the other's interest demands in cyberspace and accurately assessing the other's cyber policy intentions.
On top of that, China and the US should push forward the establishment of norms for regulating cyber conduct. Norms for responsible (or irresponsible) conduct could help reduce the risk of unintended effects on targeted networks and beyond, and minimize collateral damage and opportunities for cyber criminals to exploit tools, among other benefits.
Last but not least, as a confidence-building measure, China and the US should establish an international coordination mechanism to combat ransomware attacks. Ransomware is among the most serious cyber challenges that both countries are confronted with, therefore a good starting point for bilateral cooperation. Such cooperation will deliver concrete benefits at a relatively low cost, help build confidence between the two countries in the cyber domain, and encourage other countries to take stronger action against ransomware.
The author is a professor and director of the Research Center for International Cyberspace Governance at the Shanghai Institutes for International Studies. The author contributed this article to China Watch, a think tank powered by China Daily.