Bilateral Discussions on Cooperation in Cybersecurity

Editor’s Note:  The following is the English language text from a joint statement by the China Institute of Contemporary International Relations and the Center for Strategic and International Studies.  The orginal text in Chinese and English may be found here.

Bilateral Discussions on Cooperation in Cybersecurity

China Institute of Contemporary International Relations (CICIR) –

Center for Strategic and International Studies (CSIS)

June 2012

Since 2009, CSIS and CICIR have held six formal meetings on cybersecurity (accompanied by several informal discussions), called “Sino-U.S. Cybersecurity Dialogue.”  The meetings have been attended by a broad range of U.S. and Chinese officials and scholars responsible for cybersecurity issues.  The goals of the discussions have been to reduce misperceptions and to increase transparency of both countries’ authorities and understanding on how each country approaches cybersecurity, and to identify areas of potential cooperation, including confidence building measures and agreement on norms and rules for cybersecurity. A number of ideas for cybersecurity cooperation have been put on the table by CSIS and CICIR. Our agreements have directly promoted cybersecurity cooperation between the two countries, while our differences will require further discussion.

Areas of General Agreement

The discussions have emphasized a shared interest in avoid the misperceptions and miscalculations that could lead to conflict, and in finding measures that can be suggested to the two governments to reduce tensions in the cyber arena.  We found the initial level of misperception to be high and the discussions have begun to reduce that by frank discussion of intentions and issues.

Both CICIR and CSIS believe that confidence building measures in the cyberspace are the antidote to strategic mistrust.  These could include traditional confidence building measures such as increased transparency on cyber doctrine, reciprocal visits among civilian and military officials, formal exchanges of information on threats, descriptions of decision-making processes, and joint exercises.  During the two dialogues held in 2011, U.S. officials briefed on the U.S. International Strategy for Cybersecurity, the DOD Strategy for Operating in Cyberspace, and the DHS “Enabling Distributed Security in Cyberspace.”  Chinese officials briefed on the China-Russia cosponsored International Code of Conduct for Information Security. Additionally, CICIR also elaborated China’s internet policy based on The State Council Information Office White Paper on China’s Internet Policy.

In the last meetings, attending government observers participated in three simulations where each side described how it would react to a cyber contingency.  It has shown that both countries have formal processes for dealing with cyber crises, but there is no identified channel of communication.  Both sides believe that a formal rather than ad hoc approach to communicating in a crisis would be better – even if this meant just know who to call. It is noted that China, Japan and the Republic of Korea have a formal coordinating process that allows their three national CERTS to exchange technical information.  A similar formal process between the U.S. and China CERT would be useful and necessary.

CICIR and CSIS share similar views on the risk of “third party” non-state actors (such as terrorist groups) and the need to limit their acquisition of cyber capabilities.  Related to this, both sides have the same opinion on the value of increased cooperation on cybercrime (including financial crime, fraud and child pornography) and the talks have produced useful exchanges between law enforcement officials in both countries.   While there is agreement on the benefits of cybercrime cooperation, implementation is difficult.  Existing bodies for law enforcement cooperation meet infrequently and requests for investigative support are not always answered.  This seems to reflect procedural difficulties as much as political obstacles.

Both CICIR and CSIS have explored ideas for cybersecurity that would be based on both international law and on the creation of norms for responsible behavior in cyberspaces.  CSIS drew attention to the norms found in the U.S. International Cybersecurity Strategy.  Both CICIR and CSIS proposed a number of specific measures for responsible international conduct, but these will require further discussion and refinement.   CICIR’s suggestions for a Code, introduced at the last meeting, had four elements:

• Restrict weaponization of cyberspace (by which they meant restrictions on the development of special software like Stuxnet).  This would include pledges not to use cyber warfare and refrain from developing a cyber range and cyber weapons.
• Respect rights of countries to manage relevant networks and oppose hegemony in cyberspace.  Sovereignty is the basic principle for agreement.  The internet is transnational and global – but it consists of sovereign states – so we need to accept the basic principles of sovereignty of states. The real and networked worlds are connected, so the rules of the real world must apply to cyberspace.  One Chinese participant noted that “internet freedom can’t jeopardize national security”
• Increase mutual trust through pledges not to use cyber warfare and refrain from developing a cyber range and cyber weapons.
• Create an international management body to ensure equitable distribution of internet resources.  This could be accompanied by a UN investigative body, modeled after the IAEA, to review and investigate cyber attacks and determine attribution.  This UN body could also deal with proxies.

The CSIS discussion of norms and confidence building to increase stability has focused on several topics.  These include ideas for greater transparency, such as direct dialogue between the two governments, stability and risk reduction measures, acceptance of the applicability of the existing laws of armed conflict, observance of existing commitments on the protection of intellectual property, adherence to the Budapest Convention on cybercrime, and state responsibility for actions in cyberspace by individuals resident in their territory.

There have been discussions of supply chain security.  Both CICIR and CSIS note a “mirror imaging” of supply chain concerns between the two governments.  Both believe that the other will seek to exploit the supply chain to introduce vulnerabilities in to networks and infrastructures.   Supply chain security touches on difficult issues like the nature of indigenous innovation and the role of national and international standards, and while there is a general willingness to find ways to increase trust in a global supply chain, the development of specific ideas acceptable to both governments to do this will require considerably more discussion and involvement of experts in related areas.

Unresolved Areas

CICIR has raised the idea of a “no-first-use” agreement among major cyber powers and, more recently suggested that mutual vulnerabilities in cyberspace are useful as a basis for cooperation.  CICIR has also proposed the idea of civilian sanctuaries, and a prohibition of cyber attacks against purely civilian targets.

CSIS has noted than the existing Laws of Armed conflict, and the rules of proportionality, discrimination, and the distinction of legitimate military targets already provide a framework for protecting civilian targets.  The line between civilian and military infrastructure is blurred, but the concept of the protection of civilians can be found in the Geneva and Hague conventions, which CSIS proposes that all nations agree to observe in cyberspace.

Extensive discussions have been done over the question of what sort of behaviors could be regarded as an attack or war in cyberspace. Both CSIS and CICIR agreed that the threshold for calling an event in cyberspace an attack should be high – not everything bad that happens in cyberspace is an attack or the use of force.  most malicious activities in cyberspace do not involve attacks and warfare.  At the same time, there are areas of ambiguity involving scope, duration and effect of cyber actions  that need to be clarified internationally.

CICIR reckons the importance of the Budapest Convention on Cybercrime, appreciates the positive attitude of the Council of Europe in fighting cybercrimes and promoting international judicial cooperation over cybersecurity, and acknowledges the constructive role of the Convention in certain aspects. However, CICIR points out that the Budapest Convention, which was formed in 2001, fails to adequately reflect the significant concern of the developing world in fighting cybercrime. Additionally, there exists inevitable concern over violation of sovereignty and incompatibility with domestic legislations caused by transnational collection of evidence.   Thus CICIR advocates a new international convention on cybercrime being drafted through both bilateral and multilateral efforts and by authorized GGE within the UN framework. CSIS has stressed the inadequacy of other arrangements for dealing with cybercrime when compared to the Budapest convention, and suggested that it was very unlikely that they US would ever accept a cybercrimes initiative handled by the ITU.  Therefore the U.S. will vigorously promote other countries adopting the Budapest Convention.

The treatment of proxy forces – private hackers acting as agents of the state – remains an outstanding issue that affects discussion of norms and codes of conduct.  CSIS believes that the U.S. will require some agreement to constrain proxies as part of any larger agreement or CICIR proposed Code of Conduct.

CSIS has pointed out that while nations seek to extend sovereign control into cyberspace, U.S. actions are bound by its Constitution, which guarantees the right of free speech, and by its international commitments, including the UN Charter on Human Rights.  Given the complex nature of questions on national sovereignty in cyberspace, this topic needs further discussion.  CICIR has discussed the need for recognition of sovereignty as a basic principle for cybersecurity and the need to avoid or prevent actions that could be destabilizing. There have been useful exchanges of contrasting views on the nature of ICANN, the ITU and internet governance.

Next Steps

CICIR and CSIS both acknowledge that the existing dialogue already provides a venue for informal discussion among the respective governments and this should be broadened.

In order to carry out official discussions over cybersecurity, we suggest that additional official channels at high levels should be set up between the two governments.

CERT-to-CERT cooperation should be put into practice quickly.

Effective bilateral crisis communications channels should be created.

We agree to create greater public awareness of the discussions over cybersecurity, perhaps including separate meeting with the private sector in the future.

CICIR and CSIS plan to jointly publish a research report covering issues under discussion, an agenda for future cooperation and issues in cybersecurity within a year and this could increase awareness of the progress made to date.