On September 25, 2015, the White House issued a “Fact Sheet” summarizing the outcome of the meetings between President Xi and President Obama with respect to areas in which the United States and Chinese governments agreed “to work together to constructively manage our differences” and decided “to expand and deepen cooperation.” While additional detailed documents have not been released, the Fact Sheet includes several points that address cybersecurity related issues, focusing on strengthening bilateral relations:
- Enhanced Criminal Cooperation: China and the U.S. agreed to greater cooperation in order to enhance law enforcement activities in both countries aimed at mitigating criminal cyber-related activities. Types of enhanced cooperation contemplated include timely responses to requests for information and assistance. Further cooperation was agreed to regarding requests to investigate cybercrimes, collect electronic evidence, and mitigate malicious cyber activity emanating from respective territories. Notably, both countries agreed to such cooperation only in a manner consistent with their respective “national laws and international obligations.”
- Use of Stolen Intellectual Property: China and the U.S. agreed not to “conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.”
- Development of International Norms: In both the Fact Sheet and subsequent remarks by President Xi and President Obama, there appears to be recognition of the need for the development of comprehensive norms governing nation-state cyberspace activity within the international community. The Fact Sheet expressly references the July 2015 report of the United Nations Group of Governmental Experts in the Field of Information and Telecommunications in the Context of International Security, indicating that the two countries welcome the report, which addresses norms of behavior and other crucial issues for international security in cyberspace.
Ongoing Bi-lateral Cyber Meetings:
The countries further agreed to establish a high-level bilateral mechanism to discuss “cybercrime and related issues.” The Ministry of Public Security, Ministry of State Security, Ministry of Justice, and the State Internet and Information Office will participate from the Chinese side, while the U.S. side will be represented by the Secretary of Homeland Security and the U.S. Attorney General, with participation from representatives from the Federal Bureau of Investigation, the U.S. Intelligence Community and other agencies. The purpose of these bi-annual meetings appears to be the airing of “malicious cyber activities” that cause particular concern on each side and to review the timeliness and quality of responses to requests for information and assistance. The countries also agreed to put into place a so-called “hotline” dedicated to cyber related issues. For Chinese and U.S. companies, the agreement prohibiting either state from using cyber-enabled actions to steal intellectual property, “with the intent of providing competitive advantages to companies or commercial sectors,” is a notable development. The agreement may serve to mitigate a possible escalation in tensions between the two countries. The agreement for ongoing bilateral cyber-meetings also provides a forum to discuss “malicious cyber activity,” which will undoubtedly include cyber-enabled misappropriation of intellectual property. Although the agreements are a significant step to de-escalate current tensions and to improve communication and cooperation, it is important to note that the agreement does not appear to prohibit any cyber-related activity on the part of either country. The agreed upon limitations in the agreement focus on how each country may use information obtained from such activity, and the limitations only extend to providing “competitive advantage” to companies or commercial sectors. It is unclear as to whether and how this will actually reduce cyber-enabled state or state-backed activity. Press reports continue to indicate that both China and the U.S. engage in state-sponsored cyber-enabled activities that affect private businesses under motives of “fair competition” or “national security.” While this alert does not seek to analyze the underlying national or international legal authority of such undertakings, we simply note that by explicitly agreeing to such a narrow scope of illegitimate state activity, it may result in activities that fall outside of those areas that are expressly prohibited by the agreement. The immediate and long-term benefits to businesses from the agreement remain uncertain. Since businesses have significant challenges with respect to identifying sophisticated cyber threat actors and, more importantly under the agreement, the motive of cyber threat actors who penetrate corporate information technology networks, the agreement outlined in the Fact Sheet does little to lower the increasing legal, regulatory, and financial burden being placed on businesses, particularly in the U.S., to respond to these types of cyber-attacks and network intrusions. Additionally, the outcome of the bilateral meeting notably does not address complex issues presented by legal developments such as China’s proposed Cybersecurity Law, which would mandate foreign companies to disclose source code. Further, it is important to note that no enforcement mechanism was established to reinforce or oblige either country to adhere to any agreements. On a more positive note, the move toward greater cooperation and collaboration implied in two of the four elements of the statement may well be a small opening that could lead to a reduction in non-state sponsored cyber-enabled criminal activity. In the recent past, we have observed significant impediments in the transnational collaboration between U.S. and Chinese law enforcement entities under the existing agreement of Mutual Legal Assistance in Criminal Matters. Hopefully, the statements of cooperation and ongoing high-level dialogue between senior government officials will create a mechanism for timely and effective actions by law enforcement to reduce the level and scope of cyber-enabled criminal activity, as businesses in both countries would benefit from such a development. Beyond solely addressing non-state criminal matters, the bilateral arrangement to install a dedicated communication channel should be viewed as very positive, as it could assist in rapidly deescalating a variety of cyber-related activities, including a large-scale incident against critical infrastructure that may appear to be emanating from individuals associated with one of the two countries. Finally, it appears from the agreement noted in the Fact Sheet that both countries have recognized the importance of international coordination around cyber-enabled activities and the need for a general multilateral framework to develop appropriate norms of behavior. Whereas it is unclear whether either party would agree to a comprehensive international normative framework surrounding cybersecurity, the commitment to identify and promote such commonalities is an important symbol to the international community. The acknowledgement of the important work undertaken in this area by the UN Group of Governmental Experts also serves to promote the UN’s role an appropriate vehicle for future dialogue.
The agreements announced in the Fact Sheet should be acknowledged as a positive step in what heretofore has been a rapport in the area of cybersecurity largely defined by accusation and denial. Monitoring how these agreements are implemented in practice by both sides is important to assessing whether there will be meaningful progress in the bilateral cybersecurity relationship. A potentially more important barometer of commitment to mutually beneficial cybersecurity between the countries also will come from how domestic legislation in the area of cybersecurity in China is implemented. As we discussed in a separate client alert, China’s domestic national security and cybersecurity laws are undergoing a dramatic reformation. The agreements coming out of the summit, noted above, did not include any mention of these national developments. Tracking and analyzing how the Chinese government implements these new laws may be an even more important signal as to whether the agreements announced in the Fact Sheet are primarily just a symbolic, diplomatic success or a more substantial redefinition of the relationship in the area of cybersecurity between the two countries.