Will China Deliver on Its Promise to Stop Hacking American Businesses?
Friday’s Rose Garden announcement by the leaders of China and the United States could usher in a new era in U.S.-China relations, or a new kind of hacking.
After weeks of threats that the United States was on the verge of imposing sanctions on China for its alleged theft of American trade secrets, President Barack Obama stood next to Chinese leader Xi Jinping in the Rose Garden Friday and declared that the two countries have reached a “common understanding” on ending the plunder of intellectual property in cyberspace.
China has consistently denied that it carried out such actions, but Friday’s statement by the two leaders is the first sign of progress on an issue that threatened to torpedo the highly anticipated meeting between the two leaders. A White House fact sheet said that “the United States and China agree that neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.”
The White House also said that China and the United States agreed to cooperate more fully in the investigation of cybercrimes, would work together to establish a set of agreed norms for state conduct in cyberspace, and agreed to set up a ministerial-level meeting to discuss cybersecurity issues that would meet twice a year.
If China delivers on its commitments — a big if — the agreement could ease attacks on American businesses and ease what has been a significant irritant in relations between China and the United States. Obama sounded a note of caution. “The question now is: Are words followed by actions?” he said. “We will be watching carefully to make an assessment as to whether progress has been made in this area.”
For the White House, Friday’s commitment by China to halt activity that Obama has long described as unacceptable is a clear victory, one that delivers a major commitment from Beijing without having had to use sanctions to extract it. The Obama administration’s ongoing effort to promulgate a deterrence strategy for cyberspace has in recent weeks focused on whether to slap China with sanctions, and Friday’s announcement appears to indicate that Beijing was at least somewhat responsive to those threats and viewed the summit’s successful conclusion as far more important than maintaining its denials that it is engaged in IP theft. Cybercrime and espionage are estimated to cost the U.S. economy between $24 billion and $120 billion annually.
The agreement, as described by the White House, represents a limited, though significant, measure of progress on an issue that has bedeviled Obama’s efforts to forge closer links to the world’s second-largest economy. “It’s a major step forward,” said Jim Lewis, a widely consulted cybersecurity expert at the Center for Strategic and International Studies. “They’ll of course have to verify that the Chinese live up to it and that there are consequences if they don’t.”
Dmitri Alperovitch, whose security firm CrowdStrike has documented Chinese cyber attacks, called the agreement “an inflection point” in the relationship in cyberspace between China and the United States. “To now have formal acceptance by China that there is a difference between economic espionage and governmental espionage is a big deal.”
Indeed, even if it would decrease attacks on American businesses, Friday’s agreement says nothing about espionage targeting military or government servers, such as the recent breach of the Office of Personnel Management. That attack, which U.S. officials privately say was carried out by Chinese hackers, resulted in the exfiltration of the personal information of some 21.5 million people, including documents compiled during background checks for current, prospective, and former government employees seeking security clearances. On Wednesday, OPM revealed that the breach included the theft of 5.6 million fingerprint records, up from its previous estimates of 1.1 million.
China has consistently denied its involvement in that attack and other breaches of U.S. servers. Indeed, prior to departing for the United States, Xi, using terms remarkably similar to those used by Obama on Friday, said in an interview with the Wall Street Journal that “the Chinese government does not engage in theft of commercial secrets in any form, nor does it encourage or support Chinese companies to engage in such practices in any way.”
Bold-faced denials such as these, even as security experts have documented sophisticated cyberattacks being carried out by Chinese operatives, have some observers questioning whether China will deliver on Friday’s commitments. “There’s much less here than meets the eye,” said Patrick Cronin, the senior director of the Asia-Pacific Security Program at the Center for a New American Security. “We can hold up and use these statements as benchmarks. Those are good things to have. They’re not finished products.”
Whether China can reduce the number of cyber attacks on U.S. businesses goes to the heart of the big-picture problems currently facing the country. Beginning in 2006, China officially sought to foment innovation in order to move up the global value chain, but had only limited success. Developing such an economy requires intensive investments and research and development, and the theft of intellectual property emerged as a quick and dirty way to take technological shortcuts.
Now, facing a slowing economy, Chinese leaders have recognized that the country must accelerate its transition from an export-led economic model toward one that increasingly features technological innovation and value-added goods. And as Chinese firms have become gradually more innovative — China is the world leader in patent applications — the country’s top officials are learning that intellectual property theft can be a double-edged sword.
“If one accepts President Xi as honestly reflecting his plans for his military and foreign intelligence service hacking teams, then I believe he is making a strategic shift. Rather than stealing commercial secrets from Western companies, I believe President Xi intends to pursue more joint ventures with foreign firms and also acquire foreign firms,” said Richard Bejtlich, chief security strategist at FireEye, a prominent network security firm. “If one does not accept President Xi’s statements as true, then one might assess that President Xi believes his forces can evade U.S. detection and attribution capabilities. China’s operational security has traditionally been poor overall, but they have improved over the last few years.”
There is the risk that Friday’s agreement may just herald the beginning of a new era: more covert, deniable Chinese cyber operations. “If there is a slowdown [in hacking], China is probably moving their espionage operations to proxy groups, the way that Iran and Russia operate,” said Justin Harvey, the chief security officer at Fidelis Cybersecurity. “Attribution is difficult with state-sponsored attacks because of the lack of physical evidence connecting the person to the virtual crime. China can always find a patsy within the country, arrest them and claim ‘mission accomplished,’ if they’re caught by the U.S. on a cyber-attack.”