Cyberspace Cooperation

The Global Cooperation in Cyberspace Initiative seeks to reduce conflict, crime and other disruptions in cyberspace and promote stability, innovation and inclusion.


McConnell: U.S.-Russia Cyber Feud Not Just About Cyber

Speaking to the Christian Science Monitor, EWI's Bruce McConnell points out that suspected Russian cyber attacks, and the decision to leak DNC and Clinton campaign emails to WikiLeaks, could fall into a gray area when it comes to cyber conflict. “If they had just stolen the information and not done anything with it publicly it wouldn't be such a big deal. The big part was not cyber,” said McConnell.


The China-U.S. Cyber Spying Deal: Where Are We Now?

The September 2015 agreement helped depoliticize cyber issues between the two nations.

It has been over a year since Chinese President Xi Jinping and U.S. President Barack Obama agreed to refrain from “conducting or knowingly supporting commercial cyber-espionage” for “commercial advantage” in September 2015. According to open source information, the agreement helped reduce cyberattacks coming from China on U.S. intellectual property. However, it is important for two other reasons. 

First, the agreement helped to depoliticize and depolarize discussions on cyber issues between the two countries. On the one hand, by concluding the agreement the U.S. administration has assuaged concerns of the private sector and wider public that it is not doing enough to counter Chinese cyberattacks. On the other hand, the Chinese government (i.e. Xi Jinping) reportedly has been utilizing the agreement to push for reforms and weed out corruption within the People’s Liberation Army and the intelligence services. (Some analysts believed that rogue actors within the PLA and intelligence services are responsible for a large share of sophisticated cyberattacks against U.S. targets originating from China.)

Second, the agreement led to a number of promising new diplomatic initiatives. In September 2015, in addition to the cyber spying agreement, China and the United States also agreed to promote appropriate norms of state behavior in cyberspace, and to establish a high-level joint dialogue mechanism on fighting cybercrime and related issues. In May, the first Sino-U.S. Senior Experts Group convened to discuss international norms in cyberspace. In June 2016, China and the United States held their second round of bilateral talks on cybercrime in Beijing. Both sides agreed to the so-called “U.S.-China Cybercrime and Related Issues Hotline Mechanism Work Plan.” According to the Cyberspace Administration of China, a new Sino-U.S. cyber hotline is now functional. Both countries also conducted a tabletop exercise in April and are slated to hold a second exercise by the end of the year.

It is important to recall where the U.S.-China cyberspace relationship stood prior to the deal.

The two countries experienced a sharp deterioration of mutual understanding after the U.S. Justice Department indicted five members of the People’s Liberation Army for malicious activities in cyberspace in May 2014 in an effort to stem the tide of Chinese state-sponsored cyberattacks on U.S. critical information infrastructure.

This in turn led Beijing to freeze official discussion of bilateral cyber issues and included suspending participation in the U.S.-China Cyber Working Group (although quiet diplomatic dialogues between both countries continued throughout the period).

Concurrently, Beijing accused Washington of duplicity based on the 2013 revelations of Edward Snowden on U.S. cyberespionage activities worldwide. The United States, in turn, insisted that it had the right to conduct cyberespionage for national security purposes, whereas it insisted that China was violating international norms with its massive commercial cyberespionage effort.

While contacts at the technical level (e.g., between Computer Emergency Response Teams) persisted throughout the period, the diplomatic impasse made any substantial progress on cyber policy questions all but impossible. 

The September 2015 Sino-U.S. agreement ostensibly reversed this downward trajectory.

However, as I noted elsewhere (see “What Does 2016 Hold for China-US Relations in Cyberspace?”), the recent progress cannot detract from the fact that cyber tension persists between China and the United States. One sign is the continuing militarization of cyberspace by both sides:

In 2015, the United States and China also stepped up the cyber arms race. In May of last year, China issued its first ever “Military Strategy” emphasizing the importance of cyberspace for future military operations. In 2015, the Pentagon issued a new “Cyber Strategy,” and Cyber Command issued a new planning document, titled “Beyond the Build.” In addition, the Pentagon issued a new Law of War Manual, in which the pre-emplacement of “logic bombs” in an adversary country’s networks and information systems is advocated.

Having said that, the agreement, as outlined above, is without a doubt an important step towards depoliticizing bilateral discussions on cyber issues between China and the United States. It has helped stabilize their shaky relationship on an issue that is a critical competitive point and may open the door for further engagement on additional key aspects of cybersecurity. 

 

Franz-Stefan Gady is a senior fellow at the EastWest Institute. His research interests include civil-military relations, military affairs, cyber-diplomacy, and the politics of South Asia.

The views expressed in this post reflect those of the author and not that of the EastWest Institute.

China Cyber: Stepping Into the Shoes of a “Major Power”

In November 2016 the Cyberspace Administration of China (CAC) hosted the third “World Internet Conference,” in the ancient water town of Wuzhen, near Shanghai. The CAC is the organization that staffs the Central Leading Group for Internet Security and Informatization, which is chaired by President Xi Jinping and coordinates Chinese cyberspace policy across the government. This year’s conference was smaller than last year’s (1,600 vs. 2,000 participants), more focused and substantive, and generally more serious. It included a large expo featuring dozens of Chinese cyber companies and several major U.S. firms.

The conference is the flagship of Chinese cyber gatherings, as evidenced by the substantial infrastructure investment made in the past year, including a new capacious and functional conference center. This “Wuzhen Conference” is here to stay, not least because of the personal attention of Jack Ma, whose Alibaba is headquartered in nearby Hangzhou.

One major innovation this year was the involvement by CAC of other ministries to run various tracks of the conference, such as Mobile Internet, Internet+Logistics, and Digital Economy. This shift deepened the content and participation across the public and private Chinese cyber establishment.

Although the conference opened with a video from Xi Jinping, and was presided over by CAC Minister Xu Lin (who has replaced the flamboyant Lu Wei), Western governments continued the practice of not sending senior representatives. One reason for this has been chronically late decisions from the Chinese setting the date of the conference. But a more substantive reason for Western reluctance is the concern that the Chinese would see senior Western participation as an acknowledgement of China’s leadership role in cyberspace policy, and, worse, an endorsement of Chinese cyber policies.

The Chinese are aware of these concerns and are working to mitigate them. As a first step, a year ago, the CAC established a multi-stakeholder international advisory committee, co-chaired by Jack Ma and former ICANN chief Fadi Chehade. The committee remains a work in progress, but progress there is. The CAC consulted with the committee on the overall design of the conference, although the agenda and participants remained the CAC’s decision at the end. More importantly, the CAC made a significant change in the public face of the conference.

In previous years the organizers have attempted with varying success to publish a statement of conclusions of the conference, feeding Western concerns about capture. This year the CAC made two changes. First, there is no conference statement. Instead, there is a statement from the advisory committee. Second, the process used to develop that statement was, in the words of Chehade, “a model of participatory process.” Indeed, drafts were circulated well in advance and most of the dozens of comments were accepted.

The results are notable both in the general scope of the statement, which avoids highly contentious issues such as internet freedom, and in particular – in two paragraphs which read as follows (emphasis added):

Third, many countries will continue to pay high attention to cybersecurity and to make generally accepted international Internet rules on the basis of respecting national sovereignty in cyberspace, while recognizing the need for cooperation and agreement based on the UN Charter and international law and fundamental principles of international relations and international cyberspace matters. International norms and regulations will become the common aspiration of international society.

Fourth, multilateral and multi-party participation will become the norm for internet governance. Governments, international organizations, Internet companies, technology communities, civil organizations, academia, and individuals will all take positive actions to safeguard and promote deepening pragmatic cooperation on building the Internet shared and governed by all, and together contribute to its sustainable development.

The term “national sovereignty in cyberspace” replaces a long-used and controversial term “cyberspace sovereignty.” The new language expresses more clearly the obvious point that states should and will exercise responsibility to make cyberspace safer and more secure within their borders. At the same time, it removes the impression that any state should seek hegemony in global cyberspace.

Similarly, the term “multi-party participation,” followed as it is by a list of constituencies that others call “multi-stakeholder,” represents an important shift. The word used for “party” here is 方(fang), which means person or side. Thus the Chinese are signaling their acceptance of the reality that creating a safe, secure, open and efficient Internet requires the participation of many interests, not just states.

Small but important shifts like these illustrate a larger reality. China is becoming a major power on the global stage. As it steps into those shoes, at least in cyber, it is paying attention to the larger implications of its words and actions. This seems to me a promising development.

2016 Nextgen Essay Contest Winners Announced

The EastWest Institute (EWI) is excited to announce the winners of this year’s Nextgen Essay Contest, which generated entries from around the world.

Participants submitted essays examining and recommending viable ideas to address challenging issues facing the world today. Based on scoring by the three esteemed judges, these three essays were proven to be well-structured and scored high in all four criteria: meticulously supported, original and creative, viable, and popular among our Facebook fans.

Congratulations to:

First Place:
“A ‘New Cold War?’ Hardly”
Christopher Estep
Kansas, USA

Second Place:
"Win cyberwar by playing it safe"
Nicolas Zahn
Zurich, Switzerland

Third Place:
"Wars? It's about resources – stupid!"
Audrey Simango
Mutare, Zimbabwe

The EastWest Institute would also like to congratulate the seven other finalists: 

Nwankwo Guzorochi

Liaofan Mohanty

James Brumbaugh

Usamah Adenowo

Leo Asuquo

Lorenzo Lombos

Adeniruju Treasure
 

EWI will post the three winning essays over the course of this week. EWI will also publish the seven finalists' essays on the Nextgen website in the coming weeks. Be sure to contribute to the Nextgen blog and see you at the 2017 Nextgen Essay Contest!

Bruce McConnell Talks "A Buyers Guide" to Wall Street Journal

Bruce McConnell, who leads EWI’s Global Cooperation in Cyberspace Initiative, speaks exclusively to the Wall Street Journal about the breakthrough document that seeks to manage cybersecurity risks in acquiring technology products and services.

Microsoft Corp. and Chinese technology giant Huawei Technologies Co. are feeling the heat from each other’s government.

Chinese antitrust regulators are investigating Microsoft, and Huawei has been shut out of the U.S. telecommunications-equipment market over concerns it might be a front for cyberspying.

None of that is good for business. And now the two have joined forces in a “buyers guide,” meant to allay fears that each new information-technology contract poses a cybersecurity threat. Aimed at governments and corporations shopping for information- and communications-technology products and services, it was produced in cooperation with the nonprofit EastWest Institute.

Rather than reviews and rankings, this buyers guide offers a discussion of security issues in technology development, manufacturing, distribution and supply-chain management. It is part of a broader effort to shift the global cybersecurity debate away from what trade groups describe as protectionist initiatives triggered by political tensions between governments.

It offers “five principles,” the first being, “Maintain an open market that fosters innovation and competition and creates a level playing field for ICT providers.”

“This is an attempt to create objective criteria for buying technology products and services,” said Bruce McConnell, vice president of the EastWest Institute, which is based in New York.

Microsoft and Huawei are the two principal supporters of the EastWest working group that compiled the guide. Microsoft was represented by Angela McKay, its cybersecurity policy and strategy director; Huawei, by Andy Purdy, chief security officer of Huawei’s U.S. unit.

“If we simply think about the countries of origin (of technology vendors), we are not going to protect ourselves adequately,” Mr. Purdy said in an interview.

Microsoft representatives declined to comment.

While the companies are trying to separate cybersecurity issues from national politics, both the U.S. and China can point to episodes that suggest cyberspying is a genuine threat.

China has intensified efforts to reduce its industries’ dependence on U.S. technology vendors since Edward Snowden revealed in 2013 that Washington uses U.S. tech products for espionage. It is drafting cybersecurity regulations that would require equipment used by the government and state-owned enterprises be “secure and controllable.”

U.S. trade groups contend that Beijing is using cybersecurity as a pretext to favor domestic companies.

But the U.S. government has also played the cybersecurity card. A 2012 congressional report suggested that Huawei’s telecom networking gear could be used by the Chinese government to spy on Americans. Huawei, a Shenzhen-based company founded in 1987 by a former Chinese army engineer, has denied the allegations.

Huawei, one of the world’s largest makers of telecom equipment and smartphones, has been trying to emphasize its role in the tech industry’s efforts to increase the security of wireless networks and other products. Over the past few years, it has published cybersecurity white papers to communicate its views on the challenges and how to address them.

“Businesses on both sides are frustrated by continued friction between the U.S. and China,” said Duncan Clark, chairman of Beijing-based consulting firm BDA China, who has worked with many Chinese companies including Huawei.

There are, however, some signs of changes in the debate.

Earlier this year, a Chinese government committee that is defining cybersecurity standards allowed Microsoft, Intel Corp., Cisco Systems Inc. and International Business Machines Corp. to take part in drafting rules rather than just participating as observers, The Wall Street Journal reported last month.

EastWest’s Mr. McConnell said the buyers guide doesn’t aim to eliminate national-security concerns. The question, he said, is how much of the protectionism is based on security considerations and how much on the desire to promote homegrown companies.

“This is the first step,” he said. “You can at least advance a conversation.”

 


Purchasing Secure ICT Products and Services: A Buyers Guide

This Buyers Guide is intended to help the buyers, suppliers, and users of information and communications technologies better understand and address the cybersecurity and privacy risks inherent in information and communications technology (ICT) products and services. These individuals include senior executives and members of their governing boards and parent organizations, chief information and information security officers, risk management professionals, acquisition officers, insurers, auditors, other third-party risk evaluators, and design, manufacturing and supply chain professionals. The Guide provides these three overarching recommendations for ICT buyers and suppliers:

1. Engage in a dialogue about risk management.

2. Use questions in this Guide to frame the dialogue.

3. Rely on international standards to increase confidence in the results.
