During his visit to Washington, D.C., this week, Chinese President Xi Jinping was expected to sign a historic “cyber arms agreement” with the United States, under which each side would agree to adhere to U.N.-established norms of online behavior, the most important of which was not to attack the other’s infrastructure during peacetime, the New York Times reported on Saturday. But in a conference call with reporters today, an Obama administration spokesman scaled back expectations for that agreement considerably.
“I don’t want to suggest that, you know, we’ve reached an arms control agreement here,” said Ben Rhodes, the White House deputy national security advisor for strategic communications.
The sentiment was seconded by Dan Kritenbrink, the senior director for Asian affairs at the National Security Council. “I would be reluctant to raise expectations about an agreement along the lines of what you just described,” he said. “That would be a long-term goal. We’re a long ways from getting there.”
That may be just as well, since any such agreement would have been purely “symbolic” in its value, wrote James Andrew Lewis, the director of the Technology and Public Policy Program at the Center for Strategic and International Studies. Neither “China nor the United States intends to attack the other’s critical infrastructure in peacetime,” he wrote in an op-ed on the CSIS site.
The agreement would have been nearly impossible to verify anyway, Harvard Law School professor Jack Goldsmith argued at Lawfare. Unlike planes and aircraft carriers, offensive cyber capabilities are developed in secret, with carefully hidden budgets, so there is no inventory to inspect and no test to observe.
Even the symbolic value of the deal was limited; the U.S. wouldn’t have committed to much that it hasn’t already. Adm. Michael Rogers, the head of U.S. Cyber Command, the outfit charged with creating offensive cyber capabilities, has publicly said that the United States would follow the rules of war in using offensive cyber weapons. “Remember, anything we do in the cyber arena … must follow the law of conflict. Our response must be proportional, must be in line with the broader set of norms that we’ve created over time. I don’t expect cyber to be any different,” he said in April.
Defining ‘Critical Infrastructure’
At least one analyst doubted that the two sides could even have agreed on the scope of the deal’s core term. Shannon Tiezzi, writing for The Diplomat, wrote that “such a deal is unlikely to actually spell out a definition of what constitutes ‘critical infrastructure.’ That lack of clarity also plagued a 2015 report from the United Nations Group of Governmental Experts on Information Security (GGE), which included a list of ‘norms, rules, and principles’ for state behavior in cyberspace.”
In many ways, “critical infrastructure” remains a catch-all for everything from water treatment plants to banks to manufacturing. And potential attacks on it have preoccupied Washington since then-Defense Secretary Leon Panetta first uttered “cyber Pearl Harbor.”
It’s a tradition that NSA head Admiral Michael Rogers continued last November when he testified, “There shouldn’t be any doubt in our minds that there are nation-states and groups out there that have the capability to do that. To enter our systems, to enter those industrial control systems, and to shut down, forestall our ability to operate, our basic infrastructure,” he said. “It enables you to shut down very segmented, very tailored parts of our infrastructure.”
To date, China appears to have no history of staging such attacks. Indeed, the most famous cyber-physical infrastructure hack remains the Stuxnet attack on Iran’s Natanz nuclear facility, widely attributed to but never claimed by the United States.
So how big a threat to critical infrastructure is China, really? Jonathan Pollet, founder of Red Tiger Security, says: too big to ignore, too small to panic over.
“China poses a very significant threat to U.S. critical infrastructure — but I say that with an asterisk,” Pollet told Defense One in an email. “At the present time, most security analysts don’t foresee China deliberately using its cyber capabilities to disrupt services in the U.S. or cause physical harm. For now, they are actively mapping our networks within the power grid, industrial facilities, oil/gas facilities, etc. They are doing this for multiple reasons, but the two main ones are to put them in a better position for any future military conflict with the U.S. and to steal U.S. R&D and other competitive information.
“However, given China’s moves in the South China Sea, we should discount the possibility of a future military conflict with China — or one of its proxies. Were this to happen it is highly likely they would utilize their cyber assets.”
Pollet has written that a Chinese attack on infrastructure would be difficult, but hardly impossible. Yet it is unlikely, he wrote, if only because it would reveal too much about China’s capabilities.
A loud, disruptive attack that exposes its own tooling is uncharacteristic of the way Chinese actors operate online. Take a look at the OPM breach, and before that, the one against Anthem, the nation’s second-largest health insurer, or any of the many industrial espionage incidents that the U.S. has attributed to China. They all share something important: the malware was designed to avoid detection so as to keep stealing data for as long as possible.
None of this is to suggest that U.S. infrastructure is secure from online attacks. It isn’t; its exposure is arguably the single most urgent online security threat facing the nation, and one for which there is no single easy fix. But unless a larger war breaks out between the United States and China, Beijing isn’t likely to turn off your lights.
Drama aside, the fact that the White House and Beijing are a “long way” from even a symbolic agreement not to hack each other’s infrastructure says a lot about the distance between the two sides on basic language for what is and what is not normal online behavior.