The rise of Asia is one of the most significant developments in the twenty-first century geopolitical landscape. Pundits who dubbed the twentieth century the “American Century” are now predicting that the twenty-first century will be the “Pacific Century.” Asia’s ascendance is driven in large part by the return of China, whose economic and political might has been growing at unprecedented speeds, to a position of international prominence. China’s re-emergence as a significant global player has heightened the importance of the bilateral relationship between the U.S. and China, the two largest economies in the world. These two countries, which feature markedly different political systems and cultures, have an unprecedented opportunity to cooperate in reshaping global norms in the name of the greater good. To do so, however, they will have to overcome numerous bilateral disputes, many of which are grounded in divergent views on ethics.
Human rights and climate change are two of the most prominent areas where divergent Chinese and American views, determined in large part by differing stances on various ethical questions, are inhibiting cooperation. In this essay, however, we would like to examine another issue that looms large in both US-China ties and international relations writ large—cybersecurity. Though commonly conceptualized as a strategic geopolitical issue, we contend that its underpinnings are comprised by series of ethical considerations. Moreover, we believe that addressing some of these fundamental ethical considerations will provide a better framework for easing bilateral tensions and promoting cooperation than surface-level tit-for-tat negotiations and public naming and shaming.
Cybersecurity is an issue that has rapidly ascended in importance in the US-China relationship. U.S. military and security officials are increasingly wary of the adversarial effects of potential cyber warfare. In his confirmation hearings for the post as Secretary of Defense in 2011, Leon Panetta warned, “the next Pearl Harbor that we confront could very well be a cyber attack.” China is widely assumed at both the popular and elite levels in the U.S. to be the biggest initiator of cyber attacks on U.S. government, business, and media networks. On the Chinese side, the view is a bit different. Chinese officials, too, feel that they are victims in the cyber realm and note that a considerable proportion of malicious cyber activities globally have originated from computer hosts located in the U.S. This latent sense of US-China distrust in the realm of cyberspace is dangerous as it can exacerbate the broader strategic distrust about each other’s current and future intentions, brewing hostility that is threatening to the health of the most important bilateral relationship in the world.
Cybersecurity is an important geopolitical issue, but framing it in pure strategic terms neglects its core—a series of basic ethical considerations. Economically, these include questions about the ethics of espionage targeting private sector entities as well as, more generally, the ethics of intellectual property. In the politico-military realm, cybersecurity raises general ethical questions about intelligence gathering and reasonable diplomatic and military responses to intrusions and attacks that occur in the cyber realm.
Cybersecurity is a new issue, a global issue, and an important issue. Breaking it apart into its ethical underpinnings provides a framework for effectively addressing it at the bilateral level. Bilateral cooperation can, in turn, drive a broader global conversation on creating a system of norms that provides for a more secure cyber realm.
The role of cybersecurity in US-China relations
Cybersecurity has quickly catapulted to the top of the US-China bilateral agenda. The two sides, however, have expressed very different understandings of the situation, making resolution of the dispute difficult. While some nascent forms of dialogue have begun, a grander vision for addressing the problem is needed. We believe that vision can be found in isolating the ethical dilemmas at the core of the issue.
Stories on suspected attacks from Chinese hackers—whether government-affiliated or not—have been prevalent in the U.S. media in recent years. In 2010, The New York Times reported that investigators had tracked cyber attacks on Google to Shanghai Jiao Tong University (SJTU) and a vocational school in eastern China. The most notorious case came in 2011, when a McAfee white paper documented Operation Shady RAT, an ongoing series of cyber attacks since mid-2006 that have hit at least 72 organizations, including defense contractors, businesses, the United Nations, and the International Olympic Committee. According to McAfee, the Internet security company that executed the investigation, the operation was “a five-year targeted operation by one specific actor” and the targeting of athletic oversight organizations around the time of the 2008 Beijing Olympic Games “potentially pointed a finger at a state actor behind the intrusions.” This state actor is widely presumed to be China. More recently, the security firm Mandiant released a report stating that cyber spying collaboration had been discovered between SJTU and the People’s Liberation Army (PLA). According to Mandiant, several papers on computer network security and intrusion detection were co-authored by faculty at SJTU and researchers at PLA Unit 61398, an allegedly operational unit actively engaged in cyber espionage.
The media’s activism coupled with American private sector angst has spurred a U.S. government response. Recognizing the severity of the problem, the Department of State has elevated the issue to a place of prominence in its annual strategic dialogue with China. The White House has also taken notice. In early March, President Obama and National Security Advisor Tom Donilon both publicly criticized China for its role in supporting cyber attacks and cyber espionage targeting U.S. networks. President Obama also conveyed his concerns personally to Xi Jinping during a phone call to congratulate Xi on his recent installment as China’s president. More recently, Donilon stated that cybersecurity should be included in all major US-China bilateral economic discussions. The U.S. perspective is clear—China is at fault and needs to rectify its wrongdoings.
With the U.S. publicly denouncing China’s alleged role in cyber attacks on American organizations, Chinese officials and public intellectuals have responded in several ways. Some highlight the uncertain nature of attributing cyber attacks to a particular entity since a hacker can take control of another computer in nearly any country to launch malicious cyber activity without the owner even being aware of it. Others react with rage, condemning the U.S. side for making “groundless” accusations and “carrying a Cold War mentality.” To them, this is simply another American plot to demonize China. Still others point out that China is a major victim of cyber attacks. In December 2011, several of China’s most popular online shopping, microblogging, social networking, and gaming websites were hacked, leaking the account information for more than 100 million usernames, passwords, and emails. According to He Rulong, spokesman of the Chinese Embassy in London, 6,747 overseas servers were found to have controlled more than 1.9 million mainframes in China with Trojans or botnets in February and March of this year. Who do these Chinese officials and pundits identify as the initiators of these attacks? The U.S. According to a 2009 Xinhua News report, about 40 percent of cyber attacks on Chinese computer systems in 2005 originated in the U.S.
While the issue of cybersecurity has become one of great importance in US-China relations, steps to address it remain rudimentary in nature. On April 13, U.S. Secretary of State John Kerry announced that the two sides had agreed to establish a cybersecurity working group. A little over a week later, the Chairman of the U.S. Joint Chiefs of Staff, General Martin Dempsey, convened a joint conference with Chinese general Fang Fenghui, who pledged to work with the U.S. because the consequences of a major cyber attack “may be as serious as a nuclear bomb.” Gen. Fang, the chief of the PLA General Staff and a member of the Central Military Commission, indicated that he would be willing to establish a cybersecurity “mechanism,” with the caveat that progress might not be swift.
These steps toward dialogue are positive in nature, but they are only small bricks in the construction of bridge that needs to extend across a great divide. One challenge to improving the bilateral dialogue can be found in the framing of the issue itself: cybersecurity is typically couched within a strategic geopolitical context. We contend that viewing cybersecurity as simply a strategic and technological matter, however, proves restrictive, neglecting the fundamental ethical questions at its core. Identifying these ethical questions not only adds further nuance to our respective understandings of the issue, but also provides a framework for addressing it.
Cybersecurity and ethics: the economic aspect
One example of the ethical foundations of cybersecurity can be found in the economic aspects of the issue. The American mainstream media and U.S. government statements have painted this as a fairly straightforward problem—China is stealing precious intellectual property from American companies. Yet a closer look at the issue yields a measure of its complexity. More specifically, norms regarding the ethics of economically motivated cyber espionage remain underdeveloped and viewing the procurement of commercial data as pure theft fails to take into account cultural considerations regarding the ethics of intellectual property protection.
In recent months, numerous reports have been released identifying China as a thief—the illegal procurer of sensitive American proprietary information. It is important to note however, that even assuming these reports are accurate and China does procure economic data from American firms through cyber espionage, the People’s Republic is not alone in doing so. Indeed, a recent U.S. National Intelligence Estimate notes that France, Russia, and Israel have engaged in hacking for economic intelligence. The diversity of these countries—a democracy, an authoritarian regime, and a democracy founded on religious grounds—is indicative of the fact that relevant norms on cyber espionage are neither universal nor well-established. Such a fact creates an area of ethical fuzziness that makes assertions of right and wrong as regards economic cyber espionage problematic.
More importantly, the issue of economically motivated cyber espionage is underwritten by difficult questions regarding intellectual property. This is a longstanding area of contention between the U.S. and China, but one worth rehashing. In short, different cultures employ different practices of idea attribution, a reality which is all-too-often overlooked. American academic papers frequently feature hundreds of footnotes; many serious papers by Chinese scholars employ only a few footnotes. Who is right? Do Americans excessively individualize the production of knowledge, losing sight of its true social value, or do Chinese academics understate the role that individuals play in creating ideas? And what role does culture and tradition play? In the U.S., students are encouraged at a very young age to “think outside the box” as well as to “find your own way of learning.” Americans are taught to use the ideas presented to them to chart their own, unique course forward. In China, by contrast, students learn primarily through rote memorization—the consumption of knowledge and later reproduction of it on standardized tests. Such a system has its roots in the ancient practice of imperial examination, in which prospective officials proved they were worthy of governing by demonstrating their mastery of the content and style of Confucian wisdom. Examinees sometimes spent a lifetime in preparation, memorizing the work of sages such as Confucius and Mencius so as to reproduce it in essays that were notoriously rigid in form. In other words, in China, imitation can be not only the sincerest form of flattery, but also the sincerest form of respect. This cultural norm, in turn, influences conceptions of the ethics of intellectual property itself, posing questions like: Is intellectual property itself always ethical, particularly when one takes into account the disparities in wealth, healthcare, and access to technology it can create? And shouldn’t the true value of knowledge be founded on its social impact and not a financial measure?
These ethical considerations make the U.S. accusation that China is a thief problematic, not only from the perspective of “right” versus “wrong,” but also in terms of finding common ground from which to address the cybersecurity issue. Both sides, then, could benefit from taking a step back to look at core ethical questions about economically motivated cyberespionage: a) what are the international norms in this area and what should they be? And b) how should intellectual property be conceptualized and how should its protection be encouraged?
Cybersecurity and ethics: the politico-military aspect
Ethics also stand at the core of considerations regarding cybersecurity’s politico-military dimensions. Important ethical questions in this realm include: What type of interstate cyber espionage is acceptable? And what are ethical forms of response to incidences of cyber espionage and cyber attack?
At a fundamental level, espionage of any type stands on questionable ethical footing. That being said, in practice states both acknowledge and allow espionage to occur. Such espionage, however, is not without its own set of ethical guidelines. One prominent example of this was the so-called “Moscow Rules”—the tacitly agreed to set of regulations for interstate espionage between the U.S. and Soviet Union during the Cold War. Defense Group International Vice President James Mulvenon, among others, has noted that these rules simply do not exist in the cyber realm. Without these mutually constituted social guidelines on ethics in the practice of espionage, how are state cyber intelligence agents supposed to determine what is permissible as opposed to what “crosses the line?”
On the military front, ethical questions regarding appropriate responses to incidents of cyber espionage and cyber attack also stand prominent. Here, the consequences of an unclear ethical framework for response entail huge risks. Cyber warfare is an extremely new tactic. Thus, the issue of appropriate and proportional response remains an important and uncharted territory. If U.S. intelligence operatives hack into a Chinese military network and destroy plans that are integral to China’s construction of its new aircraft carrier, what is an ethical response? Can Chinese intelligence agents respond by launching a cyber attack on an American bank that wreaks widespread havoc, thereby hurting the U.S. government’s economic position? More alarmingly, what happens if a cyber attack by one side on the other is deemed so damaging that a conventional military response is taken into consideration?
Here, again, the dialogue between the U.S. and China would benefit from a clear focus on a series of ethical questions. Without ethical guidelines on interstate espionage and emergency response mechanisms, bilateral mutual distrust stands to grow and the potential for a major military conflict, in the cyber or conventional realm, remains perilously high.
China, the U.S., and cybersecurity: the opportunity
By focusing on the ethical underpinnings of the cybersecurity issue, the U.S. and China can chart a path forward in addressing the bilateral dispute. As the two most significant players in international cyberspace, the two sides can expect dividends from cooperating in establishing norms in the cyber realm. Since strategic mistrust regarding cybersecurity has a spillover effect on overall bilateral relations, cooperation in setting norms on permissible cyberspace behavior can help ease tensions between the two countries. Moreover, US-China bilateral collaboration in addressing the issue can serve as a critical step towards promoting multilateral efforts aimed at ensuring a more secure cyber realm.
The task of bridging the divide between Chinese and American understandings of cybersecurity is not an easy one. Tensions are high and the stakes—the health of the bilateral relationship and the safety of the cyber realm—are even higher. Nevertheless, there is a path forward for the two countries and it can be found in a consideration of the fundamental ethical questions that constitute the issue of cybersecurity itself. By clarifying their respective views on a series of simple ethical questions, the U.S. and China will increase mutual understanding, creating a more conducive environment for dialogue. This dialogue, in turn, will make possible agreements on certain new norms in the cyber realm.
Ultimately, the U.S. and China are only two countries in a complex international system. They alone cannot solve problems involving multiple stakeholders. By working to create new norms, however, they can mature the multilateral dialogue on issues like cybersecurity, helping to make possible global solutions to important global problems.
Robert D. O'Brien
University of Oxford