A Sino-American Cyber Security Agreement: Crisis Composed of Danger and Opportunity? Commentary
A Sino-American Cyber Security Agreement: Crisis Composed of Danger and Opportunity?
Edited by:

JURIST Guest Columnist Kevin Govern of Ave Maria School of Law discusses the latest cyber security agreement between China and the US…

It is a longstanding fiction that the Chinese word for “crisis” is composed of elements that signify “danger” and “opportunity.” Nevertheless, in the realm of science fiction writing, author William Gibson coined the term “cyberspace” in his short story, “Burning Chrome,” before most of the public had a concept of, let alone actual experience with, using networked computer systems. Science fiction has given way to cyber reality, with 42.3 percent of the world’s population using the internet on a regular basis, some 741 percent growth between 2000-2014 alone. At the same time, cyber weapons and cyber warfare are among the most dangerous innovations in recent years. Cyber weapons can imperil economic, political and military systems by a single act, or by multifaceted orders of effect, with wide ranging potential consequences. A non-exclusive list of some notable past cyber incidents includes but is not limited to:

· 1994: Chechen rebels use Internet-enabled propaganda [PDF] in the Russo-Chechen war.
· 1999: Serbian hackers try to disrupt NATO military operations that clogged NATO’s e-mail server with 2,000 messages a day.
· 2007: Syrian air defense was reportedly disabled by a cyber attack moments before the Israeli Air Force demolished an alleged Syrian nuclear reactor; massive cyber attacks experienced by Estonia, with most of the compromised and attacking computers located within the US but attributed to Russia.
· 2008: Russo-Georgian war with integrated cyber and conventional operations.
· 2009: the whole of Kyrgyzstan was knocked offline during a time of domestic political crisis.
· 2010: Stuxnet worm attacking Iranian nuclear centrifuges identified as most sophisticated state-sponsored malware.
· 2014: Release of confidential data belonging to Sony Pictures Entertainment, including employee personal information, e-mails, copies of (previously) unreleased Sony films and other information, via a hack believed to be of North Korean origin, and two major breaches reputedly by China of US government databases exposed sensitive information about at least 22.1 million people, including not only federal employees and contractors but their families and friends.
· 2015: A Chinese attack targeted personal emails of “all top [US] national security” officials just days after a “spear-phishing” attack of suspected Russian origin on the Pentagon’s joint staff email system, which exposed some 4,000 civilian and military employees.

The US Director of National Intelligence, James Clapper, recently told the House Intelligence Committee the next phase of escalating online data theft most likely will involve the manipulation of digital information, with a lower likelihood of a “cyber Armageddon” of digitally triggered damage to catastrophically damage physical infrastructure.

On September 25, 2015, during the state visit of Chinese President Xi Jinping, the US and China signed a Memorandum of Understanding [PDF] on a range of global, regional and bilateral subjects. According to a statement from the White House, the two countries now

“agree that neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.”

Many details are left to be determined, though, in the “common effort to further identify and promote appropriate norms of state behavior in cyberspace within the international community,” including, but not limited to, which acts in cyberspace would be tantamount to an act of war.

In this era of great cyber danger and opportunity, my colleagues and co-editors Jens Ohlin from Cornell Law School and Claire Finkelstein from the University of Pennsylvania Law School and I had the privilege of contributing to and editing a book that assembles the timely and insightful writings of renowned technical experts, industrial leaders, philosophers, legal scholars and military officers as presented at a Center for Ethics and the Rule of Law roundtable conference entitled Cyberwar and the Rule of Law.

That work, Cyber War—Law and Ethics for Virtual Conflicts, explores cyber warfare’s moral and legal issues in three categories, pertinent to any cyber security agreement that may be concluded, not just the present Sino-US accord. First, it is critical to address foundational questions regarding cyber attacks. What are they and what does it mean to talk about a cyber war? State sponsored cyber warriors as well as hackers employ ever more sophisticated and persistent means to penetrate government computer systems; in response, governments and industry develop more elaborate and innovative defensive systems. There are valid alternative views concerning whether the laws of war should apply, whether transnational criminal law or some other peacetime framework is more appropriate, or if there is a tipping point that enables the laws of war to be used. Secondly, cyber security challenges traditional conceptualizations of the law of war, or jus in bello, in determining how they might be applied to cyber-conflicts, in particular those of proportionality and necessity. It also investigates the distinction between civilian and combatant in this context and studies the level of causation necessary to elicit a response, looking at the notion of a “proximate cause.” Finally, it is essential to analyze the specific operational realities implicated by cyber warfare technology employed and deployed under existing and potential future regulatory regimes.

On the national and foreign policy front, individual freedom of expression and privacy considerations must be balanced against national sovereignty and security concerns in the enforcement of the Convention on Cybercrime, just as they should be for any future Cyber Weapons Convention or cyber security agreements that China, the US, or any other nations conclude. From a technical perspective, the prospect of increased cyber oversight, regulation and protection appears increasingly challenging but more imperative than any prior time in history, yet as the Brookings Institute has aptly observed [PDF], improved engagement between China and the US on cyber security will likely have a positive impact in establishing global cyber security norms and implementing mechanisms, as well as other shared concerns, like global finance and the environment. For the above reasons and more, any cyber security agreement concluded will be indispensable to prescribing limits, if not proscribing, cyber warfare, and will have dramatic significance to national and homeland security and foreign affairs of each nation.

Professor Govern began his legal career as an Army Judge Advocate, serving 20 years at every echelon during peacetime and war in worldwide assignments involving every legal discipline. In addition to currently teaching at Ave Maria School of Law he has also served as an Assistant Professor of Law at the US Military Academy and teaches at California University of Pennsylvania and John Jay College. He is an coeditor of and contributing author to Cyber War—Law and Ethics for Virtual Conflicts (Oxford University Press, 2015). Unless otherwise attributed, the conclusions and opinions expressed are solely those of the author and do not reflect the official position of the US Government, Department of Defense, or Ave Maria School of Law.

Suggested citation: Kevin Govern, Cyber Security Agreement China: Crisis Composed of Danger And Opportunity?, JURIST – Academic Commentary, Sept. 28, 2015, http://jurist.org/academic/2015/09/Kevin-Govern-cyber-security.php

This article was prepared for publication by Marisa Rodrigues, Assistant Editor for JURIST Commentary. Please direct any questions or comments to her at commentary@jurist.org

Opinions expressed in JURIST Commentary are the sole responsibility of the author and do not necessarily reflect the views of JURIST's editors, staff, donors or the University of Pittsburgh.