One of the most touted takeaways from Chinese President Xi Jinping’s (習近平) visit to the US last month was an agreement by the two leaders on the contentious issue of cyberattacks — and especially cyberespionage — against US targets. Particular attention has been given to a commitment Xi and US President Barack Obama made to avoid engaging in or knowingly supporting acts of cybertheft for economic gain.
However, while the commitment signals bilateral goodwill, there are a number of reasons to doubt its effectiveness in curbing commercial espionage and the broader problem of intrusive, destructive cyberattacks against a range of US targets by entities tied to the Chinese government:
Absence of clear standards or verification mechanisms: Security experts analyzing the agreement noted its vague wording and lack of definitions for what constitutes acceptable or unacceptable activity, meaning further negotiation would be required to render the agreement effective.
Similarly, no objective metrics were identified for determining whether one side or the other has followed through on its commitments. These challenges, along with the near impossibility of tracing who is responsible for most cyberattacks, are likely to make enforcement difficult.
Omission of politically motivated attacks: More problematic from the perspective of privacy and freedom of expression was the cybertheft agreement’s focus on the economic realm. By framing the pact in this way, Obama and Xi ignored the increasingly aggressive, sophisticated and widespread cyberattacks apparently committed by Chinese state actors against US media companies, human rights groups, individual activists and government bodies.
Thus, even if an agreement like this one had been in place for the past five years, it arguably would not have prevented attacks on Google in 2010 (which hacked rights defenders’ accounts, among other targets), media outlets like the New York Times in 2012 (seeking information on the sources for the paper’s investigation of former Chinese premier Wen Jiabao’s (溫家寶) family wealth), or a massive denial-of-service attack against the code-sharing platform GitHub in March of this year. Nor would it have helped stem routine phishing attacks that target overseas Chinese, Tibetan and Uighur activists and, increasingly, US government personnel.
Failure to address vulnerabilities created by China’s Great Firewall: More indirectly, any agreement that depoliticizes the Chinese government’s Internet policies is overlooking the general security problems created by the Great Firewall (GFW) — Beijing’s system for monitoring and filtering Internet communications between China and the outside world.
Over the past month, this issue was highlighted by two incidents in which malware infected applications on Apple’s mobile operating system. On Sept. 17, some of China’s most popular apps — including Tencent’s WeChat and NetEase — were found to be carrying malware, affecting hundreds of millions of smartphones and marking the largest such incident to date in Apple’s history.
The apps were susceptible to intrusions because they used an alternative to Apple’s standard XCode.
Analyzing why app developers might have used a less secure code, Oiwan Lam (林藹雲) of Global Voices (全球之聲) said that due to the slow international Internet connections in China (a direct result of the GFW’s real-time filtering), downloading XCode takes a very long time.
Some programmers have consequently turned to alternatives that are more accessible from within the firewall, but also more vulnerable to malware.
In the second incident, a malicious program targeting Apple devices was reported on Oct. 4 by researchers at Palo Alto Networks. This time, a Chinese marketing company took advantage of Internet users’ desire to circumvent censorship to convince them to download an infected application. The malware essentially allowed the marketers to take control of users’ phones and execute certain actions, such as opening their Safari Web browser to a page showing clients’ products or advertisements.
Both of the above incidents were resolved quickly without long-term harm to consumers, but future attacks that exploit the same incentives might not prove as innocuous.
Moreover, security analysts have found that the attack in March this year on GitHub was carried out with a tool they labeled the “Great Cannon.”
This weapon, which is colocated with the GFW, worked by redirecting large volumes of bystander traffic — mostly from Taiwan and Hong Kong — that was headed for search engine Baidu’s China servers and using it to swamp and paralyze the US-based code-sharing Web site.
Ultimately, actions speak louder than words. Over the next six months, security experts are to closely track and investigate reports of cyberintrusions from China against US companies and other targets, hopefully providing evidence on whether the pace of attacks has slowed, if not ceased.
Meanwhile, the Obama administration has two avenues — a bilateral dialogue and an ongoing response system — through which to press the Chinese government for answers and prosecutions of those found responsible for violations. The US would also continue to consider imposing sanctions on Chinese companies found to have benefited from cyberespionage.
The threat of sanctions appears to have had at least a short-term impact: On Monday, the Washington Post reported that Chinese officials had for the first time arrested hackers identified by US officials.
A White House fact sheet states that these new communication channels could address “malicious cyberactivities” generally. This leaves space for US officials to expand the scope of inquiries beyond commercial espionage. US and Chinese Internet users, civil society and media outlets would be well-served if politically driven attacks were covered, beginning with the first bilateral dialogue expected before the end of this year.
In the meantime, though, security experts who have analyzed the Obama-Xi agreement appear to agree that they will not be out of work anytime soon.
On Sept. 29, security firm KnowBe4 offered a stark warning to those seeking protection from detrimental cyberintrusions originating in China: “You are still mostly on your own.”
Sarah Cook is a Senior Research Analyst for East Asia at Freedom House and director of its China Media Bulletin.
Recently, China launched another diplomatic offensive against Taiwan, improperly linking its “one China principle” with UN General Assembly Resolution 2758 to constrain Taiwan’s diplomatic space. After Taiwan’s presidential election on Jan. 13, China persuaded Nauru to sever diplomatic ties with Taiwan. Nauru cited Resolution 2758 in its declaration of the diplomatic break. Subsequently, during the WHO Executive Board meeting that month, Beijing rallied countries including Venezuela, Zimbabwe, Belarus, Egypt, Nicaragua, Sri Lanka, Laos, Russia, Syria and Pakistan to reiterate the “one China principle” in their statements, and assert that “Resolution 2758 has settled the status of Taiwan” to hinder Taiwan’s
Singaporean Prime Minister Lee Hsien Loong’s (李顯龍) decision to step down after 19 years and hand power to his deputy, Lawrence Wong (黃循財), on May 15 was expected — though, perhaps, not so soon. Most political analysts had been eyeing an end-of-year handover, to ensure more time for Wong to study and shadow the role, ahead of general elections that must be called by November next year. Wong — who is currently both deputy prime minister and minister of finance — would need a combination of fresh ideas, wisdom and experience as he writes the nation’s next chapter. The world that
Can US dialogue and cooperation with the communist dictatorship in Beijing help avert a Taiwan Strait crisis? Or is US President Joe Biden playing into Chinese President Xi Jinping’s (習近平) hands? With America preoccupied with the wars in Europe and the Middle East, Biden is seeking better relations with Xi’s regime. The goal is to responsibly manage US-China competition and prevent unintended conflict, thereby hoping to create greater space for the two countries to work together in areas where their interests align. The existing wars have already stretched US military resources thin, and the last thing Biden wants is yet another war.
As Maldivian President Mohamed Muizzu’s party won by a landslide in Sunday’s parliamentary election, it is a good time to take another look at recent developments in the Maldivian foreign policy. While Muizzu has been promoting his “Maldives First” policy, the agenda seems to have lost sight of a number of factors. Contemporary Maldivian policy serves as a stark illustration of how a blend of missteps in public posturing, populist agendas and inattentive leadership can lead to diplomatic setbacks and damage a country’s long-term foreign policy priorities. Over the past few months, Maldivian foreign policy has entangled itself in playing