One of the most touted takeaways from Chinese President Xi Jinping’s (習近平) visit to the US last month was an agreement by the two leaders on the contentious issue of cyberattacks — and especially cyberespionage — against US targets. Particular attention has been given to a commitment Xi and US President Barack Obama made to avoid engaging in or knowingly supporting acts of cybertheft for economic gain.
However, while the commitment signals bilateral goodwill, there are a number of reasons to doubt its effectiveness in curbing commercial espionage and the broader problem of intrusive, destructive cyberattacks against a range of US targets by entities tied to the Chinese government:
Absence of clear standards or verification mechanisms: Security experts analyzing the agreement noted its vague wording and lack of definitions for what constitutes acceptable or unacceptable activity, meaning further negotiation would be required to render the agreement effective.
Similarly, no objective metrics were identified for determining whether one side or the other has followed through on its commitments. These challenges, along with the near impossibility of tracing who is responsible for most cyberattacks, are likely to make enforcement difficult.
Omission of politically motivated attacks: More problematic from the perspective of privacy and freedom of expression was the cybertheft agreement’s focus on the economic realm. By framing the pact in this way, Obama and Xi ignored the increasingly aggressive, sophisticated and widespread cyberattacks apparently committed by Chinese state actors against US media companies, human rights groups, individual activists and government bodies.
Thus, even if an agreement like this one had been in place for the past five years, it arguably would not have prevented attacks on Google in 2010 (which hacked rights defenders’ accounts, among other targets), media outlets like the New York Times in 2012 (seeking information on the sources for the paper’s investigation of former Chinese premier Wen Jiabao’s (溫家寶) family wealth), or a massive denial-of-service attack against the code-sharing platform GitHub in March of this year. Nor would it have helped stem routine phishing attacks that target overseas Chinese, Tibetan and Uighur activists and, increasingly, US government personnel.
Failure to address vulnerabilities created by China’s Great Firewall: More indirectly, any agreement that depoliticizes the Chinese government’s Internet policies is overlooking the general security problems created by the Great Firewall (GFW) — Beijing’s system for monitoring and filtering Internet communications between China and the outside world.
Over the past month, this issue was highlighted by two incidents in which malware infected applications on Apple’s mobile operating system. On Sept. 17, some of China’s most popular apps — including Tencent’s WeChat and NetEase — were found to be carrying malware, affecting hundreds of millions of smartphones and marking the largest such incident to date in Apple’s history.
The apps were susceptible to intrusions because they were built with an alternative to Apple’s standard Xcode development tools.
Analyzing why app developers might have used a less secure alternative, Oiwan Lam (林藹雲) of Global Voices (全球之聲) said that due to the slow international Internet connections in China (a direct result of the GFW’s real-time filtering), downloading Xcode takes a very long time.
Some programmers have consequently turned to alternatives that are more accessible from within the firewall, but also more vulnerable to malware.
In the second incident, a malicious program targeting Apple devices was reported on Oct. 4 by researchers at Palo Alto Networks. This time, a Chinese marketing company took advantage of Internet users’ desire to circumvent censorship to convince them to download an infected application. The malware essentially allowed the marketers to take control of users’ phones and execute certain actions, such as opening their Safari Web browser to a page showing clients’ products or advertisements.
Both of the above incidents were resolved quickly without long-term harm to consumers, but future attacks that exploit the same incentives might not prove as innocuous.
Moreover, security analysts have found that the attack in March this year on GitHub was carried out with a tool they labeled the “Great Cannon.”
This weapon, which is colocated with the GFW, worked by redirecting large volumes of bystander traffic — mostly from Taiwan and Hong Kong — that was headed for search engine Baidu’s China servers and using it to swamp and paralyze the US-based code-sharing Web site.
Ultimately, actions speak louder than words. Over the next six months, security experts are to closely track and investigate reports of cyberintrusions from China against US companies and other targets, hopefully providing evidence on whether the pace of attacks has slowed, if not ceased.
Meanwhile, the Obama administration has two avenues — a bilateral dialogue and an ongoing response system — through which to press the Chinese government for answers and prosecutions of those found responsible for violations. The US would also continue to consider imposing sanctions on Chinese companies found to have benefited from cyberespionage.
The threat of sanctions appears to have had at least a short-term impact: On Monday, the Washington Post reported that Chinese officials had for the first time arrested hackers identified by US officials.
A White House fact sheet states that these new communication channels could address “malicious cyberactivities” generally. This leaves space for US officials to expand the scope of inquiries beyond commercial espionage. US and Chinese Internet users, civil society and media outlets would be well-served if politically driven attacks were covered, beginning with the first bilateral dialogue expected before the end of this year.
In the meantime, though, security experts who have analyzed the Obama-Xi agreement appear to agree that they will not be out of work anytime soon.
On Sept. 29, security firm KnowBe4 offered a stark warning to those seeking protection from detrimental cyberintrusions originating in China: “You are still mostly on your own.”
Sarah Cook is a Senior Research Analyst for East Asia at Freedom House and director of its China Media Bulletin.