Dissecting China’s Global Bilateral Cybersecurity Strategy

Is China making nice in the cyberworld or is the country blowing smoke up our legs?

Over the course of the past two years, we have seen China sign multiple bilateral cybersecurity agreements with countries that could all be classified as potential adversaries, and pursue high-level dialogue where agreements are a step too far. These countries include Russia (May 2015), the United States (October 2015), Germany (November 2016), Australia (April 2017) and Canada (May 2017).

But do these bilateral agreements really slow down the Chinese information acquisition apparatus? Let’s see.

China and Russia

Taking a look at the Russia-Sino bilateral agreement, the agreement pledged to put in place a variety of trust and confidence building measures, according to the analysts at RussiaDirect. Their analysis of the agreement:

“These threats include the use of technology

  • to carry out acts of aggression aimed at the violation of sovereignty, security and territorial integrity of states,
  • to interfere in the internal affairs of states,
  • to cause economic damage,
  • to commit crimes, including data breach, for terrorist purposes, or
  • to disseminate information that ‘harms political and socio-economic systems, or the spiritual, moral and cultural environment of other states.’”

Well, the Russia-China agreement might as well have been written with disappearing ink, as it did not take long for China to begin its systematic engagement with Russian entities in the cyberenvironment. By September 2015, Russian telecommunications and military entities were targeted by Chinese entities, according to Proofpoint.

Then in August 2016, Kaspersky researchers noted that from January to July of that year, more than 194 attacks originating from China had targeted Russian industries, including aviation, defense and nuclear.

If you’re Russia, you’re scratching your head and wondering what the hell is going on, given the agreement between the two countries. If you are the rest of the world, especially a country that has experienced Russia’s cyberprobes, you’re probably saying, “Karma is a wonderful thing.”

China and the United States

The U.S.-China cybersecurity accord was signed during the Sept. 24-25, 2015, visit of President Xi Jinping of China to the United States. Then-President Obama noted that the Chinese “theft of trade secrets is an act of aggression and has to stop” and threatened sanctions should China not take the accord seriously (noting his April 1, 2015 Executive Order 13694).

The agreement called for both sides to refrain from stealing trade secrets or engaging in cybermischief targeted against private sector entities. The accord left wide open activities directed against public sector entities. It did not explicitly note that nation-state espionage will continue, but by omitting any requirement to refrain, it set the expectation that such activity may continue.

China did not disappoint. It has been eating the United States’ lunch, going after trade secrets with great regularity. Just last month a Chinese national walked into a Massachusetts high-tech firm, sat down in the company’s conference room and attempted to access the company’s network. Prior to this action, he had engaged company employees via social networks and conducted surveillance.

Then, earlier this year we saw two separate HUMINT operations that targeted the State Department and Central Intelligence Agency. There is a reason nation state activity wasn’t mentioned: China had many long bets in play. IBM saw its source code walk out the door and Texas-based Trelleborg saw its undersea technology targeted.

And then there is the most damaging of all data heists, the Office of Personnel Management attack and subsequent acquisition of the clearance files on those individuals who are entrusted with keeping the secrets of the United States—a targeter’s dream! The Committee on Oversight and Government Reform’s 241-page report, “The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation,” lays it out in stark detail.

China isn’t just eating the United States’ lunch, it is eating the whole buffet.

But, perhaps all is not lost. The United States and China sat down Oct. 4 to a U.S.-China Law Enforcement and Cybersecurity Dialogue. The agenda items for these high-level discussions included: immigration, fugitives, counter-narcotics, counterterrorism and cybersecurity.

China and Australia

On April 21, China and Australia signed their cybersecurity bilateral accord. The agreement declares, “Australia and China agreed that neither country would conduct or support cyber-enabled theft of intellectual property, trade secrets or confidential business information with the intent of obtaining competitive advantage.”

That sounds vaguely familiar, echoing the language that appeared in the U.S.-China accord.

The next month, however, saw departing Secretary of Defence Dennis Richardson comment on both China’s spying and exerting “unreasonable influence over Chinese communities and media in Australia.” Ever the pragmatist, Richardson observed, “It is simply the world in which we live.”

China and Germany

China and Germany didn’t actually sign a bilateral agreement—they agreed in early November 2016 to talk about it by establishing a “high-level security dialogue mechanism. China and Germany should deepen exchanges and cooperation in anti-terrorism, cyber-security, fighting transnational organized crimes and on judicial issues, and better safeguard security interests of the two countries.”

The German side no doubt was highly skeptical of China’s willingness to hold back its vacuuming of trade secrets from German entities. And apparently rightly so: Germany’s digital industry association BitKom issued a report noting that German industry loses more than 55 billion euros each year to espionage, sabotage or data theft.

Contemporaneous with BitKom’s report is the annual report of Germany’s domestic intelligence and security service (BfV), which calls China out specifically for its targeting of German industry, research, technology and armed forces.

China and Canada

Canada also agreed to have a dialogue with China, which the countries called the “Canada-China High-Level National Security and Rule of Law Dialogue.”

Under the dialogue, “The two sides agreed that neither country’s government would conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.”

This wording is very similar to the U.S.-China agreement, which focused on trade secrets and not national secrets.

What’s Next?

The ink is still drying on the Australia agreement, and Germany and Canada are holding talks, while the United States and Russia remain engaged in continuing dialogue specific to their bilateral accords.

We’ll check back in a few months and as events warrant, as China continues to expand its global trade footprint and seeks additional bilateral cybersecurity agreements. We’ll then take measure as to whether China has eased up on the theft of intellectual property.

In the interim, does anyone want to bet a dozen Krispy Kreme donuts against the prognostication that western companies and countries will continue to be filleted?

Christopher Burgess

Christopher Burgess (@burgessct) is a writer, speaker and commentator on security issues. He is a former Senior Security Advisor to Cisco and served 30+ years within the CIA which awarded him the Distinguished Career Intelligence Medal upon his retirement. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century”. He also founded the non-profit: Senior Online Safety.
