A new report proposes that China and the United States discuss taboo hacking topics, such as cyberattacks, to cool cybersecurity relations before the dispute becomes as explosive as global finance.
Unlike many recent accounts condemning China for gross cyber spying, the Brookings Institution paper avoids pointing fingers at either side. In fact, much of the analysis recounts instances of computer sabotage and espionage in other countries, such as Russia allegedly bringing down Estonia's Internet and a Spanish-origin virus that infiltrated more than 12 million computers worldwide. Authors Kenneth G. Lieberthal and Peter W. Singer, both senior fellows at the Washington think tank, plan to distribute a Chinese-language version of the report to Chinese policymakers.
"The potentially poisoning effect of cybersecurity on the [U.S.-China] relationship is occurring at a time when there is genuine uncertainty about the degree and speed of changes in the global balance of power," they write. "Discussions of intractable arenas can deepen mutual understanding of the differing underlying assumptions and concerns that make them so difficult, and thus, to some degree, increase the prospect for addressing some of these issues -- or at least of somewhat limiting their negative effects -- over time."
The definition of a cyberattack, for instance, raises tensions between the two, with China maintaining that rumors spread over U.S. social media represent an attack and America stating that intellectual property theft by the Chinese is an attack. "There may be wide disagreement on what constitutes an 'attack,' but coming to agreement on the definition of certain types of targets could prove very useful," the authors write. "For example, mutual agreement on what constitutes 'critical infrastructure' might end up making it easier to protect such infrastructure than it is to disable it."
The researchers remark that China and the United States have confronted this linguistic divide before: "In one diplomatic meeting between U.S. and Chinese officials, when U.S. representatives first used the term 'engagement,' the Chinese were said to be baffled about whether the U.S. meant 'marriage proposal' or 'exchange of fire.' "
Joint cybersecurity conversations also should address, perhaps as a starting point, mutual concerns like child pornography, the authors recommend. Federal officials admit such discussions have taken place with the expectation that agreement on Internet fraud could mollify eventual talks on cyber espionage and Internet freedom.
When America and China engage on cybersecurity, however, the countries should sideline their existing intermediaries, the authors say.
"Since the 1970s, the U.S. State Department and Chinese Foreign Ministry have been the primary ministry level vehicles through which the two nations have managed their relationship, a natural aspect of the centuries-old practice of diplomacy . . . [but] the reality is that neither of these agencies has any significant power over their own country's internal deliberations on cybersecurity, nor any depth of expertise on the topic itself," they write.
Instead, the countries should develop a broader cadre of people who use the same cyber vocabulary, are respected by their own leadership and have trust in each other's gravitas, the researchers suggest.
Their report also tries to dispel the image of the United States as cyber victim and China as cyber avenger. The authors acknowledge the almost daily stories about alleged Chinese intrusions, including reported breaches of everything from weapons technology designs to corporate strategies to the personal emails of U.S. officials. They counter this portrait with facts on cybercrime in China, some of it happening internally and some of it originating in the United States. In December 2011, more than a dozen of China's most popular online retail and social media sites were hacked, leading to the exposure of more than 100 million Internet passwords and emails.
"It is undeniable that a large amount of malicious Internet activity emanates from or at least moves through the U.S.," the authors write. They point to studies showing that 20 of the 50 most malicious Internet service providers in the world are American. And the U.S. cyber spy force, the National Security Agency, is not just there for deterrence. "U.S. government agencies like the NSA are active and expert in cyber operations," they note.