Obama threatened sanctions, but proving responsibility for a cyberattack will be difficult.
The U.S. and China agreed Friday not to hack into companies to steal their sensitive trade secrets. But even President Obama, who announced the deal at the White House with Chinese President Xi Jinping, seemed to question whether China will stick to its word.
“The question now is, are words followed by actions?” Obama said. “We will be watching carefully to make an assessment as to whether progress has been made in this area.”
The U.S. has been pressing China for years to stop conducting cyberespionage on U.S. companies. While the U.S. defends its own vast surveillance programs, it argues there should be an international norm against stealing business secrets to benefit a country’s own companies.
Obama warned that the U.S. could impose sanctions if it finds proof of commercial espionage. He seems to be looking to follow President Reagan’s policy with the Soviet Union of “trust, but verify”—but the problem is that verifying responsibility for a cyberattack can be extremely difficult.
Adam Segal, a senior fellow at the Council on Foreign Relations who studies China policy and cyberconflict, called the agreement “significant,” but he added that China can easily claim an attack came from some lone hacker rather than the government itself. China has long denied that it is behind attacks on U.S. companies and government.
“Of course, the proof will be in the implementation,” Segal said. “The Chinese can still question attribution, and much of it could be conducted by proxies outside of the central government’s direct control.”
Obama said the U.S. would likely impose sanctions only against individuals or companies that it could prove were behind an attack. The U.S. can’t hold the Chinese government responsible for everything its citizens do, Obama acknowledged.
“President Xi, during these discussions, indicated to me that, with 1.3 billion people, he can’t guarantee the behavior of every single person on Chinese soil, which I completely understand,” Obama said. “I can’t guarantee the actions of every single American.”
But he urged China to show that it’s not sponsoring the attacks and to aggressively crack down on cybercriminals. As part of the agreement, the two nations pledged to establish a system for a “high-level joint dialogue” on cybercrime and to create a “hotline” to rapidly share information and respond to attacks.
At the press conference on the White House South Lawn, Xi argued that it is in China’s interest to reduce cybercrime. “Cooperation will benefit both, and confrontation will lead to losses on both sides,” Xi said. “China strongly opposes and combats the theft of commercial secrets and other kinds of hacking attacks.”
The agreement won praise from the U.S. tech industry, which has argued that Chinese spying has put it at an unfair disadvantage. “This announcement shows that the highest levels of government from both nations understand that cybersecurity tensions should not be a barrier to free trade and open systems of innovation,” Dean Garfield, the CEO of the Information Technology Industry Council, said in a statement. “This agreement finally starts a sustained dialogue where there was very little communication. It illustrates a spirit of cooperation on a sensitive issue, which is a positive signal to technology companies.”