Author: Lyu Jinghua, Carnegie Endowment for International Peace
Cyber relations between China and the United States have always been an integral part of the bilateral relationship. As debate on whether the two countries are entering a new Cold War intensifies, similar concerns about their cyber relations are arising: are the two destined for rivalry in the cybersphere? If so, how can cyber conflict be prevented or limited?
Despite some differences in cyberspace, convergent interests have generally been greater than divergent ones between the largest (China) and the most advanced (the United States) cyber powers. Both are tempting targets for malicious actors and vulnerable to destructive cyber attacks. So both have vested interests in fighting against cyber crimes, countering cyberterrorism and promoting cyber norms. These overlapping interests facilitated the successful completion and release of United Nations Group of Government Experts (UN GGE) consensus reports in 2013 and 2015.
But with the rapid deterioration of bilateral relations, there are signs of cyberspace behaviour following suit: less cooperation, more confrontation and higher risk of conflict. Among the potential developments, such as a new technology Cold War or failure to agree on cyber rules, the most worrisome are in the security domain.
US concerns over Chinese military modernisation and issues in the Taiwan Strait, East China Sea, South China Sea and beyond are growing. China holds similar concerns over the United States’ recent assessment that China is its primary security challenge both in a general sense and in cyberspace, and over the change in US policy direction from its ‘pivot to Asia’ to the Indo-Pacific strategy.
If conflict erupts, one of the earliest and most destabilising venues would be conflict in cyberspace. Cyber actions are more inclined to be escalatory due to the difficulties of differentiating intentions and predicting consequences. To prevent such a scenario, several precautionary measures can and should be implemented.
Although there are channels for bilateral communication and coordination, such as the High-Level Joint Dialogue on Cybercrime and Related Issues, the Law Enforcement and Cybersecurity Dialogue, and cooperation between computer emergency response teams (CERTs), they all lack the involvement of militaries. Because of this, they are far from sufficient to avert potentially explosive incidents in the security sphere.
An ongoing bilateral coordination mechanism is urgently needed. The Ministry of National Defense–Department of Defense telephone link was once used to discuss tensions in the South China Sea by the US and Chinese navies. It could be given the same function for communication in cyber crises.
To enhance information sharing and mutual understanding, it is also worth considering how to apply the Memorandum of Understanding on Notification of Major Military Activities in cyberspace. The two sides could explore similar ways of increasing transparency such as briefing each other on their cyber strategy publications, interpreting their cyber doctrines and inviting one another to observe cyber exercises.
The United States and China should exercise self-restraint in cyber conflicts and encourage similar responses from other countries as the foundation for establishing accepted rules of behaviour. To this end, rules prohibiting the use of escalatory, cross-domain deterrence measures — such as the computer worm Stuxnet that was used against Iranian nuclear facilities and the ‘Left of Launch’ cyber efforts to disable the launch of North Korean missiles — require further discussion. As do rules forbidding attacks on specific targets such as critical infrastructure, and rules regarding after-use damage control such as the function of self-destruction mechanisms.
The United States and China already have several agreed crisis management principles in place, such as sending clear signals, avoiding commitment traps and making proportionate responses. Now it is time to think about how to apply these principles in cyberspace. Cyber crisis management should become an important topic in security dialogues at all levels. To start with, think tanks can explore crisis scenarios and management measures by conducting tabletop exercises and relevant discussions.
More importantly, China and the United States need to develop a deeper understanding of one another’s critical interests in cyberspace. Both sides must behave cautiously and maintain strategic constraint to avoid eroding those critical interests, leaving enough space for either side to make concessions and ease tensions.
No matter what suspicions and differences remain, China and the United States can and should seek to cooperate, even as rivals, on conflict prevention in cyberspace.
Lyu Jinghua is a Visiting Scholar in the Cyber Policy Initiative at the Carnegie Endowment for International Peace and a retired colonel from the Chinese People’s Liberation Army.
The author greatly thanks Ariel E Levit, Senior Fellow at the Carnegie Endowment for International Peace, for his invaluable advice and insights.