U.S. – China Cyber Agreement: Trust, but Verify
The joint U.S.-China cyber agreement announced today represents the next iteration of the ongoing cyber security saga between two world powers. For many years the security industry has been advocating for this type of agreement between the two superpowers. In fact, my co-founder Dmitri Alperovitch has spent a tremendous amount of energy working with policy makers advocating for meaningful reform and deterrence. You can read more about his thoughts on this agreement here. This agreement is significant, if for no other reason than that it represents the first time China has recognized the distinction between traditional government intelligence gathering and cyber industrial espionage. I would say that this is a win; the question now is just a matter of degree.
As recently as September 23rd, 2015, President Xi Jinping said: “The Chinese government does not engage in theft of commercial secrets in any form, nor does it encourage or support Chinese companies to engage in such practices in any way.”
This comes as no surprise, since even recent statements don’t need to be viewed as inconsistent with the current agreement. After all, it’s standard practice to permit the other side in any diplomatic exchange to save face. But still, even under the best of circumstances, industry is left to wonder how quickly China’s bold intelligence gathering apparatus might be dismantled, and whether China’s corporate beneficiaries of IP theft will graciously allow themselves to be weaned off their government’s illegal subsidy program.
I am hopeful this agreement represents a positive move forward towards improved global cybersecurity, but as Ronald Reagan famously said, “trust, but verify.” In security we focus on assessing risk and quantifying the monetary impact. China’s economy is front and center in its national interest, including its national security. So if you apply the same risk vs. reward concept here, historically they believed they had far more to gain by stealing intellectual property and accelerating their own interests than by worrying about the threat of sanctions. As such, hopefully sitting behind this agreement, although undisclosed, is a carefully crafted set of sticks and carrots to ensure that China itself views this as being in its long-term economic and security interests, rather than as a short-term act of political spin of the same variety we’ve come to expect from their repeated public denials.
This should be a feel-good moment, and I am ready, along with my colleagues and clients, to enjoy the news, but we can’t declare victory just yet. Only time and the ability to track and understand China’s actions will tell.
So what does this mean for corporations in the United States and throughout the world? At CrowdStrike we have first-hand visibility into a wide range of military and intelligence intrusion teams operating daily from within China (as well as many other state-sponsored hackers and organized crime groups). At CrowdStrike, we will continue to increase our customers’ visibility into these threats, which is paramount to understanding not just cyber exposure but overall business risk.
Will the PLA be reassigned to other duties? At CrowdStrike, we would be delighted if that were the case. Getting a major threat off the playing field would be an enormous victory, and would take a lot of noise out of the system, allowing for increased focus on other threat actors. “Trust, but verify” will be the key to ensuring your corporation stays secure in these defining moments that intertwine cyber security with the larger political landscape.