For several years Western governments have blamed official Chinese or Chinese government-backed groups for hacking into databases of public and private organizations. But a year ago U.S. president Barack Obama and Chinese president Xi Jinping signed an agreement not to direct or support cyber attacks that steal corporate data for economic benefit.
Now Canada wants to do the same.
A spokesman for Public Safety minister Ralph Goodale told the Globe and Mail that this country will try to get a similar agreement, which has also been negotiated between China and the United Kingdom.
The idea has the support of Ray Boisvert, a former assistant director for intelligence at the Canadian Security Intelligence Service (CSIS) who now has his own security consulting company.
“I do support this type of approach,” he said in an email to ITWorldCanada.com. “As we collectively mature in this new networked, cyber-enabled world, be it governments, the private sector or citizens, we will have to apply all types of risk reduction strategies. And of course, diplomacy should always be a first among strategic plays. It is no guarantee of success, especially without verification, but two previous agreements involving the U.S. and U.K. (and China) have recorded measurable reductions in cyber thefts of intellectual property and by extension breaches of individual privacy.
“We must do our utmost to get countries like China to enforce international laws and norms in regards to cyber security. Of course, I don’t see that being possible with Russia at the moment as, unlike China, it has demonstrated total disregard for international agreements as it sees its role as an unlawful, unregulated disruptor — one that has pioneered new approaches in hybrid warfare (applying pressure on governments through stealth, including the enablement of proxies to attack Western organizations and institutions).”
Satyamoorthy Kabilan, director of national security and strategic foresight at the Conference Board of Canada, which represents CEOs, was more cautious. “If such an agreement could be enforced, it could be a very worthwhile proposition. But we do need to look into the details – what does this cover, how will it be enforced, etc. I would be interested in finding out more about the exact terms before deciding on whether this would be a worthwhile effort.”
Curtis Levinson, a cyber security consultant and the U.S. cyber defence advisor to NATO, is dismissive. “Such agreements have value only in a political and/or media sense,” he said in an email. “China has no intent to stop hacking the U.S. and most likely has no intent to cease hacking at China. The cyber ‘bad actor’ in China is the ‘People’s Liberation Army’ (PLA) which is largely disconnected from the Central Communist Party.”
Imran Amad, a member of the advisory board of the Canadian Advanced Technologies Alliance’s cyber security council, doubts Canada will reach an agreement similar to the one China signed with the U.S. “The U.S. has offensive cyber capabilities that it leveraged to get a deal. It’s also the largest economy in the world,” said Amad, a privacy lawyer with the Miller Thompson firm. “It is unclear to me what Canada can leverage vis-à-vis China in order to get a similar type of outcome.”
Signing a deal and getting it implemented are two different things. In June the Wall Street Journal reported that nine months after a big ceremony at the White House, the U.S. and China were still jousting over how to talk to each other. Apparently, in those months all they could agree on were temporary email addresses for exchanging communications.
Early on there were signs that the agreement was limited to controlling the official intelligence agencies of each country. “With 1.3 billion people, (the premier) can’t guarantee the behavior of every single person on Chinese soil,” Obama was quoted as saying when the deal was signed.
One of the key problems for both sides in the Internet era is obtaining absolute proof that a government agency was behind an attack on a company.
In a paper earlier this year for the National Bureau of Asian Research, Adam Segal, a fellow at the U.S. Council on Foreign Relations, and Tang Lan, a deputy director at the China Institutes of Contemporary International Relations, wrote that the two countries have significant differences in their views on Internet governance, cyberattacks, cyber-espionage and the security of information and telecom equipment sold into each other’s countries. Still, they are both worried about threats to their critical infrastructure and about stopping the proliferation of cyber attack capabilities of terrorist and criminal groups.
“While the two governments have vowed to clarify responsible behaviors through bilateral and multilateral discussions, identifying common ground and cooperative projects is necessary to reduce tensions in cyberspace,” they wrote. But, they warned, failure to build on the agreement “could generate greater mistrust that spills over into other aspects of [their] relationship.”
One thing both countries want to avoid, the report and other experts note, is cyber attacks — particularly on critical infrastructure — that lead to hostilities.
The academics noted that the U.S. and China have agreed on guidelines for requesting assistance on cybercrimes or other malicious cyber activities, as well as agreeing to conduct “tabletop exercises” and to define procedures for use of a hotline.