China’s promise not to conduct or knowingly support cyber theft of Canadian corporate intellectual property for its companies is worthless, says a Canadian expert.
“I anticipate that the People’s Republic will continue to conduct state driven cyber-espionage, that Canadian Intellectual property will continue to be stolen by state organs of the People’s Republic, by Chinese universities, by Chinese businesses as well as individuals stealing for profit, and that the People’s Republic of China will loudly denounce any finger pointing in their direction as unsubstantiated and that there is no evidence,” said David Swan, the Alberta-based director of cyber intelligence at the Centre for Strategic Cyberspace and Security Science.
China signed a similar document with the United States in 2015, he said, but it made no difference. “There have been prosecutions of state sponsored espionage as well as industrial cyber espionage and numerous cases of intellectual property theft” since then, he said. China has disclaimed all of these incidents, proclaiming loudly that there is no proof, he added.
The promise is similar to ones China has also made with Britain and Australia. Experts note the promise doesn’t cover governments spying on each other, so, for example, it wouldn’t have covered the alleged theft of U.S. federal employee data by China in 2015 at the Office of Personnel Management.
On the other hand, Toronto lawyer Imran Ahmad, who is also a member of the advisory board of the Canadian Advanced Technologies Alliance’s cyber security council, called the move “a step in the right direction. If we look at the similar U.S.-China agreement signed under President Obama, there’s a general consensus that there has been a drop in cyber theft of corporate R&D (research and development) and intellectual property. If the same can be accomplished with the Canadian agreement, I think this is a good step forward. Also, I think the Canadian government was very good in leveraging the upcoming trade talks with China in order to get this agreement in place.”
Satyamoorthy Kabilan, director of national security and strategic foresight at the Conference Board of Canada, also believes the promise is real. China’s companies are increasingly creating their own intellectual property, he noted, so the government has to face the fact that it could be a target of other countries unless it promises to be straight.
“You can see it helping protect China’s own interest from an IP (intellectual property) perspective,” he said.
A number of U.S. cyber security officials say that since the 2015 promise with the U.S., the amount of suspected Chinese corporate theft seems to have fallen. In an interview during a cyber risk management conference in March, Richard Fadden, a former national security adviser to two Canadian prime ministers, said he has been told as much by a former CIA director.
Ray Boisvert, a former assistant director for intelligence at the Canadian Security Intelligence Service (CSIS) who now works for the Ontario government, told ITWorldCanada.com in 2016 that the U.S. and Britain “recorded measurable reductions in cyber thefts of intellectual property, and by extension breaches of individual privacy,” as a result of the promises from China.
In a June 2016 report on China’s cyber capabilities, security vendor FireEye noted that data gathered from its network devices shows there has been an overall decline in China-based intrusion activity against private and public sector organizations since mid-2014. Around that time Washington began taking punitive measures against China, the report notes, from indicting members of the People’s Liberation Army to raising the possibility of sanctions.
Still, there are no similar no-corporate-theft agreements with other countries including Russia and North Korea. Nor, despite increasing international co-operation between law enforcement agencies and the occasional prosecution of criminal hackers, is there any overall decline in cyber attacks. More worrisome to international cyber experts are attacks on national infrastructure, such as the alleged attack by Russia in 2015 and 2016 on Ukraine’s electric power grid.
The so-called cyber Wild West was the subject of a session at February’s annual RSA Conference, where international experts debated about whether cyber norms of behavior could be established to limit state-backed online attacks. Coincidentally at that conference Microsoft president Brad Smith called for a ‘Digital Geneva Convention’ on nation-state cyber behavior.
Scott Borg, CEO of the U.S. Cyber Consequences Unit, a research institute, argued that the American Wild West was tamed not by sheriffs threatening to shoot criminals but by communities that saw it was in their best economic interests to eliminate wild behavior. Similarly, he said, ideally countries should be encouraged that it’s in their economic interest to limit bad behavior on the Internet. The problem, he admitted, is that countries have different values and interpretations of what is a threat, and what is bad behavior.
Tom Corcoran, head of cyber threat intelligence at Zurich Insurance, said it could take centuries to get a digital Geneva Convention. But in the meantime nations will slowly learn what they can’t get away with. And a little persuasion helps: He believes China-directed corporate attacks have gone down not because of the 2015 agreement with the U.S. but because Washington educated the Chinese that the thefts were corrupting the People’s Liberation Army.
Paul Rosenzweig, founder of Red Branch Law and Consulting of Washington, D.C., said he is skeptical norms of state behavior can be created for cyber space, in part because many of what we think are norms today — don’t attack a nation’s election process — are being broken now. And even if nations agree on what bad behavior is, there are many other online threat actors who have striking capabilities.
“Norms without enforcement mechanisms are just vapourware,” he said.
In an interview, panel moderator Catherine Lotrionte, director of the Institute for Law, Science and Global Security and visiting assistant professor at Georgetown University, noted there has been some international progress. In 2013 a report by a United Nations Group of Experts that included representatives from a number of countries including the U.S., Russia and China agreed that some international laws, including the UN Charter, the law of non-intervention and human rights law, apply in cyber space during peace time. In 2015 the group (made up of 20 states) added three new norms of behavior, including that states not target each other’s critical infrastructure during times of peace; that first responders (such as computer emergency response teams, or CERTs) not be targeted; and that if a state suffers a malicious incident from a group in another country and requests remediation help from the attacking state it won’t be denied.
However, as others note, alleged state-sponsored cyber attacks continue. And Lotrionte also noted the UN documents don’t cover cyber crime. And, she added, Russia and China have refused to sign the 2012 Budapest Convention on cyber crime by arguing that it legitimizes government espionage.
Lotrionte is among those who think that rather than an international treaty or law, cyber space would be better governed by an organization like the International Atomic Energy Agency, which has experts that can investigate and report on incidents. Such an agency might not be able to say a particular country launched a cyber attack, she said, but it would be able to set out the facts.
And there are accepted norms today, she said: For example, when U.S. President Barack Obama concluded Russia was behind the Democratic Party hacks he privately warned President Vladimir Putin and expelled Russian diplomats.
“It’s ironic but bad things have to happen first before states start saying publicly, ‘This is not what we like, this is not good for global stability, this is what we say is not allowed.’” There had to be terrible wars, she said, before there was a Geneva Convention.
UPDATE: As mentioned above there is a UN Group of Government Experts (GGE) that has been meeting for several years to come up with international rules of the road for cyber security. Last week behind closed doors the majority of countries reached a draft document, but it was denounced by the U.S. delegate. The delegate, Michele Markoff, the State Department’s deputy co-ordinator for cyber issues, said she sought “clear and direct statements on how certain international law” applies to States’ use international humanitarian law, international law governing states’ exercise of their inherent right of self-defense, and the law of state responsibility, including countermeasures. “The final draft of the report insufficiently addresses these issues,” she wrote.
“I am coming to the unfortunate conclusion that those who are unwilling to affirm the applicability of these international legal rules and principles believe their States are free to act in or through cyberspace to achieve their political ends with no limits or constraints on their actions. That is a dangerous and unsupportable view, and it is one that I unequivocally reject.”
“A report that discusses the peaceful settlement of disputes and related concepts but omits a discussion of the lawful options States have to respond to malicious cyber activity they face would not only fail to deter States from potentially destabilizing activity, but also fail to send a stabilizing message to the broader community of States that their responses to such malicious cyber activity are constrained by international law.”
The GGE’s final report has yet to be published.