Avoiding a Game of He Said, Xi Said in Cyberspace
Last Friday’s announcement that the Chinese government has agreed to stop stealing intellectual property from U.S. companies may mark a turning point in our efforts to change Chinese behavior in cyberspace.
Yet many skeptics believe the agreement lacks any mechanism for enforcement. The Wall Street Journal editorial board calls it another example of China’s “talk and take” strategy in which they eagerly engage in dialogue while not changing their behavior.
President Obama has indicated he is keenly aware of this problem, challenging Xi to show that words will be matched by action at their joint press conference.
Beyond the topline message, the agreement also includes commitments for both countries to provide assistance on investigating cybercrime. This commitment, if upheld, would be a stark departure from past Chinese behavior.
Typically, when U.S. law enforcement agencies like the FBI and Secret Service make requests of China to investigate even routine cyber crimes like credit card fraud, China does not provide the assistance. This policy of non-response has likely been to avoid a situation in which a failure to cooperate on incidents involving state-sponsored theft of intellectual property would stand out from other requests were China did provide assistance.
In other words, stonewall everybody.
If China continues this non-response policy, we will know they have failed to honor their end of the bargain (and likely respond with sanctions). The agreement builds in an escalation option through a so-called “hotline” between senior officials as well as twice annual summits to review progress.
Good as these measures are, judgment about whether China lives up to its commitments can only be made by the United States. If the United States declares that China has not responded to requests for assistance and levels sanctions, China will likely deny that they have failed to cooperate, no matter what the truth is. When that happens, the naysayers will be vindicated.
To avoid this outcome, the United States should quickly move to develop a third party, independent mechanism to process and track requests for mutual legal assistance. An existing organization, such as Interpol, or a new organization could be responsible for making first level adjudications on dual criminality (“Sorry, CN-CERT we won’t act on a takedown request for that Falun Gong webpage”), arbitrate disputes, and provide an annual scorecard on response times, arrests, and prosecutions.
This organization could also serve a broader purpose in expediting requests for legal assistance among other countries. Current processes for mutual legal assistance are slow and cumbersome, particularly for handling cybercrime.
While a country like the United States has the ability to maintain bilateral agreements and relationships with hundreds of countries, most countries do not have the resources. Moreover, even the United States, which strives to be a good partner when foreign countries make legitimate requests for law enforcement assistance, has struggled to respond quickly and efficiently.
The President’s Review Group on Intelligence and Communications Technologies stood up after the Snowden revelations found that it took an average of ten months for the United States to fulfill a legitimate request for foreign legal assistance. With renewed focus (and extra budget), the Justice Department has likely shortened this process yet the Review Group’s recommendations to streamline and automate certain aspects have yet to be actioned.
A third party organization could provide the necessary authentication and secure delivery mechanisms not only between countries but also with providers of email, web, and storage services.
Such a system could go a long way toward combatting one of the main arguments for requiring data localization--that countries need their citizens’ data kept on servers that they can access without going through this byzantine process.
We’ve seen instances when the current system worked extremely well. After the Charlie Hebdo massacre, the Justice Department expedited a French request for assistance and Microsoft produced the requested records in forty-five minutes. Leading an effort to establish a third party organization to both expedite requests and call balls and strikes in an annual report would go a long way to demonstrating our commitment to making this system work when the world isn’t watching. In the context of the China agreement, such an organization could be the linchpin in holding China accountable for their commitment to assist in investigating the next time the theft of U.S. intellectual property is traced back to a Chinese IP address.