State Department Cyber Coordinator: We don鈥檛 want a cyberarms treaty
The US will not be entering into a cyberarms accord with China, said the State Department鈥檚 Coordinator for Cyber Issues, insisting that recent news reports of such negotiations were 鈥渆rroneous.鈥
鈥淚 don鈥檛 think it makes sense to have a cyberarms treaty,鈥 Chris Painter told an audience at an event Thursday on America鈥檚 strategy in cyberspace hosted by 海角大神鈥檚 Passcode.听
Ahead of Chinese President Xi Jinping鈥檚 visit to Washington, The New York Times that the US and China were negotiating what could become the first arms control accord of the digital realm 鈥 sparking questions from lawmakers on Capitol Hill in recent weeks about whether the US should seek an international agreement to control the use of cyberweapons.
But reports of negotiations on this front, Mr. Painter said, were 鈥渘ever true.鈥
In fact, he continued, defining what constitutes a weapon in cyberspace makes the idea of a formal treaty or agreement extremely complex. 鈥淚 don鈥檛 know what a cyberarm is,鈥 Painter said. 鈥淭here鈥檚 a lot of dual-use technology.鈥 A piece of code, he continued, 鈥渃ould be used for malicious purposes, research purposes, defense purposes.鈥 How do you actually control that piece of code?鈥
While President Xi鈥檚 visit last week did not herald a cyberarms accord, Washington and Beijing did announce a high-level agreement stipulating that neither country would use cyberespionage to steal 鈥 or support the theft of 鈥 intellectual property.
This agreement with China, which the US blames for stealing American trade secrets for the benefit of its private sector, is 鈥渧ery significant,鈥 Painter said.
鈥淣ever before had we had a commitment from the Chinese government that that was something impermissible and shouldn鈥檛 be done,鈥 Painter said.
The agreement was also a head-scratcher for a number of US analysts, who say they were surprised that China would agree to such restrictions.
Martin Libicki, senior management scientist at RAND Corp., wonders: Why would China 鈥 which views intellectual espionage as a key economic strategy 鈥 agree to such measures limiting its behavior? One way to explain it, Mr. Libicki said at the Passcode event, is that 鈥渢hey have no intention of abiding by these things.鈥
What鈥檚 more, China鈥檚 official position has long been to deny it carries out economic espionage, Libicki said. 鈥淪o for the Chinese president to come in and say, 鈥榃e鈥檙e not going to do this鈥 isn鈥檛 much of a surprise, because they deny doing anything.鈥
Outside the theft of intellectual property, US officials are still grappling with what, precisely, constitutes a significant cyberattack. 鈥淲e don鈥檛 see cyberwarfare often,鈥 Painter noted. 鈥淵ou could argue that we haven鈥檛 seen it at all.鈥
The Pentagon, for its part, is reluctant to describe what constitutes an act of cyberwar 鈥 versus an act of cyberconflict or espionage. At the Passcode event, Deputy Assistant Secretary of Defense for Cyber Policy Aaron Hughes admitted the line between an act of war and a serious act of cybervandalism is 鈥渟quishy.鈥
When considering whether the military should get involved to defend the country from a true cyberattack, the threshold might include loss of life, destruction of property, or significant economic consequences, Mr. Hughes said. For the time being, though, acts of cyberwar and possibly military responses 鈥渨ill be evaluated on a case by case basis as decided by the president.鈥
But companies should not take matters into their own hands to 鈥渉ack back鈥 even if it means retrieving stolen information, since there is a risk of escalating the conflict, Hughes said. 鈥淲hile I recognize the threat private companies are under, they should leverage law enforcement and, in some cases, the support the Department of Homeland Security provides,鈥 he said. 鈥淚f a private company were to [hack back] 鈥 even if it鈥檚 just disrupting the data that has already been stolen 鈥 there鈥檚 the potential for a misunderstanding of what that is by a foreign entity or a foreign government, which further escalates what鈥檚 happening. That would make it difficult for the Department of Defense.鈥
Yet the prospect of an attack that could damage key critical US infrastructure 鈥 destructive cyberattacks that countries including China, for example, likely have the means to carry out 听鈥 is less likely than the headlines might suggest, experts say.
There have been relatively few actual cyberattacks, RAND鈥檚 Libicki said.
鈥淲e鈥檝e seen a number of attacks that have basically been used to trash computers,鈥 Libicki said. There have been two cyberattacks used to 鈥渂reak something,鈥 he added: Stuxnet, which targeted Iran鈥檚 nuclear facilities, and an attack on a German blast furnace reported late last year. None of these attacks, however, created costs that exceeded $100 million, he estimated 鈥 whereas full-scale damage that could be caused by true cyberwarfare, on the other hand, could run 鈥渆asily鈥 into the billions of dollars.
To call what is taking place in the cyber realm right now 鈥渃yberwar,鈥 Libicki said, is 鈥渁t the very least, grossly premature.鈥
Watch the full video of the Passcode event.听
听
