The United States and China are working on an agreement defining rules of engagement for cyberwarfare, according to a report in The New York Times.
The negotiations are under way ahead of Chinese President Xi Jinping’s official state visit this week, with a goal to announce the accord Thursday, the Times reports.
Under the terms of the agreement, neither country will be the first to launch cyberattacks on the other’s critical infrastructure, such as power grids or cellphone networks, during peacetime.
Intelligence and defense agencies have expressed increased concern that utilities are vulnerable to a devastating attack that some have described as a “cyber Pearl Harbor.”
National Security Agency Director Michael Rogers warned lawmakers last fall that China and “one or two” other countries would be able to shut down portions of critical U.S. infrastructure with a cyberattack.
One senior official involved in the discussions warned that any announcement by President Obama and Xi this week would likely not involve “a specific, detailed mention” of the critical infrastructure accord. Instead, the two leaders will likely announce a “generic embrace” of a code of conduct recently adopted by a United Nations working group.
The U.N. guidelines include a tenet prohibiting states from engaging in cyber activity that intentionally damages critical infrastructure.
Lawmakers and officials have called for the adoption of international “rules of the road” to govern cyber warfare, an increasingly murky term that many say has no standardized meaning.
House Intelligence Committee members during a September hearing urged the intelligence community to help create international rules of engagement, similar to the Geneva Conventions.
“We don’t know what constitutes an act of war, what the appropriate response is, what the line is between crime and warfare,” Rep. Jim Himes (D-Conn.) said.
Experts say one of the factors making such determinations complex is that there are three distinct kinds of cyber intrusions: corporate espionage intended to financially benefit foreign companies, hacks intended to do damage to infrastructure and traditional intelligence-gathering efforts performed by nation-states.
Attributing a given hack to a government versus a lone actor can also be a thorny issue, because unlike other regulated tools of war — such as nuclear arms — cyberweapons are much more difficult to trace.
Officials say the new accord most likely will not address the more high-profile forms of hacking China is accused of carrying out in the U.S., including the theft of intellectual property — although that behavior is still part of ongoing discussions.
During a speech to the Business Roundtable last week, President Obama said that “industrial espionage” was part of recent negotiations with the Chinese, suggesting that his administration is prepared to retaliate, most likely in the form of economic sanctions.
Also not addressed by the critical infrastructure agreement is the alleged Chinese breach of the Office of Personnel Management (OPM), which exposed the personnel records of 21.5 million former and current federal employees.
The administration has formally declined to attribute the hack to China, experts say, because the U.S. engages in the same kind of intelligence gathering.
In September, Director of National Intelligence James Clapper pointedly informed lawmakers that the word “attack” was inappropriate for the OPM hack because it was a form of “passive” surveillance.
During the same Business Roundtable speech on Wednesday, President Obama indicated that he hoped “we and the Chinese are able to coalesce around a process for negotiations” that would “bring a lot of other countries along.”
Last weekend, a group of senior Chinese officials led by China’s domestic security chief Meng Jianzhu participated in what the White House termed a “frank and open exchange about cyber issues” with U.S. national security adviser Susan Rice.
China’s state news agency Xinhua reported that Meng reached "important consensus" with the U.S. during the meetings and that both countries agree it is “vital” they cooperate to fight cyberattacks.
China policy experts and former administration officials told The Hill the potential deal is essentially a “baby step” in ongoing diplomatic attempts to keep China at the table on cybersecurity, not an attempt to solve the underlying, fundamental disagreements on cyberattacks.
“This is a constructive development,” said Paul Stockton, the assistant secretary of Defense for homeland defense from 2009 to 2013. “It’s also very limited in terms of its intrinsic value.”
Not only would the proposed deal do “nothing to clamp down on the theft of U.S. intellectual property,” it would not stop the Chinese from continuing to map American critical infrastructure systems and develop damaging cyber weapons, added Stockton, currently the managing director of consultancy Sonecon, LLC.
This type of mapping would help Beijing officials “understand where to attack and how to attack,” Stockton said, in order to “inflict maximum damage.”
Instead, the negotiations are mostly an attempt to codify consensus on the belief that basic international law should apply to cyberspace and cyber conflict, said Zachary Goldman, executive director of the New York University School of Law’s Center on Law and Security.
“The restrictions that have been reported basically mirror traditional law of armed conflict restraint,” he said in a conference call Monday.
Xi arrives in the U.S. on Tuesday and is scheduled to give a joint press conference with Obama on Friday.
— Cory Bennett contributed