6 September 2017

How Much Work Should the US Put Into Developing Cyber Rules With China?

By Robert Farley

How deeply should the United States engage China on the development of international norms and rules of cyber-security behavior? This question is most often asked in context of an assumption of Chinese bad faith; Beijing, as one of the world’s best-known practitioners of cyber-espionage, will not likely comply with established norms in any case. But in a recent essay, Julian Ku approaches the question from a different perspective: might China’s engagement change the nature of the rules established, possibly in the wrong direction?

As Ku details, China’s view of the right of self-defense may be at odds with the U.S. understanding of self-defense. Generally speaking, Chinese legal scholars and government officials have viewed the right of self-defense more narrowly than their American counterparts. While acknowledging both a right of defense in case of attack and a right to preempt in case of imminent attack, China’s position has been that “armed attack” must include a certain degree of gravity, and “imminent” requires a very short time frame.

China’s “restrictivist” view has emerged at least partially in reaction to what it believes to be U.S. oversteps; these include the Kosovo War, the Iraq War, and the overthrow of Libyan dictator Muammar Gaddhafi. China fears that the U.S. approach to cyber conflict could enable preemptive or preventive cyber-attacks against a wide array of perceived threats, potentially with destructive consequences.

Ku’s point is that there are risks to engaging China is the development of international laws and norms regarding the appropriate employment of cyber-warfare. The primary risk, as with all such endeavors, is that China’s inclusion may change the system in ways that the United States does not like. In this case, China’s restrictive approach, applied to U.S. cyber-security, might prohibit certain kinds of preemptive or preventive action.

The precise implications of this are unclear. For example, what would a restrictivist approach mean for action along the lines of the Stuxnet attack against Iran, or of the reputed “left of launch” cyber-attacks against North Korea’s ballistic missile program? The preventive nature of these attacks might run afoul of China’s conception of self-defense, but on the other hand the campaigns might not be sufficiently “grave” to warrant a response from either country.

But then how would we apply this concern to China’s own cyber-security behavior? One way might be to consider China’s cyber-espionage efforts—widely believed to be backed both tacitly and explicitly by the Chinese government—in the U.S. and other Western countries. The Chinese government apparently believes that these actions fall well short of “cyber-attack,” and thus would legally incur no armed (or “cyber-armed”) retaliation. Whether this belief survives a significant cyber-attack on China from a state or non-state actor remains to be seen.

Finally, there’s a reasonable argument to be made that China’s approach to self-defense and imminence makes more sense than the U.S.; enshrining a more restrictive notion of the right of self-defense may well be a good idea for United States, as it is likely to experience relative military decline over the next century. U.S. vulnerability to cyber-attack (a hotly debated proposition, to be sure) might also behoove Washington to take a restrictivist view more seriously.

No comments: