The prevailing opinion among my comrades here at Fidelis Cybersecurity and other notables in the cyberdefense community is that this agreement is flawed and only a half measure. It will not stop or slow down the Chinese and their cyberspying campaigns.
Below is my initial take on the agreement, along with some analysis.
The first, obvious question is "Why should China stop what they have always emphatically denied doing?" Moving beyond this, though, the agreement limits the activities to those with the “intent of providing competitive advantages to companies or commercial sectors”. This doesn’t prohibit China from conducting cyber-espionage operations to benefit their military and people. This could include, but is not limited to:
- Energy exploration and production (particularly if China intends to use the energy on their south) -- think South China Sea. They could spy on energy companies just to develop a situational awareness of activity around contested regions.
- Healthcare/drug research, particularly since China has an aging populace (that is now increasingly being affected by cancer and related conditions).
- Transportation and logistics organizations to combat rising traffic and implement new means of moving goods and people across an expanding urbanization effort across China.
- Higher-education institutions for new research (health, pollution, traffic, etc.) and locations to launch attacks from (which they have done in the past).
- Military intelligence and theft of IP related to schematics/plans for weaponry.
- Spying on organizations and companies to understand how they conduct business. China has conducted these types of "educational reconnaissance" spying operations in the past to understand how to work in a particular industry or field.
I don't expect to see a noticeable slowdown of Chinese state-sponsored cyber-espionage. Why would they just close up shop and stop their operations? They've developed quite a highly sophisticated methodology and organization to support their missions. You may even see more of a focus on Asian and European companies.
One thing the agreement doesn't mention is the cybersecurity pledge that China wants foreign businesses to sign. Are they still going to pursue this? Time will tell.
One potential scenario, if China does choose to slow their espionage operations, would be for it to use “proxy” groups, the same way that Iran and Russia operate. It is easy to hide behind the "Great Firewall". Attribution is difficult with state-sponsored attacks because of the lack of physical evidence connecting the person to the "virtual". China can always find a patsy within the country, arrest them and claim "mission accomplished" if they're caught by the US on a spying operation.
Another important point to note about this agreement is that even if both sides abided by it, it would never have stopped the OPM breach or their campaigns against health care providers or the defense industrial base.
Actions speak louder than words. Time will tell if the words spoken in the West Wing are backed up by actions on the front lines of the silent cyber battlefield.
- Justin Harvey