Last month the Justice Department published a press release announcing that seven Chinese nationals have been charged with “conspiracy to commit computer intrusions and conspiracy to commit wire fraud.”
This announcement came on the heels of warnings from Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly and National Cyber Director Harry Coker that Chinese hackers are making a strategic shift to target critical infrastructure, are likely able to launch cyberattacks that could cripple that infrastructure, and are increasingly exploiting Americans’ private information.
It’s apparent then that a conflict between China and the United States would include disruptive, dangerous cyberwarfare. Indeed, as U.S.-China military-to-military communications restart, cyber needs to become a key part of these conversations to develop bilateral crisis management mechanisms.
Unfortunately, cyber crisis management is still in its infancy. The United States and China have engaged in multiple bilateral and multilateral dialogues on cyber-related issues in the past. For example, the 2015 summit between President Obama and Xi Jinping created a series of agreements — tacit and explicit — on cyber espionage, the joint investigation of cybercrimes, and a process that eventually produced the U.S.-China High-Level Joint Dialogue on Cybercrime and Related Issues.
However, direct U.S.-China official dialogues have not led to substantial cooperation. President Biden warned Xi during a recent call against China using cyberattacks to target sensitive infrastructure, but no solutions nor potential dialogues appear to have been brought up.
There is no dearth of unofficial dialogues, and some have proposed discrete steps that would enhance U.S.-China cyber relations and crisis management mechanisms, such as coming to mutual definitions of cyber terms, strengthening bilateral communications, and promoting restraint in cyber usage. Unfortunately, despite the many attempts at facilitating U.S.-China cyber dialogues and improved relations, no concrete standards or guidelines on cyber usage in a potential conflict have been adopted, nor have U.S.-China cyber relations appeared to improve.
Both Washington and Beijing are familiar with the potential harm cyber can do when expertly implemented. Stuxnet, a malicious computer worm known to be created and implemented by the United States and Israel, damaged the centrifuges Iran used for its nuclear-enrichment program. China’s cyberespionage campaigns to steal sensitive technologies and designs from American businesses have led to strategic vulnerabilities — like with the theft of designs for the F-35 Joint Strike Fighter’s self-diagnostic system in 2009.
Concerns about cyber espionage have been a defining feature of U.S.-China technology and business relations since the early 2000s, extending into the rhetoric to ban TikTok. Cyber exploits could cut off power grids, like in Ukraine in 2015 and 2016, cripple wastewater treatment facilities, or render sources of vital information useless — as witnessed in the ongoing Russian invasion of Ukraine.
If a conflict were to break out between the United States and China, wherever and however it might, the reality is that cyber will be a key weapon in a well-rounded arsenal of traditional and emerging weaponry. Fortunately, there may be some space for negotiation. A RAND study — built upon “insights from interviews with leading Chinese and American cyberspace policy experts across [their] governments, militaries, think tanks, and academic communities” — found that China may be more likely to come to a bilateral agreement wherein both the United States and China agree not to cyberattack each other and limit the targeting of critical infrastructure.
There is also some precedent which would suggest that the Chinese government thinks that cyberattacking critical infrastructure should be off-the-table. In 2015, China participated in the drafting of and signed a note by the Secretary General as a member of a United Nations group of governmental experts, in which the participants recommended that states not target critical infrastructure with cyber. Further emblematic of this willingness to find common ground on cyberthreats is China’s 2015 agreement with Russia to not cyberattack one another. However, the RAND study also found that trust was one of the main impediments to creating such an agreement with the U.S. Neither the U.S. nor Chinese interviewees knew if they could fully trust the other side to adhere to any agreements against this kind of cyberespionage and exploitation.
Thus, any agreement like the China-Russia cyber “non-aggression pact” would need to foster transparency and trust between the relevant Chinese and U.S. parties. The agreement would need to be paired with bilateral channels designed to communicate information on cyber events, both mundane and arising from a crisis. Transparent forums between the U.S. and Chinese military, with a focus on cyber elements, is an absolutely vital step to navigate crises effectively and promote a restraint-based foreign policy and defense strategy, especially given the pervasive nature of cyber threats.
Luckily, in recent months, Washington and Beijing have re-established military-to-military communications, expressed continued interest in establishing dialogues on the use of artificial intelligence (AI), and have otherwise collaborated in the United Nations on a resolution establishing principles for AI development. While it is not cyber-specific, AI and cyber are conjoined issues. It shows that there may be space for U.S.-China collaboration on emerging technologies, which could lead to more robust dialogues and crisis management mechanisms. These could be vital trust-building exercises that lead to further cooperation on issues related to cybersecurity.
Ultimately, there is a path forward for the United States and China to come to an understanding on cyberwarfare in at least some domains. To this end, both sides need to create new bilateral forums to discuss and advance crisis management coordination on these issues of common concern about cyberwarfare.
