Presidents Obama and Xi agree that the U.S. and China won’t steal corporate secrets from each other, but the wording is so full of loopholes that CISOs shouldn’t take too much comfort in the pact for quite a while.
The agreement sets up high-level talks twice a year to deal with complaints from either country about whether the other is responding quickly and thoroughly to claims of malicious cyber activity.
It also takes a run at corporate spying in particular: “[N]either country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.”
The word “knowingly” injects a factor of deniability. So one side might actually support cyber-enabled theft of intellectual property, but if they claim not to know about it, and nobody can prove they do, they’re OK. And if they do it and their intent is not to provide competitive advantages to companies or commercial sectors, they’re also OK, according to a strict, lawyerly reading of this wording provided by the White House. That leaves this type of activity for the purpose of, say, military advantage, on the table.
Even if the two countries carry out the letter of the agreement, neither side has agreed to enough that corporate security pros should let down their guard.
Obama did a little finger pointing and threatening, which cast a shadow on the agreement.
"I raised, once again, our rising concerns about growing cyber threats to American companies and American citizens. I indicated that it has to stop," Obama said in recounting his meeting with Xi, clearly implying that China has been increasingly threatening U.S. companies. "The United States government does not engage in cyber economic espionage for commercial gain." Again, the “for commercial gain” qualification doesn’t rule out governmental/military espionage.
Xi said “China strongly opposes and combats the theft of commercial secrets and other kinds of hacking attacks,” which could be taken in two ways. 1) China doesn’t oppose and combat cyber thefts being perpetrated by China. 2) China opposes and combats cyber thefts being perpetrated against China. In either case, the statement doesn't promise any improvements in current behavior.
That said, it’s still good that the two sides have agreed to as much as they have.
“Both sides are committed to making common effort to further identify and promote appropriate norms of state behavior in cyberspace within the international community,” the White House says. Anytime countries agree to such things, it’s good, and in this case the two parties have significant spheres of influence that might someday lead to better understood rules of the road for cyber activity that all countries will follow. Again, this sounds like a long-term project.
Diplomacy is a lot like the work of standards bodies: both start with stated goals, and then, over months and years of working on details, specific parameters are hashed out. So the agreement as announced between the U.S. and China is a great start, but as Obama says, "The question now is - are words followed by actions?"