U.S., China reach 'common understanding' on cyber attacks

No one expected sanctions or an actual cyber security truce, but as agreements go, this one is as toothless as it gets

China and the United States will not “conduct or knowingly support” cyber theft of intellectual property or commercial trade secrets, said President Barack Obama and General Secretary Xi Jinping in a Friday appearance at the White House Rose Garden. Obama and Xi discussed cyber security during their meeting and reached a “common understanding on the way forward,” Obama said.

Many observers had hoped Obama would pressure Xi about the growing number of attacks from China, and there had been speculation about possible sanctions or even a cyber security treaty. However, the agreement fell short of those expectations.

“We have jointly affirmed the principle that governments don't engage in cyber espionage for financial gain against companies,” Obama said during the appearance.

The agreement focused on economic cyber attacks, not intelligence-based ones. The language specifically referenced attacks against commercial networks providing companies with trade secrets and other confidential business information that would provide competitive advantage or other economic gains. 

"We have, I think, made significant progress in agreeing to how our law enforcement and investigators are going to work together," Obama said.

Despite mounting evidence linking Chinese attackers with attacks against American companies and government networks, China has steadfastly denied any involvement. Even with this agreement, there is no acknowledgement that China had taken part in cyber attacks in the past and will stop going forward. Some industry experts on Twitter were skeptical that anything would actually change.

“Wondering if China doubts U.S. attribution capabilities and will continue theft ops despite agreement, while saying, ‘It’s not us, prove it,’” Richard Bejtlich, chief security strategist of FireEye, said on Twitter. 

Some decisions were made with regard to fighting cyber crime, including providing “timely responses” to requests for information regarding malicious cyber activity and cooperating with investigations. A high-level group would meet regularly to review timeliness and quality of responses to requests from investigators. The group will include representatives of the Ministry of Public Security, Ministry of State Security, Ministry of Justice, and the State Internet and Information Office as well as officials from the U.S. Secretary of Homeland Security, the Attorney General, Federal Bureau of Investigation, and other intelligence agencies. The group will meet twice a year, with the first meeting happening before the end of 2015.

“As part of this mechanism, both sides agree to establish a hotline for the escalation of issues that may arise in the course of responding to such requests,” according to a fact sheet released by the White House.

Another working group will meet to further discuss “norms of behavior and other crucial issues for international security in cyber space,” the fact sheet said. China and the United States will work "together and with other nations, to promote other rules of the road," Obama said during the joint appearance.

Despite what observers had hoped for, no one really expected a deal to be announced. “In order to even agree not to attack critical infrastructure, they would have to admit they have the capability to do so, as well as possibly disclose some of those capabilities,” said Ken Westin, a senior security analyst with Tripwire.

Security researchers and government officials have increasingly warned that Chinese companies were benefiting from cyber espionage attacks against American companies. Mandiant, now part of FireEye, released a comprehensive report on one of the attack groups a few years ago, and several research reports since then have identified different groups operating out of China. "I raised, once again, our very serious concerns about growing cyber threats," Obama said. "I indicated that it has to stop." The agreement is a sign of progress, but the work is not yet done.

Copyright © 2015 IDG Communications, Inc.
