Chinese Cyber Espionage

The Wall Street Journal published a transcript of written responses put to the Chinese President Xi Jinping.  On the issue of Chinese hacking the Chinese President had this response:

China takes cybersecurity very seriously. China is also a victim of hacking. The Chinese government does not engage in theft of commercial secrets in any form, nor does it encourage or support Chinese companies to engage in such practices in any way. Cybertheft of commercial secrets and hacking attacks against government networks are both illegal; such acts are criminal offenses and should be punished according to law and relevant international conventions. China and the United States share common concerns on cybersecurity. We are ready to strengthen cooperation with the U.S. side on this issue.

The key part of the response here is “relevant international conventions.”  There aren’t any!  There is a model set of non-binding international norms released by the UN back in July, 2015.  Those norms include:

(a) Consistent with the purposes of the United Nations, including to maintain international peace and security, States should cooperate in developing and applying measures to increase stability and security in the use of ICTs and to prevent ICT practices that are acknowledged to be harmful or that may pose threats to international peace and security;

(b) In case of ICT incidents, States should consider all relevant information, including the larger context of the event, the challenges of attribution in the ICT environment and the nature and extent of the consequences;

(c) States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs;

(d) States should consider how best to cooperate to exchange information, assist each other, prosecute terrorist and criminal use of ICTs and implement other cooperative measures to address such threats. States may need to consider whether new measures need to be developed in this respect;

(e) States, in ensuring the secure use of ICTs, should respect Human Rights Council resolutions 20/8 and 26/13 on the promotion, protection and enjoyment of human rights on the Internet, as well as General Assembly resolutions 68/167 and 69/166 on the right to privacy in the digital age, to guarantee full respect for human rights, including the right to freedom of expression;

(f) A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public;

(g) States should take appropriate measures to protect their critical infrastructure from ICT threats, taking into account General Assembly resolution 58/199 on the creation of a global culture of cybersecurity and the protection of critical information infrastructures, and other relevant resolutions;

(h) States should respond to appropriate requests for assistance by another State whose critical infrastructure is subject to malicious ICT acts. States should also respond to appropriate requests to mitigate malicious ICT activity aimed at the critical infrastructure of another State emanating from their territory, taking into account due regard for sovereignty;

(i) States should take reasonable steps to ensure the integrity of the supply chain so that end users can have confidence in the security of ICT products. States should seek to prevent the proliferation of malicious ICT tools and techniques and the use of harmful hidden functions;

(j) States should encourage responsible reporting of ICT vulnerabilities and share associated information on available remedies to such vulnerabilities to limit and possibly eliminate potential threats to ICTs and ICT-dependent infrastructure;

(k) States should not conduct or knowingly support activity to harm the information systems of the authorized emergency response teams (sometimes known as computer emergency response teams or cybersecurity incident response teams) of another State. A State should not use authorized emergency response teams to engage in malicious international activity.

These norms involve the use of Information and Communications Technologies (ICT) to attack critical infrastructure, not espionage. These norms are a perfectly reasonable set of standards of international conduct on the Internet.  States should be diligent in protecting critical infrastructure, not allow their territories to be used for attacks on another, share vulnerability information, secure the supply chain from conterfeit products (from China), and states shouldn’t deploy their security researchers to do harm.

The states obligations under international law in (f) are about the laws of armed conflict and the protection of civilians and infrastructure, article 56, in the additional Protocol I of the Geneva Conventions, which incidentally the US had never ratified due to its objections to paragraph 3 of article 44 of the Protocol which absolve guerrilla fighters from the requires that other uniformed militaries must comply with and makes it more likely that civilians will be attacked and the military charged with war crimes.

Leave a Reply

Your email address will not be published. Required fields are marked *