Skepticism abounded both inside and outside of government when then-President Barack Obama and Chinese President Xi Jinping included special provisions for reducing commercial cyber espionage in their far-reaching September 2015 bilateral agreement. Specifically, China and the United States agreed to curb “cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.” Critics of the agreement naturally wondered if difficulties attributing malicious activity in cyberspace would make enforcement of paper terms impractical; less charitable observers assumed this flaw explained Beijing’s willingness to reach these terms in the first place and that President Obama had been duped.
In hindsight these concerns missed the promise of such agreements entirely. They were designed not to put an end to cyber spying but to hem in certain classes of activity for the mutual benefit of all parties. Even more notably, observers also missed the critical role that the private sector would play in providing the parties with evidence of their good-faith progress toward implementation. A FireEye study of 182 compromises of U.S. targets by 72 Chinese cyber threat groups going back to early 2013 found a steady decline leading up to the Obama-Xi Agreement, with a rapid drop-off in theft of U.S. intellectual property after that, leaving the new status-quo at near-zero levels.
In this post, I explain how the private sector’s work in demonstrating state compliance with cyber agreements can in turn encourage such compliance. Continue reading or visit the Cyber Arms Control Blog to learn more.