Last Friday, after years of data breaches by Chinese hackers, many months of negotiations and occasional threats from the White House, while China's President Xi was in DC, the U.S. and China announced an agreement not to launch or support cyberattacks that steal corporate records for economic benefit.
But what does that really mean? China is famous for paying lip service while doing what it wants to in the meantime. How is this going to be enforced? Also, China already has most of the data it set out to get, so it's easy to agree to something like this.
President Obama said progress has been made through the talks with Mr. Xi but added that U.S. officials would be monitoring closely to see if Chinese officials stop the attacks. “The question now is: ‘Are words followed by actions?’ And we will be watching carefully to make an assessment,” he said.
Well, apart from the thousands in the Chinese cyber army, hacking in China is a grass-roots kind of thing that works bottom-up. There are hundreds of hacking groups supported by local governments. This is not an easy thing to stamp out, because if you try to suppress them, they will go underground and work for cyber crime instead of the government.
This agreement is simply hard to enforce. From what is known at the moment, it looks like the U.S. will have to:
- Prove there’s been a cyber incursion, then
- Correctly attribute its source, next
- Identify what proprietary data was exfiltrated,
- Prove that there was a benefit gained from it, and
- That the stolen information was put to use