U.S. and China Seek Arms Deal for Cyberspace
By DAVID E. SANGER

WASHINGTON — The United States and China are negotiating what could become the first arms control accord for cyberspace, embracing a commitment by each country that it will not be the first to use cyberweapons to cripple the other’s critical infrastructure during peacetime, according to officials involved in the talks.

While such an agreement could address attacks on power stations, banking systems, cellphone networks and hospitals, it would not, at least in its first version, protect against most of the attacks that China has been accused of conducting in the United States, including the widespread poaching of intellectual property and the theft of millions of government employees’ personal data.

The negotiations have been conducted with urgency in recent weeks, with a goal to announce an agreement when President Xi Jinping of China arrives in Washington for a state visit on Thursday. President Obama hinted at the negotiations on Wednesday, when he told the Business Roundtable that the rising number of cyberattacks would “probably be one of the biggest topics” of the summit meeting, and that his goal was to see “if we and the Chinese are able to coalesce around a process for negotiations” that would ultimately “bring a lot of other countries along.”

But a senior administration official involved in the discussions cautioned that an initial statement between Mr. Obama and Mr. Xi may not contain “a specific, detailed mention” of a prohibition on attacking critical infrastructure. Rather, it would be a more “generic embrace” of a code of conduct adopted recently by a working group at the United Nations.

One of the key principles of the United Nations document on principles for cyberspace is that no state should allow activity “that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public.” The goal of the American negotiators is to have Chinese leaders embrace the principles of the United Nations code of conduct in a bilateral agreement with Washington.

But it seems unlikely that any deal coming out of the talks would directly address the most urgent problems with cyberattacks of Chinese origin, according to officials who spoke on the condition of anonymity to describe continuing negotiations.

Most of those attacks have focused on espionage and theft of intellectual property. The rules under discussion would have done nothing to stop the theft of 22 million personal security files from the Office of Personnel Management, which the director of national intelligence, James R. Clapper Jr., recently told Congress did not constitute an “attack” because it was intelligence collection — something the United States does, too.

The agreement being negotiated would also not appear to cover the use of tools to steal intellectual property, as the Chinese military does often to bolster state-owned industries, according to an indictment of five officers of the People’s Liberation Army last year. And it is not clear that the rules would prohibit the kind of attack carried out last year against Sony Pictures Entertainment, for which the United States blamed North Korea. That attack melted down about 70 percent of Sony’s computer systems.

Sony is not, by most definitions, part of the nation’s “critical infrastructure,” although the Department of Homeland Security does include “movie studios” on its list of critical “commercial facilities,” along with stadiums, museums and convention centers.

Still, any agreement to limit cyberattacks in peacetime would be a start. “It would be the first time that cyber is treated as a military capability that needs to be governed as nuclear, chemical and biological weapons are,” said Vikram Singh, a former Pentagon and State Department official who is now vice president for international security at the Center for American Progress.

Within the Obama administration, the effort to design “a set of norms of behavior” to limit cyberattacks has been compared to President John F. Kennedy’s first major nuclear treaty with the Soviet Union in 1963, which banned atmospheric nuclear tests. That accord did not stop the development of nuclear weapons or even halt underground tests, which continued for decades. But it was a first effort to prevent an environmental disaster, just as this would be a first effort by the world’s two biggest economic powers to prevent the most catastrophic use of cyberweapons.

Joseph S. Nye, a Harvard professor known for his studies of American power, said the concept of a “no first use” doctrine for cyberattacks had been “gestating for some time” in a variety of international forums. “It could create some self-restraint,” Mr. Nye said, but he added that the problem was, “how do you verify it, and what is its value if it can’t be verified?”

That problem goes to the heart of why arms control agreements in the cyberspace arena are so much more complicated than better-known agreements covering nuclear weapons.

In the Cold War and still today, nuclear arms remain in the hands of states, meaning they can usually be counted and their movements observed. Cyberweapons, too, are often developed by countries — the United States, Russia, China and Iran are among the most sophisticated — but they can also be found in the hands of criminal groups and teenagers, neither of which negotiate treaties.

Moreover, it was usually clear where a conventional attack had originated; the trajectory of a missile could be tracked by radar or satellite. Mr. Obama himself noted last week the difficulty of tracing a cyberattack, and thus of deterring it — or retaliating with confidence.

Earlier efforts to get Mr. Xi and other senior Chinese leaders to address cyberattacks have largely failed. Mr. Obama spent a considerable amount of time on the issue during a summit meeting with Mr. Xi at Sunnylands, a California estate, in 2013. But even after that session, the Chinese denied that their military was involved in attacks, and portrayed themselves as victims of attacks from the United States.

It was not an entirely spurious claim: Classified documents released by Edward J. Snowden showed a complex effort by the National Security Agency to get into the systems of a Chinese telecommunications giant, Huawei, though the United States maintained that the effort was for national security surveillance, not for the theft of intellectual property.

The recent Chinese movement on cybersecurity can be traced to several events, officials say.

The Office of Personnel Management breach, which went undetected for roughly a year, was traced to Chinese sources, and one official said evidence had been presented to Chinese officials. In August, Susan E. Rice, Mr. Obama’s national security adviser, took a trip to Beijing to meet with Mr. Xi and other officials, and used it to increase pressure on China, suggesting that newly devised economic sanctions could be imposed. Mr. Obama referred to that possibility in two recent speeches, suggesting that he would hold off only if there was progress with Mr. Xi.

Last week, a high-level Communist Party envoy, Meng Jianzhu, who is responsible for state security, came to Washington and met with Ms. Rice, several American intelligence officials and the director of the F.B.I., James B. Comey. That session focused on coming up with some kind of agreement, however vaguely worded, that Mr. Obama and Mr. Xi could announce on Friday.

For the United States, agreements limiting cyberweapons are also problematic. The country is spending billions of dollars on new generations of weapons, and in at least one famous case, the cyberattacks on Iran’s nuclear enrichment site at Natanz, it has used them.

American cyberwarriors would be concerned about any rules that limited their ability in peacetime to place “beacons” or “implants” in foreign computer networks; these are pieces of code that monitor how foreign computer systems work, and they can be vital in determining how to launch a covert or wartime attack. The Chinese have littered American networks with similar technology, often to the consternation of the Pentagon and intelligence agencies.

“One of the things to look for are any rules that bar ‘preparing the battlefield,’ ” said Robert K. Knake, a senior fellow at the Council on Foreign Relations who worked in the White House cybersecurity office earlier in the Obama administration.

Mr. Obama, who has said little about the United States’ development of cyberweapons during his presidency, has begun to talk about it in recent days. “If we wanted to go on offense, a whole bunch of countries would have some significant problems,” he told the Business Roundtable on Wednesday.

歐習會前 美中拚達成網攻管制協議

紐約時報報導，美國與中國大陸將首度把網路攻擊當成核武或生化武器加以管制，雙方正在協商簽署一項空前的網路武器管制協定，承諾不會在承平時期以網路武器發動「第一擊」，癱瘓對方重要的基礎設施。這項協議可望在大陸國家主席習近平廿四日在華府與美國總統歐巴馬舉行高峰會時宣布。

參與協商的美國官員說，協議涵蓋的重要基礎設施包括電廠、銀行系統、手機網和醫院，但協議的初版不會觸及美方指控陸方竊取智慧財產和兩千多萬公務員個資的駭客行為。

這幾周美中快馬加鞭協商，希望趕在「歐習會」宣布達成協議。

歐巴馬十六日向「商業圓桌組織」暗示，美中正就此議題談判。他說，他的目標是觀察「我們和中國是否能攜手協商」，最終「把其他許多國家也拉進來」。

不過，美國官員透露，歐巴馬和習近平的最初聲明也許不會具體、詳細提到禁止攻擊重要基礎設施，可能只會概括「支持」聯合國工作小組最近採行的一項行為準則。

聯合國網路行為準則要點之一，是任何國家都不應允許網攻「蓄意損害重要基礎設施，或癱瘓提供公共服務的重要基礎設施的使用和運作」。

美國官員說，美中不可能針對直接改正美方關切的大陸駭客問題達成協議。大陸的網攻以間諜和竊取智慧財產為主。協議也不會阻止陸方竊取美國兩千兩百萬公務員的個資。美國國家情報局局長克拉波最近告訴國會，竊取個資不算攻擊，而是「蒐集情報」，美國也在做相同的事。

不過，雙方若能達成在承平時期限制網攻活動的協議，都是一個開始。美國國防部和國務院前官員辛格說：「這是首次把網路當成需要管制的軍力，就像核武或生化武器一樣。」

歐巴馬政府把設計一套限制網攻的行為準則，與甘迺迪總統一九六三年與蘇聯達成禁止大氣層核子試爆相提並論，這是美蘇達成的第一項重要核子條約。

研究美國權力的哈佛教授奈伊（Joseph Nye）說，「不發動第一擊」網攻的觀念已被討論了一陣子，問題是「如何查證？若不能查證又有何價值？」這是何以網路武器管制比核武管制更複雜得多。

原文參照：
http://www.nytimes.com/2015/09/20/world/asia/us-and-china-seek-arms-deal-for-cyberspace.html

紐約時報中文版翻譯：
http://cn.nytimes.com/world/20150920/c20cyber/zh-hant/

2015-09-21．聯合報．A13．國際．編譯田思怡