China and Australia’s Cybersecurity Agreement: Going Beyond Economics
By John Bostwick, Managing Editor, Radius
In January, Australian prime minister Malcolm Turnbull addressed the subject of a US FBI report indicating that Moscow had made covert attempts to influence the outcome of the US presidential election. An article on the Australian Broadcasting Commission’s (ABC's) website quoted Turnbull as saying that cyberattacks such as Russia’s represented “the new frontier of warfare,” and that Australia’s government, citizens and businesses “need to be aware of the threats and how to mitigate and protect against them.”
It was not the first time Prime Minister Turnbull had expressed concern about online attacks. Cybersecurity has been part of his strategy almost since he took over the position in September 2015. In 2016, his government released Australia’s Cyber Security Strategy, a 65-page report that sets out five “themes of action” the country is to undertake between 2016 and 2020. One of the themes involves working with Australia’s “international partners to champion an open, free and secure internet.”
The report notes that in 2014 and 2015, Australia had engaged in “cyber policy dialogues” to strengthen alliances and share information. The report mentions Australian dialogues with numerous countries, including its regional partner China.
The report’s mention of China as an ally in cybersecurity may have been an olive branch, or maybe a bit of wishful thinking. Not long before the report’s publication, public allegations surfaced of a Chinese state-sponsored cyberattack on Australia’s Bureau of Meteorology. ABC reported in December 2015 that the bureau has supercomputers holding information “critical … to a host of agencies” and that the breach “will cost millions of dollars to plug.” The compromised information included the fruits of scientific research and intellectual property. The ABC article notes that “the motivation for the attack on the bureau could be commercial, strategic or both.”
An Australian government official is quoted by ABC as saying there was little doubt the breach came from China, and that the “attack on the BoM is entirely consistent with what we know of how Chinese intelligence operates.” Beijing denied the allegations.
The ABC article mentions that the US has likewise “repeatedly blamed China for cyberattacks on its agencies and American businesses.” These concerns were addressed by the US and China in September 2015, when Chinese president Xi Jinping visited the US and agreed with President Obama “to work together to constructively manage our differences.”
President Xi’s visit resulted in a pact to strengthen cybersecurity between China and the US, including an agreement that “neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.”
Last week, Australia and China unveiled a similar joint statement on cybersecurity. The agreement was the culmination of one of those formal “dialogues” mentioned above. It was held in Sydney and the participants included Australia’s Minister of Foreign Affairs Julie Bishop and Attorney-General Senator George Brandis, along with China’s Secretary of the Central Commission for Political and Legal Affairs Meng Jianzhu.
The two delegations in Sydney agreed among other things to: “work together to counter malicious cyber actors;” “discuss options for joint operations to combat cybercrime;” and “not to conduct or support cyber-enabled theft of intellectual property, trade secrets or confidential business information with the intent of obtaining competitive advantage.” Australia and China also agreed to hold another cybersecurity dialogue — this one in China in 2018 — and to continue holding them on an ongoing basis.
In an article published last Monday on the bilateral agreement, The Financial Times quotes Director of the Australian Strategic Policy Institute Peter Jennings as saying he has “no doubt whatsoever that the Chinese were responsible for the meteorology bureau attack,” but that he thought “the bilateral agreement made sense as China was the largest source of cyber espionage for Australia to consider.”
Another expert quoted by the Times notes that the agreement itself, like the US-China agreement, “focuses on the theft of intellectual property and business-related issues but not espionage or political-inspired hacking.” This doesn’t inspire confidence that state-sponsored cyberattacks will be reduced by the agreement.
According to ZDNet, the security firm CrowdStrike said that in the three weeks following the US-China agreement, the company’s software “detected and prevented a number of intrusions into our customers' systems from actors we have affiliated with the Chinese government.” CrowdStrike alleged that the first attack took place the very day after Obama and Xi’s joint announcement. That said, the Times article notes that the security group FireEye has observed a “notable decline” in China-based cyberattacks on the US since 2014.
Whatever Beijing’s involvement in US and Australian cybersecurity attacks, the recent pact between China and Australia, and the similar agreement between the US and China, are reminders that cybersecurity is of critical concern to world political leaders, not just multinational companies concerned about data protection.
The agreements are also reminders that it is increasingly difficult to disentangle business from politics, and in some cases even from national security concerns. As Prime Minister Turnbull notes in his foreword to Australia’s Cyber Security Strategy report, “the need for an open, free and secure internet goes far beyond economics.” The report goes on to say that, “All of us — governments, businesses and individuals — need to work together to build resilience to cybersecurity threats and to make the most of opportunities online.”
The Sino-Australian agreement may not directly address certain areas like cyber espionage, but at the least it raises global cybersecurity awareness and helps codify acceptable cross-border cyber practices for all users.