The prevailing opinion among my comrades here at Fidelis Cybersecurity and other notables in the cyberdefense community is that this agreement is flawed and only a half measure. This will not stop or slow down the Chinese and their cyberspying campaigns.
Here’s my initial take on the agreement, along with some analysis.
The first, obvious question is “Why should China stop what they have always emphatically denied doing?” Moving beyond this, though, the agreement limits the activities to “intent of providing competitive advantages to companies or commercial sectors”. This doesn’t prohibit China from conducting cyber-espionage operations to benefit their military and people. This could include, but not be limited to:
I don’t expect to see a noticeable slowdown of Chinese state-sponsored cyber-espionage. Why would they just close up shop and stop their operations? They’ve developed a highly sophisticated methodology and organization to support their missions. You may even see more of a focus on Asian and European companies.
One thing the agreement doesn’t mention is the cybersecurity pledge that China wants foreign businesses to sign. Are they still going to pursue this? Time will tell.
One potential scenario, if China does choose to slow its espionage operations, would be for it to use “proxy” groups, the same way that Iran and Russia operate. It is easy to hide behind the “Great Firewall”. Attribution is difficult with state-sponsored attacks because of the lack of physical evidence connecting the person to the “virtual”. China can always find a patsy within the country, arrest them and claim “mission accomplished” if they’re caught by the US on a spying operation.
Another important point to note about this agreement is that even if both sides abided by it, it would never have stopped the OPM breach or their campaigns against health care providers or the defense industrial base.
Actions speak louder than words. Time will tell if the words spoken in the West Wing are backed up by actions on the front lines of the silent cyber battlefield.