US, China in talks over potential cyberspace arms-control deal

Could cyber attacks one day be governed by treaties like those limiting the use of nuclear, chemical and biological weapons? The US and China are reportedly taking a first step in that direction.

The countries are discussing a mutual promise not to launch a first-strike attack with cyber weapons on the other country’s critical infrastructure, such as power plants, hospitals and banks, The New York Times reported Saturday.

The talks are geared toward producing a deal that would be announced next week during Chinese President Xi Jinping’s state visit to the US, the Times said, citing unnamed officials involved in the negotiations.

Such an announcement might not mention an official rule barring attacks on critical systems, a Times source said. Rather, it could involve a general embrace of a United Nations code of conduct that spells out nonbinding “principles of responsible behavior” regarding the use of cyber weapons like malicious software.

Nonetheless, the UN guidelines single out attacks on critical infrastructure as the “most harmful,” and the negotiations could evolve into the first-ever arms-control deal for cyberspace, the Times said.

The news comes amid increased tension between the US and China over hacking and cyber spying. In June, the FBI said it suspected Chinese hackers of an attack on the US government’s personnel office that compromised the data of millions of current and former federal workers. And in August, officials with the Obama administration told The Washington Post that the US was developing a range of “unprecedented” economic sanctions against China over online espionage.

The deal under discussion wouldn’t prohibit such spying, or the theft of intellectual property, but it would, the Times said, “be a first effort by the world’s two biggest economic powers to prevent the most catastrophic use of cyber weapons.”

It’s not clear, though, how effective a cyber weapons treaty would be, the Times noted. Unlike a missile strike, a cyber attack can be tough to track, making deterrence and retaliation difficult.

“It could create some self-restraint,” a Harvard professor who studies US power told the Times, but “how do you verify it, and what is its value if it can’t be verified?”

The White House did not respond to a request for comment on the Times report.

[CNET]