U.S.-China Cyber Relations in the Trump Era

Recent discussions on the rise of Chinese cyber nationalism, the manipulation of personal data, and the hardening of the U.S. foreign investment review system suggest that Sino-U.S. cyber relations are worsening. What areas of common ground could help mitigate escalation and promote collaboration on developing norms?

I’m afraid I don’t think that either country can mitigate the escalation of competition in the cyber domain. The larger forces and trends are toward greater conflict. They are driven primarily by the trade relationship right now. In particular, the Trump administration’s concerns are with the trade deficit, Chinese industrial policy, and what it sees as the slow unraveling of the agreement between Presidents Xi Jinping and Barack Obama. So while the two sides share a common interest in preventing cyberattacks from escalating to actual military conflict and in preventing the proliferation of cyber capabilities to terrorists, and there is still the discussion on cybercrime, these common interests are most likely not strong enough to mitigate the larger forces.

In the wake of the Trump administration’s tariffs, China has sought stronger trade with Europe and consequently downplayed its Made in China 2025 policy. Might China also decide to adopt the EU General Data Protection Regulation privacy laws? Will the European Union require Chinese companies to store customers’ data in Europe.

Chinese leaders are unlikely to adopt the General Data Protection Regulation. China has its own privacy laws, which it will develop and promote—to the extent that it can—as a competitor to the U.S. and European regulations. The digital trade side of the outreach to other countries is probably China’s weakest point. The EU still has a high degree of suspicion about Chinese companies’ access to data and worries that these companies will allow access to the Chinese government. While I think China will continue to try to convince the EU that it is a more open trading partner than the United States, it is unlikely that the country will grant a lot of leeway on the data and privacy side. Given the EU’s concerns about U.S. companies’ technology practices, I can’t see it being all that comfortable with Chinese companies, particularly if they cannot prove that they are adequately protecting EU citizens’ data. Under these conditions, the EU will require that its companies’ data stays in Europe.

President Trump has made significant moves to block Chinese companies from acquiring U.S. technology, citing national security concerns. What are the key challenges in determining what constitutes “sensitive technology,” and which technology industries are “critical to national security”?

It is hard to figure out which technologies are going to be critical to defense, especially as militaries rely on more commercially available technologies. That has been true for at least a decade, if not two decades, and it will become even truer as we move toward a greater reliance on artificial intelligence and other systems that could have widespread military use but also have commercial use. The United States has typically tried to draw that line fairly narrowly, because it is afraid that drawing it too broadly would constrain U.S. innovation and, in some ways, slow the United States down and make it less economically competitive.

The Trump administration’s default seems to be a more expansive vision. U.S. officials floated the idea of restrictions on “industrially significant technology,” which is a very vague term. People are worried that this policy will be too broad. So I don’t think we know yet if the United States can protect critical technologies without damaging scientific competitiveness. People are looking at things like artificial intelligence, robotics, big data analytics, and surveillance technology as technologies that could be dual-use. The U.S. national security community, in particular, is worried about how China will access, develop, and use them. But right now there is no kind of established metric for deciding which technologies potentially pose a threat. Also, you would have to get some agreement among U.S. allies and trade partners about what those technologies are.

Xi’s economic strategy emphasizes the advanced technology sector. Does this technological shift toward artificial intelligence, quantum technology, and machine learning portend a competitive race with the United States, or is the United States still too far ahead for China to realistically catch up?

The United States is still the more innovative economy. It is more likely to produce new products and science-based innovations. But China is clearly competitive with the United States in a whole range of new technologies, especially in artificial intelligence, where the two countries seem to be the leaders. The Trump administration is clearly concerned about how that economic competition will affect U.S. national and economic security. It has, as we discussed before, focused on what it can do to block Beijing’s access to technology. The administration could, however, do more to encourage U.S. innovation at home by increasing federal funding for research and development.

What are the limits on technological independence, even for high-tech countries, and what do those limits mean for Sino-U.S. relations?

Technological independence is an ideal, but it will never be a reality because countries are always adapting and using ideas and technology from other places. Even the United States, which is considered more technically independent than China, still has a large number of Chinese products, goods, people, and ideas in its supply system. There is no way a country can ever achieve complete technological autarky. What that should suggest for U.S.-China cyber relations is the importance of the two sides seeing that they have an interest in maintaining the system and making it as innovative as possible for the benefit of both. But right now the politics is very zero-sum and competitive. And so China and Russia are both trying to disentangle the two systems. This will be very hard to do and will cause a lot of disruption, as has been evident with the ZTE case, where efforts to punish the company for violating sanctions reverberated and affected U.S. companies that supplied ZTE with critical components. Hopefully the two sides will begin to recognize that while they have legitimate security concerns, they also have shared interests in providing transparency, clear guidance for companies, and stable markets driven by the rule of law. However, I’m not all that confident this will happen given the politics right now.

Since the release of your book in 2016, have there been any significant developments in the last two years that have caused you to change your views on U.S.-China cyber relations?

In the book, I was probably overly optimistic about the prospect of shared norms of behavior for states in cyberspace. The progress that had been happening through the group of governmental experts on information security, convened under the auspices of the United Nations, hit a roadblock in 2017 when it failed to release a consensus document. A big part of the failure was the obstruction of Cuba, which argued that the discussions on norms would lead to the “militarization” of cyberspace. Another factor, however, was that the United States could not bridge the gaps with China and Russia on the right to self-defense and international law in cyberspace. Washington has wanted to hash out some of the specifics on how to apply international law to cyberspace; Moscow and Beijing think it would be better to have new treaties. The debate on those norms and approaches has become even more challenging in part because of Russian election interference. Those events have shifted the cyber discussion toward election meddling, which is a different, harder problem to solve. Any solution to the problem involves agreement on what interference looks like (whether it is just hacking or would include supporting a nongovernmental actor or dissident) and on information control (who decides if something is “fake news” or opposition to the ruling regime).

Adam Segal is the Ira A. Lipman Chair in Emerging Technologies and National Security and Director of the Digital and Cyberspace Policy Program at the Council on Foreign Relations. He is the author of the book The Hacked World Order: How Nations Fight, Trade, Maneuver, and Manipulate in the Digital Age (2016) and the essay “Reducing and Managing U.S.-China Conflict in Cyberspace” in the NBR Special Report U.S.-China Relations in Strategic Domains (2016).

This interview was conducted by Alicia Fawcett, a Political and Security Affairs Intern at NBR.