The president of the global police organization Interpol delivered a speech this week calling for international cooperation and multi-stakeholder partnerships to fight cybercrime.
Nothing surprising came from the comments, other than the wrinkle that Interpol President Meng Hongwei also serves as the deputy head of Beijing’s main domestic police agency, the Ministry of Public Security.
The ministry is widely believed to have played a role in Chinese hacking operations, including the breach of the U.S. Office of Personnel Management.
Now, Meng’s speech is being hailed by some former U.S. officials as a step toward drawing China into universally agreed upon behaviors in cyberspace. And Beijing’s policies are being favorably compared to Russia, where the Kremlin is seen as doubling down on its commitment to weaponizing the attacker’s asymmetric advantage in cyberspace.
“I took great heart when I read [Meng’s] speech, because it looks like the campaign … to enforce the rule of law in the digital space is bearing fruit,” former federal prosecutor David Hickton told CyberScoop.
“It’s too soon to tell” if Meng’s words will actually be reflected in China’s behavior, according to James Lewis, senior vice president of the Center for Strategic and International Studies.
In his speech, Meng appeared to endorse not just a multinational approach, but the multistakeholder structure of the internet favored by the U.S and its allies.
“As the stakeholders who are accountable to the international security, we are playing indispensable roles [in the fight against cybercrime] in our own professions as government officials, law enforcement officers, scholars, private sector operators and cyber service providers,” Meng told the Interpol World Congress in Singapore. “No single country or profession can rely solely upon its own capability to address the problem.”
“Collaboration should not be limited to law enforcement agencies,” he added, “Contributions from leaders and experts in different professions are equally crucial.”
As U.S attorney for the Western District of Pennsylvania, Hickton indicted five professional hackers from the Chinese People’s Liberation Army Unit 61398 for online theft of intellectual property from U.S companies — a landmark case that shifted the terrain under Beijing’s state-sponsored hackers. For more than a decade, they ran amok in the U.S. defense and aerospace industries — hacking anyone they pleased and providing a generational “leg-up” to the Chinese economy.
The PLA indictment, derided by some critics as an exercise in “naming and shaming,” turned out to be a tipping point — the first time the U.S. put the force of law behind the attribution of nation-state cyber activity. The following year, then-President Barack Obama and his Chinese counterpart, Xi Jinping, signed a deal to end commercial cyber espionage.
China subsequently agreed to — as part of the G20 — the cyber norms promoted by the U.S. State Department. The prevailing view amongst private-sector observers, Hickton noted, is that Beijing has since reigned in its more blatantly commercial cyber-spying activities.
That action may be due the country acting in its own best interests.
“China is the number two economy in the world,” said Hickton, now director of the Pittsburgh University Institute for Cyber Law, Policy, and Security. “They want to be number one … Then everyone’s going to be hacking them.”
China also has a voracious cyber criminal underground — preying on consumers in the country’s burgeoning middle class.
“The problem they’re having is the same one [plaguing the U.S.],” Hickton said of Chinese authorities. When it comes to fighting cybercrime, “They’re building the plane while they’re flying the plane … Because the technology [hackers can exploit] is developing so fast.”
And China’s commitment to the multistakeholder model might also be a calculated move to counter U.S. soft power, cautions Lewis.
“The Chinese figured out a couple of years ago that one of the sources of what they saw as U.S. power was our leading role in these international technical organizations,” like the International Telecommunications Union and the International Standards Organization.
“They’ve made an effort to reach out,” and claim leadership roles in these standards-setting and rule-making organizations wherever they can, Lewis said. “It’s [China’s] way of announcing they are back on the great power stage,” he said.
According to the Associated Press, Meng’s selection to the largely ceremonial post, paired as it is with Beijing hosting the Interpol General Assembly in September, “set off alarm bells among human rights advocates over abuses and a lack of transparency within China’s legal system.”
His speech Tuesday was his first public remarks since being appointed in November.
“Whatever short term benefit [China] might seek from allowing cybercriminals to run wild,” said Hickton, “it will always be outweighed by the benefits of joining the civilized world and cooperating” on bringing criminals to account.
“The Chinese get that cybersecurity is the path to cyber opportunity … and cyber prosperity,” he added.
In the meantime, it’s not clear how Beijing’s move towards a norms-based approach will work out — either for China or the rest of the world, noted Lewis, adding that it was nonetheless “a good idea to make sure the Chinese commit to playing by the same rules” as everybody else.
China’s embrace — at least in public — of cybersecurity norms since the 2015 Xi-Obama summit is an interesting counterpoint to Russia’s recent trajectory, which seems to be doubling down on its rogue behavior.
“China I see as a potential cyber partner,” said Hickton. “Russia is an adversary.”
The problem for Russia, Hickton observed, is that cybercriminals “represent one of the central elements in their online strategy … they use this little band of contractors to give them some deniability … and then when we arrest them, they cry foul.”