Photo

President Obama with President Xi Jinping of China on Friday at the White House.Credit Doug Mills/The New York Times

WASHINGTON — When the United States and the Soviet Union made their first tentative steps toward limiting nuclear arms more than 50 years ago, distrust was sky high but they could, at least, count each other’s missiles and bombers and warheads.

The road President Obama and President Xi Jinping headed down on Friday to set up what Mr. Obama called an “architecture to govern behavior in cyberspace that is enforceable and clear” is far more difficult — perhaps impossible — according to many experts who have explored the nuclear analogy and found it wanting.

Unlike missiles, cyberweapons are impossible to count. They can be reproduced with a few flicks of the keyboard, and they are easy to hide: It took American investigators more than a year to figure out that the security records of 22 million federal employees and contractors were being stolen by Chinese actors. And unlike the nuclear age, the state has no monopoly on the technology. “Patriotic hackers,” criminal groups, terrorists and even teenagers all have access to the arsenal.

Continue reading the main story

Jane Perlez, The New York Times’s chief diplomatic correspondent, will be following China's president, Xi Jinping, and documenting key moments of his first state visit to the United States.

A Light Lunch With the Vice President

China's President Has a Facebook Page, But No One in China Can See It

A Chat in Chinese with Mark Zuckerberg, as Tech Giants Jostle for Face Time

Not Wanting to Compete With Pope Francis, Xi Jinping Lingers in Seattle

For those reasons, Mr. Obama and his aides say they believe that even the kind of highly specific accord he and Mr. Xi reached on climate change seems hard to imagine. Instead, what the two presidents inched toward on Friday is better described as rules of the road, aimed at first stopping cybercrime — the one area both leaders could agree upon.

In other words, the first agreement does not really address the nightmare scenario: a conflict in which a cyberattack on an American company or the Pentagon results in retaliation — and escalation. It was telling that while the two leaders announced that they would establish a “hotline” for cyberattacks, it would most likely ring in Washington at the Department of Homeland Security or the Justice Department and not at the White House or United States Cyber Command.

Still, there was progress. Never before had China agreed with Mr. Obama’s fundamental premise that the theft of intellectual property for commercial gain was off limits. After weeks of behind-the-scenes negotiations with the Chinese leadership, first in Beijing in late August and then with a delegation of nearly 50 senior Chinese officials who came to Washington quietly two weeks ago, Beijing agreed to wording that read: “Neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.”

“This is significant,” said James Lewis, who runs the cyberprogram at the Center for Strategic and International Studies in Washington. “And it is measurable: We can count the number of commercial espionage cases.”

Mr. Lewis and members of the American intelligence community believe China’s change of heart may have been influenced by the North Korean attack on Sony Corporation — which demonstrated that, in a growing number of cases, the National Security Agency can trace a cyberattack back to specific actors. The same happened to China’s People’s Liberation Army Unit 61398, which was exposed in 2013 as the source of much intellectual property theft. Eventually five officers in the unit — hardly the only one in the Chinese military with a similar mission, were indicted by the Justice Department, leading Beijing to cut off a low-level dialogue with the United States.

Now higher-level conversations are expected. But inside both countries, huge interests are at work worrying about the implications of pursuing the “architecture” Mr. Obama has in mind.

China’s state-owned industries have benefited tremendously from cybertheft, which enabled what Gen. Keith B. Alexander, the former head of the N.S.A., frequently called “the greatest transfer of wealth in human history.” The People’s Liberation Army has no interest in dismantling the powerful cyberunits it has used — not only for theft but also for espionage — around the world.

And while American officials rarely discuss it, even while off the record, the idea of placing too many limits on America’s offensive cyberpower sends a shiver through the Pentagon and its new United States Cyber Command. They believe the American-led attack on Iran’s nuclear infrastructure is critical to forcing it to the bargaining table.

Just like the Cold War generals who thought that overwhelming numbers and high precision were crucial to nuclear deterrence, the architects of America’s new push into cyberweapons say they must be free to get inside networks around the world to see cyberattacks amassing, create “battle maps” to help plan how to operate in time of conflict and conduct attacks if ordered by the president. Both Americans and the Chinese know from disclosures by Edward J. Snowden that China is a major target for American espionage. Yet so far these issues are still off the table. The People’s Liberation Army has declined to get into a military-to-military dialogue with the United States. Some looked at the specifics announced on Friday and found them wanting.

Fred H. Cate of Indiana University, who has engaged in talks with many countries about norms of behavior in cyberspace, said he had expected at least “agreement on some basic principles to help guide future talks. Instead we got agreement with a U.N. document.”

Even that had not been assured a few weeks earlier. When Susan E. Rice, the national security adviser, went to Beijing at the end of August, many of the country’s senior leaders did not know about commitments the Chinese government had already made in the obscure United Nations forum of cybersecurity experts.

So many in the administration still wonder how energetic the Chinese will be in tracking down hackers who, in many cases, may be working for branches of the government or state-owned enterprises. For that reason Mr. Obama warned that he may still “impose sanctions on individuals or entities where we have proof that they’ve gone after U.S. companies or U.S. persons.”

This suggests that the two countries are still in the beginning phase of a confrontation in cyberspace that will stretch into the next presidency and likely many beyond. But Mr. Obama noted during his news conference that “the rules in this area are not well developed.” His goal, he said, was to create “a template whereby countries know what the rules are.”

In cyberspace, the barriers to developing the weapons are far lower than they are in the nuclear arena. Mr. Obama has calculated that his best bet is to start somewhere, even if he is starting small.

Read more http://rss.nytimes.com/c/34625/f/640387/s/4a2d5391/sc/7/l/0L0Snytimes0N0C20A150C0A90C260Cworld0Casia0Climiting0Esecurity0Ebreaches0Emay0Ebe0Eimpossible0Etask0Efor0Eus0Eand0Echina0Bhtml0Dpartner0Frss0Gemc0Frss/story01.htm