This may not mean the agreement is worthless, according to Alperovitch, who said at the time of his company’s October report that it would likely take time for the agreement to have an effect. “The fact that there is some time delay between agreement and execution is not entirely unexpected,” he said, adding that, “I continue to have hope that meaningful progress can be made to turn the corner and establish norms of behavior for nation-states in cyberspace.”
He noted this past week in an interview that, “the fact sheet that was made public by the White House didn’t specify the timeframe for execution.”
Harvey agreed, noting that just because a breach is discovered after the agreement does not mean that is when it happened.
“The Chinese could have stopped, and firms like ours and CrowdStrike are still responding to the historical breaches pre-agreement,” he said.
Munroe said a delay should be expected, for two reasons: First, China is an enormous bureaucracy, and any major change takes time. Second, “there are significant political differences between the Chinese ruling party and the Chinese military leadership.
“Taking that into account, it is likely to be a four- to six-month process, if it actually occurs,” he said.
But Neal Dennis, cyber threat analyst at Arbor Networks, pointed out that China has never admitted to conducting economic espionage, and therefore, “the concept of a timeline between agreement and execution is moot. There is no timeline from China's perspective, because establishing one would be tantamount to admitting that the government did in fact support corporate espionage efforts.
“Until recently, China never even openly acknowledged they had a cyberwarfare," he said.
Harvey said he thought China should be able to demonstrate progress in curbing economic espionage within 60 days, “especially since President Xi was the former No. 2 commander of the military.”
He said another six weeks beyond that should be more than enough. “If I were working in the U.S. government, I would demand and expect full cooperation and adherence to the agreement by Jan 1,” he said.
But the U.S. may not have many options beyond “demanding and expecting” if the Chinese don’t abide by the agreement. The U.S. has threatened economic sanctions for years, but has never imposed them.
And Harvey does not expect any in the future. “They will not be imposed and they won’t work,” he said, pointing to a blog post he wrote prior to Xi’s visit to the U.S. in September, noting that the U.S. economy is heavily dependent on China – the U.S. imported $466 billion worth of goods from China in 2014.
Munroe agreed. “Outside the European Union, China and the U.S. are the world’s largest trading partners,” he said, adding that it is in China’s strategic interests to steal R&D data from U.S. businesses, “to increase their competitiveness and lower their costs.”
Sign up for CIO Asia eNewsletters.