The United States and China reached a landmark cybersecurity agreement in September 2015, with both nations committing to refrain from conducting or supporting cyber-enabled theft of intellectual property for commercial advantage. The accord, announced during Chinese President Xi Jinping's state visit to Washington after several weeks of negotiations, represented the first bilateral attempt to establish norms governing state-sponsored commercial espionage in cyberspace. Notably, the agreement did not address traditional government-to-government espionage activities such as the massive Office of Personnel Management hack that affected 22 million federal employees.
The agreement emerged after years of escalating tensions over Chinese state-backed cyber operations targeting American companies and government agencies. In May 2014, the U.S. Justice Department had indicted five officers from China's People's Liberation Army Unit 61398—Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu, and Gu Chunhui—for conducting cyber espionage operations from 2006 to 2014. The 31 criminal counts included economic espionage charges for hacking into six major American corporations including Westinghouse Electric, SolarWorld, U.S. Steel, and Alcoa to steal trade secrets and proprietary information. The charges marked the first time the United States had criminally prosecuted foreign military officials for cyber espionage.
Under the bilateral commitment, both governments agreed they would not conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, for commercial advantage. The deal established a ministerial-level compliance process and created mechanisms for cooperation on cybercrime investigations, including twice-yearly cybersecurity dialogues involving the Secretary of Homeland Security and China's Ministry of Public Security. President Obama retained significant enforcement leverage, threatening to use "whatever tools we have in our tool kit" against cybercriminals and maintaining the option to impose sanctions under Executive Order 13694.
The bilateral agreement's significance expanded beyond U.S.-China relations when it was adopted by all G20 members at the November 2015 Antalya Summit. Leaders affirmed "that no country should conduct or support cyber-enabled theft of intellectual property with the intent of providing competitive advantages to companies or commercial sectors," establishing a broader international norm for cyber conduct.
Initial data suggested the agreement achieved measurable results. Cybersecurity firm FireEye reported a significant decline in observed Chinese cyber espionage activity against U.S. commercial targets in the months following the accord. By August 2016, a cybersecurity hotline between the Department of Homeland Security and China's Ministry of Public Security had become operational, and two rounds of formal cyber talks had been conducted. Some analysts attributed the reduction in Chinese cyber activities to both external U.S. pressure and President Xi's internal anti-corruption campaign.
However, the agreement's limitations became apparent over time. The accord lacked provisions requiring China to hold its companies accountable domestically for cyber theft, and its narrow scope exempted traditional intelligence collection activities. Security analysts noted that Chinese operations appeared to shift toward intelligence collection on U.S. government agencies and defense contractors rather than ending entirely.
The agreement's durability faced significant tests as bilateral relations deteriorated in subsequent years. By 2018, a formal Section 301 trade investigation update declared that China had violated the 2015 commitment. The report cited NSA official Robert Joyce stating the U.S. had seen "a resurgence of hacking and intellectual property theft attempts by people based in China," specifically pointing to continued APT10 activities and "rising incidence of Chinese cyber-enabled theft" against American companies.
The 2015 cyber agreement established important precedent for international norms governing state behavior in cyberspace, successfully expanding from a bilateral accord to a multilateral G20 commitment. However, its mixed implementation record—showing initial compliance followed by apparent violations—illustrated the challenges of enforcing cyber norms and would inform future U.S. approaches to addressing state-sponsored cyber threats through diplomatic channels.