While progress has been made, “the jury is still out. We’re looking very carefully, we’re continuing to watch this,” Painter said in Washington on Wednesday. “We haven’t taken any of the tools we have off the table, but we’re very serious in making sure that this commitment is upheld.”

Before Xi and Obama reached their accord on corporate hacking last year, the U.S. said it was considering economic sanctions on Chinese individuals and companies in response to a string of cyber attacks against American businesses and government agencies. In 2014, the U.S. indicted five Chinese military officials on charges that they stole trade secrets from companies including Westinghouse Electric Co. and United States Steel Corp.

After meeting with Xi, Obama pointedly said he hadn’t ruled out resorting to sanctions if their agreement was violated. China has denied being involved in hacking and has said it’s a victim of cyber espionage.

‘Absolute Sovereignty’

Ahead of an annual gathering of U.S. and Chinese officials in Beijing, the U.S. is trying to “mainstream” cybersecurity as a foreign policy issue and seeking to create standards of acceptable behavior, Painter said. He’ll join Secretary of State John Kerry at the meeting on June 5 to 7 where cyber issues will be just part of the agenda.

“China promotes absolute sovereignty in cyber space; they want to draw borders around their cyber space,” Painter said. “We think sovereignty has a role, but absolute sovereignty doesn’t have a role. There are internationally recognized human rights that transcend national borders.”

Cyber Diplomacy

Painter, a 58-year-old former prosecutor who worked on cyber policy on the National Security Council, said his “cyber diplomacy” also extends to Russia, whose state-linked and organized crime groups are often blamed for hacking attacks.

“We have very different views of the world with the Russians, in terms of how they look at cyber space and the fact they want more state control,” Painter said. “We are looking for ways that we can avoid the inadvertent escalation and keep conflict from happening, so there’s some common ground there.”

By contrast, there’s no “cyber dialogue” with Iran, Painter said. He wouldn’t discuss specific cases but said the U.S. puts “countries on notice of conduct that we think is unacceptable.”

The U.S. faces a range of online threats, from nation-states to “lone gunman hackers” as well as terrorists, he said.

“Terrorists have used the internet to recruit and to spread their messages,” he said. “They haven’t attacked infrastructure yet – but we’re worried about that.”

The U.S. also continues to worry about the economic effects of trade-secret theft, Painter said. In the private sector, technology and financial businesses have more robust cybersecurity, while others, such as manufacturers, are playing catch-up, he said.

“Companies are beginning to see this is a big challenge for them, because it’s the bottom line. If their trade secrets are leaving the door, that’s their future,” he said. “Some of the other sectors who haven’t dealt with this day-in and day-out are still trying to find good policies.”