As recently as last week, senior administration officials were in Beijing trying to flesh out the agreement between the two presidents. Participants say that among the points of discussion was how to set up a hotline through which the two countries can alert each other to malicious software they have detected in global networks, with the expectation that Chinese and American investigators would work to find its source.

Establishing such norms of behavior is far more likely to be effective than attempting to negotiate a treaty, according to outside experts who have been trying to devise the cyberequivalent of arms-control agreements.

“Treaties are not verifiable in the cyberarena,” said Joseph Nye, a Harvard professor known for his studies of how nations use “soft power,” who in recent years has turned to the problem of regulating activity in cyberspace. “The same code can be benign or a weapon depending on the user’s intent,” he said. For example, a six-digit code that unlocks a cellphone is a protection for the user — and a potential weapon for a hacker.

“So instead of focusing on the weapons, you have to focus on targets,” Mr. Nye said. “You start by saying that you don’t target something that has a clearly civilian use, like a power grid.”

Mr. Nye and Michael Chertoff, the secretary of Homeland Security during the Bush administration, who now runs a private firm that is deeply involved in cybersecurity, were among the lead authors of a report to be published on Tuesday by the Global Commission on Internet Governance that will describe those norms to the United Nations and other groups.

Just how fundamentally the Chinese are changing is a matter of debate. There is some evidence, American intelligence officials say, that while the People’s Liberation Army is not stealing as much on behalf of Chinese state-owned firms, much of the hacking activity has been shifted to the intelligence agencies, which can make the case that they are stealing national security secrets, not commercial information. Often, the difference is blurry, especially when the target is, say, the design of a satellite or a ship.

Even after Mr. Obama and Mr. Xi announced their agreement last fall, American officials have said they have discovered malware in power grids, cellphone networks and other purely civilian targets. But it is unclear whether that malicious software is intended to collect information about users, shut the system down or both.