The limited but still significant accord reached between the U.S. and China on economic cybertheft is a welcome step toward curbing crimes that exact a high economic and diplomatic cost. While there are still significant enforcement questions, as well as concerns that the agreement does not address cyberespionage, it is nonetheless an encouraging outcome of direct diplomacy between the Obama administration and the Chinese government led by President Xi Jinping.

The two economic superpowers reached a “common understanding” that neither side would use government cyber capabilities to steal intellectual property, President Obama said during a news conference coinciding with Xi’s state visit last week. Together, he added, they would try to set “international rules of the road for appropriate conduct in cyberspace.”

That will be easier said than done, despite advancements in tracing the source of hacking. Last year’s hack of Sony, for example, was relatively quickly attributed to North Korea. But even if a breach is detected, it may not be directly traceable to a government or military, and could instead be the work of shadowy quasi-governmental groups, criminal networks, organized terrorist groups or even rogue individuals.

Seemingly recognizing the challenges of enforcement and verification, Obama said that “the question now is, ‘Are words followed by actions?’ ” For the United States’ part, Obama reportedly told Xi directly that tools such as sanctions and criminal indictments remain an option in order to enforce the agreement.

Other promising, albeit tepid, steps are a mutual acceptance of a United Nations accord that the White House describes as addressing “norms of behavior and other crucial issues for international security in cyberspace,” as well as establishing a hot line to contend with issues during investigations.

But the agreement is limited. “The United States and China agree that neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies and commercial sectors,” according to a White House fact sheet distributed during Xi’s visit. And, indeed, protecting U.S. business interests from cybercrime is imperative, especially given economic globalization and the importance of the tech sector to America.

Left unanswered are issues like the hack of the Office of Personnel Management, in which up to 22 million Americans had their security compromised. Chinese complicity is widely suspected.

The U.S. cannot allow its security to continue to be compromised by these insidious threats. The agreement between Obama and Xi is a promising beginning, but the president, and his successors, need to be vigilant with verification and punitive measures should Chinese cheating be detected.