I appeared on the talk show 'The Fresh Outlook' this weekend to discuss cybersecurity issues and China. Here is a link to the video. I argued for a more nuanced, less panicky approach when dealing with China on this sensitive subject.
Here are some more thoughts:
The most recent revelations of the activities of the Chinese Army Unit 61398 through the computer firm Mandiant has given the impression that the United States is entering a new phase of cyber conflict with the People's Republic of China. In reality, however, while the recent study is impressive in its scope and detail, it did not reveal anything new to experts in the field. These sort of attacks have happened consistently over the last few year, will continue to do so and the Chinese are not alone. Every nation is engaged in some form of cyber espionage. China, however, "is the most aggressive", according to James A. Lewis. The real issue is how to avoid that these sort of attacks lead to escalating tensions between the two great powers on a strategic level.
Most Western countries (including the United States) have fewer incentives to engage in cyber espionage on the scale of the People's Republic of China. One of the reasons for that is that the United States and its allies are still home to the most innovative and technological advanced companies in the world. Another reason is that the United States Armed Forces clearly in possession of the most advanced military technologies and its military does not need to seek an asymmetrical advantage over its adversaries given its conventional strengths. The West has thus fewer incentives to launch massive scale cyber espionage operations, aimed at stealing technological secrets from Chinese companies.
According to customary international law, espionage is not prohibited. There is little that both sides can/are willing to do in the short term. The primary fear in the United States, however, is that these cyber espionage activities are just a first step in an ever escalating Chinese threat emerging from cyberspace: "Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems,"as President Obama stated during his state of the union address in February 2012. "Enemies" in this context must clearly be understood to be the Chinese. Acts of sabotage on these scales from China, however, will only happen in the unlikely course of a Chinese attempt to forcefully reunite with Taiwan and the United States honoring its treaty obligations.
Despite the unlikelihood of a full scale cyber war between the two countries, it does not reduce the need for confidence building measures given the inherent strategic instability of cyberspace, where tensions such as the revelation of Army Unit 61398 could quickly escalate and go viral with real economic and political consequences.
It is hard if not impossible to establish strategic stability in cyberspace that could dissuade malicious actors from exploiting vulnerabilities in the critical information infrastructures of countries. According to a study done by the Cyber Conflict Studies Association: "The current strategic cyber environment is marked by an inability to establish credible deterrence and effectively prevent the emergence of adversaries and conflicts in cyberspace detrimental to U.S. interests."
This assessment is based on various factors such as the inherent vulnerable structure of networks and the Internet, a low barrier of entry for actors (cyber weapons are cheap and attackers do not have to be very skilled for most forms attack), and the anonymity of attackers.
For example, non-state actors (cyber terrorists, criminal networks, political activists) could use the political tensions between China and the United States for their own advantage, by launching massive attacks themselves aimed at specific targets for either financial or political gains, while security experts and policy makers are overwhelmed with fighting off state-sponsored attacks.
The only way to start to reduce tensions is to consciously lay out the joint vulnerability of both the United States and China to cyber attacks. One way how to begin to build trust is for the United States and China to agree on a joint public study on the interdependence of their respective critical information infrastructures. A special focus should be the likely economic effects of non-state actors' attacks with strategic impacts. My colleague Dr. Greg Austin and I recommended such a study in our most recent report "Cyber Détente Between the United States and China". As we state:
"This could be done under the framework of the United States- China Strategic and Economic Dialogue. This may not be welcome by some private operators. Yet the need for such a study exists on a political level. It is a consequence of the strategic impact of private ownership of critical infrastructure. As much as such a study might intrude on narrowly defined private sector interests, leading ICT businesses need a deeper understanding of the military implications of the intermingled, even tangled, character of U.S. and Chinese operations in cyberspace."
The need for such a public study is every increasing and should include a wide range of actors from the private and public sector, academia, the military and intelligence communities. While the direct political impact of such an unclassified study may be low, it would nevertheless illustrate to people in the media, politicians, and civil society as a whole the pervasive connectivity as well as joint vulnerabilities of both China and the United States.
A version of this article has appeared on China-US Focus.