As multiple media outlets share their experience of having suffered cyber-attacks and computer security firms publish reports highlighting China’s People’s Liberation Army backing for hacking activities in the United States, the issue threatens to strain U.S.-China relations, even as both powers are already at odds over other security issues such as the rising territorial disputes in the Asia-Pacific region.
Cyber-attacks have time and again caused a flurry of headlines (e.g. “Titan Rain” attack aimed at U.S. Pentagon and House of Commons in 2006, denial of service attack on Estonian Governmental websites in 2007, Google hacking in 2009, Stuxnet aimed at Iranian nuclear facilities in 2010). This time around, the debate was intensified and prolonged by a couple leading factors: increased intensity of the phenomena; wider range of targets and aims; release of data pointing to a hacker’s identity; and the different reactions by governments involved.
Cyber-related terms are widely used without a common definition: cyber-attack, cyber-security, cyber-threat, cyber-war, cyber-warfare, cyberspace, cyber-crime, cyber espionage, cyber sabotage, cyber activity, cyber intrusions etc. This is partly due to the lack of an internationally accepted definition of what most of these terms refer to.
Cyber-threats, however, can be divided into three main categories—based on the actor’s motivation—which include cyber-attacks, cyber-crimes and cyber-warfare. Cyber crimes can be viewed as a digital version of traditional criminal offenses and involve only non-state actors. Cyber-attacks may be carried out by state or non-state actors, must aim to undermine the function of a computer network, and must have a political or national security purpose.. Cyber-warfare always meets the conditions of being a cyber-attack. But not all cyber-attacks are cyber-warfare; only cyber-attacks with effects equivalent to those of a conventional “armed attack”, or occurring within the context of armed conflict, rise to the level of cyber-warfare.
In March 2012, the FBI noted three primary categories of cyber threat actors: organized crime groups, terrorist groups and state sponsors. While the first and second are mostly interested in profit and ideology, respectively, the motivation of state sponsored cyber threat actors is more difficult to categorize and determine.
This paper will focus on state sponsored cyber threats, more specifically on the U.S. and Chinese cyber-security policies and how both governments are responding to the allegation by media outlets and security firms that Chinese hacking groups are increasingly targeting American corporations.
A common mistake is to assume that the West is pointing its finger only at China. This is far from true, as many other nations take part in cyber-espionage—including the United States itself, Russia Iran and Israel. China, however, is assessed by many security firms and U.S. intelligence agencies to be the country most commonly engaged in this practice. In an October 2011 report to Congress, the Office of the National Counterintelligence Executive described Chinese actors as “the world’s most active and persistent perpetrators of economic espionage”. Chinese activity in cyberspace—on the rise since 2004—has spiked over the last two years. On January 31, 2013, U.S. Secretary of State Hillary Clinton said that there has been an increase in hacking attacks on both state institutions and private companies, echoing a U.S. congressional report published last year that called China “the most threatening actor in cyberspace”.
In an October 2012 speech, U.S. Defense Secretary Leon Panetta said China was “rapidly growing” its cyber capabilities. He stated that “in my visit to Beijing, I underscored the need to increase communication and transparency with each other so that we could avoid a misunderstanding or miscalculation in cyberspace”.
Lack of understanding of the other’s security needs and clouded perception of one another is at the heart of the current miscalculations and tensions between both powers. As stated in an August 2012 Congress Research Paper, “U.S. officials sometimes complain that even at the height of the Cold War, the United States and the Soviet Union had closer consultation on strategic issues than the U.S. and China do now.”
The way in which governments will decide to define cyber-attacks and warfare and respond to it in the upcoming years will have global consequences and far-reaching implications in shaping how international relations will be led by future generations.
The New York Times’ (NYT) article entitled, “Hackers in China Attacked the Times for Last 4 Months” and published on January 30, 2013, sparked the debate on cyber-attacks and who lies behind them. In the following week, several other news and social media outlets, such as The Wall Street Journal, Bloomberg, The Washington Post, Facebook, and Twitter all revealed that their respective websites had been targeted by coordinated hacking efforts. Some of them alleged the hacking originated from China.
On February 19, 2013, an American computer security firm named Mandiant made public a document describing an explicit link between Chinese hackers and the People’s Liberation Army. It determined that one of China’s twenty or so hacking groups is located in a building in Shanghai belonging to the PLA’s General Staff’s Department (also known as Unit 61398). Even though China has refuted the claim, the People’s Liberation Army Daily had announced in July 2010 the creation of the PLA’s Information Security Base, co-located with the PLA’s General Staff Department and aimed at improving Chinese cyber security and strengthen cyber infrastructure. Could the two entities be related?
It remains true that cyber-attacks have a transnational and anonymous nature which makes identifying the perpetrator more difficult and more time consuming. It is not an impossible task, as shown by Joe Stewart, a Dell SecureWork researcher, who unmasked a Chinese hacker’s identity recently—that of Zhang Changhe, who works at the PLA’s “information Engineering University” in Zhengzhou, Henan—and said that when he reversed-engineered a tool used by hackers to mask their true location, he found that the vast majority of data stolen from American corporations had been transferred to the same range of I.P addresses that Mandiant later identified in Shanghai.
What most worries American corporation and government officials in the latest set of attacks believed to be coming from Unit 61398 are their new capabilities and aim. The recent cyber-attacks were not just intended to steal corporate secrets, but also to obtain the ability to manipulate American critical infrastructure, including—as President Obama mentioned in his State of the Union address—power grids, financial institutions, and air traffic control systems.
Faced with increased cyber-threats to their trade secrets, some corporations and security firms are advocating a more offensive approach, which has opened the door to a debate on the use of pre-emptive cyber-operations by private companies. The absence of public debate over the pros and cons of using cyber-weapons stands in sharp contrast to the discussion over nuclear weapons. Some, however, have voiced their concern that a more offensive approach might incite other countries around the world to feel entitled to carry out cyber-attacks and use malware preemptively against their enemies, leading to a risk of escalation and militarization of cyber space.
American and Chinese perception of Cyber-warfare
The U.S. government does not appear to have one official definition of cyber warfare, nor does it have one unique federal agency in charge of establishing and implementing the U.S. approach towards cyber-related threats. Different agencies, however, have broader strategies that include cyber-threat-related components—of which each agency has its own definition. The U.S. Department of Defense defines cyber warfare as the use of cyberspace (operating within or through it) to attack personnel facilities, or equipment with the intent of degrading, neutralizing or destroying enemy combat capability, while protecting our own.
China has a more broad-based and elaborated strategy related to cyber-defense. In a U.S. Army War College paper entitled China’s Cyber Power and America’s National Security, Colonel Jayson M. Spade point out that China defines cyber warfare as a “use of network technology and methods to struggle for an information advantage in the fields of politics, economics, military affairs, and technology”, including a “series of actions like network surveillance, network attack, network defense, and network support” with the goal of establishing network control.
Colonel Spade also stressed that from China’s perspective, the U.S. is both the standard for military technological achievements and China’s principal adversary for regional dominance. China and U.S. share a sense of national exceptionalism and uniqueness among nations which makes it more difficult for both powers to understand and trust each other.
Chinese vision and policy towards cyber-attacks
Even as China’s potential role in cyber-attacks has come under increasing scrutiny, the Chinese government has repeatedly denied any responsibility in initiating attacks. After Mandiant’s report was published, the Chinese Foreign Ministry spokesman Hong Lei denied the accusations, saying that China was a frequent victim of cyber-attacks itself and that the U.S. had been the top source of such attacks. He further underlined that “we can only say they originated in the U.S.”, which he said was “entirely different from media reports that the Chinese government or the Chinese military are responsible.” China’s Ministry of National Defense equally disputed the allegations, stating that “the Chinese military has never supported any kind of hacker activities, so saying that the Chinese military is involved in Internet attacks is neither professional nor consistent with the facts.” The Defense Ministry further stressed that “it is unprofessional and groundless to accuse the Chinese of launching cyber-attacks without any conclusive evidence.” After the NYT published its article a few weeks earlier, The People’s Daily accused the United States of fanning “fear of China” out of self-interest, saying that “America keeps labeling China as hackers, simply playing up the rhetoric of the ‘China threat’ in cyberspace, providing new justification for America’s strategy of containing China.”
The Chinese assessment of threats and challenges to its own security—according to its Information Office of the State Council’s document China’s National Defense in 2008—is connected to its perception of the U.S., which it perceives as strategically trying to contain it from without. Out of the four provisions of China’s defense strategic framework—geared toward transforming their military and defense system—an entire one is dedicated to modernizing the national defense and armed forces through “informationization,” which includes a networked military and development of cyber capabilities.
The development of China’s cyber capabilities goes back to the late 1990s. After having seen how a networked military was a critical American advantage in boosting its military performance in the Gulf War and other operations thereafter, China took strategic clues from America’s recent military experience—especially related to informatization of the military and development of asymmetric capabilities. The book Unrestricted Warfare—written in 1999 by two PLA officers—examines ways for a nation to deter, intimidate, or defeat a militarily and technologically superior opponent by using a variety of asymmetric attacks on all elements of national power—economic, political, information, and military—instead of focusing on direct military confrontation. It has since then developed a modern and informatized force capable of fighting in and through cyberspace. Information warfare and dominance—aimed at establishing control of an adversary’s information flow, while denying or degrading the enemy’s ability to transmit, receive, access or use information—is central in China’s national defense strategy.
The China’s National Defense in 2008 document further “calls for the building of a lean and effective deterrent force and the flexible use of different means of deterrence”. The aim of deterrence is to discourage an opponent from starting or continuing a conflict by convincing him that he has more to lose by fighting than by standing down. Colonel Spade points out that if cyber power is the ability of a nation-state to establish control and exert influence within and through cyberspace, then China has demonstrated that it is a strong cyber power. In this sense, China’s recent cyber assertiveness, coupled with the numerous articles on information and cyber warfare written by the PLA since 1996, could be interpreted as the Chinese authorities’ way of demonstrating its capabilities and deter America or any other nation from getting involved in its fundamental interests.
U.S. Vision and policy towards cyber-attacks
In 2012, James Clapper, Director of National Intelligence, outlined cyber threats as one of the top threats to U.S. national security—alongside terrorism and nuclear proliferation—and cyberspace was recognized as the fifth domain of warfare by the U.S. Department of Defense in late 2010 (the other four domains being land, sea, air, and space).
The United States, however, still does not have an official cyber-strategy: America’s cyber infrastructure is largely unregulated and unmonitored. At least eight federal departments have responsibilities for securing parts of American cyberspace. With cyberspace having become so vital in all sectors of U.S. military and society—government, commerce, academia, and private life—the U.S.’s current security posture and lack of a global strategy on cyber-security seems unsustainable.
Until the issue was forced into the public sphere by the publication of Mandiant’s report and the wide media coverage, the U.S. Government had mostly raised its concerns to China in private, but it seems like its patience with China is wearing thin. The U.S. has indicated it plans on telling China’s new leaders that the volume and sophistication of the attacks are threatening the fundamental relationship between Washington and Beijing.
On February 12, President Obama signed an executive order addressing the issue of the cyber security of critical infrastructure. The U.S. Government perceives the increased cases of attacks on its critical infrastructure (described as “assets and systems, whether physical or virtual, so vital to the U.S. that the incapacity or destruction of such would have a debilitating impact on security, national economic security, national public health or safety) as a threat to its national and economic security. The executive order aims at increasing information sharing—including information on the unique digital signatures of large hacking groups, such as those emanating from near where Unit 61398 is based in China—between the government and private companies that oversee the country’s critical infrastructure, as well as with American Internet providers.
To date, there is no comprehensive international framework that governs cyber-attacks or other cyber-related threats. That is mainly due to the fact that the international community has so far failed to reach a general consensus on a common definition of a cyber-attack due to diverging security perceptions.
There are, however, several existing legal frameworks that explicitly or implicitly regulate certain aspects of cyber-attacks and provide some tools to control this growing threat. These frameworks include customary international law of countermeasures, as well as international or regional forums such as the United Nations, the North Atlantic Treaty Organization (NATO), the Shanghai Cooperation Organization and the Council of Europe. Some of these institutions have established their own definition of a cyber-attack or have specific mechanisms geared towards managing cyber defense, such as NATO’s Cyber Defense Management Authority and Cooperative Cyber Defense Centre of Excellence. Domestic law can also provide tools for combating cyber-attacks.
The way forward
The only way to mitigate the rising cyber threats is two-fold: simultaneous bilateral dialogue and cooperation between China and the U.S., and adoption of internationally accepted norms of behavior in cyberspace.
In the same way the U.S. and the Soviet Union worked out guidelines to mitigate the nuclear threat during the Cold War, China and the U.S. have to establish a code of conduct for cyberspace. This can only be done if each side clarifies how it defines a cyber-attack, how far it will tolerate network intrusions, and how it might react if that line is crossed. The danger of the U.S.’s current lack of formal cyber-strategy is that its position and intents are ambiguous, which further increases the potential for miscalculation and mistrust.
A first step in clarifying their position would be for the U.S. to establish its own strategy and doctrine on cyber-security. Having a unique federal agency—such as an Office of National Cyber security—charged with overseeing and directing all agencies involved in cyber defense would further offer a point of contact for foreign actors while making sure that different agencies’ missions do not overlap.
The U.S. should take cues from China’s already existing capabilities to develop its own minimum standard for establishing an integrated cyber policy.
Another way to bring about a constructive dialogue on this crucial issue would be to review the 100 or so already existing dialogue mechanisms between the U.S. and China. Even though the Chinese and U.S. government have drastically increased cooperation, communication and dialogue on economic issues, such equivalent on security and strategic issues lag far behind. A Strategic Security Dialogue was implemented in 2011, but it remains a sub-section of the Strategic and Economic Dialogue (S&ED). Even though it is the highest-profile regular dialogue between both Administrations, it meets only once a year. This Strategic Security Dialogue, which is the only formal U.S.-China dialogue that brings together military and foreign policy leaders in the same room, should be made into an independent mechanism and have a fixed minimum number of annual meetings exclusively aimed at addressing critical strategic issues such as cyber-warfare, or the overall U.S. and Chinese security postures in Asia, since no such forum currently exists.
At the same time, both powers should push for the adoption of an international framework that defines the term cyber-attack and cyber-warfare and paves the way for more international cooperation on dealing with this transnational threat. Both sides should look at Europe as a leading partner in shaping a global vision of cyber-threats. Indeed, the Council of Europe is the first organization to have promulgated an international treaty on crimes committed using the Internet and other computer networks (2001 Convention on Cybercrime), which is to date signed by 47 countries, including the U.S. A global consensus, however, seems to depend on China and the U.S. finding common ground between themselves first.
Recommended articles on the issue:
Administration Strategy on Mitigating the Theft of U.S. Trade Secrets, Executive Office of the President of the United States, February 2013
China’s National Defense in 2008, Information Office of the State Council of the People’s Republic of China, January 2009, Beijing
China’s National Defense in 2010, Information Office of the State Council of the People’s Republic of China, March 2011, Beijing
Executive Order—Improving Critical Infrastructure Cyber Security, The White House, Office of the Press Secretary, February 2013
Colonel Jayson M. Spade, China’s Cyber Power and America’s National Security, U.S. Army War College, May 2012
Kristin M. Finklea and Catherine A. Theohary, Cybercrime: Conceptual Issues for Congress and U.S. Law Enforcement, Congressional Research Service, January 2013
Oona A. Hathaway, Rebecca Crootof, Philip Levitz, Haley Nix, Aileen Nowlan, William Perdue & Julia Spiegel, The Law of Cyber-Attack, California Law Review, published August 2012 (written May 2011)
Susan V. Lawrence and David MacDonald, U.S.-China Relations: Policy Issues, Congressional Research Service, August 2012
Written by Camille McConaughey. Camilleis an intern with the China Program at The Carter Center. She is a recent graduate in International Relations at the French Oriental Language and Civilization Institute in Paris.
Photo: From Foreign Policy