By Dan Blumenthal
The Internet is now a battlefield. China is not only militarizing cyberspace -- it is also deploying its cyberwarriors against the United States and other countries to conduct corporate espionage, hack think tanks, and engage in retaliatory harassment of news organizations.
The Internet is now a battlefield. China is not only militarizing cyberspace -- it is also deploying its cyberwarriors against the United States and other countries to conduct corporate espionage, hack think tanks, and engage in retaliatory harassment of news organizations.
These attacks are another dimension of the ongoing strategic
competition between the United States and China -- a competition
playing out in the waters of the East and South China seas, in Iran and
Syria, across the Taiwan Strait, and in outer space. With a number of
recent high-profile attacks in cyberspace traced to the Chinese
government, the cybercompetition seems particularly pressing. It is
time for Washington to develop a clear, concerted strategy to deter
cyberwar, theft of intellectual property, espionage, and digital
harassment. Simply put, the United States must make China pay for
conducting these activities, in addition to defending cybernetworks
and critical infrastructure such as power stations and cell towers. The
U.S. government needs to go on the offensive and enact a set of
diplomatic, security, and legal measures designed to impose serious
costs on China for its flagrant violations of the law and to deter a
conflict in the cybersphere.
Fashioning an adequate response to this challenge requires
understanding that China places clear value on the cyber military
capability. During the wars of the last two decades, China was terrified
by the U.S. military's joint, highly networked capabilities. The
People's Liberation Army (PLA) began paying attention to the role of
command, control, communications, computers, intelligence, surveillance,
and reconnaissance (C4ISR) assets in the conduct of war. But the PLA
also concluded that the seeds of weakness were planted within this new
way of war that allowed the United States to find, fix, and kill targets
quickly and precisely -- an overdependence on information networks.
Consider what might happen in a broader U.S.-China conflict. The PLA
could conduct major efforts to disable critical U.S. military
information systems (it already demonstrates these capabilities for
purposes of deterrence). Even more ominously, PLA cyberwarriors could
turn their attention to strategic attacks on critical infrastructure in
America. This may be a highly risky option, but the PLA may view
cyber-escalation as justified if, for example, the United States struck
military targets on Chinese soil.
China is, of course, using attacks in cyberspace to achieve other
strategic goals as well, from stealing trade secrets to advance its wish
for a more innovative economy to harassing organizations and
individuals who criticize its officials or policies.
Barack Obama's administration has begun to fight back. On Feb. 20, the White House announced
enhanced efforts to fight the theft of American trade secrets through
several initiatives: building a program of cooperative diplomacy with
like-minded nations to press leaders
of "countries of concern," enhancing domestic investigation and
prosecution of theft, promoting intelligence sharing, and improving
current legislation that would enable these initiatives. These largely
defensive measures are important but should be paired with more
initiatives that start to play offense.
Offensive measures may be gaining some steam. The U.S. Justice
Department, in creating the National Security Cyber Specialists' Network
(NSCS) last year, recognizes the need for such an approach. The NSCS
-- consisting of almost 100 prosecutors from U.S. attorneys' offices
working in partnership with cyber-experts from the Justice Department's
National Security Division and the Criminal Division's Computer Crime
and Intellectual Property Section -- is tasked with "exploring investigations and prosecutions as viable options for deterrence and disruption" of cyber attacks, including indictments
of governments or individuals working on the government's behalf. It's a
good first step, but Congress could also consider passing laws
forbidding individuals and entities from doing business in the United
States if there is clear evidence of involvement in cyber attacks.
Congress could also create a cyberattack exception to the
Foreign Sovereign Immunities Act, which currently precludes civil suits
against a foreign government or entity acting on its behalf in the
cyber-realm. There is precedent: In the case of terrorism, Congress
enacted an exception to immunity for states and their agents that
sponsor terrorism, allowing individuals to sue them.
Enterprising companies and intelligence personnel are already able to
trace attacks with an increasing degree of accuracy. For example, the
U.S. security company Mandiant traced
numerous incidents going back several years to the Shanghai-based Unit
61398 of the PLA, which was first identified publicly by the Project
2049 Institute, a Virginia-based think tank.
Scholars Jeremy and Ariel Rabkin have identified
another way to initiate nongovernmental legal action: rekindling the
19th-century legal practice of issuing "letters of marque" -- the act of
commissioning privateers to attack enemy ships on behalf of the state
-- to selectively and cautiously legitimize retaliation by private U.S.
actors against hacking and cyber-espionage. This would allow the U.S.
government to effectively employ its own cybe-rmilitia. Creating new
laws or using current ones would force the Chinese government and the
entities that support its cyber-strategy to consider the reputational
and financial costs of their actions. Of course, if the United States
retaliates by committing similar acts of harassment and hacking, it
risks Chinese legal action. But America has a key advantage in that its
legal system is respected and trusted; China's is not.
Diplomatic action should bolster these efforts. The Obama
administration's suggestions for pressuring China and other countries
are a good start, but U.S. diplomacy must be tougher. In presenting
Chinese leaders with overwhelming evidence of cyber-misdeeds (but
without giving away too many details), Washington should communicate how
it could respond. To control escalation, the administration should
explain what it views as proportionate reprisals to different kinds of
attacks. (For instance, an attack on critical infrastructure that led to
deaths would merit a different response than harassment of the New York Times.)
As the administration's report suggests, the United States is not the
only victim and should engage in cooperative diplomacy. The United
States should set up a center for cyberdefense that would bring together
the best minds from allied countries to develop countermeasures and
conduct offensive activities. One such center could be Taiwan, as its
understanding of Chinese language, culture, business networks, and
political landscape make it invaluable in the fight against
cyberattacks. Of course, centers could be placed elsewhere and still
utilize Taiwan's knowledge, but even the threat of placing a
cyberdefense center just across the strait would be very embarrassing
for China's leaders, as Taiwan is viewed as a renegade province. The
point is not to be gratuitously provocative, but rather to demonstrate
that the United States options that China would not favor.
The U.S. military's cyber-efforts presumably already include it own
probes, penetrations, and demonstrations of capability. While the leaks
claiming the U.S. government's involvement
in the Stuxnet operation -- the computer worm that disabled centrifuges
in the Iranian nuclear program -- may have damaged U.S. national
security, at least China knows that Washington is quite capable of
carrying out strategic cyber attacks. To enhance deterrence, the U.S.
government needs to demonstrate these sorts of capabilities more
regularly, perhaps through cyber-exercises modeled after military
exercises. For example, the U.S. military could set up an allied public
training exercise in which it conducted cybe rattacks against a "Country
X" to disable its military infrastructure such as radars, satellites,
and computer-based command-and-control systems.
To use the tools at America's disposal in the fight for cyber security
will require a high degree of inter-agency coordination, a much-maligned
process. But Washington has made all the levers of power work together
previously. The successful use of unified legal, law enforcement,
financial, intelligence, and military deterrence against the Kim regime
of North Korea during a short period of George W. Bush's administration
met the strategic goals of imposing serious costs on a dangerous
government. China is not North Korea -- it is far more responsible and
less totalitarian. But America must target those acting irresponsibly in
cyberspace. By taking the offensive, the United States can start to
impose, rather than simply incur, costs in this element of strategic
competition with China. Sitting by idly, however, presents a much
greater likelihood that China's dangerous cyber-strategy could spark a
wider conflict.
Source:http://www.aei.org/article/foreign-and-defense-policy/regional/asia/the-great-cyber-smackdown/
Comments