Cyberspace Cooperation

The Global Cooperation in Cyberspace Initiative seeks to reduce conflict, crime and other disruptions in cyberspace and promote stability, innovation and inclusion.


EastWest Direct: A Chinese View

Richard Zhao is the Chief Strategy Officer for NSFOCUS Information Technology, a Chinese firm that provides network security to a broad range of clients. In a recent conversation in Beijing with EWI’s Andrew Nagorski, Zhao—who has worked in both China and the United States—discussed the differing perceptions of these two countries of key cybersecurity issues.

What is really happening when it comes to cyber developments in China and the United States? Where do we see deepening integration and where do we see deepening suspicion?

Both sides use cyber as an extension of their traditional intelligence services. Maybe the difference between traditional intelligence gathering and intelligence in the cyber age is the level of transparency and the degree of collaboration with intelligence services. For example, China and the U.S. have a hotline and bilateral talks to deal with traditional security issues, but in the cyber age, the corresponding mechanisms have not been established for cyber. Besides, China is not very comfortable with the huge technological advances of the United States. The U.S. has companies like Google, Amazon, Microsoft, Cisco and IBM. They control most of the world’s ICT infrastructure, and they have the capacity to collect enormous amounts of data and general intelligence. Based on this intelligence, the U.S. “understands” China better than China “understands” the U.S.

There have been many reports of alleged Chinese cyber attacks against the U.S. Are you saying that you think China’s actions are motivated by this sense that it is behind in the cyber field?

Yes, they want to do something more to better their position. Technically, I do think the U.S. is in a stronger position.

So you feel that China is more vulnerable than the United States?

I do. Most of the technical reports reflect this point. China is more vulnerable by far than the U.S. The U.S. leads in high-tech areas; they make use of this advantage to do some things that other nations can’t visualize or detect. Increasingly, however, the U.S. is far more transparent than other nations; it has a complete set of laws, which China doesn’t have.

Has there been progress in terms of working out common standards for things like cloud computing to provide more of a sense of assurance to both sides?

There has been some progress. For example, there is the CSA (Cloud Security Alliance), a non-profit organization, founded in 2009. They developed security guidance for the cloud and are unique in the industry for providing guidance for security operations and auditing services for the cloud providers and customers. The ISO (International Organization for Standardization) and ITU (International Telecommunication Union) have started some initiatives to develop some standards for the cloud as well. Some of them are collaborating together with CSA and ENISA (European Network and Information Security Agency).

As for China, I founded the CSA Greater China Chapter, later called the Greater China Regional Coordinating Body. We offer promotions and education awareness programs about security governance for cloud providers, customers, researchers, etc. in China. CSA security governance guidelines are not mandatory. As an aside, CSA is preparing an Open Certification Framework (OCF) for cloud providers based on their security guidance programs. According to my knowledge, the Alibaba Group just passed the OCF. CSA is planning to promote this OCF worldwide.

Can more be done here to promote such joint efforts?

I don’t know for sure, but I do think that if EWI can initiate a dialogue between the U.S. and China on the cloud and cloud computing’s impact on the economy, and try to establish communication on issues concerning legal data and privacy, that would be a big step forward.

One of your colleagues said money motivates 90 percent of hacking. In the U.S., there’s a tendency to think that the attacks from China originate with the government. Do you think that there could be serious attacks originating in China that are not initiated by the government but criminally motivated?

There could be, but the essential point may be that the U.S. and China need to sit together and put the data on the table. The U.S. should share the evidence it has collected on China so China can do some proper investigation. For example, Google reported they were hacked by attackers, in a case now nicknamed Operation Aurora. Given that the finger is pointed at China, why not provide the detailed evidence through some channel so that some proper China agencies can investigate and reach a jointly acceptable conclusion? In general, when you point your finger at all of China, then no single Chinese agency is likely to jump in to take responsibility.

Do you think anything can change this atmosphere of mutual recriminations and suspicion?

The Chinese need to establish a central point of coordination. China doesn’t have a cybersecurity coordinator, a cyber tsar, similar to the special coordinator for the U.S. president. If the U.S. were to detect an APT (Advanced Persistent Threats) attack, this coordinator could work together with many agencies. There needs to be an established mechanism for dealing with these kinds of threats.

 

EastWest Direct is an ongoing series of interviews with experts tied to breaking news stories.

Shaky Cyber Trigger Fingers

Project Syndicate recently featured EWI’s Franz-Stefan Gady’s “Shaky Cyber Trigger Fingers,” where he and co-author Alexander Klimburg argue that increased public awareness of cyber threats may actually be increasing tensions in cyberspace. Their article:

A media storm centered on the “emerging cyber threat” has turbocharged the public debate on cyber security in the United States – and raised the stakes in bilateral relations with China. While wider public awareness of the cyber threat should be welcomed, the increasingly strident discourse may not help alleviate tensions in cyberspace. In the medium term, it might even increase the risk of serious cyber conflict.

A recent report by the US Department of Defense employs the strongest language yet to implicate China’s government and military in cyber espionage, including on computer systems owned by the US government. The report also warns that, for those targeted by such activities, distinguishing between espionage and preparations for serious cyber attacks is virtually impossible. What the report does not mention is that this ambiguity has another important implication: a serious cyber conflict could easily be triggered by accident.

This means that China’s alleged incursions are not the only threat; America’s increasingly forceful position on cyber espionage could inadvertently trigger a cyber war. After all, actions about cyberspace can be misunderstood just as easily as activities in cyberspace.

In this context, the US government should tread lightly. While invoking the specter of cyber attacks may help to mobilize domestic support for security legislation, it may also increase the likelihood of a major cyber conflict. As another recent report from the US Department of Defense suggests, a cyber war could be catastrophic: military aircraft could be grounded, or, in an extreme scenario, parts of America’s nuclear arsenal could be compromised. Civilians would suffer considerably in such a “permanently degraded cyber environment,” which could include the collapse of energy and utility services. The lights might not simply go out; they could remain off for a long time.

While such an apocalyptic scenario is unlikely to occur, it cannot be ruled out, especially given that a cyber conflict, unlike most conventional military conflicts, can be initiated unintentionally, taking even the party responsible by surprise. Such “inadvertent escalation” can stem from a pattern of imprudent operational behavior, for example, or from persistent strategic miscalculation.

Given that national cyber security usually involves at least 5-6 government departments or ministries, along with a vast array of state and non-state actors, most operational tasks are conducted with minimal oversight. In other words, senior government officials do not always know what is occurring at the operational level – or understand how provocative or misleading it may be. While accusations of insufficient oversight over hackers’ activities have been leveled specifically at China, the challenge of tracking potentially disruptive cyber activities extends to all current and future cyber powers.

At the same time, governments must contend with significant strategic challenges, which vary according to national conditions. For example, US law hampers the federal government’s ability to protect critical infrastructure and key resources from cyber attacks. While recent legislative proposals like the Cyber Information Security and Protection Act (CISPA) may help to improve the situation, their impact remains to be seen.

The US, increasingly confident in its ability to identify and strike back at any cyber assailant, has so far evaded legal obstacles by focusing on deterrence. But this approach is effective only if would-be attackers have at least a basic understanding of America’s capabilities. Fortunately for the US, the media are helping to fill this gap with a steady stream of revelations on the subject.

Deterrence, however, carries significant escalation risks. By instilling fear in its adversaries, deterrence can goad governments – even those that are not directly involved in current cyber standoffs – into reckless or unpredictable behavior. Although recent official US statements have been directed primarily at China and Russia, they have motivated governments worldwide to build their own offensive cyber capabilities.

While there is a small possibility that stronger language from the US will lead China to curb its alleged cyber-espionage activities, the more likely outcome will be akin to a cyber arms race, with an increasing number of countries striving to become cyber powers in their own right. More than 40 countries now have some sort of military-intelligence cyber capability, and with the proliferation of offensive cyber capabilities, inadvertent escalation will become increasingly likely.

A global set of “norms of state cyber behavior,” developed through multilateral diplomacy, could help to mitigate this threat. But, so far, the US has preferred to pursue a bilateral approach to cyber affairs. This strategy is highly labor-intensive, given that it requires individual engagement with every new cyber power (potentially dozens of countries). Moreover, given the deftness with which China has negotiated bilateral trade treaties with many Asian and African countries that favor its interests, the US approach could fail to ensure that Western interests prevail.

American media and the private sector will continue to exert pressure on persistent cyber offenders like China to change their behavior by “naming and shaming” them. But it would be prudent for the US government to adopt a less assertive approach, and keep the threat of its sizable cyber capabilities as a last resort.

Click here to read full article on Project Syndicate.

Preventing a U.S.-China Cyber War

An editorial on May 25, 2013 in The New York Times urges President Barack Obama and President Xi Jinping to consider EWI’s work on fighting spam as a model for U.S.-China cooperation.
 
The two leaders will meet for the first time next month in California, and a major topic is likely to be the controversy over charges that China is mounting increasing numbers of cyber attacks against U.S. institutions.
 
The editorial pointed to the high cost of hacking, and noted that new measures are needed to help counter this threat.
 
“But before adopting punitive measures, the two nations need to try working together,” it declared. “For example, the EastWest Institute, an independent research group, is working with representatives of many governments, including China and the United States, to develop ground rules for protecting the digital infrastructure. The group’s detailed proposal on fighting spam — which carries malware used by hackers — is worth considering by President Obama and President Xi.”
 
The full editorial can be read here.

 

Source: The New York Times

Gady Discusses Sound Cyber Defense Strategies in Der Standard

An article in the Austrian daily Der Standard quotes EWI Senior Fellow Franz-Stefan Gady arguing for strategic stability in cyberspace as well as an increased emphasis on resiliency in systems when it comes to developing sound strategies for cyber defense. On the subject of cyber defenses, he makes an analogy between the theoretical debate that surrounded air warfare in the 1930s and the current nascent debate on cyber war.

Franz states, "What we need is strategic stability in cyberspace. Deterrence in cyberspace can only work if we know each other's full capabilities. The militaries have to put everything on the table. There needs to be a bigger emphasis on resiliency when it comes to cyber defense. As the Battle of Britain showed in 1940, a strategy based around resiliency is able to withstand and absorb even the severest of attacks."

 

Jaws, Nuclear Weapons and Cyber War

Writing for foreignpolicyblogs.com, EWI's Franz-Stefan Gady discusses the fear surrounding the words "cyber attacks" and their implications.

“It's all psychological. You yell barracuda, everybody says, ‘Huh? What?’ You yell shark, we've got a panic on our hands on the Fourth of July.” In the summer of 1975, the budding auteur, Steven Spielberg, created a virtual panic at America’s beaches with ingeniously crafted screen images of a certain Great White Fish. The top Chinese official of the People’s Liberation Army, General Fang Fenghui, created his own Jaws effect when he recently announced that the consequences of a major cyber attack “may be as serious as a nuclear bomb.” You yell cyber, everybody says, ‘Huh? What?’ You yell nuclear, we’ve got a panic on our hands…

While I do not want to accuse General Fang Fenghui of a plot to manipulate public perception and trigger a cyber hysteria, his remarks are symptomatic of the global uncertainty surrounding the results of a ‘major cyber attack.’ The simple truth is we do not know the likely consequences of such an attack as there has not been a full-scale cyber war to trigger major strategic cyber attacks. Even if total cyber war should break out, cyber weapons, while destructive, “appear to have nowhere near the ability to inflict catastrophic destruction along the lines of a major nuclear attack,” as Andrew F. Krepinevich stated in a report on cyber warfare.

For example, US power grid systems (SCADA systems) are highly centralized, divided into three separate power grids—the Eastern Interconnection, the Western Interconnection, and the Electric Reliability Council of Texas Interconnection. Ninety percent of the Defense Department’s critical infrastructure is dependent upon power from these networks. Military exercises have indicated that even a single cyber strike could disable any of the three grids, not to mention the myriad consequences for civilian life. One expert spelled out the potential fallout in congressional testimony in April 2012:

When transformers fail, so too will water distribution, transportation, communications, and many emergency and government services. Given the 12-month lead time typically required to replace a damaged transformer with a new one, the local and regional economic and societal disruption caused by cyber attacks that disable or destroy the mechanical functioning of key components of the power grid would be devastating.

The possible consequences of such an event combined with cyber attacks on the financial and transportation sector have been mapped out in various scenarios demonstrating the crippling ripple effect of such an assault. But even the most extreme predictions do not approach the human catastrophe of a nuclear detonation in Manhattan and the instant incineration of a million or more people. Comparatively, a major cyber attack might be dramatized as the menacing threat of a Giant Squid, which would require all of the cinematic artifice of the mature Spielberg to effectively magnify the danger in a screen spectacle dubbed Tentacles.

History provides us with a vivid example of the impossibility of determining the impact of a new dimension of warfare on the outcome of a conflict. Contrary to some current thinking, the contemporary technological context of war does not so much resemble the 1950s as the 1930s and the evolution of air power and air power strategy. In 1921, Giulio Douhet argued in his The Command of the Air that air power was revolutionary because it operated in the third dimension, setting off a decade-long debate about the impact of airplanes on warfare. He argued that since aircraft could fly over ground forces, they would relegate land soldiers to secondary importance. The vastness of the sky made defense almost impossible, so the essence of air power was the offensive. The only defense was a good offense (similar to the United States Cyber Command active defense doctrine). The psychological effect of German bombing on France and Great Britain during the First World War led to an exaggerated fear of the capabilities of air power in Western Europe. British Prime Minister Baldwin stated in 1932 that “the bomber would always get through,” and the fear of Germany’s “knockout blow” against Paris or Britain led to a frenzied search for solutions.

The actual course of the war showed, however, that much of the fear of airpower was exaggerated. As a matter of fact, “the bombers did not always get through.” The German air force lost the Battle of Britain and the air war over Germany and Japan—although important and lethal—was not decisive in the outcome of the war. The British Royal Force, the German Luftwaffe and the United States Air Force did not achieve their strategic or operational objectives; air power supported, but could not replace, boots on the ground.

The true strategic impact of cyber weapons also may fall below expectations in a future war. Any historical analogy has its limits, however. General Fang Fenghui’s rhetoric expresses the palpable fear in both China and the United States of the intrinsic vulnerability of their respective economies and critical information infrastructures to strategic cyber strikes.

Some long-time students of Chinese military policy take Fang's warning very seriously, although not at face value. Dr. Greg Austin, a Professorial Fellow at the EastWest Institute, reminds us that in 1996 Professor Joseph Nye and Admiral Bill Owens together warned that the advent of information weapons and infrastructure may affect strategic deterrence. Says Austin, "those who relegate information warfare to an artificial and compartmented construct similar to air power are ignoring how overarching strategies for information dominance, held both by China and the United States, have altered the calculus of risk for use of a nuclear missile strike." The trouble with this view, credible as it may be, is that we can't see the physical evidence in the public domain. We need to be able to access some part of the substance of this new and evolving theater of cyber warfare before we can see more clearly what will land “on the beach” of our fears.

Click here to read this piece on foreignpolicyblogs.com.

China's Cyber Weakness

Writing for The Global Journal, EWI's Greg Austin discusses tensions in the U.S.-China relationship surrounding cybersecurity concerns.

The last two months have seen unprecedented friction between the United States and China over allegations of attacks by the latter on the computer networks and sensitive information of American business and government. The public commentary in the United States has frequently painted China as an enemy -- as if there were no other context. There has been almost no attention paid to the underlying asymmetry in cyber power between the two countries. This imbalance of power has helped to fuel insecurity for both countries and to drive the aberrant behavior.

Here is a brief chronology of recent diplomacy. On 12 February, United States President Barack Obama, without naming China, alluded to it as an enemy of the United States for seeking to occupy its critical infrastructure through cyber operations. The remarks came two days after leaks from a U.S. intelligence estimate named China – again – as the most serious menace in the cyber domain. On 11 March, National Security Adviser Thomas Donilon issued three demands on China, which responded the next day saying it was prepared to talk. The next day, the Director of National Intelligence identified cyber threats to the United States as the number one threat, and talked of a “soft war” against the United States in this domain. On March 14, Obama raised the issue with President Xi Jinping in their first telephone call as heads of state. On March 18, China’s Prime Minister surprisingly called on both China and the United States to stop making “groundless accusations” about cyber attacks against each other. On March 19, U.S. Treasury Secretary Jack Lew discussed the issue when he met Xi in Beijing. One week later, President Obama signed a bill that will exclude the purchase of IT products by U.S. government agencies if any part of them is made by a Chinese corporation.

The United States has never mounted such a robust diplomatic campaign against China in this field, nor has it ever appeared to stake so much of the entire U.S.-China relationship on cyber issues. A disinterested bystander could be forgiven for believing that China’s cyber power and actions are a serious threat to United States national security and that a confrontation between the two countries is inevitable unless China changes course.

Yet in overall capability, China’s armed forces remain weak relative to those of the United States. In the cyber domain, in spite of successes in peacetime espionage, China is simply not competitive with the United States for the full range of cyber combat operations during wartime. That is what China’s leaders think. And it is what the United States government and the best-informed American analysts (from the intelligence community) think.

The analysts say fairly uniformly that the United States has an unmatched military cyber power for several reasons. First, it has been able to build off its pre-eminence in the civilian information technology sector. Second, China lacks the necessary testing ground for strong military cyber capabilities, especially the capacity for integrated command and control of joint operations. The analysts cite in the U.S. case a strong tradition of such operations refined in combat around the globe for at least 25 years. Third, and most importantly, the United States has unmatched human and technical intelligence collection capabilities needed for effective cyber offensive operations against military targets.

It is China’s weakness relative to the United States that determines its military strategy of disabling some critical information infrastructure in the United States in the event that a war with it seemed imminent.

If both countries want stability, and an end to current cyber practices, the over-arching policy question then becomes one of comparing insecurities and vulnerabilities, and later eventually addressing them. The two countries appear to need a strategy for managing a very big asymmetry of military power in cyber space. There is little hint of that consideration in the bilateral diplomacy so far. A heavier emphasis on how concepts of common security can be applied in the bilateral cyber relationship may be needed.

Read this piece at The Global Journal.

Greg Austin is a professorial fellow at the EastWest Institute. He leads the institute's Policy Innovation Unit.

Michael Chertoff Discusses the Cybersecurity Executive Order

In an interview with Bloomberg West, EWI board member Michael Chertoff, former Director of Homeland Security and co-founder of The Chertoff Group, discussed the value of the Obama Administration's executive order on cybersecurity.

"Cybersecurity is a dynamic proposition," noted Chertoff. "Hackers constantly invent new tools. The good news is we’ve got a lot of investment...in coming up with solutions that would actually change the game in terms of security."

 

Deloitte's Harry Raduege Assesses Critical Cyber Challenges

Harry D. Raduege, Jr. is the chairman of the Deloitte Center for Cyber Innovation and a member of the EastWest Institute's President's Advisory Group. He recently spoke with EWI’s Isaac Molho about a number of critical cybersecurity issues, including the rise of cyber breaches, the Obama administration's recent executive order, and the importance of priority international communications in times of crisis.

As you know, EWI has released a policy report on Priority International Communications (PIC). Could you please give an overview of the most recent efforts to implement international, uniform PIC standards? What are the advantages of doing so?

International network standards need to be implemented so that a priority call, in a time of emergency when communications are limited in certain areas, would be transparently transferred across a border into another country and would enjoy that same level of priority service in each country involved.

We’ve established, over a decade or so, the critical agreements, standards, policies and regulations that would allow us to implement priority international communications, not only with hardware but also with software. The problem has been that forward movement in agreement or even recognition of these elements has stalled, and I think the major reason is that there is a low probability that we will experience a major catastrophe involving international proportions. But history has shown that when a major catastrophe does occur, everyone usually wishes they had implemented a solution earlier.

Harry Raduege Speaks at the EastWest Institute's 3rd Worldwide Cybersecurity Summit in New Delhi:

Do you think private sector stakeholders with sensitive, confidential data, like law firms, are sufficiently aware of the threats that are out there?

Private sector stakeholders with sensitive, confidential data now are becoming increasingly aware of the cybersecurity threats that are ever present and growing on a daily basis. Frankly, only within the last few years have private organizations and stakeholders been made aware of the growing intensity of cybercrime and cyber espionage, where sensitive, confidential information is being stolen by others for their competitive advantage and benefit.

Could you elaborate on some of the measures to reduce this risk of damages arising out of cyber attacks?

There are a number of procedures available to effectively detect and isolate cyber-related threats and attacks, and it is most important to manage the risks associated with potential damage. We have an overarching need now, both in government and industry, to gain advanced threat detection and dynamic situational awareness through continuous network monitoring of what is going on in the particular network enterprise for which we’re responsible: what software is installed, who’s using our network, what information is being extracted from our enterprise and where is that information going? These are questions that leaders in various organizations—both public and private—are now asking of their cybersecurity professionals, and they are demanding answers because cybercrime is on the rise.

What are your thoughts on the Obama Administration’s executive order on cybersecurity? The elephant in the room seems to be state-sponsored cyber warfare.

Nation state sponsored activity is certainly one of the elephants in the room; it can gain tremendous insights and intelligence through espionage and by injecting insidious pieces of malicious software. At risk is intellectual property, personal identity information, credit card numbers, bank account numbers and other highly sensitive information. These sophisticated attacks could be used not only against targeted government activities, companies or industries, but also against private citizens.

Cyber intrusions are a multi-spectrum problem: everything from state-sponsored espionage, which could lead to a devastating terrorist attack, throughout the full spectrum of cybercrime and malicious software injection, all the way down to private citizens being taken advantage of and relieved of their personal resources and reputation.

There’s currently a serious shortage of cybersecurity experts in the U.S. What can be done to ensure that the next generation of policymakers and engineers have a deep understanding of these issues?

I think this is a problem that we have been facing in the United States for quite some time. There’s been a propensity for people to stay away from the hard-core educational studies involving science, technology, engineering and math, the STEM disciplines. Those are areas that can provide career avenues through gained insights leading to very lucrative careers in cybersecurity related activities.

The sophistication of cyber attacks against us is growing in intensity. Everyone now has to protect themselves and their organizations against cyber intrusions; the threat is growing in intensity and we cannot have enough trained individuals. This is something that we need to emphasize, not only within our higher educational institutions, but also in the elementary, middle and high school levels of education.

Cyber Espionage: Reducing Tensions Between China and the United States

Writing for China-US Focus, EWI Senior Fellow Franz-Stefan Gady looks at recent concerns about cybersecurity in the U.S.-China relationship.

The most recent revelations of the activities of the Chinese Army Unit 61398 through the computer firm Mandiant have given the impression that the United States is entering a new phase of cyber conflict with the People’s Republic of China. In reality, however, while the recent study is impressive in its scope and detail, it did not reveal anything new to experts in the field. These sorts of attacks have happened consistently over the last few years and will continue to do so, and the Chinese are not alone. Every nation is engaged in some form of cyber espionage. China, however, “is the most aggressive,” according to James A. Lewis. The real issue is how to prevent these sorts of attacks from leading to escalating tensions between the two great powers on a strategic level.

Most Western countries (including the United States) have fewer incentives to engage in cyber espionage on the scale of the People’s Republic of China. One of the reasons for that is that the United States and its allies are still home to the most innovative and technologically advanced companies in the world. Another reason is that the United States Armed Forces are clearly in possession of the most advanced military technologies and do not need to seek an asymmetrical advantage over their adversaries given their conventional strengths. The West thus has fewer incentives to launch massive-scale cyber espionage operations aimed at stealing technological secrets from Chinese companies.

According to customary international law, espionage is not prohibited. There is little that both sides can/are willing to do in the short term. The primary fear in the United States, however, is that these cyber espionage activities are just a first step in an ever escalating Chinese threat emerging from cyberspace: “Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems,” as President Obama stated during his State of the Union address in February 2012. “Enemies” in this context must clearly be understood to be the Chinese. Acts of sabotage on these scales from China, however, will only happen in the unlikely course of a Chinese attempt to forcefully reunite with Taiwan and the United States honoring its treaty obligations.

Despite the unlikelihood of a full scale cyber war between the two countries, it does not reduce the need for confidence building measures given the inherent strategic instability of cyberspace, where tensions such as the revelation of Army Unit 61398 could quickly escalate and go viral with real economic and political consequences.

It is hard if not impossible to establish strategic stability in cyberspace that could dissuade malicious actors from exploiting vulnerabilities in the critical information infrastructures of countries.  According to a study done by the Cyber Conflict Studies Association: “The current strategic cyber environment is marked by an inability to establish credible deterrence and effectively prevent the emergence of adversaries and conflicts in cyberspace detrimental to U.S. interests.”

This assessment is based on various factors such as the inherently vulnerable structure of networks and the Internet, a low barrier of entry for actors (cyber weapons are cheap and attackers do not have to be very skilled for most forms of attack), and the anonymity of attackers.

For example, non-state actors (cyber terrorists, criminal networks, political activists) could use the political tensions between China and the United States for their own advantage, by launching massive attacks themselves aimed at specific targets for either financial or political gains, while security experts and policy makers are overwhelmed with fighting off state-sponsored attacks.

The only way to start to reduce tensions is to consciously lay out the joint vulnerability of both the United States and China to cyber attacks. One way to begin to build trust is for the United States and China to agree on a joint public study on the interdependence of their respective critical information infrastructures. A special focus should be the likely economic effects of non-state actors’ attacks with strategic impacts. My colleague Dr. Greg Austin and I recommended such a study in our most recent report “Cyber Détente Between the United States and China”. As we state:

“This could be done under the framework of the United States-China Strategic and Economic Dialogue. This may not be welcome by some private operators. Yet the need for such a study exists on a political level. It is a consequence of the strategic impact of private ownership of critical infrastructure. As much as such a study might intrude on narrowly defined private sector interests, leading ICT businesses need a deeper understanding of the military implications of the intermingled, even tangled, character of U.S. and Chinese operations in cyberspace.”

The need for such a public study is ever increasing and should include a wide range of actors from the private and public sector, academia, the military and intelligence communities. While the direct political impact of such an unclassified study may be low, it would nevertheless illustrate to people in the media, politicians, and civil society as a whole the pervasive connectivity as well as joint vulnerabilities of both China and the United States.

Click here to read this piece at China-US Focus.

 

Photo: "US President Barack Obama during a bilat" (CC BY-ND 2.0) by U.S. Embassy The Hague
