China's Reach in Cyberspace
In the wake of Defense Secretary Panetta's recent remarks, EWI Professorial Fellow Greg Austin looks at assessments of China's cybersecurity capabilities.
In his short speech on October 11 on Pentagon responses to evolving cyber threats, Defense Secretary Leon Panetta revealed both the strengths and shortcomings of United States public policy on issues of national cyber defense. The forum for the speech was not necessarily the place where Panetta might have been expected to give a full exposition of policy, yet in his need to summarize complex issues for his audience of Business Executives for National Security, the secretary outlined a picture of where the United States is and where it is going. Panetta set the scene by mentioning the threat of a “crippling cyber attack,” as serious as the 9/11 terrorist attacks. Several points that relate to China are of interest.
No Secret about Chinese Cyber Capabilities?
The most challenging statement Panetta made was: “It's no secret that Russia and China have advanced cyber capabilities.” As a researcher of Chinese cyber policies using only unclassified sources and the knowledge gained from occasional conversations with senior U.S. intelligence figures, I would question the statement’s implication about “advanced capabilities.” First, it is impossible to find a comprehensive assessment of China’s military cyber capabilities on the public record; however, there are several useful sources—their titles, at least, sound like they fit the bill. For example, a report prepared by Northrop Grumman for the United States China Commission, with the subtitle of “Chinese Capabilities for Computer Network Operations and Cyber Espionage” released in March 2012, is a stunningly detailed overview of many aspects of the problem. But it offers almost no credible assessment of China’s military capability. It documents a series of doctrinal writings and reports at a very general level of Chinese information warfare activities, citing mostly examples of espionage activity. Another useful article, “The Art of (Cyber) War” by Brian Mazanec from the Journal of International Security Affairs in 2009 cites a senior State Department official commenting that Chinese capabilities “have evolved from defending networks from attack to offensive operations against adversary networks.” But there is no Chinese equivalent of Stuxnet yet. Mazanec’s article could only postulate the outlines of possible Chinese cyber war strategy.
The European Defence Agency has been sponsoring a survey of the military capabilities of European Union countries in cyber defense. Their methodology gives some insight into what is missing in public assessments of China’s military cyber capabilities. It has been following a systematic model with the acronym DOTMLPF, which stands for doctrine, organization, training, means (i.e. budget), leadership (chain of command), personnel and facilities. The study has also expanded this model to include interoperability, a fundamental characteristic of cyber warfare at the strategic, operational and tactical levels of war. Interoperability among different branches of the armed forces is one of the hardest organizational challenges facing any country.
The existing public studies on Chinese capability are strongest on doctrine, but they don’t have much detail on the other aspects beyond identifying the names of units involved, the names of some of the commanders and the facilities. In addition, China has had relatively poor performance when it comes to interoperability. Another significant aspect of assessing military capability is the net assessment: how well would the forces of one side (say, China) perform against an adversary (say, the United States, Taiwan or their military allies, such as Japan, the United Kingdom and Australia). In comparison to the high level of detail on Chinese conventional and nuclear force capabilities available in the public domain, the current state of public knowledge of Chinese military cyber capability is very low; basically, it’s still a secret.
The public record of Chinese cyber espionage capabilities is slightly better. There is a long list of authoritative reports describing various intelligence victories attributed to the Chinese government. This is in itself significant in terms of cyber military capability, since according to U.S. sources, well targeted and sustained intelligence collection is an absolute precondition for advanced cyber offensive operations. China’s espionage capability is a part of the capability assessment overall. Yet even here the picture is incomplete. Well-placed sources in Washington with access to the intelligence record have concluded that the United States can see enough to worry us but not enough to know with confidence the full picture.
U.S. Vulnerability: the Cyber Defense Gap
The United States feels its vulnerability in cyberspace deeply. It does not always recognize that this is an inherent characteristic of the domain and too often seeks to address the anxiety by resorting to exaggerated assessments of potential adversaries. Striking the right balance in United States strategic policy is no less of a problem now than it was in preceding decades: the bomber gap (1950s), the divisions gap (late 1960s), the missile gap (1960s), the civil defense gap (1970s) and so on. The 9/11 attacks and a decade of war in Afghanistan, and the long Iraq campaign, have incubated a sense of insecurity. In spite of exhibiting strong confidence in American cyber superiority, Panetta noted about the private sector that “too few companies have invested in even basic cybersecurity.” He called for support for administrative, legislative and regulatory efforts because without them “we are and we will be vulnerable.” Invoking the 9/11 attacks and lack of effective anticipatory defense against them, he added that “the attackers are plotting.” Well, yes, they are. But we all need a much clearer sense of how big the cyber defense gap is. What are the relative capabilities, and more importantly, how do capabilities fit into overall concepts of deterrence for countries like China, Russia and Iran?
Panetta acknowledged that U.S. systems will never be impenetrable. The same is true of the Chinese systems. The global infrastructure and its vulnerabilities, to which Panetta referred to, is also shared by China. In assessing where China stands today, we should certainly factor that into the equation as well.
For further information on how the global community can co-create solutions to these challenges, visit the website for the EastWest Institute’s 3rd Worldwide Cybersecurity Summit in New Delhi, to be held on October 30-31, 2012.