EWI Senior Fellow Franz-Stefan Gady writes on steps needed to break the U.S.-China cyber stalemate, including a recommendation that China "remove the veils covering its activities in cyberspace."
Read the piece here on China-U.S. Focus
Both China and the United States have a vested interest in de-escalating tensions in cyberspace. In the post-Snowden world, the United States has lost its self-conferred leadership role in promoting global Internet freedom, whereas China is seen as recklessly expanding its cyber espionage activities. Within only a year the fluctuant pendulum of world opinion has decisively swung back and forth between the two nations until finally reaching equilibrium that may be interpreted as a “cyber stalemate”.
The public outcry after the revelations of the 2013 Mandiant Report with its exposure of the Chinese military unit labeled “Advanced Persistent Threat 1,” and its alleged cyber espionage activities, yielded, based on the disclosures of Edward Snowden, to privacy fears of an all-intrusive NSA in the last few months. However, rather than perceiving it as a serious setback, the current cyber stalemate between the United States and the People’s Republic of China should be seized by political leaders in both countries as an urgent incentive to push for cooperation and strategic stability in cyberspace. In that respect the United States has recently taken the lead.
The Obama administration’s briefing for the Chinese military leadership on the US military doctrine for defending against cyber attacks was an unprecedented step towards strategic stability in cyberspace. The US military is envisioning to spend USD 26 billion in the next five years on protecting its networks from intrusions, but also to continue to develop offensive cyber weapons. This naturally leads to uneasiness in the technologically inferior PLA as well as among the Chinese political leadership, which threatens to further destabilize an already precarious relationship. While the Pentagon is disappointed that the Chinese have so far not reciprocated its openness, indications from the briefing suggest that the U.S. military has finally come around to actively seek strategic stability in cyberspace through some form of cyber deterrence.
One way to increase the deterrence factor vis-à-vis adversaries is to have a more systematic public display of nation states' cyber war capabilities. In the past, the media has been used to convey a country's cyber warfare capabilities with strategic leaks of classified information (e.g. Operation Olympic Games) to some news outlet as part of a country's unofficial cyber deterrence strategy. Now, the United States has taken a more direct, nuanced and official approach by outlining its military doctrine without, presumably, detailing the capabilities of U.S. offensive cyber weaponry. The Pentagon presentation made it easier for the Chinese leadership to discern the infamous “red line” for the United States regarding Chinese cyber attacks and improved the signaling mechanisms between the two countries.
Another sign for the willingness towards de-escalation is the recent announcement by the Obama White House that the NSA will more openly share intelligence on zero-day vulnerabilities—security holes in software that are unknown to the vendor and are exploited by hackers before they can get fixed. There is a loophole of course: the NSA can still withhold information in case of a “clear national security or law enforcement need.” Yet, as a spokeswoman for the US National Security Council states: “This process is biased toward responsibly disclosing such vulnerabilities.”
This is almost certainly part of a carefully planned publicity campaign, and it is primarily meant to assuage the U.S. private sector, which, more than ever, is vulnerable to losing global market shares to foreign competition after the revelations of its tacit cooperation with US intelligence agencies. Nevertheless, the zero-day vulnerability announcement is also a clear signal to U.S. adversaries that the United States is interested in stabilizing cyberspace by its willingness to “unilaterally disarm”, parts of its cyber arsenal.
Technological inferiority is still a grave concern to Chinese top military brass. As Major General Wu Jiangxing, president of the PLA Information Engineering University, stated in an interview: “The gap is that China does not have a cyber army, whereas the United States has established a Cyber Command, certainly with cyber warfare units.” This refrain, heard time and again from the Chinese side, however, has so far not yielded any diplomatic benefits. The U.S. offer on quasi-unilateral disarmament (or at least the discussion thereof) may be a first step in mollifying corresponding Chinese fears.
However, despite the recent emphasis by senior Chinese leadership on cyber security, the reaction by the Chinese government has so far been tepid and no discernible reciprocal steps have been taken by, for example, the People’s Liberation Army. On the contrary, as the 2014 Mandiant Report states:
The Chinese government is expanding the scope of its cyber operations, and China-based advanced threat actors are keen to acquire data about how businesses operate—not just about how they make their product . . . Despite the recent accusations and subsequent international attention, APT1 and APT12’s reactions indicate a PRC interest in both obscuring and continuing its data theft. This suggests the PRC believes the benefits of its cyber espionage campaigns outweigh the potential costs of an international backlash.
It is now China’s turn to remove some of the veils covering its activities in cyberspace in order to de-escalate tensions. While there is an inherent asymmetry between U.S. and Chinese military capabilities in related technology, this should not be used as an excuse by the Chinese leadership to avoid a more open engagement with the United States in the coming months and try to break the cyber stalemate between the two rivals.
Photo Credit: U.S. Secretary of Defense via Flickr