Debating the Chinese Cyber Threat

If you follow cyber conflict issues, you’ll want to see this correspondence from International Security, Vol. 40, No. 1 (Summer 2015), pp. 191–195:

In “The Impact of China on Cybersecurity: Fiction and Friction,” Jon Lindsay asserts that the threat of Chinese cyber operations, though “relentlessly irritating,” is greatly exaggerated; that China has more to fear from U.S. cyber operations than the United States does from China; and that U.S.-China relations are reasonably stable.1 He claims that “[o]verlap across political, intelligence, military, and institutional threat narratives . . . can lead to theoretical confusion” (p. 44). In focusing almost exclusively on military-to-military operations, however, where he persuasively argues that the United States retains a significant qualitative advantage, Lindsay underemphasizes the significance of vulnerabilities in U.S. civilian networks to the exercise of national power, and he draws broad conclusions that have doubtful application in circumstances short of a full-out armed conflict with China. In addition, he does not discuss subthreshold conflicts that characterize, and are likely to continue to characterize, this symbiotic but strife-ridden relationship.

To begin, Lindsay argues that American infrastructure is safe from nation-state cyberattack. For support, he cites a similar conclusion by Desmond Ball, who touts the supposed “sophistication of the anti-virus and network security programs available” in advanced Western countries.2 The notion that Western-made anti-virus and network security programs are effective against sophisticated cyberattacks would astonish any group of corporate security officers. Anti-virus programs are flimsy filters designed to catch only some of the malware that their designers know about. They miss a great deal. New malware enters the market at the rate of about 160,000 per day.3 Filters, whether employed by the military or not, are unable to keep up. “Network security programs” vary in quality, are insufficiently staffed, and are often not implemented at all across the economy. The Pentagon is expending huge sums to build its own power grids, even as its budget shrinks, precisely because the civilian grid cannot be relied upon in a crisis. On this subject, Lindsay says only that China’s ability to attack the U.S. grid “cannot be discounted.” In contrast, Adm. Michael Rogers, director of the National Security Agency (NSA) and commander of U.S. Cyber Command, testified in 2014 that China and “one or two” other countries could shut down the power grid and other critical systems in the United States.4

Lindsay’s article also fails to address the relationship between nonmilitary vulnerabilities and the exercise of national power. For example, when Russian intruders penetrated JPMorgan Chase Bank’s computer system in 2014 during tensions over Ukraine, no one could tell President Barack Obama whether Russian President Vladimir Putin was sending him an implied threat.5 Taking down a major bank would have enormous economic repercussions, and Chase’s vulnerability was there for all to see. When evaluating his options, could the president ignore the possibility that exercising one of them carried the palpable risk that a major U.S. bank could be taken down? Whatever the source and objective of the intrusion in the Chase case, the incident demonstrates the way in which a critical vulnerability in the civilian economy could constrain the exercise of national power, including military power, in a crisis.

Lindsay speculates skeptically about the increase in the reporting of commercial network exploitation since 2010 and wonders whether it may be spurred by self-interested disclosures by network defense firms seeking to scare up demand for their services. He does not mention that the Securities and Exchange Commission issued guidance in 2011 stating that public companies “should review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents.”6 And despite Lindsay’s claim that commercial network exploitation is overreported, virtually every private-sector lawyer and consultant I know in this field believes that publicly disclosed information understates the severity and frequency of attacks on corporate networks. The reasons are well known: companies resist disclosure for fear of harm to their brands and stock prices and to avoid shareholder derivative class-action lawsuits and regulatory action by the Federal Trade Commission.

Lindsay is on better footing when he denies that a network penetration, even when it results in the theft of intellectual property (IP), necessarily results in lost profit or market share. The absorption and application of stolen intellectual property are complicated processes; they require know-how as well as a recipe. This is one reason why IP theft and reverse engineering do not necessarily produce market share for the thief and the copy-cat. Thus China still cannot produce a jet engine, even though it has plenty of American and Russian engines to study, because it cannot master the fabrication process. These are not contested propositions, however. Insurance carriers certainly understand them, which is largely why IP cannot be insured against theft. It is incorrect, however, to imply from this, as Lindsay does, that IP theft is not a significant issue for many of its victims. China has no difficulty using stolen IP about, say, oil and gas exploration data and materials testing research. Both are prime targets.

Chinese intruders have also stolen negotiation strategies to good effect, as more than a few companies could testify (but will not). And in the case of solar-power technology, Chinese IP thieves had no trouble absorbing stolen secrets and penetrating Western markets.7 Some descriptions of the economic losses have been hyperbolic, no doubt; and the losses have eluded persuasive quantification. Nevertheless, the problem is real and substantial.

The overall state of American networks and of private-sector capabilities simply is drastically different from the picture Lindsay paints. Take attribution. Public reports that the NSA can often—though not always—do very good attribution do not mean that private companies can do it. Attribution has three levels: (1) identifying the device from which an intrusion was both launched and commanded; (2) identifying the actor at the keyboard; and (3) identifying the actor’s affiliation. Even the NSA cannot always get to the second and third levels, as the Chase Bank incident demonstrated.

The most basic difference between the military-to-military situation and the corporate reality, however, is that militaries and intelligence agencies fight back. In contrast, companies are exposed to attack without the legal right to retaliate (for mostly good reasons) even when they have, or could buy, the ability to do so. In this environment, offense is unquestionably dominant. According to Lindsay, since 2010 “Western cybersecurity defenses, technical expertise, and government assistance to firms have improved” (p. 23). In fact, very few companies receive government help with intrusions. If he means that private-sector defenses have improved when measured against themselves, then that is true but irrelevant. Attacks have also increased in sophistication, and when measured against the offense, defenses have not improved. All defenses are versions of Whac-A-Mole, and there are too many moles to whack them all.8

In sum, Lindsay and I agree that the current and foreseeable state of cyber technology “enables numerous instances of friction to emerge below the threshold of violence” (p. 9). This is what I have called “the gray space between war and peace.” If this environment is showing signs of strategic stability, it is partly, as Lindsay argues, because mutual vulnerability is creating mutual restraint among nation-states. But the vulnerabilities remain, and they could be exploited by China or Russia in a crisis and by a growing number of second-tier cyber players that are not so constrained.


1. Jon R. Lindsay, “The Impact of China on Cybersecurity: Fiction and Friction,” International Security, Vol. 39, No. 3 (Winter 2014/15), pp. 7–47. Further references to Lindsay’s article appear parenthetically in the text.

2. Ibid., p. 35 n. 94, quoting Desmond Ball, “China’s Cyber Warfare Capabilities,” Security Affairs, Vol. 17, No. 2 (Winter 2011), p. 101.

3. Luis Corrons, “Malware Still Generated at a Rate of 160,000 New Samples a Day in Q2 2014,” Panda News, August 29, 2014, http://www.pandasecurity.com/mediacenter/press-releases/malware-still-generated-rate-160000-new-samples-day-q2-2014/.

4. Ken Dilanian, “NSA Director: Yes, China Can Shut Down Our Power Grids,” Associated Press, November 20, 2014, http://www.businessinsider.com/nsa-director-yes-china-can-shut-down-our-power-grids-2014-11.

5. See Joel Brenner, “Nations Everywhere Are Exploiting the Lack of Cybersecurity,” Washington Post, October 24, 2014.

6. U.S. Securities and Exchange Commission, Corporate Finance Division, “CF Disclosure Guidance: Topic No. 2: Cybersecurity” (Washington, D.C.: U.S. Securities and Exchange Commission, October 13, 2011), http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm.

International Security, Vol. 40, No. 1 (Summer 2015), pp. 191–195, doi:10.1162/ISEC_c_00208
© 2015 by the President and Fellows of Harvard College and the Massachusetts Institute of Technology.