When President Obama meets woth Chinese President Xi Jinping Friday and Saturday in Southern California, a major topic of conversation between the two will be Chinese cyber-attacks and cyber-espionage against American commercial and government targets.
According to U.S. counterintelligence officials, billions upon billions of dollars worth of information has been “lifted” out of American computers and servers in recent years.
In fact, only last week, newspapers were reporting that an internal Defense Department review had concluded that China had used cyber attacks to gather data on more than three dozen key U.S. military programs, including the country’s most advanced missile defense systems, naval warships and even the F-35 Joint Strike Fighter—the stealthy, fifth-generation jet that will be the backbone of the American military’s ability to sustain air superiority in the decades ahead.
As one might expect, the Chinese government has denied any complicity in these attacks. And it is doubtful, given how successful Chinese efforts have been, that even “blunt” talk by the president to the new Chinese leader, will have much effect on Chinese practices.
The reality is, the Chinese government is engaged in a form of warfare—new to be sure in its technological aspects but not new in the sense that cyber attacks harm our relative military strength and damage the property (intellectual and proprietary) of citizens and companies alike.
So far, the American government’s response has largely been defensive, either talking to the Chinese about establishing new, agreed-upon “rules of road” for cyberspace or working assiduously to perfect new security walls to protect government and key private sector computer systems.
Although neither effort should be abandoned, they are no more likely to work than, say, before World War II, the Kellogg-Briand Pact could outlaw war and the Maginot Line could protect France from an invading Germany.
This last point is especially important. When it comes to cyberspace, according to Cyber Command head and director of the National Security Agency, General Keith Alexander, those on the offensive side of the computer screen–that is, those hacking into or compromising computer systems–have the advantage over those on the defensive side who are trying to keep systems secure. Walls have always been breached and codes broken.
Moreover, attempts to beef up security are complicated by the fact that our own cyber warriors are undoubtedly reluctant to provide those charged with protecting systems here at home with the latest in their own capabilities.
In addition to increasing the chance such information might leak by expanding the number of persons in the know, efforts to use that information to plug our own vulnerabilities can inadvertently alert a potential adversary on the very backdoors American would want to save for using in a future crisis or conflict.
All of which leads to the conclusion that to stem the tide of harmful cyber attacks by the Chinese (or, for that matter, Iran, Russia or North Korea), there has to be a cyber response on America’s part that deters continued cyber aggression.
Reprisals that are proportionate, in self-defense and designed to stop others from such behavior falls well within the bounds of international law as traditionally understood.
Nor is it the case that such reprisals should be limited to responding to government-on-government cyber attacks. The U.S. government has always understood that it has an affirmative duty to protect the lives and property of its citizens from foreign aggression and, in times both past and current, this has meant using American military might.
That need not be the case here, however. Indeed, one advantage of the cyber realm is the wide variety of options it offers up for reprisal that can inflict economic harm without causing loss of life or limb.
The good news is that the U.S. government has been gradually beefing up its offensive cyber capabilities.
Indeed, a little over a month ago in open testimony before the House Armed Services Committee, Gen. Alexander said that he created thirteen new teams that would go on the offensive if the nation were hit by a major cyber attack. And new reports coming out of the Pentagon indicate that the Joint Chiefs would like to empower geographic combatant commanders to counter cyber attacks with offensive cyber operations of their own.
These are necessary steps if we hope to create a deterrent to Chinese cyber aggression; however, they are not sufficient.
The threat posed by China’s army of cyber “guerrillas” is constant, is directed at both the U.S. government and the private sector, and ranges from the annoying to the deadly serious.
A truly adequate response would require meeting the Chinese challenge on all these fronts. And no amount of summitry between the American and Chinese leaders is likely to substitute for the cold, hard fact that, when it comes to Chinese misbehavior, upping the cost to Beijing is a necessary first step to reclaiming the peaceful potential of the newest of the “great commons,” cyberspace.
Gary Schmitt is director of the Marilyn Ware Center for Security Studies at the American Enterprise Institute.