Beware of Cyber China
How should we define an “act of war” in the virtual world of the internet?
Editor’s note: This is the third in a series of articles about cybersecurity and cyber warfare that will be published periodically in Defining Ideas. Earlier articles in the series are available here.
Cyberspace is awash in vulnerabilities. Actors in the cyber domain are wise to protect against crime, espionage, and hacktivist intrusions. But while those vulnerabilities are all too real, they are not driving the policy debate today in Washington. Instead, what seems to have seized the imagination of so many is the prospect of a true cyberwar.
But we’ve never had a real cyberwar (though the Russian attack on Georgia comes close), so there is no solid data on the threats that exist. We can only assess the potential for cyberwar by measuring the capabilities of our possible adversaries, and then only by educated guesswork. We have no clear sense of true intent. As a result we lack a solid, quantifiable risk assessment of the cyber threat to national security, and this leaves policy makers with only speculation as to the extent of our risk from a cyber attack by a willful cyber opponent.
The uncertainty does not, however, prevent us from thinking about the problem. We struggle today with two inter-related questions: Who are we likely to fight? And how are we going to fight them?
American military strategists see China as the most likely peer opponent in cyberspace. As the Department of Defense’s (DoD) 2010 report to Congress, Military and Security Developments Involving the People’s Republic of China, concluded:
Likewise, China sees the United States as its principal cyber-competitor. A recent report in the Chinese-language, Liberation Army Daily (an unofficial but well-vetted source) put it this way:
China has demonstrated significant cyber capabilities in recent years. One of the most notable events was Operation Aurora. In early 2010, Google announced that it had been the subject of a “highly sophisticated and targeted attack” that had originated in China, resulting in the “theft of intellectual property” from Google. The attacks seemed to be aimed at the accounts of Chinese human rights activists. And Google was not alone: at least twenty other major companies spanning sectors including internet, finance, and the chemical industry were also targeted. At its core, the attack apparently sought to reach, and possibly alter, some of Google’s source code.
China, naturally, denied responsibility for the attacks and even claimed that evidence of their complicity had been falsified. But, according to one classified State Department cable (released by WikiLeaks) the operation was authorized by the Politburo Standing Committee, the rough equivalent in authority of the U.S. National Security Council. And later analysis by Google (assisted by NSA) traced the source of Internet Protocol addresses and servers used to facilitate the exploitation to a single foreign entity consisting either of “agents of the Chinese state or proxies thereof.”
American military strategists see China as the most likely peer opponent in cyberspace.
Another display of Chinese capabilities occurred in April 2010, when a large slice of the internet’s routing was hijacked. Traffic on the internet follows routes that are computed, not fixed. Under the Border Gateway Protocol (BGP), each network (an “autonomous system”) advertises to its neighbors the blocks of addresses (prefixes) it can reach; routers accept those advertisements largely on trust, prefer the most specific prefix for a destination and, among equally specific prefixes, the shortest path, and then pass their own selection along to their neighbors. Nothing in the protocol itself verifies that an advertiser actually owns the addresses it announces.
On April 8, 2010, China Telecom began broadcasting erroneous routes for tens of thousands of prefixes it did not own. For roughly eighteen minutes, routers in the United States and elsewhere that accepted those announcements sent traffic bound for those addresses through Chinese networks. The United States-China Economic and Security Review Commission later reported that roughly 15 percent of the world’s traffic was diverted, a figure network operators disputed as far too high. Whatever the true volume, the affected prefixes included official US government and military address blocks as well as those of any number of commercial websites.
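The mechanics behind that incident can be shown in a few lines. The following is an added example, not code from the article or from any of the parties it describes: a toy BGP routing table with the two selection rules just described (most specific prefix, then shortest path), two constructed hijacks (a more-specific announcement and a same-prefix, shorter-path announcement), and the check that the protocol itself lacks, a route origin validation table of who is authorized to announce each prefix (the idea behind RPKI, which was not deployed in 2010). The AS numbers, prefixes and authorizations are all constructed for illustration and are not data from the 2010 event.

```python
"""Toy BGP route selection and route-origin validation (added illustration).

All AS numbers (64496-64666 are reserved for documentation), prefixes
(RFC 5737 test ranges) and authorizations below are constructed for this
example and do not describe the April 2010 China Telecom incident.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    as_path: tuple  # AS path as our router sees it; the last entry is the origin AS

    @property
    def origin_as(self) -> int:
        return self.as_path[-1]


def route(prefix: str, *as_path: int) -> Route:
    return Route(ipaddress.ip_network(prefix), tuple(as_path))


def best_route(rib, dst: str):
    """Select the route a BGP router would use for dst.

    Rule 1: the most specific (longest) matching prefix wins.
    Rule 2: among equally specific prefixes, the shortest AS path wins.
    This is why a hijacker can win by announcing a /25 under a victim's /24,
    or by announcing the same /24 with a shorter path.
    """
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in rib if addr in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, len(r.as_path)))


def validate_origin(r: Route, roas) -> str:
    """Check a route against a table of (prefix, authorized origin AS, max length).

    Mirrors RPKI route origin validation: 'valid' if some covering authorization
    matches the origin AS and the announced prefix is no longer than allowed,
    'invalid' if authorizations cover the prefix but none match, 'unknown' if
    nothing covers it at all (the state of every prefix in 2010).
    """
    covering = [roa for roa in roas if r.prefix.subnet_of(roa[0])]
    if not covering:
        return "unknown"
    for roa_prefix, roa_as, max_len in covering:
        if r.origin_as == roa_as and r.prefix.prefixlen <= max_len:
            return "valid"
    return "invalid"


def drop_invalid(rib, roas):
    """Filter policy: discard routes that fail origin validation, keep the rest."""
    return [r for r in rib if validate_origin(r, roas) != "invalid"]


# Constructed authorization table: (prefix, origin AS allowed to announce it, max prefix length).
ROAS = [
    (ipaddress.ip_network("198.51.100.0/24"), 64496, 24),
    (ipaddress.ip_network("203.0.113.0/24"), 64497, 24),
]

# Constructed routing table as seen by our router (AS64500 is our upstream).
RIB = [
    route("198.51.100.0/24", 64500, 64496),         # legitimate announcement
    route("198.51.100.0/25", 64500, 64666),         # hijack: more specific, wrong origin
    route("203.0.113.0/24", 64500, 64501, 64497),   # legitimate, three hops away
    route("203.0.113.0/24", 64666),                 # hijack: same prefix, shorter path
    route("192.0.2.0/24", 64500, 64502),            # no authorization on file
]


def demo():
    """Return {destination: (origin AS chosen unfiltered, origin AS chosen after validation)}."""
    results = {}
    for dst in ("198.51.100.10", "203.0.113.5", "192.0.2.1"):
        before = best_route(RIB, dst)
        after = best_route(drop_invalid(RIB, ROAS), dst)
        results[dst] = (before.origin_as, after.origin_as)
    return results


if __name__ == "__main__":
    for dst, (before, after) in demo().items():
        print(f"{dst}: unfiltered traffic goes to AS{before}, after origin validation to AS{after}")
```

Without the origin check, both hijacks win: the /25 beats the legitimate /24 for 198.51.100.10, and the one-hop announcement beats the three-hop legitimate path for 203.0.113.5. With the check applied, both are dropped as invalid and traffic returns to the authorized origins, while the prefix with no authorization on file is still accepted as unknown, which is why partial deployment of origin validation leaves most of the problem in place.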
Even more chillingly, some reports have suggested that our electric grid and telecommunications systems have already been infiltrated by logic bombs (malicious code inserted into a system that is set off only upon instruction or when certain conditions are met). In 2009, the Wall Street Journal reported that software had been placed in those systems so that it could be “detonated” at a later date, presumably in a time of war. Doing so could cripple our economy and military capabilities at a time of crisis. Richard Clarke, the former cybersecurity czar, likens these cyber logic bombs to mines, and blames China for their placement.
And, recently, the security firm RSA (which manufactures the security tokens that many companies use to control access to secure systems) was penetrated by an intrusion that compromised the company's SecurID system. Within a few months, Lockheed Martin was attacked by someone using the stolen SecurID data. The focus on a defense contractor, rather than on a bank, seems a clear indication that the RSA hack was done by a sovereign peer competitor, not by cyber criminals, who would have used the data to break into bank accounts instead. Again, China denied any responsibility for the attack but, as Clarke said, “this attack [has] all the hallmarks of Chinese government operations.”
In the end, just as the United States has begun to prepare for a cyber war (through the organization of US Cyber Command) China, too, is preparing for one. Last May, China announced the formation of a cyber “Blue Army,” with two stated purposes: defending the nation against cyber attacks and leading cyber offensives in case of war. That’s the same mission that US Cyber Command has. Though a full cyberwar has yet to be fought, both sides are preparing for the worst.
What Is A Cyber War?
We know what war looks like in the real world—generals marshal armies and launch attacks, things get blown up, and people die. But what would be an “act of war” in cyberspace? Consider the following hypotheticals (all of which are reasonably realistic). An adversary:
Some of these, like probing the Pentagon computer, are clearly analogous to espionage in the physical world and won’t be considered acts of war. Others, like disrupting our military command and control systems, look just like acts of war in the kinetic world. But what about the middle ground? Is leaving a logic bomb behind in a radar station like espionage, or is it similar to planting a mine in another country’s harbor as a preparation for war? Is the blockade of internet access like a military blockade in a time of war? Is causing a brown out by degrading the electric grid an attack?
We have only begun to answer these questions. The new DoD Strategy for Operating in Cyberspace, in its unclassified public version, focuses on the legitimacy of “active defenses,” which would authorize real-time counter-attacks against incoming efforts to penetrate the Pentagon’s systems. Meanwhile, the classified version of the strategy is reported to define an act of war as any act that is equivalent in kinetic effect to a military attack (so the attack on the electric grid would be a military attack) and to authorize the United States to use any military response in its arsenal. In other words, we reserve the right to answer a cyber weapon with a real-world weapon of proportional effect, which seems like the right policy.
In the end, however, the critical question of cyberwar is going to be “who attacked?” For even though we have grave suspicions about Chinese intent, the reality is that the internet is not designed to allow for conclusive identification of the source of an attack. As the DoD strategy puts it, in designing the internet “identity authentication was less important than connectivity.” But if you don’t know who the attacker is, how can you respond? Imagine a nuclear missile landing in Chicago without our knowing who launched it.
As we prepare for cyberwar, one is reminded of the uncertainty faced by medieval mapmakers. As they reached the edge of the known world on their maps they would carefully inscribe on the edge “here be dragons.” That’s just as true of cyberspace today, in more ways than one.
Rosenzweig is a cum laude graduate of the University of Chicago Law School. He is the coauthor (with James Jay Carafano) of the book Winning the Long War: Lessons from the Cold War for Defeating Terrorism and Preserving Freedom and author of the forthcoming book Cyberwarfare: How Conflicts in Cyberspace Are Challenging America and Changing the World.