experts and translators of the new domain
Beware of Cyber China
By Paul Rosenzweig
How should we define an “act of war” in the virtual world of the internet?
Editor’s note: This is the third in a series of articles about cybersecurity and cyber warfare that will be published periodically in Defining Ideas. Earlier articles in the series are available here.
Cyberspace is awash in vulnerabilities. Actors in the cyber domain are wise to protect against crime, espionage, and hacktivist intrusions. But while those vulnerabilities are all too real, they are not driving the policy debate today in Washington. Instead, what seems to have seized the imagination of so many is the prospect of a true cyberwar.
But we’ve never had a real cyberwar (though the Russian attack on Georgia comes close), so there is no solid data on the threats that exist. We can only assess the potential for cyberwar by measuring the capabilities or our possible adversaries, and then only by educated guess work. We have no clear sense of true intent. As a result we lack a solid quantifiable risk assessment of the cyber threat to national security and this leaves policy makers only with speculation as to the extent of our risk from a cyber attack by a willful cyber opponent.
The uncertainty does not, however, prevent us from thinking about the problem. We struggle today with two inter-related questions: Who are we likely to fight? And how are we going to fight them?
American military strategists see China as the most likely peer opponent in cyberspace. As the Department of Defense’s (DoD) 2010 report to Congress, Military and Security Developments Involving the People’s Republic of China, concluded:
numerous computer systems around the world, including those owned by the U.S. government, continued to be the target of intrusions that appear to have originated within the [People’s Republic of China]. These intrusions focused on exfiltratring information, some of which could be of strategic or of military utility. The accesses and skills required for these intrusions are similar to those necessary to conduct computer network attacks. It remains unclear if these intrusions were conducted by, or with the endorsement of, the [People’s Liberation Army] or other elements of the [People’s Republic of China] government. However, developing capabilities for cyberwarfare is consistent with authoritative [People’s Liberation Army] military writings.
Likewise, China sees the United States as its principal cyber-competitor. A recent report in the Chinese-language, Liberation Army Daily (an unofficial but well-vetted source) put it this way:
The U.S. military is hastening to seize the commanding military heights on the Internet, and another Internet war is being pushed to a stormy peak. . . . Their actions remind us that to protect the nation’s Internet security, we must accelerate Internet defense development and accelerate steps to make a strong Internet army. . . . Although our country has developed into an Internet great power, our Internet security defenses are still very weak. So we must accelerate development of Internet battle technology and armament.
China has demonstrated significant cyber capabilities in recent years. One of the most notable events was Operation Aurora. In early 2010, Google announced that it had been the subject of a “highly sophisticated and targeted attack” that had originated in China, resulting in the “theft of intellectual property” from Google. The attacks seemed to be targeted at Chinese human rights activists. And Google was not alone—at least twenty other major companies spanning sectors including internet, finance, and the chemical industry were also targeted. At its core, the attack apparently attempted to corrupt some of Google’s source code.
China, naturally, denied responsibility for the attacks and even claimed that evidence of their complicity had been falsified. But, according to one classified State Department cable (released by WikiLeaks) the operation was authorized by the Politburo Standing Committee, the rough equivalent in authority of the U.S. National Security Council. And later analysis by Google (assisted by NSA) traced the source of Internet Protocol addresses and servers used to facilitate the exploitation to a single foreign entity consisting either of “agents of the Chinese state or proxies thereof.”
American military strategists see China as the most likely peer opponent in cyberspace.
Another display of Chinese capabilities occurred in April 2010, when the internet was hijacked. Traffic on the internet is, typically, routed through the most efficient route. Servers calculate that route based upon a “call-and-response” interaction with other servers—in effect, downstream servers advertise their own carrying capacity and current load, soliciting traffic.
On April 8, 2010, China Telecom began broadcasting erroneous network traffic routes. As a result, American and other foreign servers were instructed to send internet traffic through Chinese servers. In the end, according to the United States China Economic and Security Review Commission, roughly 15 percent of the world’s traffic was routed to China. This included official US government traffic, as well as the traffic from any number of commercial websites.
Even more chillingly, some reports have suggested that our electronic grid and telecommunications systems have already been infiltrated by logic bombs (malicious code inserted in a system that will be set off only upon instruction or when certain conditions are met). In 2009, the Wall Street Journal reported that software had been placed into our system, so that it could be “detonated” at a later date, presumably in a time of war. Doing so could cripple our economy and military capabilities at a time of crisis. Richard Clarke, the former cybersecurity czar, likens these cyber logic bombs to mines, and blames China for their placement.
And, recently, the security firm RSA (which manufactures the security tokens that many companies use to control access to secure systems) was penetrated by an intrusion that compromised the company’s SecureID system. Just a few weeks later, Lockheed Martin was attacked by someone using the stolen RSA data. The focus on a defense contractor, rather than on a bank, seems a clear indication that the RSA hack was done by a sovereign peer competitor, not by cyber criminals who would have used the data to break into bank accounts instead. Again, China denied any responsibility for the attack but, as Clarke said, “this attack [has] all the hallmarks of Chinese government operations.”
In the end, just as the United States has begun to prepare for a cyber war (through the organization of US Cyber Command) China, too, is preparing for one. Last May, China announced the formation of a cyber “Blue Army,” with two stated purposes: defending the nation against cyber attacks and leading cyber offensives in case of war. That’s the same mission that US Cyber Command has. Though a full cyberwar has yet to be fought, both sides are preparing for the worst.
What Is A Cyber War?
We know what war looks like in the real world—generals marshal armies and launch attacks, things get blown up, and people die. But what would be an “act of war” in cyberspace? Consider the following hypotheticals (all of which are reasonably realistic). An adversary:
- Disrupts the stock exchanges for two days, preventing any trading;
- Uses cyber weapons to take an early warning radar system offline;
- Introduces a logic bomb into a radar station that can disable it when triggered, but doesn’t trigger it just yet;
- Makes a nuclear centrifuge run poorly in a nuclear production plant;
- Implants a worm that slowly corrupts and degrades data on which certain military applications rely (say, for example, by degrading GPS location data);
- Adds a backdoor to a piece of hardware that is built into a computer system, allowing the potential for the implantation of a worm or virus that would disrupt or destroy the system;
- Takes the U.S. command and control systems offline temporarily;
- Probes a Pentagon computer to map its structure and identify its vulnerabilities;
- Blockades another country’s access to the internet; or
- Disables an industry (say, part of the electric grid).
Some of these, like probing the Pentagon computer, are clearly analogous to espionage in the physical world and won’t be considered acts of war. Others, like disrupting our military command and control systems, look just like acts of war in the kinetic world. But what about the middle ground? Is leaving a logic bomb behind in a radar station like espionage, or is it similar to planting a mine in another country’s harbor as a preparation for war? Is the blockade of internet access like a military blockade in a time of war? Is causing a brown out by degrading the electric grid an attack?
We have only begun to answer to these questions. The new DoD Strategy for Operating in Cyberspace, in its unclassified public version, focuses on the legitimacy of “active defenses” which will authorize real- time counter-attacks against incoming efforts to penetrate the Pentagon’s systems. Meanwhile, the classified version of the strategy is reported to define an act of war as any act that is equivalent in kinetic effect to a military attack (so the attack on the electric grid would be a military attack) and to authorize the United States to use any military response in its arsenal. In other words, we reserve the right to answer a cyber weapon with a real world weapon of proportional effect, which seems like the right policy.
In the end, however, the critical question of cyberwar is going to be “who attacked?” For even though we have grave suspicions about Chinese intent, the reality is that the internet is not designed to allow for conclusive identification of the source of an attack. As the DoD strategy puts it, in designing the internet “identity authentication was less important than connectivity.” But if you don’t know who the attacker is, how can you respond? Imagine if a nuclear missile landed in Chicago, but we didn’t know who launched it?
As we prepare for cyberwar, one is reminded of the uncertainty faced by medieval mapmakers. As they reached the edge of the known world on their maps they would carefully inscribe on the edge “here be dragons.” That’s just as true of cyberspace today, in more ways than one.
Paul Rosenzweig, Esq., is the founder of Red Branch Law & Consulting, PLLC. Rosenzweig formerly served as deputy assistant secretary for policy in the Department of Homeland Security and twice as acting assistant secretary for international affairs. Rosenzweig is a professorial lecturer in Law at George Washington University and a visiting fellow at the Heritage Foundation. He serves as a senior editor of the Journal of National Security Law & Policy.
Rosenzweig is a cum laude graduate of the University of Chicago Law School. He is the coauthor (with James Jay Carafano) of the book Winning the Long War: Lessons from the Cold War for Defeating Terrorism and Preserving Freedom and author of the book Cyberwarfare: How Conflicts in Cyberspace Are Challenging America and Changing the World.
The essay above is based on a forthcoming book by the author titled, Cyberwarfare: How Conflicts in Cyberspace are Challenging America and Changing the World.
Letters to the editor may be sent to email@example.com. Editors reserve the right to reject or publish (and edit) letters.