Friday, March 9, 2012

Thoughts on the USCC’s New Report on Chinese Cyberattacks

Via CFR's Asia Unbound Blog -

Yesterday the U.S.-China Economic and Security Review Commission (USCC) released the second report prepared for it by Northrop Grumman on Chinese cyber capabilities. As numerous press reports noted, Occupying the Information High Ground argues that China’s improving cyber capabilities pose a threat to the United States military, that China could target U.S. logistic and transport networks in the case of a regional conflict, and that Chinese IT companies ZTE, Datang, and Huawei all have close collaborative ties with the People’s Liberation Army (PLA).

The report does a good job of bringing a great deal of Chinese-language and open-source information together, and is especially useful in laying out how information security research is funded in and conducted by military and civilian universities.


The specific findings of the report are useful and important, but we should remind ourselves of four things. First, it is easy to forget that much in the report is about aspirations, what the PLA hopes to accomplish, and that we are less certain about how capable it truly is.


Second, and again the authors make this point, Occupying the Information High Ground is not a net assesment. It makes no effort to “detail possible countermeasures and network defense capabilities that the U.S. military and government may employ that could successfully detect or repel the types of operations described.”


Third, as most of the writings cited in the report demonstrate, we know a lot more about Chinese thinking at the tactical level and much less about how the central leadership understands the political or strategic implications of a cyberattack on U.S. interests, especially one on critical infrastructure. The report notes that “the decision to move beyond strictly military targets for network attack operations would likely be made at the highest levels of China’s military and political leadership because of the recognized dangers of escalation that such a move presents.” How certain can leaders on either side of the Pacific be that it is possible to limit network attacks to “strictly military targets”? If the strategic is always a possibility in the tactical, then we need better insight into what central leaders in Zhongnanhai understand about and expect from cyber operations.


Finally, shadowing the report is the question of what the U.S. policy response should be. The report does not spend much time discussing cyber espionage threats (which was covered more expansively in the previous report, Capability of the People’s Republic of China to Conduct Cyber Warfare and Computer Network Exploitation), but it does suggest that continuous exfiltration of data from U.S. government networks exacerbates military instability


As I argue in my recent Foreign Affairs article, Chinese Computer Games, raising the costs and calling the perpetrators out is part of a strategy that will include bilateral and multilateral discussions on rules of the road for cyber, capacity-building, deterrence through denial, and possibly trade or other sanctions. Even using all these policy tools, it is going to take a long time; Chinese-based cyberattacks will not disappear anytime soon.

No comments:

Post a Comment