The Diplomat

Active Cyber Defense and the Sino-US Relationship

More aggressive defense approaches in cyberspace promise to test bilateral relations.

By Franz-Stefan Gady

The head of the United States Cyber Command and the National Security Agency, Michael S. Rogers, recently announced at a hearing in front of the Senate Armed Services Committee that the U.S. government’s efforts to deter cyberattacks are not working and that, as a consequence, the United States needs to step up its active cyber defense posture.

“We’re at a tipping point (…) We need to think about: How do we increase our capacity on the offensive side to get to that point of deterrence? (…) in the end, a purely defensive, reactive strategy will be both late to need and incredibly resource-intense,” Rogers emphasized.

Chairman of the Armed Services Committee, John McCain, expanded on Rogers’ point. “The failure to develop a meaningful cyber-deterrence strategy has increased the resolve of our adversaries and will continue to do so at a growing risk to our national security,” he noted.

It is no secret that the American intelligence and defense community is above all concerned at the number of cyberattacks launched from the People’s Republic of China. Beijing’s cyber espionage activities are a particular sore spot in the bilateral relationship.

Open Exchange

A number of U.S. initiatives in the past couple of years were intended to signal to China that the United States, aware of its technological superiority in cyberspace, is willing to accommodate Chinese concerns and to engage in a more open exchange about ways to reduce tensions between Beijing and Washington on this issue.

For example, last year, the Pentagon held an unprecedented briefing for senior Chinese military leaders on the U.S. military’s cyber war doctrine. The rationale behind the Pentagon’s presentation was to make it easier for Beijing to discern to what extent Washington would tolerate Chinese cyberattacks and also to improve the signaling mechanisms between the two countries.

Around the same time, the Obama White House announced that the United States will be more open about how it handles zero-day vulnerabilities, disclosing more of them to the affected vendors rather than retaining them for its own use. A zero-day is a software flaw unknown to the vendor, for which no patch exists; that is what makes it so valuable to whoever wants to break into an opponent's network, even though most real-world intrusions still rely on known, unpatched flaws, phishing and stolen credentials. The announcement was intended as a symbolic gesture of unilateral cyber disarmament by Washington.

Yet Beijing has not reciprocated any of these efforts and, according to the 2014 Mandiant report, has even expanded the scope of its cyber operations, although in December 2013 the People's Liberation Army did acknowledge for the first time that it is capable of conducting cyber war operations and outlined the broad organizational structure of its cyber forces in the event of a conflict.

Consequently, should the United States indeed step up its active cyber defense, this will have been partially precipitated by China's refusal to accommodate U.S. concerns about the activities of Chinese hackers in cyberspace.

Indictment

Indeed, the United States has already switched from a more conciliatory stance in the last few years to a more confrontational posture with the indictment of five Chinese military hackers by a grand jury back in May 2014. The five PLA members, purported to be members of the secretive Unit 61398, were accused of computer hacking, economic espionage and other offenses targeting the U.S. private sector.

The indictment signaled that the United States government is ready to progress up the escalation ladder from indirectly “naming and shaming” Chinese state-sponsored hackers via the U.S. private sector – with which the government has often cooperated in identifying the origins of attacks – and the media (see the 2013 Mandiant Report), to a more direct approach.

This more deliberate method of “naming and shaming” Chinese hackers is part of what appears to be a gradual escalatory framework of the United States’ national cyber deterrence strategy. Should Rogers actually initiate a more active cyber defense strategy in dealing with Chinese intrusions, it would mean a further step up the escalation ladder.

Active cyber defense, as the term is used in this debate, is about attribution and retribution: identifying the source of an attack and retaliating, for example by knocking the attacker's server offline. That is broader than the official definition. The U.S. Department of Defense describes it as follows: "Active cyber defense is DoD's synchronized, real-time capability to discover, detect, analyze, and mitigate threats and vulnerabilities (…) It operates at network speed by using sensors, software, and intelligence to detect and stop malicious activity before it can affect DoD networks and systems." Read literally, that definition covers only measures taken inside the defender's own networks. In practice, however, the policy implies legally, politically and strategically sensitive counter-attacks against the critical information infrastructure of the intruder.

What makes it even more problematic is that active cyber defense by the government can set a precedent for private-sector "cyber vigilantism": companies unilaterally launching destructive counter-attacks ("hack back") against systems outside their own networks once they believe they have identified the perpetrators. Given the pattern of intrusions described above, many such counter-attacks would presumably be aimed at critical information infrastructure located in China, and misattribution would be an ever-present risk.

Beyond the political problems arising from such vigilantism, a private company's unauthorized access to a computer or network outside its own would also violate the U.S. Computer Fraud and Abuse Act (18 U.S.C. § 1030), which does not recognize a self-defense exception, and would consequently raise numerous legal problems.

Point of No Return

Perhaps, we have already moved past the point of no return on this issue, and active cyber defenses and pre-emptive cyberattacks will become more common in the years ahead. However, this should not lead to the conclusion that cyber deterrence is impossible. For example, one way to increase the deterrence factor vis-à-vis adversaries is to have a more systematic public display of nation states' cyber-war capabilities.

In the past, the media has been used to convey a country's capabilities through strategic leaks of classified information to selected news outlets, such as the reporting that attributed Stuxnet and Flame to U.S. and Israeli operations. This still seems to be part of the cyber-deterrence strategy in many Western countries. The results of this approach have been ambiguous at best.

More recently, however, nation states have begun to publicize the organizational structures of their respective cyber forces, budget numbers, and the size of their cyber warrior forces, rather than their actual cyber weapons arsenal. The distinction matters: once a cyber weapon is disclosed, its targets can patch the vulnerabilities it relies on and write detections for it, so in cyberspace revealing the arsenal is tantamount to disarmament.

For example, revealing the organizational structure of the PLA cyber forces, as happened in the 2013 edition of The Science of Military Strategy, serves as a substitute for revealing specific cyber weapons and their capabilities. Yet whether this kind of transparency can truly substitute for active cyber defense and retaliatory strikes as a deterrent remains to be seen.

Ultimately, China and the United States are still interested in pursuing strategic stability in cyberspace. However, should active cyber defense strategies become more prevalent in the years ahead, it is fair to assume that it will constitute a significant blow to Sino-U.S. relations.

The Authors

Franz-Stefan Gady is an associate editor at The Diplomat.