Talking Cyber Strategy with China
Better to Focus on Cyber Espionage
Some recent reports surrounding U.S. Defense Secretary Hagel’s visit to China claim that the United States “release[d] cyber warfare plans to China” in December in an effort to encourage greater Chinese transparency. It is more likely that the United States has simply shared the contours of a doctrine already widely known, particularly after Edward Snowden’s release of a classified presidential directive (read it here). In any case, the U.S. has previously held several bilateral cyber war games with China under the auspices of think tanks, which would have provided China with more useful information about how U.S. officials think about these issues than a prepared briefing.
In general I am supportive of these discussions, but I have several concerns about where we are headed.
First, the most immediate cyber security concerns, particularly with China, are commercial and deeply linked with broader worries about state-sponsored intellectual property theft (like the Google mess of 2010). So long as Chinese firms benefit more from state-sponsored industrial espionage than they stand to lose to theft by others, the incentives don’t seem to be on our side. To the extent that our outreach to China is aimed at dissuading the Chinese government from using military cyber resources to steal commercial secrets from U.S. firms, I wonder if we really have much leverage, particularly acting alone.
The strongest and most effective response to this kind of activity would be internationally-backed economic sanctions against China (yes, this is serious enough to talk about sanctions), but even European countries like France engage in espionage on behalf of some of their corporations. The U.S. could consider acting unilaterally, but there could be difficult issues of verification as Chinese cyber spies become more careful, and such a response might encourage other countries to respond much more aggressively to revelations of U.S. cyber spying.
The U.S. often claims to hold the moral high ground of not engaging in cyber espionage for commercial gain of U.S. companies. (See this post on Lawfare about the distinction.) But it doesn’t matter much whether China believes the U.S. here. American unilateral restraint is only relevant, in a pure power sense, if the U.S. is implying it might begin commercially attacking Chinese targets unless China stops this type of behavior–something about which China should not be concerned, because its companies still have relatively little to lose. The remaining relevance is merely rhetorical.
Second, we should be certain that we are not telling China anything about our strategy we have not already told our allies, and we should be briefing our allies about what we are telling China. There are already more than enough unnecessary concerns out there about the willingness of the U.S. to confront China.
Third, I am unsure about the proper role of the Department of Defense in working on cyber issues with China. Given the Chinese tendency to see commercial and security interests as one–particularly in the cyber realm–perhaps the best U.S. counterpart for at least some of these dialogues is the Department of Defense. But I am skeptical about the relevance of the Department of Defense dialogue outside the scope of cyber attacks, where “direct physical injury and property damage” could be a use of force violating international law. The present-day risks from China, both commercial and military, come from cyber espionage and not cyber attacks.
It would be legally absurd (and undesirable given U.S. ambitions in cyberspace) to treat cyber espionage as constituting use of force in international law, subject to military retaliation, in the way that we could do for cyber attacks causing physical damage. Indeed, even non-cyber espionage occupies a strange place in international law that would not justify treating it in this fashion. So it’s just not clear DOD has that much to contribute on the espionage problem.
Back to cyber attacks. David Sanger wrote in the New York Times:
The effort, senior Pentagon officials say, is to head off what Mr. Hagel and his advisers fear is the growing possibility of a fast-escalating series of cyberattacks and counterattacks between the United States and China…. In interviews, American officials say their latest initiatives were inspired by Cold-War-era exchanges held with the Soviets so that each side understood the “red lines” for employing nuclear weapons against each other.
“Think of this in terms of the Cuban missile crisis,” one senior Pentagon official said. While the United States “suffers attacks every day,” he said, “the last thing we would want to do is misinterpret an attack and escalate to a real conflict.”
This is a useful discussion to begin (and an appropriate one for DOD), though maybe not the “major step” we wish it were. I think cyber espionage is the more immediate problem, and I worry that no progress is being made with China there.
If you liked this post, sign up for the Asia Ruminations FeedBurner feed, which makes it easy to add this blog to Google Reader, My Yahoo, or other sites; and the feed offers email notifications of new posts (no more than 2–3 per week). I am on Twitter as danielmichaeli.