LAWFARE (BLOG)
A Deepening U.S.-China Cybersecurity Dilemma
By Ben Buchanan, Robert D. Williams
Wednesday, October 24, 2018, 8:00 AM
In Lawfare on Oct. 19, Chinese cybersecurity analyst Lyu Jinghua (吕晶华)
offered a thoughtful critique of the 2018 Department of Defense Cyber Strategy,
an unclassified seven-page summary of which was released publicly on Sept. 18. Lyu observes that the new strategy marks a break from previous
such documents in that it lists China first among the group of four “States
that can pose strategic threats to U.S. prosperity and security” (in addition
to Russia, North Korea, and Iran). In the context of rapidly deteriorating
U.S.-China relations, Lyu explains, “even a ‘minor’
change like this … sends the Chinese government a signal that America views
China as a potential adversary.” The United States, Lyu
argues, “is consistently critical of China’s cyber security measures and hypes
China up as a cyber threat.”
In her view, this assessment of the strategic environment
animates the Pentagon’s recent shift to an approach that, according to the
Defense Department’s summary, “will defend forward to disrupt or halt malicious
cyber activity at its source, including activity that falls below the level of
armed conflict.” The approach, although not entirely new, seems to be oriented
toward giving the U.S. military greater freedom of action. It is likely a
response to the often-expressed concern that statutory authorities have limited
U.S. Cyber Command’s capacity to interdict foreign threats outside combat
zones.
We think the combination of the Pentagon’s strategy and Lyu’s critique is particularly interesting. It shows a
deepening cybersecurity dilemma—a topic one of us (Buchanan) has written about
at length—between the United States and China. A variant on the classic
security dilemma, the cybersecurity dilemma is the notion that as one nation
takes steps to defend itself in cyberspace, it inadvertently threatens other
nations with what appears to be offensive action. The dilemma can work on both
strategic and operational levels. Strategically, one nation’s development of
additional cyber capabilities and loosening of authorities can be seen by other
nations as an unavoidable threat. Operationally, a practice of “defending
forward” can look a lot like attacking forward when one is on the receiving end
of a hacking operation.
Lyu cautions that the Pentagon’s
shift to a more offensive posture as outlined in the Cyber Strategy will induce
anxiety in other countries and carries potential risks of conflict escalation.
She uses language that strongly fits with the logic of the cybersecurity
dilemma:
Interactions in cyberspace can foster trust and cooperation,
but they also have the potential to provoke suspicion, competition and
conflict. Alarmingly, the latest Defense Department document lists “defend
forward, shape the day-to-day competition, and prepare for war” as the
Pentagon’s priorities and “building a more lethal joint force” as the first
approach the department will take. In the meantime, terms like “mitigate risks”
and “control conflict escalation,” which were used in the previous two reports,
have disappeared from the latest report.
Other countries will likely feel anxious about their own
cybersecurity if they see that the most powerful cyber force is committed to
building more forces and pursuing a more offensive posture, even though some
Americans may understand the Defense Department as, itself, responding to the
aggressive postures of other states. This increased insecurity and heightened
suspicion are particularly dangerous in cyberspace, because operations there
are more apt to lead to unintentional crisis and escalation.
Lyu is right that a more proactive
U.S. policy is taking on some risks and might impair stability. However, we
find her assessments of the broader situation—that is, why the United States
has chosen to adopt this policy—less persuasive. The deepening cybersecurity
dilemma is due not just to American action. It is in part due to threats the
United States perceives from China, a topic her account largely glosses over.
Make no mistake: The Defense Department chose to pursue a
more aggressive course of action because of the failure of previous efforts at
establishing a status quo it finds acceptable. The 2015 agreement between the
United States and China on commercial cybertheft seems to have failed to
appreciably slow the widespread hacking of American targets by state-affiliated
Chinese operators, though it may have caused them to increase their operational
security in a bid to evade detection. Much-discussed U.S. steps aimed at
establishing deterrence, such as indicting Chinese military hackers and
threatening sanctions, likewise seem to have had minimal effect. Numerous
reports have outlined the costs of continued Chinese cyber activity to U.S.
economic and strategic interests. With diplomacy and deterrence not working as
well as the Pentagon would like, disruption of malicious cyber activity has
become an option that is attractive to policymakers, even if it carries risks
of its own. Michael Sulmeyer has written persuasively
about the need for such disrupt-and-degrade operations to complement other
government efforts.
China is also not satisfied with the status quo, as Lyu’s piece suggests. There can be little doubt that the
U.S. intelligence community also hacks Chinese targets for reasons that go
beyond defense and disruption. China likely sees U.S. cyber activities—whether
intended to be defensive or offensive—as intrusive and threatening. It may well
launch hacking operations to attempt to disrupt American efforts; despite Lyu’s assertion that China’s concept of “active defense” is
a “military strategic guideline … rather than an operational concept,” we would
be surprised if the Chinese government did not pursue efforts that aim to
disrupt other nations’ hacking capabilities.
Indeed, China’s 2015 National Defense White Paper
characterizes the PLA’s approach to “active defense” as, among other things,
“adherence to the unity of strategic defense and operational and tactical
offense.” Given this doctrinal context, Lyu’s attempt
to distinguish “preemption” from “retaliation” fails to recognize the
structural blurriness of such distinctions in the cyber domain. American
policymakers are likely to find the distinction meaningless, just as Chinese
policymakers will probably fail to appreciate areas in which the United States
thinks it limits its aggressiveness.
What are the prospects for mitigating this version of the
cybersecurity dilemma? Lyu makes an important case
for the wisdom of self-restraint through adherence to norms of responsible
state behavior in cyberspace, specifically highlighting the norm-setting
process of the U.N. Group of Governmental Experts on Developments in the Field
of Information and Telecommunications in the Context of International Security
(GGE). While we applaud her focus, we are less optimistic that the GGE forum
will prove useful, in part because there remain serious questions about the
Chinese government’s participation in international norm-building efforts.
Michael Schmitt and Liis Vihul
have observed that China is one of three state-parties, along with Cuba and
Russia, whose recalcitrance led to the collapse of the latest round of the GGE
in June 2017. At that meeting, Chinese representatives reportedly objected to
acknowledging three foundational legal principles of state conduct in
cyberspace, including the right of self-defense under the UN Charter, the right
to respond to internationally wrongful acts, and the applicability of
international humanitarian law to cyberspace—leading to blistering criticism
from the U.S. State Department’s deputy coordinator for cyber issues.
Similarly, even where cyber norms have been established—as
occurred in earlier rounds of the GGE or through the 2015 U.S.-China agreement
on commercial cybertheft—considerable questions of interpretation linger. As
one of us (Williams) has argued previously, achieving common understanding on
definitions of cyber norms is a particular challenge
given the embedded and intertwined nature of the Communist Party-state in
China’s economy and the expansive conception of national security reflected in
Chinese law and policy. This challenge of norm-construction is underscored by
recent evidence suggesting that China is either flouting the 2015 cybertheft
agreement or exploiting its ambiguities.
Toothless norms do little to mitigate any security dilemma,
and the cybersecurity dilemma is no exception. Consequently, as Michèle
Flournoy and Michael Sulmeyer have argued, durable
norms require a “coalition of like-minded states willing not just to sign on to
[cybersecurity] norms but also to impose serious economic and political costs
on those who violate them.” Talk is cheap.
For all the dangers of the cybersecurity dilemma, the United
States and China do have areas of mutual interest in the digital domain. For
example, they share interests in the integrity and stability of the global
financial system, in not being misled into great-power conflict with one
another by a third-party malefactor, in not letting cyber weapons get into the
hands of malicious non-state actors, in better understanding how each side
approaches cyber-policy questions such as the definitions of “armed conflict”
or “critical infrastructure,” and in cooperating to combat transnational
cybercrime. Given the enormous stakes, U.S. and Chinese stakeholders must not
allow the recent deterioration in U.S.-China relations to halt efforts to
advance these common goals.
For areas where their respective interests do seem to
diverge, however, both the United States and China would do well to recognize
the dangers of the cybersecurity dilemma. U.S. policymakers must remain keenly
attentive to potential escalation risks associated with the Department of
Defense’s defend-forward strategy; Chinese policymakers must recognize that
their actions are hardly blameless, and that American mistrust is high after
the apparent failures of the 2015 agreement and the GGE process. There is too
much at stake for both nations to permit a slide into still-greater tension and
conflict—especially a conflict no one wants.
The Authors
Ben Buchanan
Ben Buchanan is an Assistant Teaching Professor at
Georgetown University’s School of Foreign Service, where he conducts research
on the intersection of cybersecurity, artificial intelligence and statecraft.
His first book, "The Cybersecurity Dilemma," was published by Oxford
University Press in 2017. Previously, he has written journal articles and
peer-reviewed papers on artificial intelligence, attributing cyber attacks, deterrence in cyber operations,
cryptography, election cybersecurity, and the spread of malicious code between
nations and non-state actors. He is also a regular contributor to Lawfare and
War on the Rocks, and has published op-eds in the
Washington Post and other outlets. Ben received his Ph.D. in War Studies from
King’s College London, where he was a Marshall Scholar. He earned master’s and
undergraduate degrees from Georgetown University.
Robert D. Williams
Robert Williams is Executive Director of the Paul Tsai China
Center, as well as Senior Research Scholar and Lecturer in Law at Yale Law
School.
Available at https://www.lawfareblog.com/deepening-us-china-cybersecurity-dilemma