Foreign Policy Chat – Managing China’s Cyber Threat

A new Congressionally-commissioned report on China's offensive cyber capabilities was released today, arriving just in time to contribute to the debate over a new cyber security bill winding its way through the legislature. The report provides some interesting technical details, but it was based off of open-source intelligence, making its big conclusions familiar to those who have been paying attention to these issues over the last several months. We know that China is pursuing a robust program of offensive capability that it hopes would allow it to disrupt foreign information and hardware networks, in addition to demobilizing an opponent's command and control, in advance of a traditional military operation.  The report also highlights the prevalence of Chinese non-government, though perhaps sanctioned, hackers' continued efforts to steal business information and R&D details from American corporations. Intelligence officials and corporate officers have known about his for years, but officials -- both in and outside the Government -- have only recently begun calling out China publically for its role in supporting cyber espionage.

While information theft is certainly a problem, policymakers should not be surprised by China developing cyber capabilities and contemplating its role in their contingency planning. The United States is certainly doing the same thing. US Cyber Command is tasked with a similar mission and one would hope that they're also toiling to stay on the cutting edge of offensive and defense cyber capabilities, as well as developing ways to integrate these tools into strategic and tactical planning. It would be a mistake to view china's foray into this space as an unusually aggressive move, rather than something to be expected. As we manage this new reality, however, we should view the evolving cyber space through two critical prisms.

Building and maintaining our security defenses needs to be a top priority and far more can and should be done to protect ourselves from cyber threats. A large part of Cyber Command's mission -- along with DHS and others -- is to secure government and defense networks from potential attack. This effort should be commended, but there needs to be a commitment of resources that is actually scaled to the task. In addition to more robust funding, though, existing agency constituencies need to sacrifice tightly-held turf in order to promote an effective whole-of-government approach. 

While these reforms can appear daunting, they're actually much further ahead than the private sector. Much of the essential US infrastructure -- power plants, telecom, utilities -- are privately owned. Up to now we have largely relyied on these private corporations to protect their networks and services on their own. Unfortunately, very few have actually stepped up to the plate. James Lewis, a cyber expert at the Center for Strategic and International Studies, highlighted this problem when he recently testified before Congress: "As a nation, we are still too reliant on cybersecurity policies from the 1990s that depend on voluntary action, market forces and feckless public private partnerships.  This approach has failed.  It is inadequate for what has become a global infrastructure that our economy relies upon and, because of its speed and scale, makes criminals, spies and hostile militaries our next door neighbors. Continued endorsement of these old ideas as the basis for cybersecurity puts the nation at risk"

This is the critical issue that the Cybersecurity Act of 2012 is intended to address. The status quo has clearly failed and Congress should make sure to write and pass a strong bill that will not allow our national security to be put at risk simply because corporations would rather spare themselves the expense and hassle of securing and upgrading their systems. Let's be clear; Like the Wall Street banks, it's the American citizens, tax payers, and government who will be left holding the bag if our physical or digital infrastructure is compromised, so it's past time to enforce reasonable regulations.

Along with playing a strong defense, we also need to keep in mind that our approach to cyber is part of our much larger relationship with China. The President's "pivot to Asia" reflects the reality that the nature of Sino-US relations will be, perhaps, one of the most consequential factors driving 21st century global politics. The speed and size of the Chinese economic expansion will inevitably bring with it a desire for more regional, global, and military influence. This situation calls for effective and proactive engagement by the US. Domestic cyber attacks and espionage is also a huge and growing problem within China and, when searching for common interests, we shouldn't dismiss out of hand the potential for this issue to be a potential source of collaboration.

As China grows into its more influential role, US policy makers need to be wary of slipping into an unnecessarily combative relationship. We no longer have the option of falling into a new Cold War. Our economies and interests in the global commons are simply too interdependent. This doesn't mean that we shouldn't confront the Chinese in order to protect US interests. We should not shy away from raising the stakes -- at the WTO and bilaterally -- on issues of trade and currency manipulation. But every new tank produced in Beijing or Chinese hacker who skims a password should not be viewed as an indication of focused aggression and a sign of some imminent attack. As the recent report on cyber capabilities makes clear, China has many broad and diverse interests and they have little motivation to pick a real fight with the United States. Increased military spending should be expected from China given their economic growth and the massive balance of force advantage that the US maintains. Despite large investments by Beijing, China is not a near-peer for the US in conventional military might. The US will remain, for many decades at least, the only country with the hardware, infrastructure, and logistics necessary to project sustained military power around the globe.

The ongoing cyber threat from China is real, but our response must avoid overreaction and be viewed within the larger context of the US-Sino relationship. We need to raise our game in securing our private and public network infrastructure, work with China and the international community to establish a credible cyber regime, and then hold violators responsible through appropriately-scaled penalties. This is not a time to simply withdraw behind firewalls. In the long run, both Americans and Chinese have a shared interest in a stable and secure global digital commons, and this challenge calls on us to be global leaders in making that happen.