First, as both countries become more dependent on the Internet, it is in their interests to work together to fend off malicious cyber activities. In this asymmetric domain, it is easy to launch attacks from a remote place and an unidentifiable IP address, with near-zero likelihood of being caught. With low cost and risks from such attacks, the damages could be huge. To protect their infrastructure, administration, enterprises and other widely used networks, China and the US need to support each other in maintaining law and order in cyberspace. 

Second, as leadership in both countries have recognized the importance of building a new type of great power relations, it is imperative to enhance engagement and dispel mutual-distrust, including cyberspace. Since cyber technology is widely used in various fields, both sides need to do their best to reduce the chances of misinterpretation and miscalculation so as to avoid a real-world confrontation. 

Third, as the absence of internationally accepted rules is a fundamental cause of chaos in cyberspace, it is the responsibility of the two major powers to establish rules together and construct a fair and healthy order for cyberspace, built upon the foundation of cooperation. 

Now, in what areas is cooperation feasible? 

The first area for cooperation is to investigate and crack down on illegal cyber activities. China and the US can work together to destroy porn websites, punish the criminals who illegally break into public systems and the hackers who are developing and using viruses and other malware to attack others. In fact, China and the US have already started to cooperate in this area. What needs to be done now is to do more substantial work for better results. 

Another field for cooperation is countering cyber terrorism. Today, terrorist groups are using cyber technology to accomplish tasks like recruiting new members, collecting funds, propagating messages and even teaching war skills. It can be predicted that some terrorist groups will launch operations in cyberspace, as they can easily strike at the key sectors of a country and cause a panic. China and the US can work together to curb such activities. 

An urgent task for China and the US is to establish universal rules in cyberspace. To start, some basic terms should be defined such as cyberspace, cyber attacks, cyber weapons, etc. so as to reach a consensus and build a framework for cyber cooperation. China and the US can also have dialogues on a possible code of cyber conduct, which will define the ‘red lines’ for what can and cannot be done in cyberspace.  

While discussing cooperation, both sides need to seek common ground while respecting differences. For example, many Americans would tend to regard total cyber freedom as the priority, while in China, many people believe, while ensuring people’s access to Internet, cyber-traffic, like vehicular traffic on roads, needs some regulations to ensure its healthy development and social stability. However, such differences should not stand in the way of cooperation. 

Since cyber security is a global issue, it also needs global attention and cooperation. Some established international institutions, such as the United Nations and the International Telecommunication Union should be good platforms for countries all over the world to exchange views and solve disputes in cyberspace. 

Finally, it is also necessary for the US to assess China’s cyber capabilities more objectively. With a large number of netizens and IP addresses, China is a big power in cyberspace. But, due to lack of ability in researching and developing key information technologies, China is absolutely not a strong cyber power. According to the Cyber Power Index, developed by the Economist Intelligence Unit and sponsored by Booz Allen Hamilton, China ranks 13^th among G20 countries, in regard to the ability to withstand cyber attacks and harness digital environment. If the US side overestimates and exaggerates China’s ability in cyberspace, it will lead to miscalculation. 

In a word, cooperation is a win-win approach for both China and the US to achieve security in cyberspace. It is high time that the two countries stop pointing fingers and join hands to maintain a peaceful, secure and prosperous cyberspace. 

Dr. Lu Jinghua is a Research Fellow, Center on China-America Defense Relations (CCADR), PLA Academy of Military Science (AMS), China.

Tom Watkins

For some time, Congressman Mike Rogers (R-Michigan), Chairman of the House Permanent Select Committee on Intelligence and a former FBI agent, has been warning that China has been stealing government information and intellectual property from U.S. businesses.

For his efforts, he has been called either a modern day Paul Revere or “Chicken Little”. 

“The sky is falling, the sky is falling” is a cry that remains an idiom even today. Is cyber disaster imminent? 

What if the crier is right? 

This is exactly the dilemma that Congressman Rogers finds himself in as he attempts to alert the country to paying more attention and protecting ourselves against further cyber attack. There is no doubt that cyber attacks can cripple our economy and financial institutions or destroy our power and electrical systems grids — crippling the computer networks that help run our entire country’s infrastructure. 

Sounds rather sci-fi, doesn’t it? Complete with enemies able to unleash a computer virus so powerful that it might shut down our country. Scary enough? 

Rogers believes that this level of devastation is currently being threatened by terrorist organizations and foreign governments, particularly, China. He believes that Russia, China, Iran, North Korea and Al-Qaida daily are improving their capabilities to attack America’s vital targets using cyberspace. 

This is not the first time we have experienced cyber-attacks against American companies originating from China. A widely released report from a private security firm in February 2013, found that the Chinese military hacked into more than 140 businesses, mostly in the United States.  The Chinese government strongly denies the claim. 

The exponential number of attacks as well as the sophistication and coordination of the attacks has bought the issue to a boiling point in our government. 

Congressman Rogers was recently joined at a Congressional Committee by former Michigan Governor John Engler, now President of the U.S. Business Roundtable. Engler believes China is stealing business secrets at an alarming rate. He told the congressional committee that protecting U.S. companies from these threats is a top-level national economic issue that must be addressed. 

Rogers is working in overdrive to pass legislation he terms The Cyber Intelligence Sharing and Protection Act. It would allow the U.S. government to share classified information related to expected computer system attacks with American businesses. His idea for early warning systems would help create shields to protect our nation’s security interests. 

This new bill was introduced after the original died in the U.S. Senate, failing to be introduced during the last legislative session.

President Barack Obama highlighted the cyber -security issue as a threat to the U.S. in his recent State of the Union address.  

In what was described as an unusually direct appeal, The Washington Post reported recently that the Obama administration “called on China to halt its persistent theft of trade secrets from corporate computers and engage in a dialogue to establish norms of behavior in cyberspace.” 

The demand marks the Obama administration’s first public effort to hold China accountable for what officials have described as “an extensive, years-long campaign of commercial cyber-espionage.” 

When asked which powerful Washington institutions have been penetrated by Chinese cyber spies, U.S. cyber-security experts agree: “Almost all of them”. The list of those hacked includes think tanks, media outlets, law firms, human rights groups, manufacturers, contractors, congressional offices and federal agencies and embassies. 

The President’s National Security Adviser, Thomas E. Donilon, called on China to takes steps towards stopping the attacks. As The New York Times reported: “Mr. Donilon said the threats to cyber security had moved to the forefront of its concerns with China, noting that he was not ‘talking about ordinary cybercrime or hacking.’” 

Chinese denial 

According to The China Daily China’s Ministry of National Defense scorned the accusations as “unprofessional and false” shortly after the report was released. It also said China has never directly accused the U.S. government of being behind similar attacks on China’s computers even though its military computers suffered “a large number” of overseas attacks with “a considerable number” of them originating from the U.S. judging from IP addresses.”

Hua Chunying, a Chinese Foreign Ministry spokeswoman repeated China’s assertion that it is firmly opposed to cyber-attacks and claims China has suffered most from them. “Cyberspace needs rules and cooperation, not wars.” Hua went on to say that “China is willing, on the basis of the principles of mutual respect and mutual trust, to have constructive dialogue and cooperation on this issue with the international community including the United States to maintain the security, openness, and peace of the Internet.” 

To paraphrase an old saying– both sides are likely to distrust and verify. 

Cyber threats all Too Real 

President Obama met with key US business executives in the secure White House Situation Room a day after U.S. intelligence leaders said for the first time that cyber attacks and cyber espionage have supplanted terrorism as the top security threat facing the United States. The meeting included Honeywell International’s David Cote, AT&T’s Randall Stephenson, and Northrop Grumman’s, Wes Bush. 

The President did not mince words saying, “What is absolutely true is that we have seen a steady ramping up of cyber security threats ” noting that some threats were “state sponsored.” President Obama continued, “We’ve made it very clear to China and some other state actors that, you know, we expect them to follow international norms and abide by international rules.” 

Our national economic interests and security are at risk. While the Chinese take offense at the accusations, our diplomats are walking a tightrope to resolve an issue that has become too big to ignore. Both countries must find a way to navigate the cybersecurity waters before it leads to problems that spin out of control. 

It seems imperative for not only China and America, but also all of humanity, that our two great countries must find ways to develop “win-win” strategies. We need to resolve issues like these quickly in order to assure continued peaceful co-existence on the cyber-security and other fronts. 

Cyber-security will test both our countries’ leadership. This is a test neither side can afford to fail. 

Tom Watkins serves on the Board of Advisors for the University of Michigan’s Confucius Institute as well as on the Michigan Economic Development Corporation’s international advisory board. He is the former Michigan State Superintendent of Schools and former President and CEO of the EconomicCouncil in Palm Beach County Florida. Currently, Tom is a U.S./China business and educational consultant.

After a careful reading of the Mandiant report, I believe most readers will think three things. Firstly, Mandiant has astonishing intelligence capabilities, which allows it to find many minor details. Secondly, Mandiant has internet capabilities of reverse engineering, which also can be used to carry out cyber attacks and is far smarter and more capable than the “Chinese military hackers.” Thirdly, the evidence in the report is unable to prove that the APT attacks were launched by “PLA officials in the white, 12floor building.” The report is more likely aiming to find a scapegoat than make a meticulous and objective investigation. Most of the Chinese audience will not believe that the crack troops of PLA are using junk e-mails to fight against U.S. rivals. And they will not believe that the tactics are successful in stealing the top secrets and technologies from the U.S., the creator of the internet and the strongest country in cyber space. 

It is not the first time that “cyber espionage” has been a trouble in China-US relations, and it is probably not the last. At the end of 2011, China and the U.S. were facing a similar situation, as cyber security firms Symantec and MacAfee claimed that they tracked the source of cyber attacks to Chinese territory. Some believed that the increase in cyber problems is related to close relations between President Barack Obama and Silicon Valley. Eric Schmidt, the chairman of Google; Tim Cook, the CEO of Apple; and Mark Zuckerberg, the founder of Facebook have famously dined at the White House. And Barack Obama won his second term with a successful Twitter campaign despite a terrible economy. Therefore, it is not unexpected that the US government put cyber security as a top priority, and that it has raised a warning of outside cyber threats to push the process of domestic internet security lawmaking in order to help cyber security firms win more business. 

On the other hand, China is willing to cooperate with the U.S. on an international platform. China has the same concern of cyber threat as the U.S. does. There were over 14 million computers kidnapped by foreign hackers in 2012, as reported by the National Computer network Emergency Response technical Team Coordination Center of China. China also has a long history of cooperating in this area. In 2011, China and Russia submitted suggestions of cyber security international rule to UN, but were opposed by western countries. 

On a deeper level, the spasmodic “cyber espionage” problem between China and the U.S. has been caused by a fundamental difference in understandings of internet governance. One aspect is the priority and tolerance of the public on this issue. For China, the public is more worried about the security of food and environment than their cyber privacy, and most people have little knowledge’s and awareness of cyber security. It has caused China to become a relay station for cyber criminals around the world to thieve from or to hide themselves. Most of China’s websites and networks are easy to invade. According to an official agency, the number of foreign cyber attacks on China has increased by 18 times since 2009. In 2011, “CSDN,net”, one of the biggest programmer BBS was easily hacked by unknown group, and 6 million account numbers and passwords were released to the internet. However, the public is not aware of the cyber danger, so the government has little opportunity to cope with it. 

China has long insisted that government and official agencies should be responsible for stopping crime, and that the solution to international cyber attacks should come from international law enforcement agencies. Nevertheless, it seems to China that the principles and standards of the U.S. are changing and are often self-contradictory, as shown by its attitudes towards Wikileaks and internet freedom. How could the China and rest of world trust the country that developed and employed the most dangerous virus “Stuxnet” to free the world of cyber attacks? 

The bitterness caused by the Mandiant report is slowly being digested, although China has noticed that the U.S. has not intensified the issue. In other words, the event may become an opportunity for China and the U.S. to open a pragmatic dialogue on cyber issues as well as in the military area. It is more urgent for the two countries to reduce their security concerns than to be entangled by the past. It is better to establish a complex cyber dialogue for China and the U.S., which includes market opening, intellectual property protection and cyber security. As the  two biggest countries in the 21st century, China and US have a common interest in protecting the current international system from destructive attacks by cyber criminals, so we need to step forward.

Li Zheng is Assistant Researcher in the Institute of American Studies, China Institutes Of Contemporary International Relations

Yang Jian

Through its practice, the United States has not only made new enemies, but also polarized the global attitude toward security matters. A review of various US documents on strategic matters has revealed the omnipresence of such an erroneous mentality embraced by the United States on security matters. As a first step, the United States has listed some countries as its national enemies in its documents on cyber security strategies and grouped the countries operating in the cyber world into allies, neutral states and potential enemies. It has also taken the lead to create a force specializing in cyber operations. Initiated by the United States and followed by other countries, this erroneous security mentality has come to reign across the globe, an easily foreseeable result. For example, suppose a certain country is listed by the United States as a potential enemy in its cyber strategy, this country will surely start to study the US capabilities in cyber wars, imitate its model of operations, and develop countermeasures.

It was also the United States that first introduced the concept of deterrence into the cyber world. By making strategic enemies, the United States has not only soured state relations, but also shaken the foundation for transnational cooperation in the field of cyber security. Moreover, it has embroidered cyber warfare into its organizational and operational strategies, a move that has broken the peace of the cyber world from a state height and deviated from the goal of using cyberspace as a tool for economic development. Its inception of cyber warfare deterrence and strive for absolute superiority in this field, meanwhile, has, in practice, started an arms race in the cyber world, setting a bad example that hinders global progress in the field of cyber security.

Global and borderless, cyberspace is a field where security can hardly be secured through deterrence, a measure primarily employed by the United States during the Cold War to support its military security strategies. During the era of the nuclear arms race, mutual deterrence remained a top concern of rival countries. In the same way, the offense-and-defense game of cyber deterrence will only lead other countries to improve their offensive and defensive cyber skills, as the United States tries to secure absolute security.

Dr. Hamadoun Touré, Secretary General of the U.N. International Telecommunications Unions, once stated, “We need to have an international framework to make cyberspace peaceful. People who think they are secure don’t want anyone else to talk about it. I say there is no online superpower.” With the diffusion and popularization of technology, no hegemon can hope to permanently keep its unilateral superiority in cyberspace.

Global cyber security can be secured through unity, trust and understanding between the governments of all countries in the world. Since major powers shoulder a greater responsibility over the creation of a cyber security culture, cultivation of cyber security mentalities, and formulation of cyber security standards and codes of conduct in our present-day era of globalization, the United States should do away with its current cyber deterrence mentality on cyber security that has been based on its Cold War mentality and totally gone out of date. In 2011, China, Russia, Tajikistan and Uzbekistan submitted the International Code of Conduct for Inormation Security to the United Nations General Assembly, the first comprehensive document of its kind, which proposed the following principles concerning cyber security:

*  Compliance with the UN Charter by all members, and respect to each other’s sovereignty, territorial integrity, and political independence.

*  No use of information or telecom technologies to conduct hostile behaviors.

*  Enjoyment by all countries of the right to protect the safety of their cyber spaces.

*  Freedom of cyberspace.

*  No attempt to weaken the independent control of other countries over information technology by taking advance of one’s superiority in resources, key equipment or core technologies.

* Creation of a multilateral, transparent and democratic international Internet governance mechanism.

* Cooperation in the crackdown of cyber crimes and cyber terrorism.

Articulating its explicit objection to the idea of cyber war and the use of information or telecom technologies to conduct hostile behaviors, this Code of Conduct both reflects the national norms advocated by the submitting states and highlighted their security concepts in terms of global cyberspace interests. As a result, the world’s major powers should take the lead and promise not to use information technology as a weapon or cyber space as a battlefield.

In order to dismiss the deterrence mentality set, major powers must contemplate how to secure global cyber security through international cooperation, the creation of legal mechanisms, and the adoption of pertinent technological measures. The role of the United Nations and other international organizations should also be brought into full play, and inter-governmental trust should be promoted to serve as the basis of international cooperation. Although the United States has set a bad example, it is the responsibility of all countries to give up all attempts of deterrence, instead embracing global collective security in cyberspace.

Yang Jian is vice-president of the Shanghai Institutes for International Studies.

Franz Stefan-Gady

Most Western countries (including the United States) have fewer incentives to engage in cyber espionage on the scale of the People’s Republic of China. One of the reasons for that is that the United States and its allies are still home to the most innovative and technological advanced companies in the world. Another reason is that the United States Armed Forces clearly in possession of the most advanced military technologies and its military does not need to seek an asymmetrical advantage over its adversaries given its conventional strengths.  The West has thus fewer incentives to launch massive scale cyber espionage operations, aimed at stealing technological secrets from Chinese companies.  

According to customary international law, espionage is not prohibited. There is little that both sides can/are willing to do in the short term.  The primary fear in the United States, however, is that these cyber espionage activities are just a first step in an ever escalating Chinese threat emerging from cyberspace: “Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems,”as President Obama stated during his state of the union address in February 2012. “Enemies” in this context must clearly be understood to be the Chinese. Acts of sabotage on these scales from China, however, will only happen in the unlikely course of a Chinese attempt to forcefully reunite with Taiwan and the United States honoring its treaty obligations.

Despite the unlikelihood of a full scale cyber war between the two countries, it does not reduce the need for confidence building measures given the inherent strategic instability of cyberspace, where tensions such as the revelation of Army Unit 61398 could quickly escalate and go viral with real economic and political consequences.

It is hard if not impossible to establish strategic stability in cyberspace that could dissuade malicious actors from exploiting vulnerabilities in the critical information infrastructures of countries.  According to a study done by the Cyber Conflict Studies Association: “The current strategic cyber environment is marked by an inability to establish credible deterrence and effectively prevent the emergence of adversaries and conflicts in cyberspace detrimental to U.S. interests.”

This assessment is based on various factors such as the inherent vulnerable structure of networks and the Internet, a low barrier of entry for actors (cyber weapons are cheap and attackers do not have to be very skilled for most forms attack), and the anonymity of attackers.  

For example, non-state actors (cyber terrorists, criminal networks, political activists) could use the political tensions between China and the United States for their own advantage, by launching massive attacks themselves aimed at specific targets for either financial or political gains, while security experts and policy makers are overwhelmed with fighting off state-sponsored attacks.

The only way to start to reduce tensions is to consciously lay out the joint vulnerability of both the United States and China to cyber attacks.  One way how to begin to build trust is for the United States and China to agree on a joint public study on the interdependence of their respective critical information infrastructures. A special focus should be the likely economic effects of non-state actors’ attacks with strategic impacts. My colleague Dr. Greg Austin and I recommended such a study in our most recent report “Cyber Détente Between the United States and China”. As we state: 

“This could be done under the framework of the United States- China Strategic and Economic Dialogue. This may not be welcome by some private operators. Yet the need for such a study exists on a political level. It is a consequence of the strategic impact of private ownership of critical infrastructure. As much as such a study might intrude on narrowly defined private sector interests, leading ICT businesses need a deeper understanding of the military implications of the intermingled, even tangled, character of U.S. and Chinese operations in cyberspace.”

The need for such a public study is every increasing and should include a wide range of actors from the private and public sector, academia, the military and intelligence communities.  While the direct political impact of such an unclassified study may be low, it would nevertheless illustrate to people in the media, politicians, and civil society as a whole the pervasive connectivity as well as joint vulnerabilities of both China and the United States.

Franz-Stefan Gady is a Senior Fellow at the EastWest Institute. 

First, the allegation is laughable because it is technologically senseless. It is only too naïve to reach the conclusion that “the attacks originated from China” only by identifying the IP addresses. Anyone with a little cyber knowledge wouldn’t believe that a professional hacker would be so foolish as to use his/her own computer for hacking. No hacker would register his/her IP address at the place where they operate. And few would launch a massive attack to expose his or her “hideout”. They usually hijack a third-party computer and turn it into a “zombie” as part of a “botnet”, on which they then launch the planned attack. In its report, Mandiant claimed that a Shanghai-based army unit was the Chinese military’s “hacking headquarters”. The only reason it cited to support this claim was that the army unit used the term “headquarters” when registering for online address. This is ridiculous. Even an American cyber expert shrugged it off as pure “conjecture”.

Second, the allegation is laughable because it is nothing new but a hackneyed trick. Two years ago, some American cyber activists labeled a Lanxiang Technical School in Shandong Province as China’s “base camp of hackers” backed by the military and identified a company in Hengshui, Hebei Province and a college in Zhengzhou, Henan Province as “cyber militia units”. The assertions later turned out to be groundless. Now they played the old trick again. Analysts said, while the American cyber firms may have whipped up the fanfare for advertisement, the US government and military joined in only to scrounge more funding off the Congress to arm its cyber troops.

Thirdly, the allegation represents a peremptory attitude. The United States is the “rules maker” with an unchallengeable position in the cyber world. The US military set up the Cyber Warfare Command in 2010 and planned to enlarge the recruits for its cyber security force to 4,900. On the contrary, China sits at the lower end of the Internet chain and has been one of the worst-inflicted victims of cyber attacks. Available statistics indicate that 73,000 overseas IP addresses, working as Trojan and botnet controller servers, were involved in controlling 14 million computers in China last year. Another 32,000 overseas IP addresses exercised remote control over 38,000 Chinese websites by way of planting backdoors. Of these attacks, those from the US cyber sites were the largest in number. While China has suffered most from cyber attacks, the US proved to be the attacking side. Instead of restraining itself, the US threw the mud at China. This is really unfair and ungentlemanly.

Fourth, it is also an irresponsible attitude. Sino-US relationship is one of the most important bilateral relations in the contemporary world. A strategic trust between the two countries is of great significance to maintaining world peace and development. Chinese laws forbid hacking and any other actions that harm Internet security. The Chinese Government has imposed strict regulations on the use of Internet. Chinese army has never supported any act of cyber hacking. However, some American companies and media have fabricated and spread the lies about “threats from Chinese hackers” out of ulterior motives. This is not only an irresponsible attitude but will also undermine the relations between the two countries.

The slanderous report was released by a US company. The respondents from the Chinese side were government departments. The Americans have won enough face in the case. We shouldn’t have responded to it as such ridiculous and unprofessional accusations do not deserve a response at all. However, the allegation was so ill-intended and so irresponsible we have to present the facts to correct misunderstandings.

Meng Yan and Zhou Yong, are a deputy chief and a staff officer, respectively, of the International Publicity Bureau under the Ministry of National Defense of China.

The article was first published at People’s Daily’s Overseas Edition.

Another US institution recently claimed it was “attacked by Chinese hackers.” This time the self-proclaimed “victim” is The New York Times.

There have been quite a few US “victims” in recent years who accused “Chinese hackers” of targeting their computer networks, including Google, arms manufacturers, the US Chamber of Commerce, the National Aviation and Space Administration and so on. The US-China Economic and Security Assessment Committee of Congress went so far as to say in its annual report, published in November, that China had become the most aggressive country in the cyber world.

However, for all this hyping of “Chinese hacker attacks” the US has yet to produce any damning evidence to support the wild accusations. The evidence that The New York Times and others such as Dow Jones cited for their accusation is the same as  previous allegations – the attacks were traced back to IP addresses located in China.

Anyone with a fair amount of Internet know-how can tell you that hacker attacks are usually launched via a string of overseas addresses and under various disguises to hide the identity and location(s) of the attacker(s). The US, which has always been on the cutting edge of Internet technology, must know this better than anyone else.

By repeatedly accusing China of hacker attacks without solid evidence the US is in fact spreading the “China threat theory” in the cyber world as another excuse for efforts to contain China. National security is now the ultimate one-size-fits-all loin cloth for Washington to take any arbitrary action it wants to against another country, be it trade protectionism or economic sanction. It is also the ultimate excuse to sound the “China threat” alarm.

Some US media entities and politicians are allergic to China’s progress in economic development as well as science and technology and the more they see it the more anxious they feel. So much so they habitually accuse China of “stealing” or “copying” (US technology/inventions) and a whole lot of “conspiracies”. Besides, hyping “Chinese hacker attacks” is obviously a handy way to attract voter support as well as public attention for US politicians nowadays, not to mention the bonus of having one more reason to install more tech export bans against China.

Fact is, while hyping its “China threat in cyber world” claim, the US is quickening the pace of expanding its cyber security force. Just a few days before The New York Times and Dow Jones accused China of hacker attacks a press report said that Pentagon plans to expand the cyber security force five-fold. Coincidence or a well-executed attack formation, it is enough to let some observers wonder what else can it be except an excuse to redouble funding for cyber warfare capability buildup.

The US sees itself as the guardian of online freedom, but it is also the leader in using the Internet as a convenient channel for efforts to interfere in other sovereign countries’ internal affairs and even subvert their governments. To this end it is stepping up a campaign to militarize the Internet and turn it into a warzone whenever it wants to. Little wonder the US military, certain high-tech companies and politicians have been crying wolf so hard in recent years about the so-called China threat in cyber world.

On the Internet business spies and cyber thieves are everywhere. Any wired government department or enterprise can be targeted by hackers for any or no reason at all. Available statistics show China is one of countries most frequently attacked by foreign hackers. In December last year alone at least 3,049 IP addresses took control remotely of 11,295 websites based in China by installing backdoor programs in those systems and the remote attack sources located in the US outnumbered any other country. Despite the fact that so many hacker attacks were traced back to IP addresses located in US networks the Chinese side did not publicly accuse any American entity of launching cyber assault on Chinese sites.

With the largest online population in the world China forbids by law any attempt at network hacking and punish the culprits quite severely while taking a constructive part in global exchanges and cooperation on network security. In the era of economic globalization and informationization, information security has become an international issue and counter-attack against hackers depends on international cooperation to succeed. Hurling unsubstantiated accusations at China while exercising double-standard on Internet management sets a glaring example for irresponsible behavior by any country, superpower or not.

This is translated from a commentary published in the overseas edition of People’s Daily on February 4.

Franz Stefan-Gady

The journalist, Joseph Alsop, was not mincing words in his syndicated column on August 1, 1958: “The Eisenhower Administration is guilty of gross untruth concerning the national defense of the U.S.” The reason behind this vitriol was the now infamous (and fictional) missile gap—a presumed strategic advantage for the Soviet Union over the United States in bombers and nuclear missiles—that Alsop believed was factual. When Ike read the paper he supposedly threw it across the room.  The president knew the gap was fictional due to top secret, U-2 spy flights over the Soviet Union, but he could not inform the public about the non-existing missile gap due to the top-secret nature of the flights. Alsop had received incomplete intelligence from the Air Force and a couple of US senators.  For years the fear of a missile gap poisoned the discourse about Soviet capabilities and led to an increase in military spending under the Kennedy administration.

Today, we are in danger of falling into a “cyber weapons gap”—exaggerating the capabilities of the Chinese People’s Liberation Army—when it comes to waging cyber war. Halting just short of an Alsop indictment, the press and various national security experts have sensationalized the technology developments of the PLA and the exploits of Chinese hackers. Fear of a cyber “Pearl Harbor” against critical US information infrastructure is exaggerated. While some of the danger of cyber espionage from China is real, doomsday scenarios distort the true nature of the threat.

One reason is that there has been little clarity in public debates about the true impact of cyber war: How much damage would it really inflict? The simple truth is that much of the debate surrounding the PLA’s cyber war capabilities is mere speculation based on evidence of its undoubted success in cyber espionage. Yet the capabilities needed for cyber spying compared with those needed for cyber operations with strategic military impact are very different. High school hackers can chance upon a breach, but a fully mobilized and prepared cyber force, supported by advanced intelligence methods and human intelligence activity, is needed for cyber operations in a theater of war.

Actual strategic vulnerabilities create a context for speculative jitters. A report prepared for the US-China Economic and Security Review Commission from March 2012 is careful in outlining consequences of cyber war with China:  “The majority of the clearance and settlement infrastructure has become concentrated in the U.S. over the past three decades, potentially magnifying the international effects of an attack against U.S.-based financial systems.” Or, “CNE tools with BIOS destruct payloads….could create catastrophic hardware failures in key networks.” Or: “BIOS destruct tools pre-placed via network reconnaissance and exploitation efforts….might be activated to destroy the circuit board…” It seems every objective report on Chinese cyber war capabilities is marked by conjecture and cyber angst, as it is virtually impossible (unlike with nuclear war) to assess the true impact of cyber war without actual attacks being launched.

This has not stopped certain commentators to raise Cassandra warnings about the threat originating from cyberspace and China: ”There’s almost universal agreement that the U.S. faces a catastrophic threat from cyber attacks by terrorists, hackers and spies.” Such sweeping claims are unsupported by convincing evidence and rely mostly on the hyperbole of fear mongering officials. However, while we cannot know the entire Chinese cyber weapons arsenal or its precise capabilities, we can draw some broad conclusions drawn from external variables to determine China’s capabilities and intentions in cyber space. In short, they appear to be limited and conventional.

First, China never issued a formal cyber warfare strategy document. At the 16^th Party Congress in 2002 then General Secretary Jiang Zemin announced that the PLA’s future mission will be to persevere in “local wars under informationized conditions” by 2050. This strategic guidance set in motion a time table of modernization with the end result of a total “informatization” of the PLA by 2050. Single Service stovepipes and the low level of military IT applications in the PLA will be hard challenges to overcome to meet the outlined objective for a decade at least, and consequently severely limit the capabilities for large scale offensive operations in cyber space.

Second, China is mostly preparing for a local war with very specific objectives in the Taiwan region—not a “cyber Armageddon”. Chinese military writing singles out U.S. logistics, command and control, as well as C4ISR (Command, Control, Communications, Computers, Intelligence, Surveillance and Reconnaissance) systems as centers of gravity to target in a future conflict over Taiwan (the only presumptive casus belli between the two countries). Consequently, China will especially target systems of United States Pacific Command and United States Transportation Command rather than the entire U.S. critical information infrastructure.

Third, as my colleague Greg Austin pointed out, severe weaknesses persist in China’s cyber warfare capabilities.  Despite intensifying attempts to improve expertise, Chinese technology institutes and universities still cannot compete with the United States in the highly specialized areas that support cyber warfare. (On a micro level Chinese specialists can compete with their Western analogs, but postgraduate training for military personnel in cyber related spheres is not as good as in the United States. The PLA also has other competing military priorities, such as mechanization of the army, modernizing the air force and deploying a more robust navy.) Most importantly, the private sector capacity in China—the true center of gravity in any cyber conflict—is inferior to the US private sector’s capacity to support cyber war operations because of a lack of coordination. As Jimmy Goodrich pointed out:  “US-China engagement must take into account China’s fractured cybersecurity space.”

Last, as the report “Occupying the Information Ground: Chinese Capabilities for Computer Network Operations and Cyber Espionage” points out: “Media and industry reports portray some of the incidents attributed to China as advanced but the reality is that many successful penetrations are “advanced” only because the targeted organization was unable to stop them or detect the presence of the operators on their networks.” News about Chinese hackers penetrating US networks should not be seen as testimony of a flaccid United States cyber security. Those responsible are trying to pass the buck. It is not a testimony to Chinese superiority in the field, but merely underlines the fact that cyber defense may be at a disadvantage vis-à-vis offensive cyber operations.

To conclude, the first lesson from the Alsop-missile gap analogy is to acknowledge that every debate on national security issues is incomplete without access to a wide array of classified information from the intelligence community. More importantly, however, the major lesson to be drawn from this neo-missile gap is to rely on CSA (common sense analysis). Good security policy analysts can draw more accurate conclusions from various external factors as outlined above.  In December 1962, during budget discussions with the president, then Secretary of Defense, Robert McNamara, stated that the missile gap,was created by  “emotionally guided but nonetheless patriotic individuals in the Pentagon.” Lest, we fall for similarly guided emotional  appeals to national honor, we need more common sense analysis of a greater store of relevant facts to realistically assess China’s cyber warfare capabilities.

Franz-Stefan Gady is a Senior Fellow at the EastWest Institute and co-author of “Cyber Détente Between the United Stated and China: Shaping the Agenda”.  

In August 2010, after Japanese firm Mitsubishi Heavy Industries became the subject of cyber attacks from China, one commentator in the Financial Times suggested that cyber threats might provide new common ground to re-energise the traditional military security alliance between the US and Japan. It appeared a reasonable suggestion when, two months later, the lower house of Japan’s Diet also fell victim to cyber attacks, reportedly from China.

Mutual Insecurity

All of them reflect U.S. concerns about the so-called Chinese asymmetric strategy (anti-access, or area denial, strategy) as the PLA progresses toward modernization. Some Americans think that China has been developing an offensive capacity for use in the global commons that could impose significant risk to U.S. military activities. It is well known that the U.S. armed forces depend highly on the global commons in which to roam. Thus, Chinese actions are viewed as threats and huge challenges to U.S. military supremacy.

However, China is feeling much more threatened from the U.S. side in cyberspace and outer space. It was the U.S. that established the world’s first Cyber Command. And many U.S. defense officials have talked about the possibility of launching cyber attacks on other countries. Moreover, the U.S. has absolute advantages in cyber technologies. These aspects make the Chinese feel threatened in their daily life and worried about national security in case of conflict. So it is in outer space.

The above U.S. comments reflect a new scenario in Sino-U.S. relations that indicates a kind of mutual insecurity is forming in the global commons. The U.S. is suspicious of Chinese intentions to invest. At the same time, China feels more and more pressure from U.S. aggressive actions. With this sense of insecurity, any potential investment by one side is probably viewed as new threats by the other side. And a more dangerous scenario is the invisible competition, technologically and militarily, in the global commons which will lead to more insecurity.

The mutual insecurity is rapidly looming to the forefront of Sino-U.S. relations in a negative way and is seriously influencing the threat perception on both sides. Based on a primary statistic, there have been more than twenty media reports in the U.S. about China’s so-called cyber aggressiveness since early 2011. Although most of these reports are unbelievable, it really reflects the increasing importance of the issue. Similarly, Chinese people keep a watchful eye on the U.S. International Strategy for Cyber Space, the DoD’s cyber operational strategy and some horrible media descriptions about cyber wars with China.

What is worse, the looming mutual insecurity occurs simultaneously with evolving Sino-U.S. relations, which adds more anxiety.
 
Evolving Sino-U.S. Relations

Sino-U.S. relations are currently undergoing some fundamental changes which may constitute a new challenge for leaders and experts on both sides.

The first change results from the potential end of the global counter-terrorism era. As U.S. armed forces pull out of Iraq and Afghanistan, the counter-terrorism collaboration between China and the U.S. is fading away. This means one of the most important pillars characterising Sino-U.S. relations in the past decade disappears. Also, the potential end of counterterrorism provides the U.S. with more resources to deal with other challenges, including emerging powers.

Another fundamental change concerns Sino-U.S. economic and trade relations. The economic and trade link has long been the cornerstone of the whole relationship and always plays a decisive role at critical moments. However, as both countries begin to undergo economic transitions, there is some evidence that the cornerstone is becoming a stumbling block. The direct competition between these two nations over the size of their economies, industrial structures and share of the markets is becoming a distinct characteristic of the political relationship.

And the sharp increase in production costs, resulting from the rise in Chinese workers’ wages and continuous appreciation of the RMB, makes the Chinese market less attractive to American corporations. So with the inevitable withdrawal of American business from China there will be a loosening of economic ties between the nations.

The danger of these changes lies in the possible collapse of the foundations of a positive, cooperative and comprehensive Sino-U.S. relationship, especially considering the evolving balance of power between them and lack of mutual trust in other fields, like the long stagnant military-to-military relations.

These aspects of the Sino-U.S. relationship are contextual indicators of the importance and significance of dealing with the global commons issue.

New Chance for New Foundation

It is not in either Chinese or U.S. interests for mutual distrust between the two countries to continue. And a potential confrontation in the global commons will be bad news for both international security and prosperity. Both nations should pursue an interactive approach that strives to deal with their mutual interests.

In fact, China and the U.S. have many common interests in the global commons. A fundamental interest is to maintain secure, open and stable access. For cyber security issues, both have to deal with problems like hackers, cyber terrorism and cyber crime. In outer space, maintaining non-militarization and dealing with space trash are of mutual interest. For the maritime common, both countries need to confront threats from pirates, and they have already collaborated in doing so in the Gulf of Aden.

Another common interest concerns the formulation of international ‘norms’, or practices, related to the global commons. The lack of norms in cyberspace and outer space is partly responsible for the mutual insecurity and suspicion on both sides. So it is imperative to formulate governance systems acceptable to the international community to regulate the behaviors of all nations. In this process, China and the U.S. undoubtedly will play an indispensable role.

Cooperation in the global commons – an issue related to international security – will also have significant implications for the current Sino-U.S. relationship. It is undoubtedly a strategic issue and cooperation between the U.S. and China has the potential to build a new domain for military-to-military exchanges. The exchanges need to be upgraded from the current symbolic level to be substantial, high-end true cooperation. Moreover, pursuing common interests and enhancing cooperation on such a global issue as the commons can contribute to more mutual trust which is lacking in the current relationship.

In essence, their mutual insecurity requires both the U.S. and China to deal with it promptly in a cooperative way. Cooperation on the global commons issue could be the basis for a new foundation for the Sino-U.S. relationship, a vital concern for the elites of both nations.

Li Yan is a scholar from the Institute of American Studies, China Institutes of Contemporary International Relations (CICIR). His fields of research include military and security affairs concerning the U.S. and Sino-U.S. relations