The unclassified version of the 2013
Strategic Stability in Cyberspace
“The U.S. Department of Defense seeks to build a military-to-military relationship with China that is sustained and substantive, while encouraging China to cooperate with the United States, our allies and partners, and the greater international community in the delivery of public goods.”
The major criticism in the report is reserved for China’s activities in cyberspace where the Department of Defense accuses the People’s Republic along with Russia of playing “a disruptive role.” The document also outlines China’s cyber espionage activities against the Department of Defense itself—an unprecedented step in the history of these unclassified reports on Chinese military developments.
Bilateral discussions surrounding cyber war, cyber espionage, and cyber crime will soon take center stage in the US and China. The past few months were filled with media reports (e.g., the Mandiant revelations) about Chinese cyber espionage activities in the United States and dire warnings by US officials about the possible diplomatic and economic fallout should these attacks persist. China’s customary response has been pointed recriminations against the United States. The disagreements over cyberspace are now threatening to spill over into other areas such as bilateral trade negotiations and undermine what some analysts see as the most important political relationship of the 21st century.
One of the principle questions moving forward will be how the United States and China can manage to contain their disagreements over cyberspace without an escalation in cyber rivalry and the risk of a full-scale cyber war. One approach may be that both governments seriously discuss strategic cyber stability. The goal would be an equilibrium in which both sides are deterred from engaging in reckless behavior for fear of upsetting the status quo in cyberspace and inciting a cycle of retaliatory cyber attacks. Here is a short outline of a framework.
First, both countries must agree to abandon their quest for information dominance as mandated by both U.S. and Chinese official military doctrine. This sort of military doctrine is counterproductive and may lead to a cyber arms race which some argue is already taking place. This is obviously easier said than done, but perhaps as an initial first step, an agreement could be produced to curtail active cyber defense in times of peace between both countries and call certain critical information infrastructures off limits.
Second, both countries must actively promote cyber resiliency and adequate backup systems. This means both China and the United States must create conditions in which neither side is vulnerable to a surprise knockout blow by incorporating adequate backup systems in both the private and public sectors. Additionally, both countries must continually reassure the other that neither side is mortally vulnerable to strategic cyber strikes. Especially in the United States, strong private-public partnerships must develop this resiliency, given the private sector’s ownership of most critical information infrastructure.
Resiliency alone, however, cannot dissuade an opponent from engaging in aggressive behavior since cyberspace favors the offense; therefore, in addition to system resiliency, there must be an agreement towards transparency of each country’s respective cyber warfare capabilities. The discovery of the Stuxnet computer worm in the late 2000s—one of the first publicly known cyber weapons—could be interpreted as a deliberate leak by the United States to send China an indirect message about its capabilities and to deter the Middle Kingdom from crossing a certain threshold in its cyber activities. The opposite, however, appears to have been the effect. China last year announced its intention to speed up informatization of its armed forces. Although Stuxnet did little physical damage, it shattered the illusion of peaceful co-existence in cyberspace.
Collection of information about capabilities will be imperfect. During the height of the Cold War both Russia and the United States were uncertain about the precise number of warheads and capabilities of the other side, but both powers agreed on the destructive nature of nuclear weapons derived from highly publicized nuclear weapons tests. Perhaps the time has also come for public cyber weapons tests.
The key for any deterrence strategy in cyberspace to work is the invulnerability of certain strategic assets to cyber attacks. As Oskar Morgenstern already stated in 1959 discussing nuclear strategy: “In order to create a nuclear stalemate under conditions of nuclear plenty it is necessary for both sides to possess invulnerable retaliatory forces.” So far, the mentality when it comes to cyberspace is that the attacker will always succeed – “the bomber will always get through.” This psychology needs to change. Lawrence Freedman in an essay on the first and second generation of US nuclear strategists points out that convincing the military that invulnerability of both sides was key to stability was the hardest part:
“This novel idea of seeking to convince a potential enemy that there was no serious threat to his most precious strategic assets was not one that occurred naturally to the military…and they were not overly impressed when the idea was put forward by this new breed of civilian strategists.”
An encouraging sign is that China and the United States recently have agreed to establish a joint working group on cyber security. The subject of strategic stability in cyberspace demands urgent attention and may hold the key for a stable bilateral relationship of China and the United States in cyberspace.
Franz-Stefan Gady is a Senior Fellow at the EastWest Institute.