The Risk of Cybersecurity Spillovers

Jul 26, 2013

In the recent

Dan Steinbock

While President Xi has advocated “a new type of great power relationship,” strategic cybersecurity issues may soon spill over into bilateral economic relations.

U.S. views on Chinese cyberthreats 

When President Barack Obama arrived in the White House in early 2009, he declared cyberspace a strategic national asset and requested a full cyberspace policy review. This effort intensified after April 2009, when computer spies infiltrated the Pentagon’s $300 billion Joint Strike project, the costliest weapons program in history. A year later, the Stuxnet infiltration of Iranian nuclear sites caused extensive physical damage to infrastructure. Reportedly, it was a joint project between the U.S. and Israel, with possible assistance from Germany and Britain.

From Stuxnet to espionage attacks against Google, Western energy companies and South Korea’s government networks, publicized cyberattacks have attracted more attention. In May 2011, the White House released its international strategy for cyberspace, which served to define expectations for Washington’s emerging plans in the United States, as well as for both U.S. allies and adversaries.

Meanwhile, Huawei, the Chinese telecom giant, began efforts to expand in the United States, where Washington deemed it a threat rather than an opportunity. In October 2012, the House Select Committee on Intelligence (HSCI) released a report on the alleged national security threats posed by Huawei and ZTE, whereas a subsequent survey by the White House contradicted some of the HSCI conclusions.

Cybersecurity remains elusive because of the unique characteristics of digital media. First, cyber intrusions are asymmetric in the sense that even actors with limited financial or technical resources can paralyze high-value targets. Second, the inherent openness of the web makes it highly vulnerable to offensive attacks. Third, the anonymity of digital interactions complicates attributions. As a result, U.S. efforts to “name and shame” cyberattackers rely on classified documentation rather than publicly substantiated evidence. In a recent interview, former CIA and NSA head Michael Hayden said that Huawei has “shared with the Chinese state intimate and extensive knowledge of the foreign telecommunications systems it is involved with.” In turn, John Suffolk, Huawei’s highly-regarded chief security officer, asked Hayden to substantiate his accusations publicly: “It’s time to put up or shut up.”

Citing repeated cyber-intrusions into critical infrastructure, the White House, in February, issued Executive Order 13636, hoping to enhance security through voluntary, collaborative efforts involving federal agencies and owners and operators of privately owned critical infrastructure. Unfortunately, this approach seems to blur responsibilities between security agencies and civilian networks.

Chinese views on U.S. cybersurveillance 

Earlier this spring, Edward Snowden, the former contractor for the NSA and a former employee of the CIA, leaked details of several top-secret U.S. and British government mass surveillance programs to London’s The Guardian, which released a series of investigative articles on the interception of U.S. and European telephone metadata and the PRISM and Tempora Internet surveillance programs. Snowden has been charged with espionage in the U.S., but the international reverberations of his disclosures are only about to begin.

In Chinese media, the disclosed evidence on PRISM and other surveillance instruments has unleashed an intense debate. While Washington has repeatedly accused China of cyberattacks on U.S. companies’ systems, Snowden’s disclosures have confirmed to the Chinese the extent of the surveillance, the role of the U.S. government in it and the cooperation of the world’s leading information and communication technology (ICT) companies in these efforts.

In late June, the cover story by China Economic Weekly named and shamed eight U.S. companies – Cisco, Apple, Google, IBM, Intel, Microsoft, Oracle, and Qualcomm – which had reportedly “seamlessly penetrated” China. Due to its role in the U.S. anti-Huawei campaigns, Cisco attracted the most attention. After all, it dominates more than half of China’s information infrastructure in the financial, military, government and transportation sectors. While the company has announced it has no role in PRISM programs, this has not satisfied Chinese critics who believe that, under certain circumstances, Cisco could accommodate Washington’s surveillance programs.

It is hardly surprising that these disclosures have caused a media storm in China. In that regard, Chinese are no different from Americans. For argument’s sake, let’s assume that, say, a hypothetical Panda Telecom, which serves most global telecom operators and has lobbied hard against U.S. companies in China, dominated more than 50 percent of U.S. critical information infrastructure. Let’s also assume that it has been supporting surveillance programs that monitor the U.S. government, companies, and people. It is safe to conclude that the CIA, the NSA or the Pentagon would not be exactly happy with such a status quo.

Chinese media have recently reported on Cisco’s upgrades of the People’s Bank of China’s intranet, Microsoft’s role in China Eastern Air’s information systems, IBM’s facilitation in constructing the Yunnan province police bureau’s database, and so on. How do ordinary Chinese think about these things? Well, let’s assume that the hypothetical Chinese Panda Telecom would be in charge of upgrades of the U.S. Federal Reserve, or that DragonSoft, another hypothetical Chinese company, would dominate the information systems of Delta or United, and so on. It is hardly difficult to predict what the U.S. response would be like.

Currently, the new Chinese leadership is preparing for the greatest reform drive in some two decades. Many U.S. companies have been eager to participate in these efforts. But taking into account the deepening bilateral distrust, these opportunities may now be at risk.

From reciprocity games to multipolar cooperation 

In the past few years, assertive U.S. voices have advocated increasing reciprocity vis-à-vis China. In matters of strategic and economic friction, the U.S. should reciprocate in kind, or so the argument goes. What such reciprocity games in the U.S. ignore is the increasing probability of mirror-like measures to protect economic and strategic interests in China.

Chinese observers have already noted that the Chinese government has not paid adequate attention to the safety of the Internet infrastructure and information systems in the past. In the early years of the reform and opening-up policies, China was largely dependent on foreign technology. But that status quo is history.

In the nascent multipolar world, Chinese companies will have a central role nationally and internationally. While many Chinese recognize the great contribution of U.S. companies to China’s growth, others now argue that many of these companies are subject to efforts to leverage U.S. global military dominance into cyberspace.

What could be done to minimize the adverse impact of these cybersecurity conflicts? By its very nature, the web is open, collaborative and global. Alone, neither the United States nor China may be able to contain all potentially devastating cyberthreats. However, working together, the two could rally the international community behind effective cybersecurity, without inflated security measures or excessive economic protectionism. That, in turn, would pave the way to true strategic trust and multipolar cooperation.

Dr Dan Steinbock is the research director of international business at the India, China and America Institute (USA) and a visiting fellow at the Shanghai Institutes for International Studies (China).
