In their California summit meeting, US President Barack Obama and Chinese President Xi Jinping had a new issue at the top of the agenda: internet security. In recent months, mounting and ever deeper cyber attacks on US companies and government agencies allegedly coming from Chinese military services have spurred general concern over the rising aggressiveness of Beijing and the overall evolution of Sino-American relations.
Cyber-warfare refers to a broad set of actions aimed at penetrating another state’s computer networks for the purpose of espionage or sabotage. Intruders are specialized hackers working for private groups or, more often, belonging to state bodies. Their biggest weapon is so-called “spear phishing”: attackers send emails containing “malware”, namely malicious software (e.g. viruses, worms, Trojan horses, rootkits, spyware) able to cripple a computer’s defenses when the targeted recipient clicks on the infected message. Once attackers have access to databases, they can collect sensitive information, steal industrial blueprints, and disrupt crucial assets like infrastructure-control systems, telecommunication stations, or power grids.
To non-experts in digital technology, this could appear to be another science fiction movie whose frightening details are exaggerated by internet corporations searching for lucrative contracts. Yet, according to many experts, this is the price we must pay for our technological progress. As stated by a 2010 US military report, just as airpower transformed warfare in the mid-twentieth century, now cyberspace “has fractured the physical barriers” of nations’ defense. For James Clapper, Director of National Intelligence, today’s threats are “more diverse, interconnected and viral than at any time in history.” And the US, being the country most reliant on IT systems, is also the most exposed to cyber-warfare.
Sino-American cyber frictions began in 2010 when Symantec (a leading antivirus company) named Shaoxing, a city 160km south of Shanghai, as “the world’s malware capital”. Since then, American accusations of Chinese hacking have grown exponentially – although Chinese officials constantly deny all responsibility. A recent study released by an important internet firm, Mandiant, claims that the most prominent Chinese hacking groups operate from inside the headquarters of “Unit 61398”, an intelligence body of the Chinese army located on the outskirts of Shanghai. Cyber espionage, according to a recent congressional report, costs the American economy more than $300 billion a year, with China being responsible for approximately 70% of the theft of corporate intellectual property and trade secrets.
In the security realm, the most notable infiltration was suffered in 2011 by Lockheed Martin, the largest US defense contractor, with over 20,000 files stolen. It is a strange coincidence, many analysts and officials say, that Chinese cyber technologies rapidly improved over the last two years: in 2011 Beijing inaugurated its first stealth jet fighter, and it is soon expected to unveil its first armed drone.
The US administration has decided to reverse its low-profile policy and take the offensive against China. In the latest State of the Union address, President Obama said the US is aware that foreign countries “swipe our corporate secrets” and that “our enemies are also seeking to sabotage” US infrastructure and IT systems. He called for a clear response by the US, albeit in tactful terms. Later on, Attorney General Eric Holder released a document depicting a new, stronger US strategy against cyber-crime, especially commercial theft. Last March, in a speech at Washington’s Asia Society, then-National Security Adviser Tom Donilon explicitly denounced “cyber intrusions emanating from China on an unprecedented scale” and added that “the international community cannot afford to tolerate such activity from any country.” The same views have been expressed by Defense Secretary Chuck Hagel and the Chairman of the US Joint Chiefs of Staff, General Martin Dempsey, in their talks with Chinese counterparts.
The first Obama-Xi summit was shaped by convergent interests grounded in rational as well as symbolic reasons. America and China are so interdependent that increased cyber tensions could escalate, harming both economies and, as a result, producing negative outcomes for both. Obama and Xi are eager not only to adjust bilateral relations, but also personal ones, while also showing who is the most trustworthy leader on the world stage. Both know that an excessively hard-nosed and muscular attitude would probably backfire.
Yet, there are three obstacles that are expected to hinder cooperation. The first and most immediate concern is the normative vacuum regarding cyberspace, especially the lack of a commonly accepted definition of cyberwar. This raises two crucial questions: what can be considered an act of cyber aggression? Even more importantly: what constitutes legitimate cyber self-defense by states in terms of reasonable and proportionate force? In cyberwar, attack has hitherto held the advantage over defense, for the core of the current strategic debate concerns pre-emption. As cyber attacks are, at least in their initial phase, invisible and hardly attributable, anonymity can easily become synonymous with innocence and undermine the legitimacy of retaliation by prompting a never-ending chain reaction.
Another issue that might arise is the tradeoff between security and freedom. The evolution of Sino-American competition in the cyber realm has pushed the Obama administration to urge greater cooperation between the government and the private sector. Should this happen on a large scale, virtually all private actors (firms and individuals alike) might be subject to intrusions by public agencies, such as email monitoring. Since 9/11, the US has already experienced a contraction in the domain of civil liberties with the controversial Homeland Security Act. And today’s Verizon scandal involving the NSA is a new case in point. What is the limit, one may ask, between protection and control? Will the US, in order to defend itself from foreign threats, transform into what Harold Lasswell defined as a “garrison state”?
In this rapidly evolving context, we may still find some guidance in an updated version of the classical quote from Latin author Vegetius: “if you want (cyber)peace, prepare for (cyber)war”. IT systems are the driving force of the current industrial revolution, and they are thriving all over the world. Although military expenses are generally decreasing, R&D in internet security is rising, at least in the budgets of the greatest powers, and the trend is unlikely to stop. What apparently matters most in cyber-warfare is that the full potential of cyber technologies is still unclear. In other words: how much harm can actually be caused through the internet?
Stuxnet might offer a tentative answer. In June 2010, the US and Israel launched a cyber-attack on Iran’s nuclear site of Natanz, and according to reliable reports around 1,000 uranium-enriching centrifuges were destroyed, with over 60,000 computers infected. Iran retaliated by crippling more than 30,000 computers of the Saudi oil company Aramco. Russia is another major cyber-warrior: in 2007 Estonia suffered a major attack, in 2008 it was Georgia’s turn, and in the last few months Lithuania has been targeted. North Korea is also developing its cyber arsenal: while the international community was focusing on the latest episode of nuclear escalation and brinkmanship, South Korea’s major banks and broadcasting stations were hacked.
The US and the UK, as well as NATO and the EU, have set up agencies and elaborated policy doctrines specifically devoted to strengthening internet firewalls and creating some initial political and legal bases for regulating cyber life. Though concrete results are yet to come, much of the future development depends on what the US and China will begin telling each other.