The authorities I spoke with pooh-poohed as urban myth the idea that an electronic assault was behind the power failures that rippled from the Midwest to the East Coast in August of 2003. By all accounts, this was a cascading series of mechanical and human errors. But after asking corporate and government officials what worried them, I learned several unsettling things I hadn’t known before.
First, nearly everyone in the business believes that we are living in, yes, a pre-9/11 era when it comes to the security and resilience of electronic information systems. Something very big—bigger than the Google-China case—is likely to go wrong, they said, and once it does, everyone will ask how we could have been so complacent for so long. Electronic-commerce systems are already in a constant war against online fraud. “The real skill to running a successful restaurant has relatively little to do with producing delicious food and a lot to do with cost and revenue management,” an official of an Internet commerce company told me, asking not to be named. “Similarly, the real business behind PayPal, Google Checkout, and other such Internet payment systems is fraud and risk management,” since the surge of attempted electronic theft is comparable to the surge of spam through e-mail networks.
At a dinner in Washington late last year, I listened to two dozen cyber-security experts compare tales of near-miss disasters. The consensus was that only a large-scale public breakdown would attract political attention to the problem, and that such a breakdown would occur. “Cyber crime is not conducted by some 15-year-old kids experimenting with viruses,” Eugene Spafford, a computer scientist at Purdue, who is one of the world’s leading cyber-security figures (and was at the dinner), told me later via e-mail.
It is well-funded and pursued by mature individuals and groups of professionals with deep financial and technical resources, often with local government (or other countries’) toleration if not support. It is already responsible for billions of dollars a year in losses, and it is growing and becoming more capable. We have largely ignored it, and building our military capabilities is not responding to that threat.
With financial, medical, legal, intellectual, logistic, and every other sort of information increasingly living in “the cloud,” the consequences of collapse or disruption are unpleasant to contemplate. A forthcoming novel, Directive 51, by John Barnes, does indeed contemplate them, much as in the 1950s Nevil Shute imagined the world after nuclear war in On the Beach. Barnes’s view of the collapse of financial life (after all, our “assets” consist mostly of notations in banks’ computer systems), the halt of most manufacturing systems, the evaporation of the technical knowledge that now exists mainly in the cloud, and other consequences is so alarming that the book could draw attention in a way no official report can.
Next, the authorities stressed that Chinese organizations and individuals were a serious source of electronic threats—but far from the only one, or perhaps even the main one. You could take this as good news about U.S.-China relations, but it was usually meant as bad news about the problem as a whole. “The Chinese would be in the top three, maybe the top two, leading problems in cyberspace,” James Lewis, a former diplomat who worked on security and intelligence issues and is now at the Center for Strategic and International Studies, in Washington, told me. “They’re not close to being the primary problem, and there is debate about whether they’re even number two.” Number one in his analysis is Russia, through a combination of state, organized-criminal, and unorganized-individual activity. Number two is Israel—and there are more on the list. “The French are notorious for looking for economic advantage through their intelligence system,” I was told by Ed Giorgio, who has served as the chief code maker and chief code breaker for the National Security Agency. “The Israelis are notorious for looking for political advantage. We have seen Brazil emerge as a source of financial crime, to join Russia, which is guilty of all of the above.” Interestingly, no one suggested that international terrorist groups—as opposed to governments, corporations, or “normal” criminals—are making significant use of electronic networks to inflict damage on Western targets, although some groups rely on the Internet for recruitment, organization, and propagandizing.
This led to another, more surprising theme: that the main damage done to date through cyberwar has involved not theft of military secrets nor acts of electronic sabotage but rather business-versus-business spying. Some military secrets have indeed leaked out, the most consequential probably being those that would help the Chinese navy develop a modern submarine fleet. And many people said that if the United States someday ended up at war against China—or Russia, or some other country—then each side would certainly use electronic tools to attack the other’s military and perhaps its civilian infrastructure. But short of outright war, the main losses have come through economic espionage. “You could think of it as taking a shortcut on the ‘D’ of R&D,” research and development, one former government official said. “When you create a new product, a competitor can cherry-pick the good parts and introduce a competitive product much more rapidly than he could otherwise.” Another technology expert, who serves on government advisory boards, told me, when referring to the steady loss of technological advantage, “We should not forget that it was China where ‘death by a thousand cuts’ originated.” I heard of instances of Western corporate officials who arrived for negotiations in China and realized too late that their briefing books and internal numbers were already known by the other side. (In the same vein: I asked security officials whether the laptops and BlackBerry I had used while living in China would have been bugged in some way while I was there. The answers were variations on “Of course,” with the “you idiot” left unsaid.)
The final theme was that even though these cyber concerns are not confined to China, the Chinese aspects do deserve consideration on their own, because China’s scale, speed of growth, and complex relationship with the United States make it a unique case. Hackers in Russia or Israel might be more skillful one by one, but with its huge population China simply has more of them. The French might be more aggressive in searching for corporate secrets, but their military need not simultaneously consider how to stop the Seventh Fleet. According to Mike McConnell, everything about China’s military planning changed after its leaders saw the results of U.S. precision weapons in the first Gulf War. “They were shocked,” he told me. “They had no idea warfare had progressed to that point, and they went on a crash course to take away our advantage.” This meant both building their own information systems—thus China’s aspiration to create a Beidou (the Chinese name for the Big Dipper) system of satellites comparable to America’s GPS—and being prepared in time of war to “attack what they see as our soft underbelly, our military’s dependence on networking,” as McConnell put it, noting the vast emerging PLA literature on defending and attacking data networks.
Ed Giorgio, formerly of the NSA, has prepared charts showing the points of “asymmetric advantage” China might have over the long run in such competition. Point nine on his 12-point chart: “They know us much better than we know them (virtually every one of their combatants reads English and virtually none of ours read Mandarin. This, in itself, will surely precipitate a massive intelligence failure).” But James Lewis, of CSIS, pointed out an “asymmetric handicap”: “For all the effort the Chinese put into cyber competition, external efforts”—against a potential foe like the United States—“are second priority. The primary priority is domestic control and regime survival. The external part is a side benefit.” For many other reasons, the China-cyber question will, like the China-finance and China-environment and China-human-rights questions, demand special attention and work.
The implications of electronic insecurity will be with us in the long run, among the other enduring headaches of the modern age. The “solution” to them is like the solution to coping with China’s rise: something that will unfold over the years and require constant attention, adjustments, and innovations. “Cyber security is a process, not a patch,” Eugene Spafford said. “We must continue to invest in it—and for the long term as well as the ‘quick fix,’ because otherwise we will always be applying fixes too late.”
No doubt because I’ve been so preoccupied for so long with the implications of China’s growth, I thought I heard a familiar note in the recommendations that many of the cyber-security experts offered. The similarity lies in their emphasis on openness, transparency, and international contact as the basis of a successful policy.
In overall U.S. dealings with China, it matters tremendously that so many Chinese organizations are led or influenced by people who have spent time in America or with Americans. Today’s financial, academic, and business elite in China is deeply familiar with the United States, many of its members having studied or worked here. They may disagree on points of policy—for instance, about trade legislation—but they operate within a similar set of concepts and facts. This is less true of China’s political leaders, and much less true of its military—with a consequently much greater risk of serious misunderstanding and error. The tensest moment in modern China’s security relationship with the outside world came in January of 2007, when its missile command shot one of its own weather satellites out of the sky, presumably to show the world that it had developed anti-satellite weaponry. The detonation filled satellite orbits with dangerous debris; worse, it seemed to signal an unprovoked new step in militarizing space. By all accounts, President Hu Jintao okayed this before it occurred; but no one in China’s foreign ministry appeared to have advance word, and for days diplomats sat silent in the face of worldwide protests. The PLA had not foreseen the international uproar it would provoke—or just didn’t care.
Precisely in hopes of building familiarity like that in the business world, the U.S. Navy has since the 1980s taken the lead in military-to-military exchanges with the PLA. “I think both sides are trying to figure out what kind of a military-to-military relationship is feasible and proper,” David Finkelstein, of the Center for Naval Analyses, in suburban Washington, D.C., told me. “We have two militaries that, in some circumstances, see each other as possible adversaries. At the same time, at the level of grand strategy, the two nations are trying to accommodate each other. There is a major chasm, but both sides are working hard to bridge it.” Such exposure obviously doesn’t eliminate the real differences of national interest between the two countries, but I believe it makes outright conflict less likely.
A similar high-road logic seems to lie behind recommendations for cyber security in general, and for dealing with the Chinese cyber threat in particular. The NSA, which McConnell directed and where Giorgio worked, is renowned for its secrecy. But both men, along with others, now argue that to defend information networks, the U.S. should talk openly about risks and insecurities—and engage the Chinese government and military in an effort to contain the problem.
As a matter of domestic U.S. politics, McConnell argues that we now suffer from a conspiracy of secrecy about the scale of cyber risks. No credit-card company wants to admit how often or how easily it is cheated. No bank or investment house wants to admit how close it has come to being electronically robbed. As a result, the changes in law, regulation, concept, or habit that could make online life safer don’t get discussed. Sooner or later, the cyber equivalent of 9/11 will occur—and, if the real 9/11 is a model, we will understandably, but destructively, overreact.
While trying to build bridges to the military, McConnell and others recommend that the U.S. work with China on international efforts to secure data networks, comparable to the Chinese role in dealing with the world financial crisis. “You could have the model of the International Civil Aviation Organization,” James Lewis said, “a body that can reduce risks for everyone by imposing common standards. It’s moving from the Wild West to the rule of law.” Why would the Chinese government want to join such an effort? McConnell’s answer was that an ever-richer China will soon have as clear a stake in secure data networks as it did in safe air travel.
We’re naturally skeptical of abstractions like “cooperation” or “greater openness” as the solutions to tough-guy, real-world problems. But in making the best of a world that will inevitably be changed by increasing Chinese power and increasing electronic threats from many directions, those principles may offer the right, realistic place to start.