by Ella Chou
This winter, I cut my European trip short to be back in snow-covered Boston for an intensive course at Harvard Kennedy School on cyber security, taught by Richard Clarke and Eric Rosenbach. I loved this course because for one, Mr. Clarke, former anti-terrorism czar for Bush I, Clinton and Bush II, gave us the course-book -- his Cyber War -- for free. More importantly, I was in the company of a very diverse group of students, many of whom have courageously served the country in two wars and have a much better real-world understanding of the security issues than I would ever have. I have studied international law and taken courses on international affairs, but cyber war is an entirely new and different subject.
Roughly a third of the class time was devoted to the "China threat". Being the only Chinese student in the room, I can't help but oppose that perspective, even though I'm in no way an expert.
So I asked some Chinese experts in the cyber security industry for their insights and described to them a scenario that is considered very likely in Mr. Clarke's book: The date is February 10, 2011. China has infiltrated U.S. power grids, exfiltrated crucial military information, and laid trapdoors in U.S. defense systems that will compromise the United States' conventional military power. The experts from China said: "Are you kidding, Ella?! This, coming from a country that developed and used Stuxnet?"
Stuxnet is a computer worm that gained notoriety in 2010 as it took down about one fifth of Iran's nuclear centrifuges. The New York Times describes it as what may be "the most sophisticated cyberweapon ever deployed". Many experts believe that it was developed by either the United States or Israel, and the official Chinese media asserted that Stuxnet is a joint U.S.-Israel project. (Interestingly, to lend itself credibility, one news report from the leading Chinese news agency is entitled "New York Times Confirms U.S.-Israel Development of Computer Worm Targeted at Iran".)
Does the United States' (possible) active use of cyber weapons legitimize their use by other countries? And more pertinent to my concern, is China's insistence on the United States' involvement in Stuxnet a sign of Beijing's intention to capitalize on the legitimacy conferred by Stuxnet?
The China Cyber War Threat
Cyber attacks from China have been going on for more than a decade. The high-profile Titan Rain and Operation Aurora made it clear that networks belonging to the U.S. government, the defense industry, and other companies have suffered large-scale, sustained and highly sophisticated cyber attacks from computers located in China, though Beijing has denied any involvement. As with Stuxnet, the nature of cyber attacks makes them hard to trace to their origin, and even if an origin is found, there is no international legal authority that could hold the state responsible for the cyber activities of its individuals. States can plead "plausible deniability", which is what makes it possible for many cyber attackers to operate with impunity, as seen in the case of Russian attacks on Estonia.
Regarding the China threat, many American security experts worry that in a dispute over Taiwan, China would disable and exploit U.S. computer networks. But some go further: James Mulvenon, Deputy Director of Defense Group and a specialist on the Chinese military, says that he observed a potential expansion of the People's Liberation Army's (PLA) intrusion set. He argues that the list of targets for both computer network exploitation and attack activities would encompass a wide range of countries and regions, including the East and South China Seas.
Moreover, experts point to China's systematic training of its cyber warriors and its recruitment strategy. First, the cyber warriors are trained in military institutions such as the PLA National University of Defense Technology, which built the "Tianhe 1A" supercomputer that surpassed the U.S. Cray XT5 Jaguar as the world's fastest computer by a large margin at the end of last year. Second, the PLA has included computer network operations (CNOs) in its military exercises since 2005 and aims at disabling target networks with its first attacks, according to Dr. Zheng Dacheng, a Taiwanese expert on the Chinese military.
In addition to trained cyber warriors, China can fully utilize the talents of its civilians who require the kind of security clearance for which only about 20% of the U.S. population would qualify if the same cyber missions were carried out by the United States, according to Kevin G. Coleman, security technology expert at Technolytics Institute.
So why do I argue against the "China threat" thesis (other than out of my sophomoric impulse to contradict the professor)?
In this equation, intent ranges from zero to 100% (100% meaning the country is willing to devote all capability to one mission). Even if China's capability in the cyber arena is increasing, it does not make it a threat to U.S. national security if China does not have the intent to use that capability in an attack against the United States. It would hardly be surprising to learn that China, like all countries with such capabilities, is engaged in cyber espionage. But real or threatened attacks against either the U.S. military or the civilian infrastructure would not be in China's interests for a variety of reasons: the negative effects on trade, which would have a direct impact on its volatile migrant labor population; the international backlash that would destroy its hard-earned position in the international organizations in which it has strong interests; not to mention the danger of confronting the full weight of the U.S. military.