Chinese cyberwar and the US ‘myth of scheming’

The challenge of determining who is behind an online attack is being brushed aside in “favour of direct accusations”.

To go with feature story Lifestyle-China
"If a government official complains to a journalist that some country is breaking into their computers, we should expect follow-ups about that government's own hacking efforts," writes Webster [AFP]

Last week, after the Washington Post reported that numerous Washington institutions in and outside government have experienced hacking attributed to China, the Post‘s excellent political writer Ezra Klein had this unfortunate foray into commentary on Chinese elite politics:

The Chinese look at Washington, and they think there must be some document somewhere, some flowchart saved on a computer in the basement of some think-tank, that lays it all out. Because in China, there would be. In China, someone would be in charge. There would be a plan somewhere. It would probably last for many years. It would be at least partially followed. But that’s not how it works in Washington.

Coming at these events from a Washington perspective has led to some conceptual and factual assumptions that are emblematic of wider misperceptions of the US relationship with China.

Problem number one: who exactly are “the Chinese” in this paragraph? The charitable interpretation of this usage is that “the Chinese” here means “the Chinese government”, but I doubt a sophisticated commentator such as Klein would so comfortably refer simply to what “the Americans” think.

The less charitable interpretation is that Klein is using an old-fashioned, essentialising term as a crutch for lack of more detailed knowledge of the splits, divides and diversities of the fifth of the human population living in the People’s Republic of China. “The Chinese” appears as a collective noun in this short piece seven times. (A similar “silly Chinese!” piece in Foreign Policy resorts to this usage five times.)

‘The myth of scheming’

Does Klein have some survey data, or one of his famous graphs, to show that the misconception he attributes to Chinese people is actually widely held? Does he have some documents or references showing the government of China works on the assumption of a vast organised conspiracy? 

Inside Story:
How real is the threat of cyberwar?

Problem number two (and this one’s a doozy): Klein rightly dismisses the assumption that there are effective secret plans in an arena so vast as the US political world, only to give no evidence in asserting that there would be such a blueprint in China’s vast Communist Party and state organisations. He hedges, in saying that a Chinese plan would be “at least partly followed”, but the error is too deep.

By painting in a single stroke the Chinese people, their government, the Party, the People’s Liberation Army (PLA) and hackers who may or may not work for one or more of those bodies, this argument misses the first lesson of Chinese politics: An authoritarian system is not necessarily a unified and non-competitive one.

Problem number three (the one that led to the others): The paragraph above seems not to have been written in an effort to understand or explain Chinese politics, or even really to explain the error of Chinese hackers. Instead, it’s a vehicle for Klein’s very good point regarding US politics – “the myth of scheming”:

What the Chinese hackers are looking for is the great myth of Washington, what I call the myth of scheming…. This is the most pervasive of all Washington legends: that politicians in Washington are ceaselessly, ruthlessly, effectively scheming. That everything that happens fits into somebody’s plan. It doesn’t. Maybe it started out with a scheme, but soon enough everyone is, at best, reacting, and at worst, failing to react, and always, always they’re doing it with less information than they need (emphasis mine.)

What a fantastic point. It’s one that I often make with Chinese friends who are not especially well-versed in US politics. But if Klein asked around among people who have dealt with Chinese officials and scholars, I think he would have learned that many Chinese who work on relations with the US are well versed in the chaotic nature of its political system. Indeed, I can’t count how many times I’ve heard or read comments comparing the US logjam to the relative decisiveness of some Chinese decision-making. 

Just as Klein diagnoses a Chinese mistake in order to make a point about Washington, I’m discussing his to make one about China: beware the myth of unitary control. 

The US government and various private organisations (including the Washington Post), have recently been more specific than ever in attributing individual attacks to the Chinese government. As I discussed in this space more than a year ago, many in the US government have been confident for some time that attacks emanate from the Chinese government. Now, however, more private firms are bringing their grievances into the open.

President Barack Obama included a thinly veiled reference to Chinese intellectual property theft in the State of the Union. And the security firm Mandiant has gone farther in a provocative way, accusing a specific unit of the PLA of culpability for hacking hundreds of computers. But “someone in China” is not the same as “top Chinese decision-makers”.

In recent days, the so-called “attribution problem” – the challenge of determining who is behind an online attack – is being brushed aside in favour of direct accusations, at least when it comes to China. But the attribution problem is stubborn, because real understanding requires more detail about who’s behind the attacks.

The weakest point in the Mandiant report is its insistence that the specific and detailed hypothesis they present, that a vast body of online activities are physically controlled from a specific building in Shanghai by a specific unit of the PLA, is the only possibility that fits the facts. They give a preposterous alternate hypothesis as a straw man, when from the evidence presented, it is at very least possible that the building in question could be a relay station and not the true headquarters. Any number of other wrinkles could undermine the specific accusation.

But Mandiant’s argument is valued precisely because it addresses the details and allows us to discuss them, rather than simply accusing “China”. One imagining this kind of specificity might be available in intelligence circles or when firms are trying to defend themselves, but we rarely get to see this kind of detail in the open. If we did, perhaps fewer people would be comfortable blaming “the Chinese” for events, or ascribing to them a single world-view.

The myth of unitary control 

“Even if a victim of a cyber attack were 100 percent confident on national origin, the question of who’s behind the attack is still alive.” 

In Chinese politics, the myth of unitary control presents a trap in many fields, not just cybersecurity. The opacity of the Chinese political system makes it hard for outsiders to know who is responsible for what outcomes.

For example, the usual way to think about the top leadership position (the seat Xi Jinping will solidify once he adds the presidency to his positions as the head of the Communist Party and the Central Military Commission this month) is as first among equals at the Politburo Standing Committee – currently a body of seven men with varying portfolios and factional ties. Most of the rest of the system is at least that ambiguous.

If Chinese hackers working for the government are indeed seeking to steal a glance at US political groups, the question of whom they work for, under what state, party, or military authority, is a gaping hole in our understanding – a hole unfilled by the reporting currently available.

The myth of unitary control is nothing new. It was strong in the Mao era, when detailed information on Chinese politics was very hard to come by. In the late 1980s, the political scientists Michel Oksenberg and Kenneth Lieberthal, who at different times served in the US National Security Council, described what they called “fragmented authoritarianism” in China. The Communist Party was not, they argued, a unified leviathan working under the direction of a single leader. Rather, bureaucratic bodies and officials with varying interests jockeyed for influence.

The study of Chinese politics continues to advance, but this core insight still shines bright, even where the fog of secrecy obscures the details. If different groups have different interests within the Chinese government, why would we assume they all have the same interests and assumptions when looking for information abroad?

Ultimately, the myth of unitary control presents what we could call a “second-layer attribution problem” in cybersecurity policy. Even if a victim of a cyber attack were 100 percent confident on national origin, the question of who’s behind the attack is still alive and well. Similarly, China can loom large in the domestic politics of many countries, but it always bears asking what part of China’s people, government, military, or economy is really in play.

For now, the cybersecurity discussion gets even more confused when political voices jumble the ideas of cyber attacks, intellectual property theft, online espionage, computer system sabotage and cyberwar. The public discussion on these issues needs an upgrade. If victims of hacking wish to be specific in allocating blame, they should think more specifically than nation-states.

If politicians are developing policy, they should consider the difference between an attack on national security infrastructure, a think-tank, or a major business before assessing the national interest. And if a government official complains to a journalist that some country is breaking into their computers, we should expect follow-ups about that government’s own hacking efforts. More discussion on cybersecurity is good, but only if that discussion gets more detailed.

Graham Webster is an analyst on Chinese politics and technology, and a US-China relations fellow at the China Center of Yale Law School.  

Follow him on Twitter: @gwbstr