Cyber Cold War rhetoric haunts the US and China

Claims of an undeclared cyberwar between China and the US are inaccurate, and misrepresent both countries’ interests.

Barack Obama and Hu Jintao 2
undefined
There is ‘the highest possible need for co-operation between the US and China’, author says [EPA]

New York, NY – In January 2010, a Google executive announced “a new approach to China” in a blog post, revealing that the firm had “detected a highly sophisticated and targeted attack… originating from China” and that it would reconsider business operations there. In the ensuing two years, US rhetoric about China and cyber security has become ever more breathless.

“China is waging a quiet, mostly invisible but massive cyberwar against the United States,” wrote the Washington Post editorial board earlier this month. A Bloomberg News headline summed up concerns about attacks on corporate targets by conjuring an “undeclared cyber cold war.”

Computer systems in government and the private sector are indeed vulnerable to unauthorised access, as seen in the recent report of an allegedly China-based incursion at the US Chamber of Commerce. People who gain access can exfiltrate data, insert false information, or further tamper with systems for a variety of purposes. But the notion of a cyber cold war with China is inaccurate and irresponsible.

At war with whom?

The Cold War was in no small part defined by mutually assured destruction. The United States, the Soviet Union and their allies, had a relatively clean notion of “the adversary” that made strategic accommodation possible. If one side were to initiate a nuclear attack, it would be quite clear which side was responsible.

In cyber security, the so-called “attribution problem” makes ascertaining the origin of an online attack far more difficult. If an attack appears to originate in Delaware, it could just as well have come from Denmark. Thus with any individual incident, the identity of the adversary is unclear.

This doesn’t mean that security experts have no confidence in who is behind attacks. The Wall Street Journal recently reported on a US investigation that attributes attacks on US defence contractors to specific groups associated with China’s People’s Liberation Army. Factors such as the software used in attacks, patterns in the apparent origin of transmissions and programming mistakes can make identification possible – though there is no guarantee that an individual incident will be traceable.

It is important to consider the source. Many accounts, such as a recent Wall Street Journal report of a hacking incident at the US Chamber of Commerce, rely on vague statements by anonymous sources to make the connection to the Chinese government: “It is possible the hackers had access to the network for more than a year before the breach was uncovered, according to two people familiar with the Chamber’s internal investigation,” Siobhan Gorman writes in the Journal. “One of these people said the group behind the break-in is one that US officials suspect of having ties to the Chinese government.” Other accounts depend on security contractors with direct financial interests in increased hysteria over cyber security.

Even assuming some attacks are correctly attributed to actors inside China, a position that seems foolish to deny given that even US cyber security alarmists readily admit the US too engages in advanced online espionage, there is a major difference between China as a whole and a smattering of government or private actors.

A series of accusations of espionage, credible or not, do not constitute a cold war – or really a war of any kind. A war, however it is defined, needs parties to the conflict, and there is no reason to believe the experience of US business and government networks in unique. It would also be foolish to believe that the US targets only China. The internet does not accommodate a bipolar strategic landscape.

One way to avoid the confusion created by fraught metaphors is to move away from an understanding of cyber security based on perceived threats from foreign countries, and toward one based on vulnerabilities.

It would be foolish to believe that the US targets only China. The internet does not accommodate a bipolar strategic landscape.”

By studying existing incursions and prioritising defence over attribution, security staff can avoid the folly of focusing on a perceived threat while ignoring one that failed to announce itself. Journalists and commentators could avoid needlessly warlike rhetoric that seems to abandon any hope of US-China co-operation.

At very least, the public in the US and elsewhere should treat rhetoric that puts two major countries in a war of any kind with the utmost skepticism. Indeed, another characteristic of the so-called “Cold War” was the persistence of proxy wars, most prominently in the Korean Peninsula and in Vietnam.

The willingness of commentators to speak of cyberwar or cold war with China should alarm those who recall just how destructive a conflict between two great powers can be.

Blood vs treasure

The greatest folly of using ill-fitting and outdated historical metaphors to understand US-China interaction is that the reality is unprecedented. China’s three decades of rapid development have brought its economy into deep integration with the rest of the world. China’s stimulus was a major global policy action in the context of the financial crisis.

Michael Pettis, an expert in Chinese financial markets, notes that many in Beijing are looking to the eurozone crisis as another source of concern. A simple contest between two great powers is almost nonsensical in an era of complex global ties.

With economic issues intertwined with national security issues, recent cyber security rhetoric has focused on as much on industrial espionage as on threats to government systems or critical infrastructure.

Governments and peoples now have to adapt to a world where economic development and national security are spoken of interchangeably. The challenge is that actual violence – what some have taken to calling “kinetic” attacks – are still fundamentally different from information-based incursions, and businesses are still fundamentally different from militaries.

If a bandit with friends in a foreign government steals cash or material wealth from a US firm, the US is not going to respond with its military. Local or international law enforcement are there for these purposes.

Even the US military seeks to maintain a division of responsibilities for violence involving its soldiers and that involving purportedly private contractors.

National security policymakers and the public have had lengthy debates about the role of security contractors in armed conflict. The role of corporate concerns in national cyber security should be at least as hotly debated, and the legitimate claims of firms that lose sensitive data should be weighed with full consideration of their private status.

Talking about cyberwar with China blurs the lines between competition, espionage and military conflict. With great interdependence and the highest possible need for co-operation between the US and China, the world cannot afford chest thumping and imprecision.

Graham Webster is a public policy and communications officer at the EastWest Institute and an independent analyst on East Asian politics and technology.

Follow him on Twitter: @gwbstr

The views expressed in this article are the author’s own and do not necessarily reflect Al Jazeera’s editorial policy.