China, Cyberespionage and Cyberwarfare
Evan Osnos is the China columnist for the New Yorker.
My impression is that he usually covers the social issues/human rights/dissident beat.
However, yesterday, riffing off the news about organized Chinese hacking of US government and private websites, he veered off into counter-proliferation black ops:
The fact is that the United States government has already shown signs of an energetic capacity for cyber war, as in the case of Stuxnet, the software worm that the U.S., working with Israel, is believed to have used to disrupt Iran’s uranium-enrichment program. Coincidentally, I happened to ask some North Korea experts last week if Pyongyang’s latest round of nuclear tests might make it a prime target for a Stuxnet-style intervention. “The only time I heard anything along such lines recently was suspicion that the April launch failure may have resulted from cyber attack—but that was in the realm of conspiracy theory,” John Delury, of Yonsei University, in Seoul, told me.
As long as it’s in the realm of the theoretical, here’s another twist: given China’s vocal frustration with its erstwhile allies in Pyongyang, and China’s fondness for cyber adventures, any chance that China might try a Stuxnet approach to slow down a headache on its northeast border? From what I gathered, the chances were slim, in part because of operational differences between Iran and North Korea. “Do the Chinese know which industrial-control systems are in place?” Adam Segal, of the Council on Foreign Relations, asked. “Could they deliver the malware to a system that is most likely ‘air gapped’ and not connected to the Internet? Could they be sure that the infection wouldn’t spread—back to China or to U.S. or others? Do D.P.R.K. nuclear scientists travel? Is it possible to leave thumb drives around with no one noticing?”
On a couple of levels I am gobsmacked by Olnos’ blithe presumption.
I will set aside for the time being his rather fanciful view of the dynamics underlying PRC-DPRK relations. Suffice to say that Beijing’s vision for sustaining its rather precarious economic and political sway over the northern half of the Korean peninsula do not involve sabotaging Pyongyang’s most cherished strategic initiative.
But as to the casual attitude toward a “Stuxnet approach”, Stuxnet was an act of war. Full stop. If the PRC or anybody else did that to us, they would face the prospect of direct, escalating retaliation.
If one is looking for an explanation for why cyberwarfare has become an obsession of the Department of Defense, with the planned addition of thousands of specialists to “Cyber Command”, and why President Obama raised the spectre of cyberwarfare in his State of the Union address, look no further than Stuxnet.
I believe the stories of massive hacking effort condoned and directed by the PRC government, and the significant value of the intellectual property and secrets extracted.
But for the sake of clarity, let’s call it “cyberespionage”.
Cyberwarfare—the destruction of military, industrial, or infrastructure facilities i.e. acts of war—is qualitatively different.
I also believe that the reason that that the reason that Chinese cyberespionage is hyped today (and conflated into the “cyberwarfare” category) is to distract attention from the US complicity in an irrevocable escalation of cyberwarfare, and to prepare public opinion against the day when this weapon is turned against us.
In the same article that Osnos advances the narrative of the dire character of Chinese hacking (After years of warnings that Chinese hacking was a rising threat, the Mandiant study, and the willingness of U.S. officials to confirm many of its findings, signal a blunt new American counteroffensive against the era of Chinese cyber attacks), he proposes that the PRC might engage in a Stuxnet-type exploit of cross-border military sabotage.
There’s a qualitative difference in what the PRC has been accused of in the past, and what the US did with Stuxnet.
That’s not because the PRC is run by wonderful, peace-loving people–or because the PRC has not developed any cyberwar weapons (for one thing, I expect the PRC’s computer scientists have been interested and involved participants in Iran’s struggles with Stuxnet).
It’s because the PRC is extremely careful to avoid cycles of escalation with US power, preferring to counterpunch asymmetrically.
In defense matters, the asymetric doctrine is embodied in “non-interference in the affairs of sovereign states” as a bedrock value, one that provides China with a ready, if ever-eroding, bulwark against US “pre-emption” and “R2P” doctrines which leverage US military and technological superiority across national borders, and the ability for unmatchable escalation that is at the heart of the American game.
That isn’t a diplomatic and strategic shield to be abandoned lightly for the transient pleasures of fucking with North Korea’s nuclear program, or other cyberwarfare shenanigans, for that matter.
So I found Osnos’ speculation rather clueless, both in the matter of his understanding of the PRC security mindset and in the matter of his apparent utter gormlessness as to the significance of the Stuxnet exploit.
I will speculate that Olnos’ level of comfort with the “Stuxnet approach” has a lot to do with the fact that “we did it first, so it must be OK.”
Well, it’s not OK, and President Obama realizes it and the Pentagon realizes it, as can be seen from the attached piece.
But if Evan Osnos thinks it’s OK, and his ignorance is contagious, we’re closer to the day when US cyberaggression against China can be excused and advocated as “less than war” and any Chinese retaliation will, inevitably, be condemned as “an act of war”.
So Evan, if there’s a war with China…it’s your fault!
Peter Lee edits China Matters. He can be reached at: chinamatters (at) prlee. org.