Good afternoon, and thanks to for inviting me to another event in your national security luncheon series. It's a pleasure to join in speaking to you today, but before we get to listen to him talk about Libya, I hope you'll allow me to say a few words about cyber strategy, Chinese cyber challenges, and the role of strategic deterrence in cyberspace.
In this country, we most often think about cyber threats in relatively narrow, technical terms. We worry about Internet-based attacks on our computer networks, and about what such attacks could do to our computerized and communications-based civilian economy, to critical pieces of our national infrastructure, or to our military's ability to defend us. When we talk of cyber attack, the first thing that usually comes to mind is probably someone breaking into a computer system by electronic means, to steal data. Sometimes we also fret about what someone could do with such access – particularly with respect to shutting downvital activities, or deliberately causing events like the highly destructive in Siberia, part of which all but exploded in 2009 when an employee mistakenly activated an unused turbine while remotely accessing the plant's computers. (The former type of "attack" is the cyberspace analogue to espionage; the latter equates more to bombing someone.)
There is indeed much to be said about such specifically technical threats. Like all advanced modern societies, we do indeed have a great many cyber vulnerabilities, and there certainly seems to be no shortage of would-be cyber attackers out there. The tide of electronic probes that washes against important computer networks every day is positively breathtaking, with by some accounts perhaps 21 million "Trojan Horse" attacks having been attempted in 2010 alone – a figure dramatically up from the estimated 2009 total of only three million.
Rather than get bogged down in cyberdefense statistics and technical detail, however, I'd like to speak a bit about the policy and strategic context in which all this computer activity occurs. But to set the stage for this, it's worth emphasizing that not all cyber threats are created equal. The ones that seem to be giving security planners the most headaches these days are the cyber-infiltration efforts that have come to be known as the "" (APT).
This term "APT" is used to refer to an ongoing campaign of computer attacks first identified in the mid-2000s, aimed mainly at networks associated with the U.S. defense industry and armed forces. These attacks are generally traceable to China, and though inarguable "proof" is hard to come by in the cyber arena, they are widely blamed upon the Chinese government – acting either directly (e.g., through the Third Department of the People's Liberation Army) or indirectly (e.g., through "" sponsored by the government, or "hacktivists" egged on by Chinese officials). According to the head of Israel's Shin Bet security service, China is "the world's largest employer of hackers," and most experts indeed feel Beijing to be behind the APT.
As indicated by the adjective "advanced" in the acronym APT, these attacks are felt to be quite sophisticated, operating in ways more subtle and effective than the simple "botnet"-driven denial-of-service attacks that have become so lamentably common elsewhere on the Internet. In one series of campaigns against the Tibetan diaspora that was publicly revealed in 2009, for example, intruders "infected" nearly 1,300 computers all around the world – taking complete control of many of them, not only in order to search for and steal information but also, in some cases, covertly to spy on their users even in the physical world, by secretly activating Web cameras and audio inputs. (Some of these capabilities mirror in the West by U.S. or European firms seeking government contracts in support of law enforcement and counterterrorism activity.)
So far, nothing from the APT has been publicly reported that matches the sophistication of the "StuxNet" worm allegedly used by the United States and Israel to degrade Iran's uranium enrichment operations at Natanz for a time. Nor, to my knowledge, have any reports publicly associated the APT with activities beyond covertly accessing and removing information – that is to say, cyber espionage as opposed to destructive attacks. Nevertheless, APT campaigns are believed to have netted enormous quantities of information, with penetrations of computer systems in several companies involved in developing the F-35 Joint Strike Fighter, for instance, said to have resulted in the .
Moreover, since the network access needed for such data-exfiltration is usually also just what an attacker needs for system sabotage or manipulation, it seems clear that there is an enormous potential for destructive mischief as well. Some of the most pernicious assaults possible in the cyber arena are likely to be ones that conceal their own manipulative effects – as indeed "StuxNet" seems to have tried to do – or ones that only have observable effects in the first place when activated remotely in time of crisis. Accordingly, the APT's repeated system exploration over time is worrying, especially in conjunction with growing concern about the appearance of counterfeit Chinese-made microprocessors in the supply chain at a time when our security apparatus is ever more dependent upon commercial-off-the-shelf (COTS) acquisition.
But let me return to the policy and strategic context. If indeed it is true that the APT can be attributed to the Chinese government, we face a potentially very significant cyber adversary. But what is the game here? What does China think about cyber-warfare?
As I recounted in a on cyber arms control, what little Western experts think they know about Chinese cyber doctrine suggests that officials in Beijing have a much broader concept of cyber conflict than we do. As noted, our Western conceptions are very system-centric. We think about cyberwar in terms of attacking and defending computer systems themselves, and when we imagine computer attacks having "real-world" effects, we envision this in very concrete terms and picture it having occurred because a computer network has been shut down or manipulated.
Through Chinese eyes, however, cyberwar apparently is a much bigger phenomenon. Planners in Beijing certainly include computer system attacks in their understanding of cyber conflict, but they also include what might be called ideational attacks transmitted through the Internet. Their notion of cyberwar is bound up with issues of government control over information within a society, and with the manipulation of adversaries' views and decision-making processes. China fears not just inputs of malicious computer code but also outside injections of ideas and perspectives that might undercut Communist Party control, as well as outside interventions or technologies that could facilitate political organization by the Chinese people in ways not controllable by the regime. (The Party seems to view Western connectivity and social networking outfits such as Google and Facebook, for instance, as ".") Through this prism, cyber conflict occurs not only in wartime but in peacetime as well, and it encompasses all aspects of ideological, political, social, and economic competition between the Chinese government and its actual or potential adversaries at home or abroad.
The fact that information control – in the broadest, most sweeping sense – is a key objective of Chinese policy is, of course, not precisely a surprise. China is, after all, the land of the so-called "Great Firewall," the world's most ambitious effort to maintain strict government-controlled parameters for acceptable Internet political content (even while letting most other aspects of Web life proceed relatively unmolested). And when the head of China's state-controlled Xinhua News Agency that it is now time to "coordinate" and "reset[] rules and order in the international media industry" on the basis of "theories of 'checking superpower' and 'maintaining equilibrium,'" it is also clear that information control is a tool that Beijing imagines being wielded offensively as well as defensively. Indeed, some Chinese writings seem to view every aspect of the Internet through a warlike prism, evoking ideas of threat, competition, and opportunity principally in the broad ideational or political sense. As Hu Xiaohan, the head of the Central Propaganda Department's Information Bureau put it in a , it is essential for China to stand "on the offensive" in the "war for public opinion" taking place both within the country and internationally, using strategies that "derive[] from the art of warfare."
Now that China feels increasingly cocky as a major player on the world stage, in fact, it seems to wish to shape the whole world's views more to its liking. As , the director of China's State Council Information Office – the government organ charged with controlling the Internet in China – Beijing must "do external propaganda well" in order "effectively [to] engage the international struggle for public opinion" and "grab the discourse power" in the international arena. China's objective, Wang explained, is to "win the primary leadership right" in global public opinion, "working to realize an external public opinion power commensurate with China's level of economic development and its international status."
This is not the place for a long discussion of Chinese propaganda concepts and information strategy, either at home or abroad, but is worth bearing these nuances in mind as we seek to understand the relationship between Beijing's strategy and the APT. The conventional wisdom about the APT is that it aims to steal defense secrets and orchestrate industrial-scale intellectual property theft. And, of course, this it does. I would suggest, however, that it may also be that the APT fits into a broader Chinese strategic policy – a messaging strategy, if you will, bound up with achieving "information warfare" effects of just the sort that Chinese cyber doctrine leads one to expect Beijing would to wish to create.
In the conventional narrative of the APT, Chinese government-affiliated hackers take advantage of the problems of cyberspace attack attribution to conceal themselves. In an arena in which cyber warriors may mount their attacks through hijacked swarms of computers belonging to innocent third parties, of course, it is indeed devilishly hard to be sure where an assault really originated. This attribution problem is said – quite correctly – to complicate issues of strategic signaling and deterrence in cyberspace, giving attackers considerable leeway to do their thing without fear of the kind of retaliation that would likely result if it were clear who they really were. Even though most observers are pretty sure China is behind it, in other words, the APT hides itself behind "plausible deniability" in cyberspace. And indeed, the government in Beijing claims that it never, ever engages in such activity – thus preserving the that Chinese rulers have claimed for themselves for thousands of years.
Except that it's not quite as simple as that. Some experts who study such things are apparently surprised by the degree to which China goes to such little trouble to conceal its significant involvement in cyberspace. Officially, of course, it has no such role at all, and the state-run Chinese media gleefully reprint accounts of overt Pentagon cyberwar preparations as evidence of Washington's self-interested malice in world affairs. But in an environment in which it is apparently technically possible to conceal one's fingerprints nearly completely, it is perhaps remarkable that the campaigns of the APT are not better concealed as having their origins at least somewhere in China.
Perhaps, seen through the broader perspective of full-spectrum information conflict, such semi-attribution is useful. It does not allow enough certainty to permit beyond-a-reasonable-doubt attribution to the Chinese government, thus facilitating Beijing's virtuous posturings and helping prevent overt retaliation. But at the same time, the APT's tracks are not so hidden that everyone doesn't have a pretty good idea what's going on. And this may be quite intentional.
As I suggested earlier, everyone knows that with network access one can do more than simply steal information. He who can exfiltrate someone else's data, after all, can infiltrate his own code. And, as military people will tell you, the first priority for mounting a really sophisticated attack of any sort is good reconnaissance. When access is coupled with a deep understanding of target systems acquired through systematic reconnaissance, all sorts of things are possible. Today, it seems clear – as one U.S. Air Force cyber-general told Aviation Week last May – that the APT is not just about espionage, but also about "accessing our networks for later exploitation."
In many circumstances, such reconnaissance is surely best done covertly. One imagines, for instance, that whomever mounted the "StuxNet" attack did not wish Iranian authorities to know that someone overseas was interested in the control networks for the centrifuge cascades at Natanz or the steam turbine at Bushehr. On the other hand, maybe it is sometimes useful to let the target know you're out there – and thus important not entirely to conceal your tracks.
As the myriad probes of the APT wash daily up against U.S. government and defense industry computer networks, perhaps we are expected to see a shadowy Chinese hand behind the campaign. The message, perhaps – delivered to us as the most significant military power on the planet, but one whose forces are enormously dependent upon Internet-facilitated connectivity and computerized control systems – is something like: "We're here, and you ain't seen nothin' yet. So watch your step."
Through this prism, then, the semi-attributable nature of the APT may thus serve an important purpose that complete concealment would not. On top of its considerable benefits in technology acquisition and network attack preparation, the APT perhaps does double duty as a sort of strategic signaling in its own right. Not really all that different from official Chinese leaks of information about purported "stealth" fighter technology, press accounts of the new DF-21 anti-shipping ballistic missile, ill-concealed attack submarine deployments increasingly far afield, and anti-satellite weapon tests, the APT may be designed, in part, to encourage leaders in the United States and our Asian allies to believe that it's just too much trouble, and is too dangerous, for us to stand up to some future Chinese military provocation.
It is, of course, up to people better informed than myself to assess whether that Chinese message is actually true. It might be ... but not necessarily – and the details matter. How prepared are we for what China implicitly proclaims itself prepared to do? What would our countermeasures be? And what parade of problems would we, on our part, be prepared to confront Beijing with having to manage if the proverbial balloon went up?
Those are questions I will not attempt to answer here. Chinese strategic writings seem to place great stock in having the clever plan, the brilliant ruse, or the secret weapon or stratagem that will enable one to triumph over adversaries no matter how powerful they are. When one really does have a miraculous trick up one's sleeve, I suppose, this is all well and good. But people who think this way too much can sometimes miscalculate, picking a fight that it is beyond the power of their cleverness to win.
It is not for me to say what China's odds of success really are in such an eventuality, but the implied Chinese message to us seems reasonably clear. When viewing the APT, we are expected to be cowed, to be deterred from taking actions Beijing does not wish us to take. I'll admit that it is becoming an annoying cliché to quote the ancient Chinese strategic writer Sun Zi in any discussion of such topics, but it is nonetheless surely true that the best sort of victory is indeed when one is able to subdue one's enemy without fighting. It a widespread assumption in Western analyses that deterrence is virtually impossible in cyberspace. But I'm not entirely convinced of this – and neither, I suspect, are planners in Beijing.
Thank you. I look forward to our discussions.