Managing risks in cyber warfare
Posted: 26/02/2013
By Dr William Choong, Shangri-La Dialogue Senior Fellow for Asia-Pacific Security
It is a nondescript 12-storey building in Shanghai, but its alleged exploits in cyber hacking into American-based computers have put it at the centre of intensified tensions between China and the United States.
The alleged intrusions by China-based hackers are not entirely new. In past years, the Pentagon and Google have alleged that Chinese hackers had broken into their networks. In 2011, it was alleged that Operation Shady RAT had targeted more than 70 organisations over five years. These included the United Nations and government agencies in the US, Canada, South Korea, Taiwan and Vietnam.
But the mounting evidence of China’s support for the hacking and the growing threat posed to US infrastructure, if proven to be true, would represent an emerging Chinese way of war that is truly worrying.
First, the alleged hacking shows that state-sponsored Chinese hackers have become adept at using the fog of war to cloak their attacks. For example, US security firm Mandiant had a video on its website, which tracked how hackers from the People’s Liberation Army (PLA) unit had used US-based Internet addresses to break into US servers.
The fog of war also enables China to offer plausible denials.
Granted, it has been reported that the Obama administration would share with US Internet providers the unique digital signatures of China’s largest hacking groups, including a group called Comment Crew. This has lent weight to the allegations in the Mandiant report.
But Mandiant is not a government agency. And its allegations have been vigorously denied by Chinese officials, who have countered that 32,000 Internet addresses outside China were used to control 38,000 Chinese websites remotely using ‘backdoor implementation’. The US ranked first in such attacks, said a Ministry of Foreign Affairs spokesman last Tuesday.
If proven to be true, Mandiant’s allegations would also prove that China’s state-sponsored hacking hews to Mao Zedong’s vaunted strategy of asymmetrical warfare against a stronger opponent.
This strategy would involve using a full suite of methods to fight a bigger enemy, such as in the political, economic, cultural and technological realms.
Writing in Unrestricted Warfare in 1999, two PLA senior colonels argued for such a strategy. Given that their book was published by a Beijing-based PLA publishing house, the work was seen to have received approval from the PLA leadership.
According to Senior Colonels Qiao Liang and Wang Xiangsui, a full court press against the US would involve a multiplicity of attack routes – hacking into websites, targeting financial institutions, the use of terrorism and the media as well as urban warfare.
The goal would be ‘to use all means whatsoever – means that involve the force of arms and means that do not involve the force of arms, means that involve military power and means that do not involve military power, means that entail casualties and means that do not entail casualties – to force the enemy to serve one’s own interests’.
That said, some circumspection is needed here.
For cyber attacks to qualify as ‘cyber war’, they must take place alongside military operations. Put differently, for cyber war to be ‘war’, there must first be war. But full-on conflict between the US and China is unlikely, given growing common interests between the two countries.
In the unlikely event that war erupts, cyber attacks are unlikely to be decisive. Writing in a report assessing the effects of cyber war, Mr Martin Libicki, an analyst at US-based Rand Corp, argues that cyber attacks will only frustrate operators of military systems, and then only temporarily.
Moreover, in the course of being attacked in cyberspace, a country can rectify its vulnerabilities, people can be made less vulnerable, and, as a result, become less susceptible to coercion.
There are also tried and tested methods to reduce the threat of cyber attacks significantly. According to studies conducted by Australia’s Defence Signals Directorate and the US National Security Agency, four measures can reduce the risk of cyber attacks.
These include ‘whitelisting’, which allows only authorised software to run on a computer or network, rapid patching of operating systems and programs, and minimising the number of people on a network who have ‘administrator’ privileges.
Citing their studies, Mr James Lewis, a cyber security expert at the Centre for Strategic and International Studies, said the four measures reduced the risk of cyber attacks by 85 per cent, and in some cases, to zero.
The US can also go on the offensive. Writing in Armed Forces Journal in 2007, a US Air Force colonel suggested that the US establish its own ‘botnet’ – a network of computers that ‘can direct such massive amounts of traffic to target computers that they can no longer communicate and become no more useful to our adversaries than hunks of metal and plastic’.
In response to the alleged Chinese intrusions, the Obama administration is planning to give the US president broad powers to order offensive, pre-emptive strikes on a country’s cyber assets if Washington detects credible evidence of a major digital attack, the New York Times reported this month.
Arguably, calibrating a response appropriate to a cyber attack is difficult. This is called the ‘Blind Mike Tyson’ effect – an attack by a lesser power could result in a bigger power retaliating with ‘offline’ weaponry, such as nuclear weapons (that is, ‘you blind me, I nuke you’).
For now, however, President Barack Obama’s drive for pre-emptive strikes is misplaced. Just as the shield countered the sword, and rocket-propelled grenades countered the tank, defensive measures in cyberspace would counter most offensive cyber attacks.
Cyber attacks might be worrying, particularly if they are accompanied by conventional military offensives. But to maintain a sense of proportionality – and control a risky escalation in a conflict – the use of defensive measures will be more appropriate for now.