Recent revelations in the American media about the involvement of the Chinese military in cyber attacks against the United States have attracted much attention not because such unfriendly acts are news,but because for the first time,accusations of Chinese misdeeds are accompanied by well-documented evidence gathered by an independent party (in this case,an American computer security company called Mandiant,which was hired by The New York Times to defend the paper against Chinese cyber attacks after it published investigative reports on the enormous wealth accumulated by the family members of the Chinese premier). In other words,one might say that the Chinese military was caught red-handed.
The Chinese government,of course,does not see things the same way. Its military has countered with its own evidence,showing over 100,000 recent cyber attacks against Chinese military websites,most of them originating in the US.
This unfolding US-China duel in cyberspace is a stark reminder that not only is the strategic rivalry between the worlds two most powerful countries becoming full-fledged,but it could also spread into dangerous territories if neither side sets the minimum rules of engagement.
It has been known for a long time that the Chinese government has a comprehensive and,by some accounts,extremely aggressive,programme to build cyber offensive capabilities. What sets the Chinese programme apart from those of other major countries is its scale and scope. Data compiled by the American technology firm,Akamai,which tracks web trafficking,shows that roughly one-third of all cyber attacks originate in China (compared to under 15 per cent for the US). Based on volume,China can easily qualify as the worlds most active cyber attacker. Cyber attacks launched from China are also distinct in the wide scope of their targets,ranging from American government institutions and its military establishment to its commercial enterprises,newspapers,thinktanks,and US-based Chinese dissident groups. This is another piece of evidence suggesting that such attacks have clear guidance from Chinas civilian leadership and are unlikely to be rogue operations by freelancers. Among the most damning evidence uncovered by Mandiant is that Chinese cyber attackers begin work at 8 am,Beijing time,and take weekends off,suggesting that they are employees of companies or government agencies based in China.
Given the enormous publicity surrounding Chinas cyber attacks,political pressure is building up in the US to do something. Some Congressmen are openly talking about sanctions,which might include restrictions on technology transfers,limitations on the operations of Chinese-owned businesses in the US and visa bans on Chinese individuals suspected of involvement in such attacks. More outspoken critics of China even hint at counter-attacks against Chinese military and civilian establishments.
The questions that need to be asked are whether such threats can produce the desired results and whether there may be a better way of managing Chinas cyber threat. The answers to these questions are,unfortunately,not very encouraging.
Sanctions or the threat of sanctions against China over cyber attacks might work if the Chinese government understands that it will suffer unbearable economic or diplomatic consequences and have no way of retaliating against the Americans. At the moment,the ideas being floated in the US do not appear to contain measures that could cause howling pain in Beijing. In terms of restrictions on technology transfers,the US already has very strict rules on the sale of dual-use technologies to China. American companies have also been increasingly careful about transferring technologies to China because of concerns over Chinas rising competitiveness and the problem of intellectual property protection. Limiting the operations of Chinese-owned businesses,mostly private technology firms (such as the telecom giant Huawei,which has research and development facilities across the US),could cause some pain,but the victims would be private Chinese firms,not state-owned entities. Visa bans might sound tempting,but it is worth noting that the Chinese government is unlikely to allow these individuals to travel abroad,least of all to the US,out of fear that they may spill its secrets. Retaliating against Chinese cyber attacks,another tempting idea,needs to be thought through. Are we talking about hacking into Chinese systems and stealing their secrets,or are we thinking about causing real damage? The former is a proportional response to Chinas cyber attacks,but the latter would constitute a substantial escalation.
The biggest problem with these proposed sanctions is that China could retaliate,playing tit-for-tat against each type of sanction. The consequences of such escalations would be a serious deterioration in US-China relations,not an outcome sought by either Washington or Beijing.
The realisation that sanctions may not work has led some to propose negotiating with China for a set of rules governing cyber attacks. On the surface,this appears to be a more reasonable and promising idea,but many obstacles remain.
The most obvious one is that China firmly believes that the US itself is engaged in similar activities and is in no position to criticise China on this issue. For instance,Americas successful use of the Stuxnet virus against the Iranian nuclear programme would undermine Washingtons argument that China should rein in its cyber activities. Another obstacle is the unique nature of cyber attacks these days. Hackers can use computers based in a third country to route their attacks,thus concealing their fingerprints. A technical fix for this problem might be difficult to find. This will make verification of compliance almost impossible. A final problem is that an effective regime governing cyber attacks will require many technical specifications that could force signatories to reveal crucial secrets about their cyber offensive and defensive capabilities. If you think the SALT treaties between the US and the Soviet Union were difficult to negotiate (it took them many years),striking a US-China bargain over cyber security could be almost impossible.
What this leaves us is a rather pessimistic outlook on the cold war in cyberspace between the US and China. Based on the mutual distrust and the temptation to gain critical advantages over a strategic rival,neither side may want to make concessions. The only hope we can have is that,like the Soviets and the Americans in the Cold War,the Chinese and the Americans will observe at least some minimum rules. In this case,one of such rules should be: you may steal trade secrets,but you must never wreck critical infrastructure.
The writer is a professor of government and non-resident senior fellow at the German Marshall Fund of the US