That the United States and China have engaged in skirmishes in the cyber domain is no secret. Since the beginning of the 21st century, targeted cyberattacks, often with signs of Chinese origin, have attempted to penetrate the computer networks of U.S. corporations and government agencies in search of potentially valuable information. In response to this new strategic threat, the U.S. Military’s Strategic Command commissioned the creation of a sub-unified Cyber Command in 2009, with one of its stated objectives being the “defense of specified Department of Defense information networks.”
U.S. President Barack Obama very clearly defined the threat that cyberattacks pose to the economy, in both the public and private sectors, when he said that the “cyber threat is one of the most serious economic and national security challenges we face as a nation.” Indeed, conflict in the cyber domain is still having some serious repercussions for the business world.
Civilian Involvement in Cyber Warfare
The characteristic of cyber warfare that makes it so uniquely dangerous to the corporate sector is that military power in the cyber domain must be extended through computer networks provided and maintained by non-governmental bodies. The use of these networks for cyberattacks or defense requires the conscription or cooperation of civilian resources. This creates extreme liabilities for the corporations that provide these networks, as they will quickly become the targets of suspicion and possible retaliation from the enemy state. In recent years, both Chinese and American companies have been caught in just this situation.
On October 8, 2012, the U.S. House of Representatives’ intelligence committee released a report that warned of potential national security threats posed by Chinese telecommunication giants Huawei and ZTE. After conducting a year-long investigation of the suspect companies, the intelligence committee found serious vulnerabilities caused by hidden “backdoors” worked into the companies’ technologies that would allow access to U.S. government and business networks. The report advised against the purchase of products manufactured by Huawei or ZTE, and suggested that policymakers block any mergers between either of the two companies and U.S. telecommunication corporations. These accusations have seriously hurt consumer confidence in the two companies, to the extent that in December of 2013, Huawei’s executive vice president dramatically declared “we are not interested in the U.S. market anymore.” While Huawei has managed to hold on to a small market share in America, the company’s association with Chinese state-sponsored cyberattacks has devastated its ability to operate in the United States.
It became clear last year, though, that the United States was a perpetrator of cyberattacks as well as a victim. In June 2013, former U.S. National Security Agency contractor Edward Snowden provided the world with a look into the intelligence apparatus of the NSA, releasing thousands of classified documents to the media. The released documents revealed that the U.S., like China, was using domestic tech firms (in many cases without their knowledge or consent) as conduits for intelligence gathering cyberattacks. In May 2014, the Chinese government announced that it would no longer purchase or use two of Microsoft’s main products, the Windows 8 operating system and the Microsoft Office 365 Suite. Then, in late July and early August, Chinese officials from the State Administration for Industry and Commerce (SAIC) raided multiple offices owned by Microsoft and its contractors in China. While vague statements about an anti-monopoly probe were made, the company’s decision to end support for the Windows XP operating system – a move that would expose the many Chinese computers that use the operating system to security risks – was also cited as a factor in the raids. While it is likely that the ban and subsequent raids were also intended to pave the way for new operating system technologies created in China, the Snowden revelations allowed potential U.S. espionage activities to be cited as a justification. Just as Huawei and ZTE suffered for their association with espionage activities of the Chinese government, Microsoft took a major hit because of the provocative actions of its government.
An Undefined Battlefield
On both sides of the Pacific, it is clear that both U.S. and Chinese tech firms are being caught in the crossfire of these cyber skirmishes between the two countries. Any escalation in tensions in the cyber domain could be disastrous to the private sector. Unfortunately, despite the risks that future cyberwars hold for multinational corporations, there is a marked absence of legislation, precedent, and international norms that could govern the relationships between private companies and the governments looking to use them as avenues through which cyberwar could be conducted. For as long as these ambiguities exist, corporations that deal in the communication technology industry will exist in the gray area of an unregulated cyber battlefield devoid of any policies meant to protect the assets and infrastructures of civilian actors. It is in the interests of both countries to more clearly define, through domestic cooperation with corporate partners and with bilateral international discussion and agreement, the boundaries between civilians and the military in cyber warfare. Failure to do so could severely hamper the economic interaction that has been so lucrative for both countries and further destabilize an already fragile Sino-American relationship.
Government’s Role in Domestic Cyber Security
While organizations have taken extensive measures to provide security against cybercrime, the challenges of a larger cyberwar against a capable and persistent foe require greater national organization and civilian-government cooperation. Unfortunately, in the United States, government responses to engagements in the cyber domain have been slow at best, but more often nonexistent. The cause of this is commonly the difficulty in identifying attackers and the lack of procedures in place for how a national response can and should be mobilized to address an attack on a civilian target. This lack of definition creates additional liability for the civilian counterpart because the opposing state (in this case China) does not know to what extent the civilian is involved with the defense and possible subsequent counterattacks. The lack of clarity directly increases the probability that the civilian will be the target of general suspicion and will suffer financial damage, as was seen with Huawei, ZTE and Microsoft. In broad terms, foreign attacks on domestic civilian targets can be placed in one of two categories: those that pose a national security threat and those that cause potential financial harm to the recipient of the attack. These two types of attacks require specific responses that have not yet been clearly defined by the U.S. government and the business community.
A cyberattack that directly threatens the national security of the United States might require the temporary direct use, or even the partial or complete conscription, of a civilian network. Disruptions of public utilities, theft of sensitive information from a security contractor, or the sabotage of civilian networks necessary for the operation of the military are examples of intrusions that might necessitate such a response. However, the documents released by Edward Snowden revealed that civilian networks were commonly conscripted for foreign surveillance activities, often without the knowledge of their owners. One of the largest barriers that conscription faces to becoming a transparent counter-cyberattack strategy is the ambiguity surrounding the cyber domain in warfare. Because no legislation exists that explicitly defines cyberattacks as acts of war and because the Supreme Court has never ruled on the constitutionality of conscription in any form during peacetime, no precedent has ever been set that would instruct the government on how to publicly organize a defense in the case of a cyberattack against a civilian target that threatened national security. While this does not excuse the NSA of its secrecy, it does indicate the need for legal clarification on the matter of cyber warfare. A decisive answer to the question of the legality of government conscription of civilian network assets in the interests of national security would allow a transparent strategy that involved input from both civilian and government representatives to be formed.
If a cyberattack is not a national security threat, but only threatens the financial health of the victim, the procedures for a government response are even more unclear. With traditional cybercrime, civilians are responsible for their own cyber security and the liability of unsuccessfully defending against an attempted network penetration falls on the civilian’s security provider or the civilian’s own security measures. However, it seems unreasonable to assume that a civilian would be able to successfully defend against the cyberattacks of a foreign state, which presumably would have greater access to technology, talent and funding.
Say, for example, a cyberattack of Chinese origin manages to steal sensitive information relating to a patented product of an American company. What response could that company expect to receive from the government? The answer to that question has yet to be explicitly defined through any official legislation or successful precedent. However, the Cybersecurity Act of 2013, which was recommended for further consideration in July 2013, might be a step in the right direction. The bill directs the Secretary of Commerce and the Director of National Institute of Standards and Technology to work toward the, “development of a voluntary, industry-led set of standards and procedures to reduce cyber risks to critical infrastructure.” While the bill does not specifically say what measures can be taken to address the problem, a dialogue between the government and the civilian sector is a necessary first step toward assuring that the government will take an active role in preventing damaging cyberattacks on civilian targets.
A Line in the Cyber Sand
The lack of adequate procedural preparation for cyber warfare and ambiguity about the government’s role in protecting its civilians from cyberattacks represents a real strategic threat to the United States as well as a financial liability for civilians. Before the release of the NSA documents last year, the U.S. government was acting unilaterally to address the problems presented by aggression from the Chinese in the cyber domain. The nature of cyber warfare, however, necessitates civilian cooperation. Now there is an opening to create a partnership to more clearly define the lines between state actions that might be internationally provocative and civilian resources that, while necessary to the state’s actions, do not represent the civilian’s participation as an aggressor. Not only will this protect civilian assets that are not directly involved in cyber warfare efforts, it will also create procedures that will allow for a more effective and efficient strategy for the conduct of cyber warfare.
Given the very real risk that conflict between China and the U.S. in the cyber domain could escalate in the future, we need to find ways to isolate it from the vibrant economic exchange that have benefited both countries. The worst-case scenario would be the disintegration of the line between warfighting assets and civilian assets, such that the intentional targeting of noncombatants becomes a viable strategy. Both China and the U.S. need to act to ensure that their civilians do not become casualties of cyber warfare.
Cameron Stevens is a student at the Schreyer Honors College of Pennsylvania State University, and an intern at the Strategic Studies Institute. The views expressed in this article do not necessarily represent the opinions or positions of the Strategic Studies Institute, U.S. Army War College, or the U.S. military.