The Rebalance author Mercy Kuo regularly engages subject-matter experts, policy practitioners, and strategic thinkers across the globe for their diverse insights into the U.S. rebalance to Asia. This conversation with Dr. Herbert S. Lin, senior research scholar for cyber policy and security at the Center for International Security and Cooperation and Research Fellow at the Hoover Institution, both at Stanford University; chief scientist, emeritus for the Computer Science and Telecommunications Board, National Research Council (NRC) of the National Academies, where he served from 1990-2014 as study director of major projects on public policy and information technology; adjunct senior research scholar and senior fellow in cybersecurity (not in residence) at the Saltzman Institute for War and Peace Studies in the School for International and Public Affairs at Columbia University; and professional staff member and staff scientist for the House Armed Services Committee (1986-1990), where his portfolio included defense policy and arms control issues, is the 63rd in “The Rebalance Insight Series.”
Explain the use of offensive operations as instruments of national policy in cyberspace.
Offensive operations in cyberspace are performed to compromise the confidentiality of information, the integrity of information, or the availability of information. A compromise of confidentiality results in unauthorized parties gaining access to information that they should not have — stealing electronic medical records, for example. A compromise of integrity results in improper changes to information — changing a medical record so that a patient’s blood type is represented as Type A when her actual blood type is Type O. A compromise of availability results in information inaccessible to parties that should have it — the patient’s physician is unable to access the information in the medical record.
A nation might choose to conduct offensive operations for many reasons. For example, it might wish to gather intelligence on potential adversaries, in which case it could use offensive operations to spy on them in cyberspace. It may wish to disrupt the operations of an adversary’s weapons systems, in which case it might compromise the integrity of the databases used to control where and when the adversary can use its weapons. Or it may wish to cause an adversary some temporary inconvenience as a warning, in which case it might compromise the availability of the online banking sites of the adversary.
Offensive operations in cyberspace potentially affect anything that involves computer or communications technology, a fact that makes them extraordinarily flexible instruments for carrying out the wishes of national policy makers. Many nations, including the largest and most powerful nations in the world, are interested in exploiting the potential value of such operations.
Assess the role of tools, such as a Trojan named NanHaiShu (South China Sea rat) used in cyber attacks against institutions opposed to China’s territorial claims, in cyberwarfare.
Public reports indicate that NanHaiShu is a cyber weapon that has been used against a number of government and private-sector organizations that are involved in the present disputes occurring in the South China Sea. Analysts believe that Chinese hackers (possibly sponsored, supported, or encouraged) by the Chinese government have targeted organizations that oppose Chinese territorial claims in the South China Sea. If so, it is possible that these operations have been carried out as a way of demonstrating Chinese displeasure with the policy positions of the nations with which the targeted organizations are associated. It appears that the primary purpose of NanHaiShu is to compromise confidentiality of files residing on the systems of the targeted organizations—knowledge of their contents could help the Chinese government anticipate further actions by these organizations.
According to recent Financial Times reporting, 90 percent of Asia-Pacific companies have been hit by some form of cyber attack this year, up from 76 percent a year ago. How does Asia’s cybersecurity infrastructure and responsiveness compare to that of the United States?
One major difference between the United States and Asian nations is the much sharper line that separates government from private sector activities, a line that many Asian nations do not appreciate or even believe. As a result, the leverage that the U.S. government has over its private companies is usually less — significantly less — than in Asian nations, and in particular the U.S. government must rely on persuasion rather than direction in improving the cybersecurity posture of its private sector. On the other hand, the United States has been actively addressing the cybersecurity issue for a much longer time than most Asian nations, and arguably has a head start in understanding many of the issues that arise in securing itself in cyberspace.
What are, if any, the rules of engagement in cyberspace as a new theater of conflict?
No international agreements govern the use of cyber weapons as such, although many nations have stated that international law, including the laws of armed conflict, applies to cyberspace. Thus, specific rules of engagement are determined by the particular nations using cyber weapons according to their own national priorities and needs. What Nation A might determine to be an appropriate rule of engagement in a given situation may well not be the same as what Nation B determines to be appropriate.
What are the top cybersecurity policy challenges in Asia that face the next U.S. president?
Given that cyberspace spans the globe, it is not clear that Asia presents challenges to cybersecurity that the rest of the world does not. That said, I believe the overall Sino-American relationship is the most important bilateral relationship in the world, and how China and the United States relate to each other in cyberspace is a key and fundamental element of that relationship. Encouraging signs of progress in cybersecurity emerged from the Obama-Xi summit in September 2015, and one critical challenge is to build on that progress without allowing other dissonances in the Sino-American relationship to impede it.
A second key cybersecurity challenge is growth in the number of Internet users from Asia over the next several years. Asia and Africa will account for the vast majority of the 1 to 2 billion additional Internet users that will be seen in this time frame, and this enormous growth will affect cybersecurity in two profound ways. Cyber criminals of today will find even more opportunities for victims in this additional population (most of whom will be using mobile devices have lesser technological capabilities to provide cybersecurity). Additionally, the number of criminal hackers will expand. Managing this challenge will be difficult not just for the U.S. President but for national leaders around the globe.