26 June 2021

A Credible Deterrent to Chinese Cyber Attacks

Norman Friedman

With the use of cyber weapons of various kinds, the world seems to be in a new kind of strategic era. For the first time in many decades, there are strategic weapons that can be used without destroying the world. Low-level cyber warfare seems to go on constantly. It is almost always strategic, in the sense that it touches places anywhere in the world. It generally seems much less destructive than any nuclear weapon. However, it seems clear a cyber attack could have such horrific physical consequences that it might justify a nuclear response. But short of a nuclear strike, what credible response could the United States pose to deter an adversary from launching a crippling cyber attack? In the case of China, it would be a cyber attack against its social credit system.

A deterrent must be a credible threat to exact sufficient damage to convince an enemy to avoid some kinds of cyber attacks or activities. The U.S. government already is painfully aware that cyber weapons are being used against the nation. Probably nearly all readers of this article, for example, were affected by the successful penetration of the Office of Management and Budget (OMB), which gave the attackers full access to the U.S. government’s files on personnel clearances. It is difficult to imagine dropping a nuclear bomb on Beijing in retaliation, but without a credible threat of retaliation, China pays far too little in cost.

The OMB penetration is an interesting case, because it illustrates the two aspects of cyber operations. They can be classic intelligence operations to gain access to poorly guarded U.S. government information. However, they can also be an attack against U.S. capabilities. Some observers have suggested that the point of the OMB attack was to identify all U.S. citizens with security clearances, so that anyone operating under cover abroad could be neutralized. If that is true, it will take a long time to find, train, and clear replacements.

When do intelligence operations (to gain information) become more like direct attacks? Reportedly, the Chinese have also sought to penetrate U.S. power and water company operating systems, presumably looking for more than classic intelligence. Penetration includes the threat that these utilities could be disabled in a crisis.

U.S. cyber operations and capabilities are rightfully carefully guarded, just as nuclear capabilities are protected. Occasionally a leak provides some information; the public learned, for example, of a U.S.-developed means of penetrating foreign governments that was stolen and put up for sale on the Dark Web.

The Cold War nuclear deterrent record is discouraging. Until the 1980s, there was apparently no serious attempt in the United States to discover exactly what would have deterred the Soviets. Nuclear strategists (of which I was one) approached their craft as though it was a branch of applied mathematics. Damage criteria were set from time to time, but without reference to the way real Russians thought or acted. The seismic shift to minimum deterrence, which justified the submarine-launched ballistic-missile fleet as sufficient to deter the Soviets, was based on a U.S. criterion that the ability to destroy a sufficient (and terrifying) percentage of Soviet cities would suffice. But there was little or no logic backing up the criterion. Every so often, nuclear targeters would posit an “environmental” logic: The damage imposed on the Soviet Union would be so horrific that it would surely encompass the worst nightmares of Soviet leaders. Certainly, the damage the Soviets could have imposed on us encompassed our own nightmares.1

But the Soviet leaders were not Americans, and they did not live in a system anything like ours. Someone pointed out that they were much more like the heads of organized crime families, concerned with their own survival but not much else. They would likely take a personal threat seriously. This was called leadership targeting. Not coincidentally, the final edition of Soviet Military Power, the booklet on the Soviets issued by the Defense Department, featured a new map of the leadership shelter system in Moscow—the implication being that it would be the prime target.

This was deterrence; making a credible threat a potential enemy was likely to take seriously. But deterrence can fail.

For cyber deterrence to work, the United States needs cyber deterrents tailored to its likely enemies, not to American values. Most likely that has to be something analogous to the late Cold War deterrent threat against Soviet leaders. That is likely to trump any threat to Chinese national economic survival.
What the Chinese Communist Party Fears Most

The Chinese Communist Party has shown that it will expend enormous effort to maintain control of its population. This need for control apparently extends to foreign countries. For example, countries and organizations that speak on behalf of the Uighurs suffering genocide are subject to various sanctions. It does not matter that China has signed treaties making such sanctions illegal; what matters is maintaining and extending President Xi Jinping’s power. The Chinese government likewise fears internal unrest. The Party clearly fears any organization it cannot control, which has led it to attack all forms of organized religion and even those who have banded together to do traditional exercises (the Falun Gong).

To Xi and his government, the most effective instrument of control is the computerized system of social credit. It maintains a file on everyone in the country, supported in part by facial recognition software. The file records the most trivial everyday behavior. Even jaywalking or spitting on a sidewalk costs points. Without enough points, a Chinese citizen can forget about buying a train ticket, renting a good apartment, or moving to a city with good jobs.

The social credit system is China’s cyber target most closely equivalent to the nuclear shelters for the Soviet leaders. The Chinese must know that all such systems are vulnerable. Moreover, knowledge of the details of the Chinese system is likely to spread. China has claimed to potential friends that it has developed the perfect means of enforcing social discipline. The cyber-fascist system is likely to be a popular export, just as East Germany and North Korea once exported training in their skills of maintaining police states. It seems likely, then, that the key software of the Chinese system will spread—and become even more vulnerable to compromise.

Like any computer system, the Chinese system can be protected from hacking only by isolating it. However, the system’s central computers cannot be disconnected from multiple networks, because they must cover the whole country, rapidly receiving information and passing social ratings throughout the Chinese economy. Social control works only because misbehavior anywhere in the country must register in such a way that it is reported instantly; the system’s tentacles must reach everywhere in China. Even if this system uses an isolated communication net, the net itself is tappable. This system, so central to the life of the Chinese government, is surely the best U.S. target for effective cyber deterrence.

Can the United States actually hack into the Chinese social computer system? Any answer must be very secret. But for a deterrent to work, its target must have at least a sense of vulnerability. It is possible that merely discussing this seriously will impact the Chinese government.

No comments: