[Infowarrior] - Fallows: Cyber Warriors
Richard Forno
rforno at infowarrior.org
Wed Feb 10 16:55:41 UTC 2010
http://www.theatlantic.com/doc/201003/china-cyber-war
Cyber Warriors
by James Fallows
Early in my time in China, I learned a useful lesson for daily life.
In the summer of 2006, I saw a contingent of light-green-shirted
People’s Liberation Army soldiers marching in formation down a
sidewalk on Fuxing Lu in Shanghai, near the U.S. and Iranian
consulates. They looked so crisp under the leafy plane trees of the
city’s old colonial district that I pulled out a camera to take a
picture of them—and, after pushing the button, had to spend the next
60 seconds running at full tilt away from the group’s leader, who
pursued me yelling in English “Stop! No photo! Must stop!” Fortunately
he gave up after scaring me off.
The practical lesson was to not point a camera toward uniformed groups
of soldiers or police. The broader hint I took was to be more careful
when asking about or discussing military matters than when asking
about most other aspects of modern China’s development. I did keep
asking people in China—carefully—about the potential military and
strategic implications of their country’s growing strength. Ever since
the collapse of the Soviet Union and consequent disappearance of the
U.S. military’s one superpower rival, Western defense strategists have
speculated about China’s emergence as the next great military threat.
(In 2005, this magazine published Robert Kaplan’s cover story “How We
Would Fight China,” about such a possibility. Many of the
international-affairs experts I interviewed in China were familiar
with that story. I often had to explain that “would” did not mean
“will” in the article’s headline.)
The cynical view of warnings about a mounting Chinese threat is that
they are largely Pentagon budget-building ploys: if the U.S. military
is “only” going to fight insurgents and terrorists in the future, it
doesn’t really need the next generation of expensive fighter planes or
attack submarines. Powerful evidence for this view—apart from
familiarity with Pentagon budget debates over the years—is that many
of the neoconservative thinkers who since 9/11 have concentrated on
threats from Iraq, Afghanistan, and Iran were before that time writing
worriedly about China. The most powerful counterargument is that
China’s rise is so consequential and unprecedented in scale that it
would be naive not to expect military ramifications. My instincts lie
with the skeptical camp: as I’ve often written through the past three
years, China has many more problems than most Americans can imagine,
and its power is much less impressive up close. But on my return to
America, I asked a variety of military, governmental, business, and
academic officials about how the situation looks from their
perspective. In most ways, their judgment was reassuringly soothing;
unfortunately, it left me with a new problem to worry about.
Without meaning to sound flip, I think the strictly military aspects
of U.S.-China relations appear to be something Americans can rest easy
about for a long time to come. Hypercautious warnings to the contrary
keep cropping up, especially in the annual reports on China’s
strategic power produced since 2000 by the Pentagon each spring and by
the U.S.-China Economic and Security Review Commission each fall. Yet
when examined in detail, even these show the limits of the Chinese
threat. To summarize:
• In overall spending, the United States puts between five and 10
times as much money into the military per year as China does,
depending on different estimates of China’s budget. Spending does not
equal effectiveness, but it suggests the difference in scale.
• In sophistication of equipment, Chinese forces are only now
beginning to be brought up to speed. For instance, just one-quarter of
its naval surface fleet is considered “modern” in electronics,
engines, and weaponry.
• In certain categories of weaponry, the Chinese don’t even compete.
For instance, the U.S. Navy has 11 nuclear-powered aircraft-carrier
battle groups. The Chinese navy is only now moving toward construction
of its very first carrier.
• In the unglamorous but crucial components of military effectiveness—
logistics, training, readiness, evolving doctrine—the difference
between Chinese and American standards is not a gap but a chasm. After
a natural disaster anywhere in the world, the American military’s vast
airlift and sealift capacity often brings rescue supplies. The Chinese
military took days to reach survivors after the devastating Sichuan
earthquake in May of 2008, because it has so few helicopters and
emergency vehicles.
• For better and worse, in modern times, American forces are
continually in combat somewhere in the world. This has its drawbacks,
but it means that U.S. leaders, tactics, and doctrine are constantly
refined by the realities of warfare. In contrast, vanishingly few
members of the People’s Liberation Army have any combat experience
whatsoever. The PLA’s last major engagement was during its border war
with Vietnam in February and March of 1979, when somewhere between
7,000 of its soldiers (Chinese estimate) and 25,000 (foreign
estimates) were killed within four weeks.
Beyond all this is a difference of military culture rarely included in
American discussions of the Chinese threat—and surprising to those
unfamiliar with the way China’s Communist government chose to fund its
army. The post-Vietnam American military has been fanatically devoted
to creating a “warrior” culture of military professionalism. The great
struggle of the modern PLA has been containing the crony-capitalist
culture that comes from its unashamed history of involvement in
business. Especially under Deng Xiaoping, the Chinese military owned
and operated factories, hotels and office buildings, shipping and
trucking companies, and other businesses both legitimate and shady. In
the late 1990s President Jiang Zemin led a major effort to peel the
PLA’s military functions away from its business dealings, but by all
accounts, corruption remains a major challenge in the Chinese
military, rather than the episodic problem it is for most Western
forces. One example: at a small airport in the center of the country,
an airport manager told me about his regular schedule of hong bao
deliveries—“red envelopes,” or discreet cash payoffs—to local air-
force officers, to ensure airline passage through the sector of
airspace they controlled. (Most U.S. airspace is controlled by the
Federal Aviation Administration; nearly all of China’s, by the
military.) A larger example is the widespread assumption that military
officials control the vast Chinese traffic in pirated movie DVDs.
The Chinese military’s main and unconcealed ambition is to someday be
strong enough to take Taiwan by force if it had to. But the details of
the balance of power between mainland and Taiwanese forces, across the
Straits of Taiwan, have been minutely scrutinized by all parties for
decades, and shifts will not happen by surprise. The annual reports
from the Pentagon and the Security Review Commission lay out other
possible scenarios for conflict, but in my experience it is rare to
hear U.S. military or diplomatic officials talk about war with China
as a plausible threat. “My view is that the political leadership is
principally focused on creating new jobs inside the country,” I was
told by retired Admiral Mike McConnell, a former head of the National
Security Agency and the director of national intelligence under George
W. Bush. Another former U.S. official put it this way: “We tend to
think of everything about China as being multiplied by 1.3 billion.
The Chinese leadership has to think of everything as being divided by
1.3 billion”—jobs, houses, land. Russell Leigh Moses, who has lived in
China for years and lectures at programs to train Chinese officials,
notes that the Chinese military, like its counterparts everywhere, is
“determined not to be neglected.” But “so many problems occupy the
military itself—including learning how to play the political game—that
there is no consensus to take on the U.S.”
Yes, circumstances could change, and someday there could be a
consensus to “take on the U.S.” But the more you hear about the
details, the harder it is to worry seriously about that now. So why
should we worry? After conducting this round of interviews, I now lose
sleep over something I’d generally ignored: the possibility of a
“cyberwar” that could involve attacks from China—but, alarmingly,
could also be launched by any number of other states and organizations.
The cyber threat is the idea that organizations or individuals may be
spying on, tampering with, or preparing to inflict damage on America’s
electronic networks. Google’s recent announcement of widespread spying
“originating from China” brought attention to a problem many experts
say is sure to grow. China has hundreds of millions of Internet users,
mostly young. In any culture, this would mean a large hacker
population; in China, where tight control and near chaos often
coexist, it means an Internet with plenty of potential outlaws and
with carefully directed government efforts, too. In a report for the
U.S.-China Economic and Security Review Commission late last year,
Northrop Grumman prepared a time line of electronic intrusions and
disruptions coming from sites inside China since 1999. In most cases
it was impossible to tell whether the activity was amateur or
government-planned, the report said. But whatever their source, the
disruptions were a problem. And in some instances, the “depth of
resources” and the “extremely focused targeting of defense engineering
data, US military operational information, and China-related policy
information” suggested an effort that would be “difficult at best
without some type of state-sponsorship.”
The authorities I spoke with pooh-poohed as urban myth the idea that
an electronic assault was behind the power failures that rippled from
the Midwest to the East Coast in August of 2003. By all accounts, this
was a cascading series of mechanical and human errors. But after
asking corporate and government officials what worried them, I learned
several unsettling things I hadn’t known before.
First, nearly everyone in the business believes that we are living in,
yes, a pre-9/11 era when it comes to the security and resilience of
electronic information systems. Something very big—bigger than the
Google-China case—is likely to go wrong, they said, and once it does,
everyone will ask how we could have been so complacent for so long.
Electronic-commerce systems are already in a constant war against
online fraud. “The real skill to running a successful restaurant has
relatively little to do with producing delicious food and a lot to do
with cost and revenue management,” an official of an Internet commerce
company told me, asking not to be named. “Similarly, the real business
behind PayPal, Google Checkout, and other such Internet payment
systems is fraud and risk management,” since the surge of attempted
electronic theft is comparable to the surge of spam through e-mail
networks.
At a dinner in Washington late last year, I listened to two dozen
cyber-security experts compare tales of near-miss disasters. The
consensus was that only a large-scale public breakdown would attract
political attention to the problem, and that such a breakdown would
occur. “Cyber crime is not conducted by some 15-year-old kids
experimenting with viruses,” Eugene Spafford, a computer scientist at
Purdue, who is one of the world’s leading cyber-security figures (and
was at the dinner), told me later via e-mail.
It is well-funded and pursued by mature individuals and groups of
professionals with deep financial and technical resources, often with
local government (or other countries’) toleration if not support. It
is already responsible for billions of dollars a year in losses, and
it is growing and becoming more capable. We have largely ignored it,
and building our military capabilities is not responding to that threat.
With financial, medical, legal, intellectual, logistic, and every
other sort of information increasingly living in “the cloud,” the
consequences of collapse or disruption are unpleasant to contemplate.
A forthcoming novel, Directive 51, by John Barnes, does indeed
contemplate them, much as in the 1950s Nevil Shute imagined the world
after nuclear war in On the Beach. Barnes’s view of the collapse of
financial life (after all, our “assets” consist mostly of notations in
banks’ computer systems), the halt of most manufacturing systems, the
evaporation of the technical knowledge that now exists mainly in the
cloud, and other consequences is so alarming that the book could draw
attention in a way no official report can.
Next, the authorities stressed that Chinese organizations and
individuals were a serious source of electronic threats—but far from
the only one, or perhaps even the main one. You could take this as
good news about U.S.-China relations, but it was usually meant as bad
news about the problem as a whole. “The Chinese would be in the top
three, maybe the top two, leading problems in cyberspace,” James
Lewis, a former diplomat who worked on security and intelligence
issues and is now at the Center for Strategic and International
Studies, in Washington, told me. “They’re not close to being the
primary problem, and there is debate about whether they’re even number
two.” Number one in his analysis is Russia, through a combination of
state, organized-criminal, and unorganized-individual activity. Number
two is Israel—and there are more on the list. “The French are
notorious for looking for economic advantage through their
intelligence system,” I was told by Ed Giorgio, who has served as the
chief code maker and chief code breaker for the National Security
Agency. “The Israelis are notorious for looking for political
advantage. We have seen Brazil emerge as a source of financial crime,
to join Russia, which is guilty of all of the above.” Interestingly,
no one suggested that international terrorist groups—as opposed to
governments, corporations, or “normal” criminals—are making
significant use of electronic networks to inflict damage on Western
targets, although some groups rely on the Internet for recruitment,
organization, and propagandizing.
This led to another, more surprising theme: that the main damage done
to date through cyberwar has involved not theft of military secrets
nor acts of electronic sabotage but rather business-versus-business
spying. Some military secrets have indeed leaked out, the most
consequential probably being those that would help the Chinese navy
develop a modern submarine fleet. And many people said that if the
United States someday ended up at war against China—or Russia, or some
other country—then each side would certainly use electronic tools to
attack the other’s military and perhaps its civilian infrastructure.
But short of outright war, the main losses have come through economic
espionage. “You could think of it as taking a shortcut on the ‘D’ of
R&D,” research and development, one former government official said.
“When you create a new product, a competitor can cherry-pick the good
parts and introduce a competitive product much more rapidly than he
could otherwise.” Another technology expert, who serves on government
advisory boards, told me, when referring to the steady loss of
technological advantage, “We should not forget that it was China where
‘death by a thousand cuts’ originated.” I heard of instances of
Western corporate officials who arrived for negotiations in China and
realized too late that their briefing books and internal numbers were
already known by the other side. (In the same vein: I asked security
officials whether the laptops and BlackBerry I had used while living
in China would have been bugged in some way while I was there. The
answers were variations on “Of course,” with the “you idiot” left
unsaid.)
The final theme was that even though these cyber concerns are not
confined to China, the Chinese aspects do deserve consideration on
their own, because China’s scale, speed of growth, and complex
relationship with the United States make it a unique case. Hackers in
Russia or Israel might be more skillful one by one, but with its huge
population China simply has more of them. The French might be more
aggressive in searching for corporate secrets, but their military need
not simultaneously consider how to stop the Seventh Fleet. According
to Mike McConnell, everything about China’s military planning changed
after its leaders saw the results of U.S. precision weapons in the
first Gulf War. “They were shocked,” he told me. “They had no idea
warfare had progressed to that point, and they went on a crash course
to take away our advantage.” This meant both building their own
information systems—thus China’s aspiration to create a Beidou (the
Chinese name for the Big Dipper) system of satellites comparable to
America’s GPS—and being prepared in time of war to “attack what they
see as our soft underbelly, our military’s dependence on networking,”
as McConnell put it, noting the vast emerging PLA literature on
defending and attacking data networks.
Ed Giorgio, formerly of the NSA, has prepared charts showing the
points of “asymmetric advantage” China might have over the long run in
such competition. Point nine on his 12-point chart: “They know us much
better than we know them (virtually every one of their combatants
reads English and virtually none of ours read Mandarin. This, in
itself, will surely precipitate a massive intelligence failure).” But
James Lewis, of CSIS, pointed out an “asymmetric handicap”: “For all
the effort the Chinese put into cyber competition, external efforts”—
against a potential foe like the United States—“are second priority.
The primary priority is domestic control and regime survival. The
external part is a side benefit.” For many other reasons, the China-
cyber question will, like the China-finance and China-environment and
China-human-rights questions, demand special attention and work.
The implications of electronic insecurity will be with us in the long
run, among the other enduring headaches of the modern age. The
“solution” to them is like the solution to coping with China’s rise:
something that will unfold over the years and require constant
attention, adjustments, and innovations. “Cyber security is a process,
not a patch,” Eugene Spafford said. “We must continue to invest in it—
and for the long term as well as the ‘quick fix,’ because otherwise we
will always be applying fixes too late.”
No doubt because I’ve been so preoccupied for so long with the
implications of China’s growth, I thought I heard a familiar note in
the recommendations that many of the cyber-security experts offered.
The similarity lies in their emphasis on openness, transparency, and
international contact as the basis of a successful policy.
In overall U.S. dealings with China, it matters tremendously that so
many Chinese organizations are led or influenced by people who have
spent time in America or with Americans. Today’s financial, academic,
and business elite in China is deeply familiar with the United States,
many of its members having studied or worked here. They may disagree
on points of policy—for instance, about trade legislation—but they
operate within a similar set of concepts and facts. This is less true
of China’s political leaders, and much less true of its military—with
a consequently much greater risk of serious misunderstanding and
error. The tensest moment in modern China’s security relationship with
the outside world came in January of 2007, when its missile command
shot one of its own weather satellites out of the sky, presumably to
show the world that it had developed anti-satellite weaponry. The
detonation filled satellite orbits with dangerous debris; worse, it
seemed to signal an unprovoked new step in militarizing space. By all
accounts, President Hu Jintao okayed this before it occurred; but no
one in China’s foreign ministry appeared to have advance word, and for
days diplomats sat silent in the face of worldwide protests. The PLA
had not foreseen the international uproar it would provoke—or just
didn’t care.
Precisely in hopes of building familiarity like that in the business
world, the U.S. Navy has since the 1980s taken the lead in military-to-
military exchanges with the PLA. “I think both sides are trying to
figure out what kind of a military-to-military relationship is
feasible and proper,” David Finkelstein, of the Center for Naval
Analyses, in suburban Washington, D.C., told me. “We have two
militaries that, in some circumstances, see each other as possible
adversaries. At the same time, at the level of grand strategy, the two
nations are trying to accommodate each other. There is a major chasm,
but both sides are working hard to bridge it.” Such exposure obviously
doesn’t eliminate the real differences of national interest between
the two countries, but I believe it makes outright conflict less likely.
A similar high-road logic seems to lie behind recommendations for
cyber security in general, and for dealing with the Chinese cyber
threat in particular. The NSA, which McConnell directed and where
Giorgio worked, is renowned for its secrecy. But both men, along with
others, now argue that to defend information networks, the U.S. should
talk openly about risks and insecurities—and engage the Chinese
government and military in an effort to contain the problem.
As a matter of domestic U.S. politics, McConnell argues that we now
suffer from a conspiracy of secrecy about the scale of cyber risks. No
credit-card company wants to admit how often or how easily it is
cheated. No bank or investment house wants to admit how close it has
come to being electronically robbed. As a result, the changes in law,
regulation, concept, or habit that could make online life safer don’t
get discussed. Sooner or later, the cyber equivalent of 9/11 will occur
—and, if the real 9/11 is a model, we will understandably, but
destructively, overreact.
While trying to build bridges to the military, McConnell and others
recommend that the U.S. work with China on international efforts to
secure data networks, comparable to the Chinese role in dealing with
the world financial crisis. “You could have the model of the
International Civil Aviation Organization,” James Lewis said, “a body
that can reduce risks for everyone by imposing common standards. It’s
moving from the Wild West to the rule of law.” Why would the Chinese
government want to join such an effort? McConnell’s answer was that an
ever-richer China will soon have as clear a stake in secure data
networks as it did in safe air travel.
We’re naturally skeptical of abstractions like “cooperation” or
“greater openness” as the solutions to tough-guy, real-world
problems. But in making the best of a world that will inevitably be
changed by increasing Chinese power and increasing electronic threats
from many directions, those principles may offer the right, realistic
place to start.
The URL for this page is http://www.theatlantic.com/doc/201003/china-cyber-war
More information about the Infowarrior
mailing list