Both the 2015 National Security Strategy and 2015 Department of Defense Cyber Strategy state that the United States desires to “deter” or “prevent” China from using cyberspace to conduct malicious activity. To achieve these ends, the United States may consider employing tactics that have the following desired outcomes:
• Build up Chinese confidence that they are achieving their goals and devote resources to attacking networks where the United States wants them to be.
• Increase ambiguity in China’s understanding of the information they are able to acquire.
• Introduce doubt into China’s belief that it has the ability to disrupt U.S. information networks.
• Force China to expend more resources focused inward to controlling information within China that threatens Communist Party control.
Unlike the other domains, cyberspace is entirely man-made and the physical properties that characterize it can be altered, almost at will and instantaneously. Traditional geographic constraints do not apply, and we can alter the cyber strategic geography to reinforce American competitive advantages.
For example, many U.S. networks that interest Chinese cyber forces reside on public and commercial Internet service provider (ISP) backbones, such as those owned by Verizon and AT&T, and use commercially available equipment, such as Cisco routers. We like to think of “cyberspace” or “the Internet” as being a “global commons,” but nearly all the physical infrastructure and equipment are privately owned and subject to manipulation. The information travels on electrons, which can also be manipulated.
The United States might develop alternative information pathways and networks, perhaps solely owned and operated by the government or military and not connected to the public ISP backbone. By keeping the existence of a separate network a secret, China may continue to devote resources to attacking and exploiting existing government networks residing on public ISPs. Alternatively, the United States could permit China to acquire access to this surreptitious network in order to feed it deceptive information. In either case, the Chinese regime’s confidence in its ability to disrupt or deceive U.S. information networks could be placed in doubt at a time of our choosing.
Existing information networks could be made more resilient. Peter Singer recommends that we think about resilience in terms of both systems and organizations. He identifies three elements underpinning resiliency: the capacity to work under degraded conditions, the ability to recover quickly if disrupted, and the ability to “learn lessons to better deal with future threats.”[1]
The DOD also should play a role by establishing more consistent network security standards. Cleared defense contractors such as Lockheed Martin, Northrop Grumman, and Boeing are priority targets for espionage. The DOD can leverage its buying power to mandate accountability, not only for the products developed by the contractors but also for the security of the information networks they use. It can work to bring “transparency and accountability to the supply chain,” to include using agreed-upon standards, independent evaluation, and accreditation and certification of trusted delivery systems. It should address supply-chain risk mitigation best practices to all contracting companies and the Department.[2] These principles should be applied to our national critical infrastructure. Resiliency, risk mitigation, and security can reduce China’s confidence that it can execute sabotage or offensive deterrence.
Another tactic might be to develop capabilities that permit the United States to execute cyber blockades or create cyber exclusion zones. A cyber blockade is a “situation rendered by an attack on cyber infrastructure or systems that prevents a state from accessing cyberspace, thus preventing the transmission (ingress/egress) of data beyond a geographical boundary.” Alison Lawlor Russell has researched the potential of blockades, examining case studies of Russian attacks on Georgia in 2008 and Estonia in 2012, and comparing them to more traditional maritime blockades and “no fly zones.” She notes that it is a “legitimate tool of international statecraft . . . consistent with other types of blockades” and can be, though not always, considered an act of war.[3] Cyber exclusion zones seek to deny a specific area of cyberspace to the adversary, sometimes as a form of self-defense.[4]
As previously stated, China’s information strategy is designed to ensure regime survival. It has erected a massive information control system to monitor, filter, and control information within China and between China and the world. It spends more money and resources on domestic security and surveillance than on its army.[5] Clearly, in the minds of those controlling the Chinese Communist Party, information control is a critical vulnerability. Therefore, tactics that keep China focused inward are advantageous. The United States might invest in technologies that can be easily inserted into the Chinese market and encrypt communication or permit Chinese users to bypass government monitors. Targeting China’s information control regime should align with current and historic cultural themes. Sophisticated highlighting of these issues puts pressure on the Communist Party.
We need to better integrate the growth in advanced technology into planning, not just acquisition. We need to consider the impact of dual-use technology and its proliferation worldwide, not just to China. We must consider the implications of Chinese information technology companies providing goods and services in the United States (and our allies and partners)—especially to the U.S. government. The DOD should develop human capital investment strategies that leverage America’s strengths, and consider new ways to recruit, train, and keep the best and brightest in the military, intelligence, and national security communities.
2. Ibid., 202–205.
3. Alison Lawlor Russell, Cyber Blockades (Washington, DC: Georgetown University Press, 2014), 144–45.
4. Ibid., 146–47.
5. Amy Chang, “Warring State: China’s Cybersecurity Strategy” (Washington, DC: Center for a New American Security, 2014).