A Deepening U.S.-China Cybersecurity Dilemma

In Lawfare on Oct. 19, Chinese cybersecurity analyst Lyu Jinghua (吕晶华) offered a thoughtful critique of the 2018 Department of Defense Cyber Strategy, an unclassified seven-page summary of which was released publicly on Sept. 18. Lyu observes that the new strategy marks a break from previous such documents in that it lists China first among the group of four “States that can pose strategic threats to U.S. prosperity and security” (in addition to Russia, North Korea, and Iran). In the context of rapidly deteriorating U.S.-China relations, Lyu explains, “even a ‘minor’ change like this … sends the Chinese government a signal that America views China as a potential adversary.” The United States, Lyu argues, “is consistently critical of China’s cyber security measures and hypes China up as a cyber threat.”

In her view, this assessment of the strategic environment animates the Pentagon’s recent shift to an approach that, according to the Defense Department’s summary, “will defend forward to disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict.” The approach, although not entirely new, seems to be oriented toward giving the U.S. military greater freedom of action. It is likely a response to the often-expressed concern that statutory authorities have limited U.S. Cyber Command’s capacity to interdict foreign threats outside combat zones.

We think the combination of the Pentagon’s strategy and Lyu’s critique is particularly interesting. It shows a deepening cybersecurity dilemma—a topic one of us (Buchanan) has written about at length—between the United States and China. A variant on the classic security dilemma, the cybersecurity dilemma is the notion that as one nation takes steps to defend itself in cyberspace, it inadvertently threatens other nations with what appears to be offensive action. The dilemma can work on both strategic and operational levels. Strategically, one nation’s development of additional cyber capabilities and loosening of authorities can be seen by other nations as an unavoidable threat. Operationally, a practice of “defending forward” can look a lot like attacking forward when one is on the receiving end of a hacking operation.

Lyu cautions that the Pentagon’s shift to a more offensive posture as outlined in the Cyber Strategy will induce anxiety in other countries and carries potential risks of conflict escalation. She uses language that strongly fits with the logic of the cybersecurity dilemma:

Interactions in cyberspace can foster trust and cooperation, but they also have the potential to provoke suspicion, competition and conflict. Alarmingly, the latest Defense Department document lists “defend forward, shape the day-to-day competition, and prepare for war” as the Pentagon’s priorities and “building a more lethal joint force” as the first approach the department will take. In the meantime, terms like “mitigate risks” and “control conflict escalation,” which were used in the previous two reports, have disappeared from the latest report.

Other countries will likely feel anxious about their own cybersecurity if they see that the most powerful cyber force is committed to building more forces and pursuing a more offensive posture, even though some Americans may understand the Defense Department as, itself, responding to the aggressive postures of other states. This increased insecurity and heightened suspicion are particularly dangerous in cyberspace, because operations there are more apt to lead to unintentional crisis and escalation.

Lyu is right that a more proactive U.S. policy is taking on some risks and might impair stability. However, we find her assessments of the broader situation—-that is, why the United States has chosen to adopt this policy—less persuasive. The deepening cybersecurity dilemma is due not just to American action. It is in part due to threats the United States perceives from China, a topic her account largely glosses over.

Make no mistake: The Defense Department chose to pursue a more aggressive course of action because of the failure of previous efforts at establishing a status quo it finds acceptable. The 2015 agreement between the United States and China on commercial cybertheft seems to have failed to appreciably slow the widespread hacking of American targets by state-affiliated Chinese operators, though it may have caused them to increase their operational security in a bid to evade detection. Much-discussed U.S. steps aimed at establishing deterrence, such as indicting Chinese military hackers and threatening sanctions, likewise seem to have had minimal effect. Numerous reports have outlined the costs of continued Chinese cyber activity to U.S. economic and strategic interests. With diplomacy and deterrence not working as well as the Pentagon would like, disruption of malicious cyber activity has become an option that is attractive to policymakers, even if it carries risks of its own. Michael Sulmeyer has written persuasively about the need for such disrupt-and-degrade operations to complement other government efforts.

China is also not satisfied with the status quo, as Lyu’s piece suggests. There can be little doubt that the U.S. intelligence community also hacks Chinese targets for reasons that go beyond defense and disruption. China likely sees U.S. cyber activities—whether intended to be defensive or offensive—as intrusive and threatening. It may well launch hacking operations to attempt to disrupt American efforts; despite Lyu’s assertion that China’s concept of “active defense” is a “military strategic guideline … rather than an operational concept,” we would be surprised if the Chinese government did not pursue efforts that aim to disrupt other nations’ hacking capabilities.

Indeed, China’s 2015 National Defense White Paper characterizes the PLA’s approach to “active defense” as, among other things, “adherence to the unity of strategic defense and operational and tactical offense.” Given this doctrinal context, Lyu’s attempt to distinguish “preemption” from “retaliation” fails to recognize the structural blurriness of such distinctions in the cyber domain. American policymakers are likely to find the distinction meaningless, just as Chinese policymakers will probably fail to appreciate areas in which the United States thinks it limits its aggressiveness.

What are the prospects for mitigating this version of the cybersecurity dilemma? Lyu makes an important case for the wisdom of self-restraint through adherence to norms of responsible state behavior in cyberspace, specifically highlighting the norm-setting process of the U.N. Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (GGE). While we applaud her focus, we are less optimistic that the GGE forum will prove useful, in part because there remain serious questions about the Chinese government’s participation in international norm-building efforts. Michael Schmitt and Liis Vihul have observed that China is one of three state-parties, along with Cuba and Russia, whose recalcitrance led to the collapse of the latest round of the GGE in June 2017. At that meeting, Chinese representatives reportedly objected to acknowledging three foundational legal principles of state conduct in cyberspace, including the right of self-defense under the UN Charter, the right to respond to internationally wrongful acts, and the applicability of international humanitarian law to cyberspace—leading to blistering criticism from the U.S. State Department’s deputy coordinator for cyber issues.

Similarly, even where cyber norms have been established—as occurred in earlier rounds of the GGE or through the 2015 U.S.-China agreement on commercial cybertheft—considerable questions of interpretation linger. As one of us (Williams) has argued previously, achieving common understanding on definitions of cyber norms is a particular challenge given the embedded and intertwined nature of the Communist Party-state in China’s economy and the expansive conception of national security reflected in Chinese law and policy. This challenge of norm-construction is underscored by recent evidence suggesting that China is either flouting the 2015 cybertheft agreement or exploiting its ambiguities.

Toothless norms do little to mitigate any security dilemma, and the cybersecurity dilemma is no exception. Consequently, as Michèle Flournoy and Michael Sulmeyer have argued, durable norms require a “coalition of like-minded states willing not just to sign on to [cybersecurity] norms but also to impose serious economic and political costs on those who violate them.” Talk is cheap.

For all the dangers of the cybersecurity dilemma, the United States and China do have areas of mutual interest in the digital domain. For example, they share interests in the integrity and stability of the global financial system, in not being misled into great-power conflict with one another by a third-party malefactor, in not letting cyber weapons get into the hands of malicious non-state actors, in better understanding how each side approaches cyber-policy questions such as the definitions of “armed conflict” or “critical infrastructure,” and in cooperating to combat transnational cybercrime. Given the enormous stakes, U.S. and Chinese stakeholders must not allow the recent deterioration in U.S.-China relations to halt efforts to advance these common goals.

For areas where their respective interests do seem to diverge, however, both the United States and China would do well to recognize the dangers of the cybersecurity dilemma. U.S. policymakers must remain keenly attentive to potential escalation risks associated with the Department of Defense’s defend-forward strategy; Chinese policymakers must recognize that their actions are hardly blameless, and that American mistrust is high after the apparent failures of the 2015 agreement and the GGE process. There is too much at stake for both nations to permit a slide into still-greater tension and conflict—especially a conflict no one wants.