Thoughts on USG Candor to China on Cyber

Paul is skeptical about the USG's unilateral briefing to Chinese officials on some of its cyber operations and doctrines that David Sanger discloses in the NYT.  He argues that China is unlikely to reciprocate, he doubts the usefulness of the unilateral disclosure, and he wonders why the USG does not share the information with the American public.  I think the matter is more complex. First, it may be (as I have long argued) that greater candor by the USG vis a vis China is a necessary precondition to genuine progress on the development of norms for cyberoperations – both exploitation and attack.  Unless we can credibly convey what we are doing and what we might do (and not do) in certain cyber situations, our adversaries will assume the worst and (a) invest in their own cyber programs to keep up – a classic arms race situation, and/or (b) interpret particular cyberoperations in a risk-averse fashion, in their least charitable light, which might induce unwarranted escalation in those contexts.  Our adversaries will rationally assume the worst because, despite USG claims about its responsible use of cyber exploitations and attacks, the news is filled with reports about prodigious USG cyber-operations and aggressive plans in this realm.  Indeed, as Sanger notes: “The Pentagon plans to spend $26 billion on cybertechnology over the next five years — much of it for defense of the military’s networks, but billions for developing offensive weapons — and that sum does not include budgets for the intelligence community’s efforts in more covert operations.  It is one of the few areas, along with drones and Special Operations forces, that are getting more investment at a time of overall Pentagon cutbacks.” Second, Paul is right to be skeptical about reciprocity by China.  But it sounds like the United States didn’t give up much new information on U.S. doctrine for the use of cyberweapons.  (Sanger states that “elements of the doctrine can be pieced together from statements by senior officials and a dense “Presidential Decision Directive” on such activities signed by Mr. Obama in 2012.”)   More importantly, the United States can in theory benefit from unilateral disclosure of doctrine and weapons capabilities even if China doesn’t reciprocate, for the unilateral disclosure might assist China in interpreting, and not misinterpreting, USG actions in the cyber realm – all to the USG’s advantage.  As Sanger says, “American officials say their latest initiatives were inspired by Cold-War-era exchanges held with the Soviets so that each side understood the “red lines” for employing nuclear weapons against each other.”  In theory, unilateral information disclosure to China about the nature of USG cyberoperations can help China interpret USG actions properly, and can thereby help tamp down on the possibility of mistaken escalation by China; and the USG might also in this manner help China to see the benefits to itself in disclosure to the USG. That said, and third, I have a hard time understanding how the USG can convey anything credible to China about what it does in the cyber realm, what its doctrines are, what it might do in certain cyber situations, and when and why certain cyber operations should be viewed as threatening.  Why would Chinese officials believe anything in the briefing?  (And why would we believe anything that China says if it purported to reciprocate?)  Conveying credible information about military doctrines and limits on the nature, use, and developments of offensive weapons is a notoriously difficult problem in traditional arms situations.  But the attribution and verification problems are significantly more difficult in the cyber context, and thus credibility is much harder to establish.  How to establish a verification regime for cyber?  How can a nation credibly demonstrate limits?  I have no idea, other than by allowing the adversary to live in one’s networks. Fourth, Paul says: “if we are briefing the PLA, perhaps we might share the same briefing with the US public?”  As noted above, a good bit of the information may already be public for those paying attention.  But more significantly, the USG might have reasons to tell China, a uniquely threatening cyber power, about certain red lines, even while keeping those red lines (and related information) secret from other adversaries – something that is impossible if the government informs the American public.