11 July 2017

BEIJING’S VIEWS ON NORMS IN CYBERSPACE AND CYBER WARFARE STRATEGY PT. 2

By LCDR Jake Bebber 

The following is a two-part series looking at PRC use of cyberspace operations in pursuit of its national strategies and the establishment of the Strategic Support Force. Part 1 considered the centrality of information operations and information war to the PRC’s approach toward its current struggle against the U.S. Part 2 looks at the PRC’s use of international norms and institutions in cyberspace, and possible U.S. responses.

Cyber-Enabled Public Opinion and Political Warfare

Many American planners are carefully considering scenarios such as China making a play to force the integration of Taiwan, seize the Senkaku Islands from Japan, or seize and project power from any and all claimed reefs and islands in the South China Sea. Under these scenarios we can expect preemptive strikes in the space and network domains in an attempt to “blind” or confuse American and allied understanding and establish a fait accompli. This will, in Chinese thinking, force the National Command Authority to consider a long and difficult campaign in order to eject Chinese forces, and the CCP is placing a bet that American decision makers will choose to reach a political accommodation that recognizes the new “facts on the ground” rather than risk a wider military and economic confrontation.

The role of public opinion warfare may be an integral component of future crisis and conflict in Asia. Well in advance of any potential confrontation, Chinese writing emphasizes the role of “political warfare” and “public opinion warfare” as an offensive deterrence strategy. China will seek to actively shape American, allied, and world opinion to legitimize any military action the CCP deems necessary. We might see cyber-enabled means to “incessantly disseminate false and confused information to the enemy side … through elaborate planning [in peacetime], and [thereby] interfere with and disrupt the enemy side’s perception, thinking, willpower and judgment, so that it will generate erroneous determination and measures.”1 China may try to leverage large populations of Chinese nationals and those of Chinese heritage living outside China as a way to influence other countries and generate new narratives that promote the PRC’s position. Consider, for example, how Chinese social media campaigns led to the boycotts of bananas from the Philippines when it seized Scarborough Reef, or similar campaigns against Japanese-made cars during its ongoing territorial dispute over the Senkaku Islands. Most recently, Lotte Duty Free, a South Korean company, suffered distributed denial-of-service attacks from Chinese IP servers – almost certainly a response to South Korea’s recent decision to host the THAAD missile defense system.

It is also critical to recognize China’s understanding and leverage of the American political, information, and economic system. Over decades, China has intertwined its interests and money with American universities, research institutes, corporate institutions, media and entertainment, political lobbying, and special interest organizations. This has had the effect of co-opting a number of institutions and elite opinion makers who view any competition or conflict with China as, at best, detrimental to American interests, and at worst, as a hopeless cause, some going so far as to suggest that it is better for the U.S. to recognize Chinese primacy and hegemony, at least in Asia, if not worldwide. Either way, China will maximize attempts to use cyber-enabled means to shape American and world understanding so as to paint China as the “victim” in any scenario, being “forced” into action by American or Western “interference” or “provocation.”

What can the U.S. do to Enhance Network Resilience?

One of the most important ways that network resiliency can be addressed is by fundamentally changing the intellectual and conceptual approach to critical networks. Richard Harknett, the former scholar-in-residence at U.S. Cyber Command, has suggested a better approach. In a recent issue of the Journal of Information Warfare, he points out that cyberspace is not a deterrence space, but an offense-persistent environment. By that he means that it is an inherently active, iterative, and adaptive domain. Norms are not established by seeking to impose an understood order (such as at Bretton Woods) or through a “doctrine of restraint,” but rather through the regular and constant interactions between states and other actors. Defense and resiliency are possible in this space, but attrition is not. Conflict here cannot be contained to “areas of hostility” or “military exclusion zones.” No steady state can exist here—every defense is a new opportunity for offense, and every offense generates a new defense.2

Second, the policy and legal approach to network resiliency must shift from a law enforcement paradigm to a national security paradigm. This paradigm is important because it affects the framework under which operations are conducted. The emphasis becomes one of active defense, adaptation, identification of vulnerabilities and systemic redundancy and resilience. A national security approach would also be better suited for mobilizing a whole-of-nation response in which the government, industry, and the population are engaged as active participants in network defense and resiliency. Important to this is the development of partnership mechanisms and professional networking that permit rapid sharing of information at the lowest level possible. Major telecommunications firms, which provide the infrastructure backbone of critical networks, require timely, actionable information in order to respond to malicious threats. Engagement with the private sector must be conducted in the same way they engage with each other – by developing personal trust and providing actionable information.

Network hardening must be coupled with the capabilities needed to rapidly reconstitute critical networks and the resiliency to fight through network attack. This includes the development of alternative command, control, and communication capabilities. In this regard, the military and government can look to industries such as online retail, online streaming, and online financial networks (among others) that operate under constant attack on an hourly basis while proving capable of providing on-demand service to customers without interruption. Some lessons might be learned here. 

Third, new operational concepts must emphasize persistent engagement over static defense. The United States must have the capacity to contest and counter the cyber capabilities of its adversaries and the intelligence capacity to anticipate vulnerabilities so we move away from a reactive approach to cyber incidents and instead position ourselves to find security through retaining the initiative across the spectrum of resiliency and active defensive and offensive cyber operations.

Congressional Action and Implementing a Whole-of-Government Approach

There are five “big hammers” that Congress and the federal government have at their disposal to effect large changes – these are known as the “Rishikof of Big 5” after Harvey Rishikof, Chairman of the Standing Committee on Law and National Security for the American Bar Association. These “hammers” include the tax code and budget, the regulatory code, insurance premiums, litigation, and international treaties. A comprehensive, whole-of-nation response to the challenge China represents to the American-led international system will require a mixture of these “big hammers.” No one change or alteration in Department of Defense policy toward cyberspace operations will have nearly the impact as these “hammers.”3

The tax code and budget, coupled with regulation, can be structured to incentivize network resiliency and security by default (cyber security built into software and hardware as a priority standard), not only among key critical infrastructure industries, but among the population as a whole to include the telecommunication Internet border gateways, small-to-medium sized Internet service providers, and information technology suppliers. Since the federal government, Defense Department, and Homeland Security rely largely on private industry and third-party suppliers for communications and information technology, this would have the attendant effect of improving the systems used by those supporting national security and homeland defense. The key question then is: how can Congress incentivize network resiliency and security standards, to include protecting the supply chain, most especially for those in industry who provide goods and services to the government?

If the tax code, budget, and regulation might provide some incentive (“carrots”), so too can they provide “sticks.” Litigation and insurance premiums can also provide similar effects, both to incentivize standards and practices and discourage poor cyber hygiene and lax network security practices. Again, Congress must balance the “carrots” and “sticks” within a national security framework.

Congress might also address law and policy which permits adversary states to leverage the American system to our detriment. Today, American universities and research institutions are training China’s future leaders in information technology, artificial intelligence, autonomous systems, computer science, cryptology, directed energy and quantum mechanics. Most of these students will likely return to China to put their services to work for the Chinese government and military, designing systems to defeat us. American companies hire and train Chinese technology engineers, and have established research institutes in China.4 The American taxpayer is helping fund the growth and development of China’s military and strategic cyber forces as well as growth in China’s information technology industry.

Related specifically to the Department of Defense, Congress should work with the Department to identify ways in which the services man, train, and equip cyber mission forces. It will have to provide new tools that the services can leverage to identify and recruit talented men and women, and ensure that the nation can benefit long-term by setting up appropriate incentives to retain and promote the best and brightest. It will have to address an acquisition system structured around platforms and long-term programs of record. The current military is one where highly advanced systems have to be made to work with legacy systems and cobbled together with commercial, off-the-shelf technology. This is less than optimal and creates hidden vulnerabilities in these systems, risking cascading mission failure and putting lives in jeopardy.

Finally, Congress, the Department of Defense, and the broader intelligence and homeland security communities can work together to establish a center of excellence for the information and cyber domain that can provide the detailed system-of-systems analysis, analytic tools, and capability development necessary to operate and defend in this space. Such centers have been established in other domains, such as land (e.g., National Geospatial Intelligence Agency), sea (e.g., Office of Naval Intelligence) and air and space (e.g., National Air and Space Intelligence Center).

Conclusion

It is important to understand that this competition is not limited to “DOD versus PLA.” The U.S. must evaluate how it is postured as a nation is whether it is prepared fight and defend its information space, to include critical infrastructure, networks, strategic resources, economic arrangements, and the industries that mold and shape public understanding, attitude, and opinion. It must decide whether defense of the information space and the homeland is a matter of national security or one of law enforcement, because each path is governed by very different approaches to rules, roles, policies, and responses. Policymakers should consider how to best address the need to provide critical indications, warnings, threat detection, as well as the system-of-systems network intelligence required for the U.S. to develop the capabilities necessary to operate in and through cyberspace. For all other domains in which the U.S. operates, there is a lead intelligence agency devoted to that space (Office of Naval Intelligence for the maritime domain, National Air and Space Intelligence Center for the air and space domains, etc.).

It must always be remembered that for China, this is a zero-sum competition – there will be a distinct winner and loser. It intends to be that winner, and it believes that the longer it can mask the true nature of that competition and keep America wedded to its own view of the competition as a positive-sum game, it will enjoy significant leverage within the American-led system and retain strategic advantage. China is pursuing successfully, so far, a very clever strategy of working through the system the U.S. built in order to supplant it – and much of it is happening openly and in full view. This strategy can be countered in many ways, but first the U.S. must recognize its approach and decide to act.

No comments: