Cyberwar and the Deterrence Calculus: Assessing a U.S.-China Balance in the Digital Realm

Cyberwar and the Deterrence Calculus Assessing a U.S.-China Balance in the Digital Realm Julia Yrani & William Handel Dr. Phillip Karber - GOVT451 12/26/2012


http://www.asianarmscontrol.org/


Introduction

Former Director of National Intelligence (DNI) Mike McConnell worries that the United

States is ‘losing the cyber war.’1 “Cyber Pearl Harbor”2 and “Digital 9/11”3 are supposedly

threats forecasted upon our nation by the highest echelons of policy-making. China is almost

exclusively pinpointed as the culprit that, by leap-frogging developmental stages in this new

domain of conflict, will be able to overcome the détente long enforced by traditional kinetic (not

to mention nuclear) means and exact dreadful vengeance upon our military establishment and

critical infrastructure. Admittedly, the introduction of cyber-war does disturb the military

balance as it would have existed in centuries past, but to exactly what extent has not been

conclusively studied. This paper will analyze this balance – as it exists between China and

the United States in the age of cyber-war – and place the issue in historical, doctrinal, and

topographical context. It will attempt to define what a cyber-war would look like in the event

that one did occur, and conclude that, despite affording the PRC inherent advantages, this new

terrain (and the opposing capabilities of the United States and China therein) will not sufficiently

shift the balance of power to render traditional, systemic deterrence obsolete.

A History of Conflict

Within the policy world there has been significant speculation over a potential

confrontation of cyber capabilities between the United States of America and the People’s

Republic of China. This concern is not entirely unfounded. Over the past decade, as the digital

arsenals of militaries and private groups around the world have exponentially expanded and

increased in potency, numerous cyber ‘attacks’ have been reported by the United States

government, the media, and the private sector; more often than not, the prime culprit for the

attacks is speculated to be China’s People’s Liberation Army, whether directly or indirectly.

The United States-China Economic and Security Review Commission (USCC) estimates that

there are as many as 250 distinct hacker groups within China that are capable of effectively

1 Mike McConnell, “Mike McConnell on how to win the cyber-war we're losing,” Washington Post, (28 February 2010), <http://www.cyberdialogue.ca/wp-content/uploads/2011/03/Mike-McConnell-How-to-Win-the-Cyberwar-Were-Losing.pdf> [accessed 20 December 2012].

2 Elisabeth Bumiller and Thom Shanker, “Panetta Warns of Dire Threat of U.S. Cyberattack,” New York Times, <http://www.nytimes.com/2012/10/12/world/panetta-warns-of-dire-threat-of-cyberattack.html?pagewanted=all&_r=0> [accessed 20 December 2012].

3 Jason Healey, “Preparing for a Cyber 9/12,” The Atlantic Council, <http://www.acus.org/files/publication_pdfs/403/060112_ACUS_Cyber912.pdf> [accessed 20 December 2012].

 


attacking U.S. servers and networks. This body, and many other policy experts and government

officials, believe that these intrusions and ‘attacks’ are done at the urging of the PLA, or at the very

least tacitly encouraged.4

According to security expert Bruce Schneier, primarily “young, male, patriotic Chinese

citizens demonstrating they’re as good as everyone else” carry out these incursions into

American domains. They sell their tools and techniques, as well as data ‘exfiltrated’ from

compromised sources to the highest bidder. That said, they fit well into the PLA’s strategy of

‘informationalization’ by allowing the key terrain of conflict to shift away from the kinetic

realms in which the United States maintains a clear upper hand. As the PLA treats cyber as a

‘leapfrog technology,’ they view these hacker groups as a breeding ground for strategy –

adopting many of their tactics, recruiting from their member bases, and exploiting the

vulnerabilities they expose. This, according to Schneier, could present an even more serious

threat to U.S. national security than conventional adoption strategies, because the long-leash

afforded to these largely autonomous groups ensures that there is no possibility of entirely

centralized coordination, standardization of protocol, or ‘rational actor’ mentality in place.5

Because, at a larger scale, norms and rules of engagement do not exist, this tactic may persist;

China and Chinese nationals can continue to use U.S. networks to steal intellectual property (IP)

and conduct economic, political, and military espionage, creating a deficit on the U.S. cyber

balance sheet of up to $13 billion a year.6

China’s attempts (of both the passive and active variety) to cultivate a hacker culture and

crowd-source cyberwarfare strategies in a way discouraged by the United States7 have led to

significant documentation of their ventures into blurry areas of foreign aggression. While attacks

can never be successfully attributed to the upper echelons of the PLA, continuous incursions

4 “Capability of the People’s Republic of China to Conduct Cyber Warfare and Computer Network Exploitation,” (prepared for The U.S.-China Economic and Security Review Commission by Bryan Krekel; McLean, Virginia, October 2009). This report contains a detailed account of the interplay between Chinese hacker groups and the government.

5 Bruce Schneier, “Chinese Cyber Attacks: Myth or Menace,” (July 2008) <http://www.schneier.com/essay-227.html> [accessed 20 December 2012].

6 Justin Rohrlick, “Chinese Cyber Warfare: Has the U.S. Found its Smoking Gun?” Minyanville, (08 November 2012) <http://www.minyanville.com/sectors/technology/articles/china-cyber-warfare-report-cyber-attacks/11/8/2012/id/45654?page=full> [accessed 20 December 2012].

7 Nathan Thornburgh, “The Invasion of the Chinese Cyberspies,” Time Magazine, (29 August 2005) <http://www.time.com/time/magazine/article/0,9171,1098961-1,00.html> [accessed 20 December 2012]. This article details the plight of Shawn Carpenter, an employee of Sandia, who was encouraged by the FBI to follow leads on Chinese hackers in conjunction with Titan Rain, only to be fired from his job and blocked out by the IC for engaging in illegal activity.

 


over the years traced back to consistent servers in China lead many to assume that these

connections must exist. U.S. government offices and private contractors are continuously subject

to probing and exfiltration attempts by sources largely linked back to sovereign Chinese territory

(see Figure 1).8 Of these, a few have stood out as particularly suspect.

Largely occurring between 2003 and 2006, the sustained assault on U.S. defense

contractors labeled as ‘Titan Rain’ was traced back to suspected PLA servers in Guangdong and

was responsible for tens of thousands of classified military documents pertaining to aviation and

missile command being compromised from U.S. affiliates including Lockheed Martin, Sandia

National Laboratories, Redstone Arsenal, and NASA.9 In 2009, a different capability of the

supposed Chinese cyber-threat was laid bare with the discovery of ‘GhostNet,’ a large-scale and

widespread spying operation in which malware-laden attachments dropped a Trojan into the

servers of governmental organizations and foreign ministries, and downloaded a program called

‘gh0st_rat’ that granted hardware utilization capabilities (including video camera and recording

functionality) to a command and control interface traced back to China. The most conclusive

connection to-date between such espionage efforts and China has been through work done on

analyzing another rash of cyber-attacks – this time on oil, energy, and petrochemical companies

8 Source: USCC report.

9 Richard Norton-Taylor, “Titan Rain – how Chinese hackers targeted Whitehall,” The Guardian, (4 September 2007) <http://www.guardian.co.uk/technology/2007/sep/04/news.internet> [accessed 20 December 2012].

 


– known as ‘Night Dragon,’ in which certain individuals with ties to the military and government

infrastructure were tentatively identified.10

Figure 2:

Perhaps the most well-known of these assaults, ‘Operation Aurora,’ targeted Google and

as many as 34 other companies between 2009 and 2010, exploiting backdoors installed in their

programs to comply with U.S. surveillance regulations in order to compromise their security.11 It

is speculated that political motivations may have prompted these attacks (they occurred right

around a spat between Google and the Chinese government over user privacy rights and had

prompted Google to threaten to leave China altogether), which gained access to Google servers,

10 This McAfee report details the entire attribution process behind the uncovering of Night Dragon. <http://www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf>

11 Bruce Schneier, “U.S. Enables Chinese Hacking of Google,” (23 January 2010) <http://www.schneier.com/essay-306.html> [accessed: 20 December 2012].

 


modified source code repositories using zero day vulnerabilities, stole IP, and accessed both the

email and bank accounts of Chinese dissidents.12 The group behind Aurora has remained active

to a frightening degree, exploiting eight zero days in the past three years, with speculation that it

is hoarding many more to use as part of ‘digital cascade’ assaults later. It has expanded its

intrusion capabilities from solely ‘Spear Phishing’ (malware and authentication-error delivery

vectors) to ‘Watering Hole’ methods as well (lying in wait on websites the target frequents). This

capacity for attacks with multiple zero days, multiple Trojans, and multiple delivery vectors is

run off of a consistent service known as the ‘Elderwood platform’ (see Figure 2 for platform

detail)13 and allows for attacks to be sustained and directed for much longer periods of time.14

This continuous intrusion is not letting up any time soon. Shaoxing, China has been

denoted the ‘world hacker hub,’ with 21.3% of the world’s malicious emails stemming from the

province alone. Advanced schematics on the design of the United States’ highly advanced F-35

joint strike fighter have also been said to have been recently compromised by the Chinese.15 That

said, the United States could not be said to be innocent in all of this. Indeed, many suspect that

Chinese manipulations of U.S. satellite trajectory and other defense capabilities are a response to

American-based espionage attempts. Through its military and civilian networks, the United

States is presumed to also have immense offensive capabilities to disable enemy telecoms, power

grids, rail systems, and air defense. In fact, it is likely that the U.S. has already infiltrated

thousands of networks, and set up ‘trap doors’ for easy access and ‘logic bombs,’ software

capable of wiping an entire network clean, in case such capacity is needed.16 Such retaliatory

potential should be remembered when taking stock of the deterrence and response metrics

employed by this systemic analysis.

12 Richard Adhikari, “In Google Attack Aftermath, Operation Aurora Keeps on Hacking,” Tech News World, (08 September 2012), <http://www.technewsworld.com/story/76109.html> [accessed: 20 December 2012].

13 Source: Symantec report.

14 Full details on the capabilities of this platform and its signatures can be found through this Symantec report: “The Elderwood Project,” <https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf>.

15 Jason Healey, “The F-35’s Cyber Death Spiral?” The New Atlanticist, (29 March 2012), <http://www.acus.org/new_atlanticist/f-35s-cyber-death-spiral> [accessed: 20 December 2012].

16 Richard Clarke, “War from Cyberspace,” The National Interest, (November/December 2009): 33-34.

 


Topography in the Cyber Realm

With regards to the above Chinese ‘cyberattacks,’ the majority can be described as

examples of Advanced Persistent Threat (APT)-based incursions, having quite lengthy life-

cycles and goals that require a significant amount of round-the-clock effort (see Figure 3 for a

visual).17 However, in regards to the realms of possible uses of APT, they are largely confined to

the first and most tame of three categories outlined by the Department of Defense in its 2011

report to Congress on Chinese potential use of the cyber-weapons at their disposal, being for:

1. Data collection through exfiltration

2. Constraining an adversary’s actions or slowing their response time by targeting network-based logistics, communications, or commercial activities,

3. Serving as a force multiplier when coupled with kinetic attacks.18

Therefore, before we can speculate on the potential balance of power between the

American and Chinese cybersecurity sectors, we must first work to gain a better understanding

of the topography of the realm in which they would do battle. Outside of this first category, very

few examples exist to calibrate theory. Indeed, very little unified theory exists. This section thus

serves to standardize terms and gain an understanding of the terrain before analysis can be viably

imparted.

Figure 3:

First, it is important to note the inherent ambiguity and obfuscation that exists within a

terrain as new as that of cyber – where norms and standards bodies have not yet been set up to

17 Source: Dell SecureWorks: <http://www.secureworks.com/resources/articles/featured_articles/20120719-hcr/>

18 Military and Security Developments Involving the People’s Republic of China, United States Department of Defense, (Annual report to Congress, 2011). <http://www.defense.gov/pubs/pdfs/2011_cmpr_final.pdf>.

 


pacify the ‘state of nature’ that still exists therein. This largely stands because, without cohesive

domestic and international rulings, there is no monopoly on the use of force,19 meaning that there

exists a ‘multiplicity problem’ – it is often difficult to target state actors because it is impossible

to define the connection between a transgressing group and a legitimate political authority. This

issue is compounded by the fact that accessibility to cyber weapons is very easy to come by –

with up to 140 nations possessing cyberwarfare capabilities – and the fact that no states have

established clear ‘red lines’ regarding their responses in the face of specific attacks, creating a

‘vagueness problem’ akin to that between the Soviet Union and the United States during the

Cold War.20 Finally, there also exists an acute ‘attribution problem’ due to the fact that the

terrain makes it easy to route attacks through foreign servers (in the case of Titan Rain, the

perpetrators had to be chased through Canada, South Korea, and Taiwan before servers in China

were even identified) and, in the case of some blunter weapons such as some Distributed Denial

of Service (DDoS) attacks, use a ‘botnet’ to orchestrate engagements through vast numbers of

foreign terminals. This makes ‘false flag’ operations much easier to conduct and retaliatory

gestures harder to plan and execute with any sense of assurance.21

This complex system has led some to conclude that ‘Cyber’ occupies a separate domain

from land, air, and space. Cyberwarfare expert Jeffrey Carr derides this miscategorization that

pervades even the U.S. Department of Defense,22 stating, “in modern physics, matter is associated

with the complex relationship: substance-energy-information-space-time. The semantic shift

from material to immaterial is not merely naïve, for it can lead to dangerous fantasies.”23 Indeed,

cyber is not some immaterial realm without physical manifestations and warfare is not freed

from concepts of Clausewitzean key terrain, centers of gravity, and threat vectors. Plenty of key

terrain exists; data centers, commercial internet service providers, undersea cables, international

standards bodies, basic input output systems (BIOS), supply chains, and even the personnel of

19 Lacking in the realm of cyber are key areas of legitimacy of governance, as discussed by Max Weber regarding the “monopoly on the legitimate use of physical force” in Politics as a Vocation.

20 Kenneth Lieberthal and Peter W. Singer, “Cybersecurity and U.S.-China Relations,” Brookings, (February 2012), <http://www.brookings.edu/~/media/research/files/papers/2012/2/23%20cybersecurity%20china%20us%20singer%20lieberthal/0223_cybersecurity_china_us_lieberthal_singer_pdf_english.pdf> [accessed 20 December 2012].

21 Herbert Lin, “Escalation Dynamics and Conflict Termination in Cyberspace,” Strategic Studies Quarterly, Vol., No. 3, (Fall 2012): 53.

22 One need not venture farther than the DoD website to witness them proudly proclaim this new policy: <http://www.defense.gov/home/features/2011/0411_cyberstrategy/>.

23 Jeffrey Carr, “Why the U.S. Will Lose a Cyber War,” The Diplomat, (10 August 2011), <http://thediplomat.com/flashpoints-blog/2011/08/10/why-us-will-lose-cyber-war/> [accessed: 20 December 2012].

 


the cyber workforce are very much grounded in the physical realm and play an integral part of

any combat assessment.24 As such, it is incredibly vital to note that cyber attacks cannot be

stand-alone if they are truly to be ‘attacks.’ The notion of cyberwarfare is very much grounded

on conceptions of territory, borders, power balances, and alliances. It is a new tool in the arsenal

of nations wishing to engage in combat – no more and no less.

When assessing issues of deterrence and balance, it is important to separate and define

different types of aggressive action – more so when attribution, multiplicity, and vagueness

problems make it difficult to link rogue actors to states who always possess certain levels of

plausible deniability.25 Catherine Lotrionte, director of the Institute for Law, Science, and Global

Security, notes that because issues of cyber-conflict are bounded by key terrain, issues of

sovereignty and international law still apply. She distinguishes between a ‘use of force’ and an

‘armed attack,’ stating that only the latter should justify retaliation (at the scale of a ‘war’) under

international guidelines, the determining factor being whether or not the incursion exacted

analogous destruction to that which could be inflicted by a kinetic attack. Of course, as in

conventional warfare, laws of proportionality still apply.26 It is important to clarify the nature of

engagement when dealing with deterrence-based issues such that the scale of the rubric used is

appropriate.

24 John Mills, “The Key Terrain of Cyber,” Georgetown Journal of International Affairs: International Engagement on Cyber 2012, (December 2012): 99-109.

25 As Irving Lachow of the Center for a New American Security notes, “the whole question of deterrence in cyber doesn’t really apply to espionage. Every nation is spying. The only question is who’s spying better.” Zachary Fryer-Briggs, “U.S. Cyber Experts: Deterrence not Enough,” DefenseNews, (21 October 2012), <http://www.defensenews.com/article/20121021/DEFREG02/310210001/U-S-Cyber-Experts-Deterrence-Not-Enough> [accessed: 20 December 2012].

26 Catherine Lotrionte, “Cyber Operations: Conflict Under International Law,” Georgetown Journal of International Affairs: International Engagement on Cyber 2012, (December 2012): 20-25.

 


As none exist yet, we shall delineate state-to-state (of some nature) interaction in the key terrain

of cyber as follows:

Classification: Cyber-espionage

Characteristics: Tampering with secure networks for the purpose of exfiltrating data, schematics, or communications. Covert, quiet, and non-disruptive.

Justified Response: Little other than pursue claims of IP theft in international courts (if attribution successful) and patch zero days uncovered.

Examples: Titan Rain, Operation Aurora, GhostNet.

Classification: Cyber-sabotage

Characteristics: The active manipulation or disruption of system processes to destroy or delay functionality through viruses, worms, or DDoS attacks.27

Justified Response: Per Nicaragua vs. United States charges and damages claims can be pursued in international courts, but kinetic retaliation not permitted as these constitute a ‘use of force’ without being an ‘armed attack.’

Examples: Stuxnet (and its spawn Flame and Duqu), 2007 Estonia Attacks, 2008 attacks during South Ossetia war.28

Classification: Cyber-war

Characteristics: Operations by any means that are resultant in the objectives of traditional warfare: the loss of life, the acquisition of foreign key terrain, and to facilitate the ease of combat through kinetic means.

Justified Response: Full-scale cyber and kinetic retaliation.

Examples: None of note to date. You have to go to movie villains for inspiration here.29

It is important to overcome this ‘hype’ regarding cyberwarfare in order to effectively

conceptualize what such a scenario would actually look like and how it would affect state-level

calculations regarding engagement and proportionality. In conducting this assessment we will

compare the offensive capabilities of the Chinese cyber-force against the defense (both passive

and active in nature) capacity of the American operators and systems in place to see how it alters

the aforementioned dynamics. We will focus on this one-sided engagement in an attempt to add

clarity to potential Chinese military postures, understanding that, due to the offense-dominated,

opaque nature of the system, it is one conducive to lightning-quick, preemptive strikes in hopes of

27 It is interesting to note that DDoS attacks, while less penetrating and invasive than worms and viruses upon a system, can have a more destabilizing effect.

28 Though conducted in conjunction with a conventional invasion, these attacks had little to do with facilitating kinetic involvement, and were largely confined to DDoS and defacement efforts on Georgian websites. In response to the hype of these instances of ‘cyberwarfare,’ Schneier notes, “a real world comparison might be if an army invaded another country, then all got in a line in front of people at the DMV so they couldn’t renew their licenses. If that’s what war looks like in the 21st Century, we have little to fear.” Bruce Schneier, “Threat of ‘Cyberwar’ has been Hugely Hyped,” (7 July 2010), <http://www.schneier.com/essay-320.html> [accessed 20 December 2012].

29 One example can be found in the cinematic masterpiece Live Free or Die Hard: <http://www.imdb.com/title/tt0337978/>.

 


crippling the opponent before their arsenal (kinetic, cyber, and ballistic) can be deployed.30

Cyber is a unique system in that offensive and defensive capabilities are entirely distinct.31 We

will assess these capabilities specifically at the moment of zero day exploitation to see how they

will shift the balance of power leading into a sustained and messy kinetic (and cyber) assault.

A Period of Experimentation

Military capabilities have long represented the projectable power that a country can bring

to bear against competitors which, in the anarchic system of international politics, composes its

first line of defense. All the while, military doctrine has integrated theory, history,

experimentation and practice to provide an evolving framework for military forces to guide their

actions in support of objectives. Cyber warfare, however, adds a new dimension to this

projectable power by creating a space for anonymous battlefields, where aggressors can organize

targets around countless qualifiers, however specific or broad they need be. Despite the growing

complexities of cyberspace and the significant strategic challenge cyber warfare poses to the

vital interests of states, few specific doctrinal rules for cyber warfare exist.

Similar to the uncertainty that plagued nuclear deterrence policy during the Cold War

Era, cyber warfare doctrine remains largely underdeveloped due to inexperience and lack of

historical evidence surrounding its combative nature. The cyberspace domain connects

commercial, governmental and private equipment as well as networks and systems; as such, it is a

forum for an unparalleled continuum of activities that range from legal commerce to acts of war.

States must challenge themselves to craft a working definition for a cyber attack and, equally

important, an appropriate response to a threat that knows no rules of sovereignty. China and the

US will likely need to act first, as their palpable national power marks them as ideal targets for

asymmetrical attacks from belligerent state and non-state actors and, perhaps most realistically,

each other.

Each to a varying extent, China and the U.S. have hesitated to release an extensive cyber

warfare doctrine, fully aware that an overreaching framework could limit operations in an

engagement that is decidedly unpredictable. As cyber attacks continue to escalate in frequency

and intensity, however, there is an active platform for conversation around cyber warfare

30 Lieberthal & Singer, 13-15.

31 Successful defense against APT or DDoS will not damage enemy infrastructure in any way, whereas shooting back at an armed opponent can take them out of commission; similarly, effective offensive deployment does not inherently correlate to defensive capabilities the way that more effective kinetic weaponry, to some extent, does. In short, cyber-tools are generally not dual-purposed in offense and defense in the way many kinetic tools are.

 


doctrine in both countries that is worth exploring. The outcome is critical, as the

international community will look to world powers, such as the U.S. and China, to shape

international norms when dealing with cyberspace.

China’s Doctrine

When considering China’s cyber warfare doctrine, there are two distinct narratives that

one must piece together to generate the most comprehensive and accurate understanding of the

PLA’s intent: a) open source publications from the Chinese government, and b) claims from

independent defense analysts.

The Chinese government operates under minimal transparency, and the PLA is no

exception. China’s National Defense in 2010 (defense white paper) states that China pursues a

national defense policy that is strictly defensive in nature. On its most basic level, such a

defensive strategy strictly allows for “attacking after being attacked.”32 The whitepaper briefly

touches on the issue of “cyber space” when listing all areas where it intends to “maintain its

security interests.”33 Thus, the publication makes no mention of cyber attacks specifically, but it

does distinguish cyberspace as a domain of vested interest and thereby, worthy of defense.

Since cyber warfare is not directly addressed in unclassified Chinese government

documents, it is useful to explore the PLA’s approach to the broader category under which it

falls—information warfare (IW). Largely a byproduct of the 1999 principles of joint operations

(PJO) movement, Zhongguo renmin jiefangjun lianhe zhanyi gangyao (中国人民解放军联合战役纲要),

IW efforts are one facet of the PLA’s decisive move toward an Informatized Joint

Operations campaign.34 This new nonviolent means for the protection, manipulation,

degradation, and denial of information, with its profound effects on an opponent’s war machine,

economic infrastructures, and society, is the PLA’s foremost version of preemption for

facilitating a quick victory.35

The broader scope of Informatized Joint Operations is one that extends beyond cyber

warfare, contending that “information as a leading factor interacts with other combat strength

elements, such as maneuverability, firepower, control, and protection, to form an integrated

32 “USCC 2012 Annual Report,” 12 (report for the U.S.-China Economic and Security Review Commission; Washington, D.C., November 2012).

33 Ibid.

34 Ibid.

35 Lewis, James. "Cyber Security Doctrine." E-mail interview. 17 Dec. 2012.

 


combat capability.”36 Yet, cognizant of the far reaches of the cyber domain, Chinese theorists

note that all battles of this sort pass through cyberspace: “The natural geographical environment

and virtual space of the multi-dimensional battlefield will be represented in digital form, which

will provide a precision operation space for informatized joint operations.”37

The PLA’s most authoritative modern work on military strategy, The Science of Military

Strategy, discusses its “Center of Gravity Strategy,” detailing China’s readiness to employ IW in

a war against a technologically superior adversary. In exact words, the text describes the

operation:

Organizing all the services and arms to conduct active counterattacks… against

the enemy’s command, intelligence and communications systems, and his

airports and the launch sites of strategic assault weapons, and disrupt his

strategic air raid plan, and wear down and contain his air raid forces to win the

victory.38

It is interesting to note, however, that the model of development for cyber capabilities breaks

from the traditional model of evolution in Chinese military doctrine (see figure below), insomuch

as “threat perception” is not the driving force but rather it is the desire to gain an asymmetrical

advantage. As James Lewis, an expert on Chinese cyber security at CSIS, explains, “The main

doctrine on cyberwar strategy, advocates for a combination of cyber and electronic warfare

capabilities in the early stages of conflict to paralyze control and command and intelligence

centers.”39

Figure 4: Traditional Model of Evolution of China’s Military Doctrine

36 USCC 2012 Annual Report (2012).

37 Ben Buchanan, “The United States and Cyberwarfare Strategy,” Institute for Law, Science, & Global Security, (November 2010).

38 Peng Guangqian and Yao Youzhi, The Science of Military Strategy, ISBN 9787801378927, (2005, web).

39 Ibid.

 


Thus, the PLA’s argument is simple but convincing: highly developed IW can act as an

asymmetric tool to neutralize the military capabilities of a technologically superior opponent and

thereby, enable them to overcome their relative laggardness in military hardware. Chinese

strategists also assess that political and economic conditions confine the scope of modern war,

and this provides an opportunity for the combatant who dominates the information battlefield in

the opening of a conflict to control its outcome.

In short, the overall aim in this “limited war under high-tech conditions” doctrine is to

cause heavy attrition and disrupt the enemy's combat forces and logistics so as to bring about a

negotiated end to the conflict or dictate terms if possible. The Chinese war doctrine goes further,

defining informatized war as a clash of systems of systems and holding that only 20% of systems are

especially critical for operations, but that the importance of those select systems can be

exploited.40 This offers an opportunity for equalization for lesser powers:

If the inferior side grasps this law and applies it, seizing the key systems or key

elements in the enemy’s combat systems and attacking them, it will be able to use

what is small to fight what is large, leading to a structural change in the systems

and weakening the entire effectiveness of the enemy’s combat systems.41

The PLA identifies electronic networks as the important systems in modern warfare and thus

focuses its strategy on the information distribution and command and control nodes of a

network, because “it is quite possible they will be unable to bear a single blow when confronted

with a deliberate, coordinated, focused attack.”42

The Chinese doctrine does not limit Joint Informatized Operations to military network

targets. It explicitly states that an attack on a non-military target to achieve the end of

paralysis would be strategic, in that all economic activities and social events are becoming

digitized and network-based. The Chinese theorists state, “It would be easier to force the will of

war onto the enemy by using networks to attack and paralyze its economic system and create a

chaos in its society.”43

40 Informatized Joint Operations, edited by Cao Zhengrong, Wu Runbo, Sun Jianjun (Beijing, PRC: PLA Press, 2nd edition, August 2008) [partial translation by Open Source Center, CPP20100828318001001: “PRC Book Excerpt: 'Informatized Joint Operations' on Blockade, Island Landing;” accessed 20 Nov. 2010].
41 Ibid.
42 Ibid.
43 Ibid.

Since 2000, however, US government sources have claimed that the PLA is actively assembling a

specialized force of “hackers.” According to a US Congressional Research Service report

entitled “Cyberwarfare,” authored by Steve Hildreth, China is developing a strategic Information

System unit called “Net Force” to carry out its IW agenda. This study and a more recent study

completed by the NATO senior military officer Brig. Gurmeet Kanwal, confirm that this

unreported force is designed to level the playing field in a future war with better-equipped

Western armed forces that rely on Revolution in Military Affairs (RMA) technologies.44 They

also argue that based on recent cyber attacks traced back to China, it is possible and perhaps even

likely that this ‘Net Force’ breaks from the overarching PLA “defense policy” and is

experimenting with far more offensive operations.

Emerging Threats from China

In recent years, Chinese hackers have begun to move beyond the typical procedures used

by state-sponsored actors and into increasingly advanced types of operations or operations

against specialized targets. Here are the most likely types of attacks.

• Defeating secure authentication – with the increase of two-factor authentication,

in addition to simple password entry, Chinese hackers continue to find a way to

defeat these measures. In January 2012, security researchers identified a China-

based cyber espionage operation that targeted the U.S. DoD’s Common Access

Card Standard.45

• Bridging air gaps – In order to protect resources from high-risk networks,

engineers use physical isolation of networks or “air gaps.” Indian media reported

that China successfully used removable media to compromise air-gapped

computers at the Indian Eastern Naval Command.46

• Targeting deployed platforms – It appears that China is also seeking to target

various military platforms that operate in forward or otherwise remote areas,

including sea and space. Military officials, including the U.S. Navy chief of

operations, describe security threats to ships at sea.47

44 Richard A. Clarke and Robert Knake, Cyber War: The Next Threat to National Security and What to Do About It (New York: HarperCollins, 2010).
45 USCC 2012 Annual Report (2012).
46 Ibid.
47 Ibid.

• Leveraging the cloud – even though there is little evidence to show proof of

compromised cloud services, cloud systems can either reduce defenders’ visibility

of threats and thereby limit detection of malicious activity or help identify

targeted campaigns, by aggregating intelligence.48

• Compromising mobile devices – there have been several cases in which malware

has propagated within China geared toward mobile devices. CrowdStrike

demonstrated how China’s malware could compromise mobile devices in

February 2012.49

The US Doctrine

In 2010, William J. Lynn III, US Deputy Secretary of Defense, stated that the Pentagon

had formally recognized cyberspace as the fifth domain of warfare. As a doctrinal matter, this

means that the US military community considers cyberspace to be equally as critical to military

operations as land, sea, air and space. It makes sense that the Pentagon established the US Cyber

Command (USCYBERCOM) shortly thereafter with the mission of centralizing command of

cyberspace operations and synchronizing a defense of US military networks.

In July 2011, Deputy Secretary Lynn announced at the National Defense University that the US did

in fact possess a full spectrum of capabilities and, echoing the PLA rhetoric, that “the thrust of

strategy is defensive.”50 He articulated a “five pillar” strategy for US Cyber Command

(USCYBERCOM), as follows: treat cyber as a domain of warfare; employ more active defenses;

support the Department of Homeland Security in protecting critical infrastructure networks;

practice collective defense with allies and international partners; and reduce the advantages

attackers have on the internet.51

The US made significant changes in its cybersecurity policies in 2012, despite the failure

to pass comprehensive legislation in the American Congress. In November, media reports said

that the U.S. had concluded work on Presidential Decision Directive 20, governing military

activities in cyberspace. The Directive itself is classified but remarks by the Secretary of

Defense suggest that the military would play a greater role in defending against cyber attacks

48 Ibid.
49 Ibid.
50 “Capability of the People’s Republic of China to Conduct Cyber Warfare and Computer Network Exploitation,” prepared for The U.S.-China Economic and Security Review Commission by Bryan Krekel (McLean, Virginia, October 2009).
51 Ibid.

from foreign sources. The new policy was preceded by stories in the media attributing the

"Stuxnet" cyber attack against an Iranian nuclear facility to the United States (and Israel). Other

announcements showed a continued increase in the development of military capabilities,

including a Defense Advanced Research Projects Agency program known as "Plan X" to

develop a range of cyber capabilities and the creation of "cyber city," a test range for various

kinds of cyber attacks.52

The efforts of USCYBERCOM, however, do not extend beyond DOD networks, or the

“dot-mil” world. The span of the USCYBERCOM protection umbrella has spurred debate

among government agencies that has trickled down to Congress and, recently, to the public. As

it stands now, the Department of Homeland Security is responsible for government networks and

working with the private sector on defending critical infrastructure. Concerns that the DOD and

NSA will dominate efforts to protect the nation’s computer networks, civilian networks included,

are rampant among experts across disciplines and are effectively pushing privacy trepidations

(reminiscent of the Patriot Act) to the attention of the American public.

Cyber Command, originally responsible for dealing with threats to the military cyber

infrastructure, may now have some broader national cyber defense responsibilities because of the

Presidential Directive. Cyber Command's service elements include Army Forces Cyber

Command, the Twenty-fourth Air Force, Fleet Cyber Command and Marine Forces Cyber

Command. In order to facilitate cooperation, the Department of Defense and the Department of

Homeland Security signed a memorandum of agreement on cybersecurity in October 2010 to

increase interdepartmental collaboration. Media reports suggest that Cyber Command will

become an independent command in 2013 (rather than remaining a military "subcommand"

under US Strategic Command).53

Still other concerns come from LTC Gregory Conti and COL John “Buck” Surdu, chief of staff

of the United States Army Research, Development and Engineering Command, who argue that the

skills valued in the armed forces, i.e. marksmanship and physical strength, are irrelevant to cyber

warfare. They explain that if combat in cyberspace is now a military domain then winning in that

domain would require a military organization that can recruit, train and retain highly qualified

cyber warfare combatants for offensive campaigns. In other words, Conti and Surdu suggest a

52 Lewis (2012).
53 Ibid.

fourth branch of the military for Information Service, or cyber missions. In response, General

Keith Alexander, head of USCYBERCOM, stresses that the purpose of cyber command is “not

about an effort to militarize cyber space. Rather it’s about safeguarding our military assets.”54

The most cited example for the critical need of a unified cyber platform in this debate

dates back to 2008 in Saudi Arabia. The Pentagon did not approve of a Saudi government-CIA

website used to uncover terrorist plots, arguing that the site was putting Americans at risk. The

Pentagon overrode CIA objections and launched a cyber attack that dismantled the online forum.

Thus, USCYBERCOM aims to eliminate such interagency friction by consolidating US military

cyber doctrine. The US must be mindful of inefficiency because opponents like the PLA and its

directive under an authoritarian regime experience minimal, if any, delay in deploying cyber

policy. It may make sense, however, that the US military prolonged development of official

cyber capabilities, considering that its other RMA technologies are the most advanced in the

world.55

Despite the ambiguity in U.S. and China’s cyber warfare doctrine, one conclusion is for

certain: cyberspace is a new battleground. Like the early stages of disruptive military

technologies—nuclear bombs, other, other— a period of experimentation often precedes any

official guiding principles. More importantly, the dynamic created between China and the US

during this period of experimentation could be longstanding: the US holds the place of the

technologically superior military and China, as a potential adversary, seeks out asymmetric

capabilities to exploit US vulnerabilities and thus, offset its current advantage. The reelection of

the Obama Administration and its proposed cuts to the defense budget, juxtaposed with the PLA’s

ever-growing defense budget, provides space for this cyber dynamic to shift in favor of China.

Chinese Offensive Capabilities

Military capabilities can best be understood as a resultant product of the continual,

cyclical interaction of both national resources and national performance: resources may be

“building blocks,” but these building blocks, far from existing in nature, must be consciously

produced as a result of human artifice, which is captured, however imperfectly, by the domain of

national performance. In the case of cyberspace, China’s burgeoning IT infrastructure, its

54 Jayson Spade, “Information as Power: China’s Cyber Power and America’s National Security,” U.S. Army War College (May 2012).
55 Ibid.

building block, is in the hands of an increasing number of highly trained technical personnel,

unambiguously yielding a positive reinforcement to present IW capabilities.

Many traditional indexes of military capabilities rely on summary

variables such as the level of military expenditure or gross size of the armed forces. An analysis

of cyber capabilities requires a greater level of detail, as the talent exploited extends beyond

military personnel. This section explores two tools employed by China to proliferate its cyber

prowess: the IW military branch and private hacker groups. A 2012 U.S.-China Economic and

Security Review Commission report has organized the perpetrators of increasingly regularized

attacks into the following categories:

Who Carries Out Chinese Cyber Exploitation and Attack?56

Military Groups

Key entities are:

(1) 2PLA—The Second Department of the PLA General Staff Department (2PLA) is

responsible for military intelligence. It may use cyber operations as part of its

collection activities.

(2) 3PLA—The Third Department of the PLA General Staff Department (3PLA) is

responsible for the collection of signals intelligence. This includes computer

network exploitation, reportedly drawing upon Technical Reconnaissance

Bureaus geographically distributed across the country. It may also lead the PLA’s

computer network defense efforts.

(3) 4PLA—The Fourth Department of the PLA General Staff Department (4PLA)

engages in electronic warfare. In addition, it appears to be responsible for

computer network attack.

(4) PLA services—The PLA Navy and PLA Air Force, like 3PLA, operate Technical

Reconnaissance Bureaus that may engage in computer network operations. The

Second Artillery Forces, a PLA service-level branch responsible for nuclear and

conventional missiles, may also have cyber-related responsibilities.

(5) Cyber warfare militias—A subset of the PLA militia has cyber-related

responsibilities. These units, usually comprised of workers with high-tech day

56 U.S.-China Economic and Security Review Commission (2012).

jobs, focus on various aspects of military communications, electronic warfare, and

computer network operations.

Intelligence and Security Services

Though little is known about China’s intelligence and security services’ roles and

missions in cyberspace, several entities are probably active in the domain:

(1) Ministry of State Security—As China’s foreign intelligence service, the

organization may engage in various cyber operations.

(2) Ministry of Public Security—As China’s domestic security service, the

organization engages in surveillance, including in cyberspace, of Chinese citizens.

Foreigners traveling within China are similarly subject to various forms of digital

monitoring (though it is unclear which organization has this responsibility).

‘‘Independent’’ Actors

Although not always on government payrolls, several categories of nominally

independent actors conduct exploitation activities. In some cases, their actions may be

sanctioned or overlooked by authorities:

(1) ‘‘Hacktivists’’—Sometimes called ‘‘patriotic hackers,’’ these groups appear to

act primarily on the basis of nationalistic sentiments, often engaging in denial of

service attacks or website defacements. The Chinese government has on occasion

acted to curtail their activities, but enforcement is uneven.

(2) For-profit hackers—Some groups may commit industrial or traditional espionage

on behalf of private sector, state-owned sector, or government clients. A variety

of notable Chinese hackers have formed security firms or consulting firms that

may engage in these activities.

(3) Purely criminal hackers—There is a range of strictly nonstate hacking activities,

such as identity theft, perpetrated by those seeking status or income. Although

these activities are illegal in China and perpetrators are sometimes punished

(China recently reported 9,000 cyber-related arrests), government agencies may

recruit from this pool.

 


‘‘Corporate’’ Actors

Some corporate entities in China may engage in, support, or benefit from cyber espionage.

The prevalence of state-owned or -controlled enterprises in the telecommunications and

IT sectors in China means that such activities would often constitute state sponsorship.

(1) Telecommunications providers—Internet service providers, web services

providers, domain registrars, and similar organizations may perform, enable, or

conceal malicious cyber activities.

(2) Information technology companies—IT components and systems manufacturers,

assemblers, or support staff may introduce ‘‘backdoors’’ (i.e., surreptitious access

points) or other vulnerabilities into their systems.

Official Military Cyber Capabilities

The exact cyber warfare capabilities of the Chinese military cannot be known due to the

lack of transparency in the PLA. From a close analysis of PLA cyber strategy, however, one can

make a reasonable assumption that the PLA is actively adapting its human resources to meet

these cyber conflict goals.

In times of peace, Chinese theorists call for significant preparation for potential

informatized operations against likely opponents. In practice, this means “only by relying on

peacetime collection, creating an information superiority and operational superiority before the

enemy in wartime is it then possible to win a small space for information confrontation.” Such

preparation lays the foundation for future operations in cyberspace. It also indicates, though not

explicitly, a reason for the continued penetration of U.S. networks, as it is China’s most

threatening adversary.

In the event of heightened tensions, the PLA would launch a first strike cyber attack. “As

soon as it has been discovered that war is inevitable,” Chinese theorists write, “a contest should

be made to resolutely take all kinds of effective attack measures to destroy the opponent’s

preparations for offense and informatized combat systems by creating an advance attack ‘time

gap’ to make up for the equipment ‘technology gap’ before the adversary carries out a firepower

attack or main assault.”57 According to Chinese cyber doctrine, the goal of the first strike is to

prevent the quick conclusion of the war and heighten the costs for the opponent to the extent that

it becomes no longer worth the effort to continue fighting.

57 Buchanan (2010).

If the first strike attack fails to swiftly terminate the conflict, the Chinese offer a few

potential vectors for subsequent cyber attacks, as organized in the table below.

| Goal of Secondary Offensive Campaign | Evidence from Chinese Doctrine |
| --- | --- |
| Attack vulnerabilities in the enemy computer networks | “We implant computer viruses into the enemy’s C4I system through various means. Once it is needed in the operation, we could use wireless activation virus to paralyze the enemy’s operation system.” |
| Use electronic measures to counter physical forces | “When the enemy’s stealth aircrafts, cruise missiles, and gunships enter the effective airspace of our electronic equipment, we can use radio input and ignite all the computer network bombs. It would cause the enemy’s weaponry system to lose control, direction and eventually break down.” |
| Attack targeting the U.S. | “When the GPS is under interference, the cruise missile which it is guided by it may deviate from the original course, or even be guided to an interference designated area. Currently we are able to enter the network system through wireless radio.” |

Military Training

Perhaps more important than cyber strategy itself is the variable that determines how

successfully these plans are converted into effective capabilities—human resources. China seems

keenly aware of its need for cyber-savvy officers and soldiers, as the PLA has jumpstarted a

basic training program to prepare its soldiers for cyber conflict. The program targets the basic

education of soldiers:

The first thing officers are set up with after arriving at the school is a notebook

computer, the first documents they receive are an Intranet password, identification

code, and email address, and the first education they receive is an understanding

of networks. It is the same at West Point. Instead of the air conditioners found in

normal universities, the students’ dorm rooms are equipped with a bedside

 


computer for each person, and everyone has been swept up in the tide of

networking, from the school president to the drivers, from three-star generals to

hired hands.58

This approach seeks to familiarize soldiers of all ranks with the functionality and power of

network systems. Ultimately, the PLA aims to make computer skills as fundamental to the

military as marksmanship.

China’s flourishing IT sector and the PLA’s focus on the informationization of its force

structure have led Chinese leaders outside of the military to call the protection of the

electromagnetic domain vital to national security, creating a form of military-civilian teamwork.

Chinese leaders understand the mounting dependence of the civilian economy on access to the

international telecommunications infrastructure and military commanders understand their

reliance upon advanced communications to plan and execute their missions. Thus, to reinforce

its information infrastructure, the PLA has divided primary operational responsibility for

network attack, defense, and exploitation between the Third and Fourth Departments of the

General Staff Department for the majority of the past decade.59

Also, in an effort to develop new computer network operations technologies and

capabilities, Beijing has looked to its maturing commercial IT sector for R&D support, often

using national funding vehicles to support technical research into information warfare and

information security. State funding of commercial and academic research is building formal

R&D relationships between elite universities and industry that look similar to models used in

Western defense industries to leverage the efficiencies and cost savings found in these sectors. A

great example of this relationship is the National University of Defense Technology (NUDT),

located in Changsha, Hunan Province. NUDT is a technology-oriented university heavily

engaged in military research and development, jointly administered by the Ministry of National

Defense and the Ministry of Education. NUDT, the development hub for China’s Tianhe-IA

supercomputer, lists among its key research areas electronic and information warfare target

recognition.60

58 Buchanan (2010).
59 U.S.-China Economic and Security Review Commission (2012).
60 Ibid.

Private hacker groups

Despite a lagging understanding of cyber space in the Chinese military, China benefits

from the segments of its population that are technically-savvy and that, unlike the military, can

claim reasonable deniability when accused of an attack. The United States-China Economic and

Security Review Commission approximates that there are 250 hacker groups in China that are

capable of attacking the United States, and who are “tolerated and may even be encouraged” by

the Chinese government. China seems to understand that although computers may be the

weapons of any cyber attack, people are the soldiers in command of it. Thus, China works

tirelessly to attract more and more IT talent. Signs of these efforts have appeared over the past

couple of years, as Chinese diplomatic missions in the United States and other countries have

taken advantage of the recession in the West to recruit hundreds of Chinese graduates from the

best computer science departments in Western universities.61

The Comment Group, or “Byzantine Candor” as termed by the U.S. Air Force Office

of Special Investigation, is a highly active hacking group in China. The Comment Group is a

highly organized effort that, more than any other group, is believed to be at the spear

point of the vast hacking industry in China. Byzantine Candor is linked to the PLA according to

a 2008 diplomatic cable released by WikiLeaks. Two former intelligence officials verified the

substance of the document. What sets the Comment group apart is the frenetic pace of its

operations.62

61 Buchanan (2010).
62 Michael Riley and Dune Lawrence, “Hackers Linked to China's Army Seen From EU to D.C.,” Bloomberg (26 July 2012), Web [accessed: 22 December 2012].

Figure 5: Documented Attacks Launched by the Comment Group in July 2012.63

The attacks documented last summer represent a fraction of the Comment group’s

projects, which date back at least to 2002, according to incident reports and interviews with

investigators. Milpitas, California-based FireEye Inc. alone has tracked hundreds of victims in

the last three years and estimates the group has hacked more than 1,000 organizations, said Alex

Lanstein, a senior security researcher. Stolen information is flowing out of the networks of law

firms, investment banks, oil companies, drug makers, and high technology manufacturers in

threatening quantities, so much so that intelligence officials now say it could cause long-term

harm to U.S. and European economies.64

American Defense

The United States’ cyber defense infrastructure employs multi-layered capabilities to

ensure that it is protected at all levels.65 On the military front, the United States has recently put

up a sub-unified command of the Second Army, the Tenth Fleet, and the Twenty Fourth Air

Force known as CYBERCOM, which reached full capability in October 2010 under the

63 Ibid.
64 Riley, Lawrence (2012).
65 This is an attempt to avoid a tempting mistake akin to that made in World War II by the French: to establish robust perimeter security – a Maginot Line – and neglect to enforce stringent internal security measures as backup.

command of General Keith Alexander (also director of the National Security Agency).

CYBERCOM is responsible for the protection and defense of all dot-mil sites, which includes

15,000 military networks. CYBERCOM divides Computer Network Operations (CNOs) into

those dealing with attack, defense, and exploitation, and has worked to build functional

capabilities in all identified areas, especially focusing on ridding military systems of human-

error-based vulnerabilities through a sanitization of best practices and educational schemes.66

While their track record is largely classified, Gen. Alexander has stated that CYBERCOM

successfully repels an average of 200,000 to 250,000 probes and scans on military servers every

hour. Recently, through Operation Buckshot Yankee, CYBERCOM went to great lengths to

better address the air gap jumping concerns in response to an incident of a thumb drive

transferring a worm and stealing data from a military server. CYBERCOM also employs ‘red

teams’ that sift through networks to quickly identify intrusions, track them, and neutralize their

capacities before any malicious endeavors are undertaken.67 In the works as well is a secure,

protected zone for unclassified networks modeled off the DoD Secret Internet Protocol Router

Network (SIPRNet) to ensure that defense is tightened at all levels.68

To complement CYBERCOM in dealing with dot-gov servers and protect critical civilian

infrastructure, the Department of Homeland Security (DHS) has stood up a National Cyber

Security Division (NCSD) led by John Streufert, former chief information security officer for the

U.S. State Department. While much work can still be done on integrating a unified cyber bureau

in the DHS, NCSD has worked hard to build and maintain an effective national cyberspace

response system, implementing a cyber-risk management program for the protection of critical

infrastructure.69 Critical to this mission is the U.S. Cyber Emergency Response Team (US-

CERT), which continuously releases information on system vulnerabilities and zero day exploits

through its National Cyber Alert System in real-time, and works closely with private vendors to

create patches immediately. Resources for better securing networks and data are available to both

the public and private sector in an attempt to ensure that at all levels the nation is able to recover

and remain resilient to foreign-based cyberattacks. Over the past year, DoD and DHS have

66 “Department of Defense Strategy for Operating in Cyberspace,” (July 2011). Found at: <http://www.defense.gov/news/d20110714cyber.pdf>.
67 U.S. Cyber Command: Organizing Cyberspace Operations (Washington DC: 111th Congress, 2nd Session, Committee on Armed Services, House of Representatives, 23 September 2010).
68 Jayson Spade, “Information as Power: China’s Cyber Power and America’s National Security,” U.S. Army War College, (May 2012): 35.
69 See DHS website for further detail: <http://www.dhs.gov/national-cyber-security-division>.

worked closely to streamline their efforts and implement burden sharing initiatives. DoD’s 2012

Cyber budget was $3.2 billion while DHS’s was $936 million, illustrating the concentration on

offensive capabilities over defensive measures.70

Complementing these initiatives to secure American cyberspace, the White House has

responded to calls for increased and centralized leadership, launching a Cyber Space Policy

Review with priorities in promoting awareness in the private sector about critical issues,

establishing more cohesive operating protocols, and securing alliances with international

partners.71 While the technical aspects of this initiative are classified, they are said to

complement the efforts of the Comprehensive National Cyberspace Initiative (CNCI) undertaken

by the previous administration that worked with the Office of Management and Budget (OMB)

and the DHS on a Trusted Internet Connections Initiative (TIC) to successfully consolidate

external access points to the internet from government servers by 60%. CNCI also worked in

areas of education and R&D to identify ‘leap-ahead’ technologies and better define roles within

government.72 In response to recent successful attacks including the Shamoon virus that hit many

companies in the oil sector including Saudi Aramco73 and the yet-unnamed DDoS breaches of

the U.S. financial sector including JPMorgan Chase and Wells Fargo,74 the Obama administration

is circulating an order that will make it necessary for the intelligence community (IC) to share

relevant threat signatures with companies operating electric grids, water plants, railroads, and

other vital industries.

Defense happens at all levels of government and civil society as well. The Federal

Energy Regulatory Committee (FERC) has recently issued guidelines to require US power

companies to separate operations systems from the Internet – though admittedly compliance and

auditing issues persist.75 Policy recommendations from the 2011 Black Hat Conference (which

boasts attendance from federal agencies, corporations, and private hackers working together to

70 Donna Miles, “DoD, Homeland Security Collaborate in Cyber Realm,” DoD Website, (3 June 2012), <http://www.defense.gov/news/newsarticle.aspx?id=64186> [accessed: 20 December 2012].

71 The Review in full can be viewed at: <http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf>

72 Obama released details on the CNCI for the first time in 2011. They can be found here: <http://www.whitehouse.gov/cybersecurity/comprehensive-national-cybersecurity-initiative>

73 Richard Lardner, “Draft order would give companies cyberthreat info,” Huffington Post, (20 October 2012), <http://www.huffingtonpost.com/huff-wires/20121020/us-cybersecurity-order/> [accessed: 20 December 2012].

74 Chris Strohm and Eric Engleman, “Cyber Attacks on U.S. Banks Expose Vulnerabilities,” BusinessWeek, (28 September 2012), <http://www.businessweek.com/news/2012-09-27/cyber-attacks-on-u-dot-s-dot-banks-expose-computer-vulnerability> [accessed: 20 December 2012].

75 Clarke 34.

deal with compliance and standards issues) have gone into getting DARPA re-involved in

cybersecurity, working towards establishing Federal cyber regulations (which have thus far

failed to pass through Congress), and developing techniques to better air-gap utility networks.76

Public and private entities have combined talent to draw detailed pictures of Chinese hacking

capabilities such that the United States infrastructure will be prepared to deal with and stop incursions

as they arise.

Yet, despite this progress, much vulnerability still remains, in part due to the lack of

cohesive direction and absence of a clear set of rules of engagement, which is rumored to still be

in the works.77 In large part, the United States’ exposure to cyber-threats stems from the fact that

it is much more reliant on digital systems than many of its potential adversaries both due to

the fact that it invented the sphere and that as a highly industrialized society, many sectors were

able to migrate quickly to more intensive technology. Despite attempts at defense, this vast

exposure results in an asymmetry relative to developing powers such as China. In another sense,

its democratic values and institutionalized norms leave it more vulnerable than opponents - the

government is not able to regulate the Internet and enforce protocol as tightly as other states

might be.78 However, these systemic factors aside, many agree that the problem is largely

political because there exists so little will to pass legislation through Congress and share threat

signatures across sectors.79 This is in part due to the age-gap that exists between policy makers

and those adroit at navigating the nuances of this terrain – many in the upper echelons of public

and private management grew up without exposure to the technology that is now at their

fingertips and thus have a difficult time fully grasping the intricacies and gravity of cyber.80

Similarly, due to the lack of understanding, too much money and effort is being funneled into

standard military protocol to militarize the terrain, and little is being done to work with

commercial regulators such as the Securities and Exchange Commission (SEC), the Federal

76 Spade 31-35.

77 “Hype and Fear,” The Economist, (8 December 2012), <http://www.economist.com/news/international/21567886-america-leading-way-developing-doctrines-cyber-warfare-other-countries-may> [20 December 2012].

78 Buchanan 13.

79 Jason Healey, “Cyber Legislation and White House Executive Orders,” New Atlanticist, (26 October 2012), <http://www.acus.org/new_atlanticist/cyber-legislation-and-white-house-executive-orders> [accessed: 20 December 2012].

80 Carr.

Communications Commission (FCC), and the Federal Trade Commission (FTC) to create

uniform standards and shore up security procedures on all vulnerable fronts.81

Critical infrastructure, such as that related to power, water, nuclear, transportation, and

financial services is particularly vulnerable to foreign cyberattacks because it is operated in

private hands and not easily standardized. This ties directly into defense capabilities; for example,

31 of 34 critical sectors within the DoD are dependent on the 90% privately owned public power

grid.82 These grids are by no means impenetrable – it has recently been revealed that in 2008

they were hacked causing power outages in multiple cities.83 Grids have a myriad of access

points (see Figure 684 for full detail) and once inside, an aggressor can wreak havoc – pushing

circuit breaker oscillations out of sync, causing the inertia of the grid and that of the generator to

work against each other, tearing apart the physical infrastructure. Botnets and concentrated

DDoS attacks can also work at command stations, slowing down relay mechanisms and causing

signals to lose pace. Issues in critical infrastructure such as grids are extremely difficult to fix

because they cannot feasibly stand idle for long enough to install patches.

The North American Electric Reliability Corporation (NERC) has worked to implement

new standards and auditing techniques, but much work needs to be done to tighten air-gaps and

implement one-way hash functions to prevent unidentified code from running on these critical

infrastructures.85 That said, sophisticated coders could always exploit human error problems that

linger. The Department of Energy (DOE) inspector general recently found 38 cyber

vulnerabilities in energy infrastructure when conducting an investigation (the number declined

from 56 in the previous round) including some in areas related to nuclear technology. 58% of

computers inspected had unpatched software holes and weak password protection issues, while

29 web applications related to finance, human resources, and general support were deemed

‘vulnerable to hacking.’86 To combat such issues of poor ‘IT hygiene’ across sectors, US-CERT

81 Melissa Hathaway, “Creating the Demand Curve for Cybersecurity,” Georgetown Journal of International Affairs: International Engagement on Cyber, (December 2011): 163-170.

82 Buchanan 16.

83 Glenn Derene, “How Vulnerable is U.S. Infrastructure to a Major Cyber Attack,” Popular Mechanics, (1 October 2009), <http://www.popularmechanics.com/technology/military/4307521> [accessed: 20 December 2012].

84 Source: Nicol article.

85 David Nicol, “Hacking the Lights Out,” Scientific American, (July 2011): 70-75.

86 John Reed, “Dozens of cyber vulnerabilities found at Department of Energy facilities,” Foreign Policy, Blog: Killer Apps, (16 November 2012), <http://killerapps.foreignpolicy.com/posts/2012/11/16/dozens_of_cyber_vulnerabilities_found_at_department_of_energy_facilities> [accessed: 20 December 2012].

continuously works to provide the U.S. infrastructure with education and fixes to areas of

concern including local area networks (LAN), remote terminal units (RTUs), and human

machine interfaces (HMIs), with details of typical vulnerabilities and how they can be

addressed.87 Of course, as long as problems remain in enforcing standard practices, doubt will

remain regarding the possibility of exploitation of these systems.

Figure 6:

Finally, due to the increasing complexity of everything from basic computers to the F-35,

supply chains have become more globalized and interconnected than ever before, with parts and

87 An example of their regimen can be found here: <http://www.us-cert.gov/control_systems/csvuls.html#top>.

circuits contributed by private enterprises in countries around the world. The USCC worries that

this development might present new vulnerabilities in U.S. technology and ability, and suspects

based on past instances of corruption that many vital technologies with circuits contributed by

Chinese firms might come preloaded with malware.88 Of particular concern in this ongoing

debate over supply chains remain Huawei and Zhongxing Telecommunications Equipment

(ZTE), which are eyed with suspicion by the USCC as potential sources of exploitation due to

the subsidies and above-market priced contracts they receive from the Chinese government.

Aside from issues with economic protectionism and suspect dealings with pariah states such as

Iran, a recent congressional report speculates that Huawei and ZTE appliances could potentially

afford unauthorized backdoor access to the Chinese government or inject malware into servers

linked to their networks should the situation demand it. These companies have not been

compliant with investigations and could potentially serve as another bridge in the case of a

Chinese cyber attack into the heart of the United States’ infrastructure.89 Because of the

interconnectedness of these telecom giants with U.S. supply chains, it is unlikely that mitigation

measures could fully address this threat.

The Clash

The following section is a speculative consideration of a Chinese computer network operation

against U.S. networks in the context of a possible conflict over Taiwan.

As indicated by Chinese military doctrine, the PLA is actively preparing for possible

conflict with technologically advanced nations such as the United States, particularly in the event

of a forceful reunification of Taiwan with the mainland. The New Historic Missions now

requires the PLA to develop capabilities for other possibilities beyond China’s littoral waters and

88 2012 Report to Congress of the U.S.-China Economic and Security Review Commission: (Washington DC: 112th Congress, 2nd Session, November 2012): 161-162.

89 The report also states that, “Chinese intelligence services, as well as private companies and other entities, often recruit those with direct access to corporate networks to steal trade secrets and other sensitive proprietary data” and that “it appears that under Chinese law, ZTE and Huawei would be obligated to cooperate with any request by the Chinese government to use their systems or access them for malicious purposes under the guise of state security.” It warns that systems are vulnerable as, “Inserting malicious hardware or software implants into Chinese-manufactured telecommunications components and systems headed for US customers would allow Beijing to shut down or degrade critical national security systems in times of crisis. Malicious implants in the components of critical infrastructure such as power grids or financial networks would also be a tremendous weapon in China’s arsenal.” Investigative Report on the U.S. National Security Issues Posed by Chinese Telecommunications Companies Huawei and ZTE (Washington DC: 112th Congress, 8 October 2012).

for goals more economic than territorial. Despite the fact that military modernization primarily

focuses on traditional conventional weapons that can target U.S. forces well before they are in

range to support Taiwan or otherwise intervene, IW weapons are becoming coordinated with

conventional weapons units as dictated by the information confrontation theory in

joint-style operations.90

A U.S. victory for Taiwan would require speed of response and the ability to arrive on

station with sufficient forces in the western Pacific. A conflict in Taiwan and its distance would

certainly place the greatest strain on U.S. logistics and command and control infrastructures.

Thus, it makes sense that PLA analysts consistently identify these two components as strategic

centers of gravity that potentially both help and hinder U.S. military success in the region.91

In the particular context of Taiwan, PLA strategists are keenly aware that U.S. access to

bases in the region faces challenges even in times of peace. Specifically, non-naval forces operate

from a few fixed bases in the region during a crisis and access can be unstable. Further, doctrinal

and strategic writings prescribe the use of IW tools for their potential deterrent effect.

Accordingly, a preemptive CNA campaign against U.S. Pacific Command (PACOM) forces

would likely come first. This means the PLA may start deploying tools via access created prior

to any direct U.S.-China conflict to affect or disable logistics networks, command and control

infrastructure, intelligence collection systems, and potentially civilian targets that directly

support military operations such as transportation or other commercial logistics providers.92

Phase One—A Preemptive IW Attack

Using a vastly improved C4ISR infrastructure—partly a byproduct of the close

cooperation between China’s commercial IT sector and the PLA—U.S. and allied deployments

in the region are likely to be more readily detected and attacked with greater precision than even

five years ago. The effects of preemptive penetrations may not be readily observable or detected

until after combat has begun or after Chinese CNA teams have executed their tools against

targeted networks. Even if circumstantial evidence points to China as the culprit, no legislation

or policy currently exists to easily determine appropriate response options to attacks on U.S.

military or civilian networks in which definitive attribution is lacking. Beijing, understanding

90 U.S.-China Economic and Security Review Commission (2012).

91 Ibid.

92 Ibid.

this, could easily exploit such gray areas in U.S. policymaking and legal frameworks to create

delays in U.S. command decision-making.93

Phase Two—Corrupt Command and Control

Chinese commanders may elect to use deep access to critical U.S. networks carrying

logistics and command and control data to collect highly valuable real time intelligence or to

corrupt the data without destroying the networks or hardware. Although U.S. network defenses

and other countermeasures may call into question the effectiveness of some Chinese tools or

approaches to targeting, the PLA’s adoption of INEW and information confrontation concepts,

which advocate using network operations against C4ISR systems, increases the likelihood that

they will be a target during a conflict.94

Phase Three—IW on the Home Front

PLA planners and commentators have long assessed that the source of U.S. military

effectiveness stems from the ability to integrate military and civilian information systems and

leverage this global access to information in combat. Chinese decision makers see this prowess

in information technology as both a force multiplier for the United States and a vulnerable center

of gravity, calculating that if an adversary is able to disrupt these networks and access

information, the effect would leave U.S. combat forces and commanders in a state of paralysis.

PLA publications and authors from some of the military's more authoritative institutions have

labeled C4ISR systems as “vital point” targets because of this perceived U.S. dependence on the

immediate access to information to fight effectively.95

PLA writers affiliated with the Academy of Military Science in a 2011 article in the

Academy’s primary journal, China Military Science, Zhongguo Junshi Kexue, underscored the

high return on investment that network paralysis warfare offers when applied to key nodes on the

enemy’s network, noting that this type of targeting focus makes it possible to achieve an

immense operational effect with just a small investment.96

93 U.S.-China Economic and Security Review Commission (2012).

94 Ibid.

95 Ibid.

96 U.S.-China Economic and Security Review Commission (2012).

American Response

While the United States has gone to great lengths to protect its military hardware and

critical infrastructure from exploitation and corruption, the sheer scale of the cyber realm and the

fact that China, like the United States and other capable nations, most likely hoards some

zero-day vulnerabilities of its adversaries, renders it incredibly likely that attacks would get through

and have an initially crippling effect. However, stopgap measures in place and back-up secure

networks mean that these exploitations would most likely be inconsistent in effect. At the

forefront of the U.S. defense would be the new EINSTEIN 2 and EINSTEIN 3 programs

operated by US-CERT to deal with intrusion detection and intrusion prevention respectively.

These should have a moderately successful effect at weeding out latent worms and poised viruses

that would otherwise contribute to the havoc caused on zero day.97

However, the United States integrated cyber command recognizes that these measures are

not perfect and that widespread vulnerabilities still exist. In order to deal with disaster recovery

and resilience measures, should critical infrastructure be taken down, the NCSD has instituted a

National Cyber Incident Response Plan (NCIRP) to establish a framework for organizational

roles, responsibilities, and actions to prepare for, respond to, and begin to coordinate recovery

from a major cyber attack (see Figure 798 for visualization).99 NCIRP is capable of providing a

backbone for centralized execution of response and retaliation in the case of an emergency, and

has been tested and fine-tuned over a series of ‘Cyber Storm’ exercises to account for

widespread malware and logic bomb intrusions, as would be the case in a scenario of Chinese

cyberattack. Cyber Storm III, which included participation from public, private, and

international entities, concluded in July 2011 and found that NCIRP was capable of

effectively organizing a response and recovery effort to quickly combat foreign threat between

agencies as diverse as US-CERT, FERC, the FBI, and CYBERCOM.100 Cyber Storm IV is

presently underway and should do more to strengthen the response time and magnitude of U.S.

military and civilian capabilities.

97 Part of released CNCI documentation.

98 Source: NCIRP.

99 National Cyber Incident Response Plan, Department of Homeland Security, (September 2010), <http://www.federalnewsradio.com/pdfs/NCIRP_Interim_Version_September_2010.pdf>.

100 Cyberstorm III: Final Report, Department of Homeland Security, (July 2011), <http://www.dhs.gov/sites/default/files/publications/nppd/CyberStorm%20III%20FINAL%20Report.pdf>.

Figure 7:

In short, while a Chinese cyber-strike would have a devastating effect upon the United

States, measures in place at all levels of command would ensure that the United States’ ability to

project itself kinetically would not be entirely crippled and those areas affected would be able to

recover in a rapid fashion. As James Lewis of CSIS notes, “If I were China and I were going to

invade Taiwan, and I needed to complete the conquest in seven days, then it’s an attractive

option to turn off all the electricity, screw up the banks, and so on. Could the entire U.S. grid be

taken down in such an attack? The honest answer is we don’t know. And I don’t like that.”101

The good thing is, China doesn’t know either. That ambiguity is enough to allow common

101 Derene.

deterrence methods to safeguard the prizes of warfare, which continue to remain in physical

space.

Conclusion

As previously argued, while in an isolated system Chinese cyber-capabilities could exact

significant damage on the digital architecture of the United States, victory through cyber-warfare

cannot exist without defined gains in Clausewitzian key terrain or without successfully shifting a

power-balance. As such, cyber-war, as defined by Chinese doctrine, must be conducted as a

support function in tandem with kinetic operations of some kind – it does not exist as a new

domain for-the-taking itself. Without follow-up, the cyber capabilities of the adversary will

quickly recover and the power balance, as existed previously, will be restored. To this end, for

cyber-war to be an appealing option to China, the PRC would have to be able to predict that the

advantages in this domain could translate into battle victory in the material realm. In other words,

cyber’s force-multiplier would have to disrupt traditional calculations of deterrence that keep it,

like every other nation, in check. As it currently stands, they do not. With its current capabilities,

the United States would be able to recover from a zero-day cyber-attack quickly enough to thwart

the stated Chinese goal of irreversibly crippling its opponents, and deploy forces (and nuclear

weapons) to physical fronts as needed. This calculus should be sufficient to prevent China from

desiring to launch a cyberwar with the intent of taking Taiwan (which remains well behind U.S.

kinetic red lines), much less in hopes of invading American sovereign territory. It should also be

noted that China itself lacks a structured cyber-defense strategy, leaving it very susceptible to

retaliatory measures that may already be in place.

The good news is, as cyber-policy becomes more organized, the threat of disruption to

deterrence architecture will diminish to an even greater extent and cyber-weaponry will settle in

sovereign arsenals. The White House’s newly released strategy for cyber, the first of its kind, is

sure to facilitate this process further by directing the United States to take a multilateral approach

to protection and establishing norms.102 Alliance structures will further decrease the disruption of

cyber-capabilities to traditional deterrence by amplifying possible retaliatory measures.

Technology advances will too. As former Deputy Secretary of Defense William Lynn III states,

102 The report in all its glory can be found here: <http://www.whitehouse.gov/sites/default/files/rss_viewer/international_strategy_for_cyberspace.pdf>. See page 21 specifically.

“If we can minimize the impact of attacks on our operations and attribute them quickly and

definitively, we may be able to change the decision calculus of an attacker.”103 (Pellerin).

This past year witnessed an increasingly sophisticated array of cyber-threats between the

likes of Shamoon, Flame, Duqu, and Gauss, but this need not mean that cyber warfare is looming

on the horizon. As Schneier and Hathaway note, the threat we’re facing is one of cyber-crime, and

is something detrimental to the economies and infrastructures of all nations in the digital age.104

As such, emphasis should be placed on setting up norms, establishing red lines, building

frameworks for collaboration and cooperation, and updating laws, not on increasingly

militarizing cyberspace.105

103 Cheryl Pellerin, “DoD Releases First Strategy for Operating in Cyberspace,” DoD Website, (14 July 2011), <http://www.defense.gov/news/newsarticle.aspx?id=64686> [accessed: 20 December 2011].

104 Schneier, “Threat of Cyberwar.”

105 Hathaway.

Bibliography:

Alan D. Campen, et al., Cyberwar: Security, Strategy, and Conflict in the Information Age, (Fairfax, VA: International Press, 1996).

Catherine Lotrionte, “Cyber Operations: Conflict Under International Law,” Georgetown Journal of International Affairs: International Engagement on Cyber 2012, (December 2012): 20-25.

Chris Strohm and Eric Engleman, “Cyber Attacks on U.S. Banks Expose Vulnerabilities,” BusinessWeek, (28 September 2012), <http://www.businessweek.com/news/2012-09-27/cyber-attacks-on-u-dot-s-dot-banks-expose-computer-vulnerability>[accessed: 20 December 2012].

Cyberstorm III: Final Report, Department of Homeland Security, (July 2011), <http://www.dhs.gov/sites/default/files/publications/nppd/CyberStorm%20III%20FINAL%20Report.pdf>.

Ben Buchanan, “The United States and Cyberwarfare Strategy” Institute for Law, Science, & Global Security, (November 2010).

Bruce Schneier, “Chinese Cyber Attacks: Myth or Menace,” (July 2008) <http://www.schneier.com/essay-227.html>[accessed 20 December 2012].

Bruce Schneier, “U.S. Enables Chinese Hacking of Google,” (23 January 2010) <http://www.schneier.com/essay-306.html>[accessed: 20 December 2012].

Capability of the People’s Republic of China to Conduct Cyber Warfare and Computer Network Exploitation, (report prepared for The US-China Economic and Security Review Commission by Northrop Grumman, McLean, VA: 9 October 2009). <http://www.dtic.mil/cgi-bin/GetTRDoc?Location=U2&doc=GetTRDoc.pdf&AD=ADA509000>

Col. Jayson M. Spade, “Information as Power, China’s Cyber Power and America’s National Security,” U.S. Army War College, (May 2012). <http://www.carlisle.army.mil/dime/documents/China's%20Cyber%20Power%20and%20America's%20National%20Security%20Web%20Version.pdf>

Cyberpower and National Security, edited by Franklin Kramer, Stuart Starr and Larry Wentz, (Dulles, VA: Potomac Books Inc. 2009).

David Nicol, “Hacking the Lights Out,” Scientific American, (July 2011): 70-75.

Edward G. Amoroso, Cyber Attacks, (Burlington, MA: Elsevier Inc., 2011).

Elisabeth Bumiller and Thom Shanker, “Panetta Warns of Dire Threat of U.S. Cyberattack,” New York Times, <http://www.nytimes.com/2012/10/12/world/panetta-warns-of-dire-threat-of-cyberattack.html?pagewanted=all&_r=0> [accessed 20 December 2012].

Glenn Derene, “How Vulnerable is U.S. Infrastructure to a Major Cyber Attack,” Popular Mechanics, (1 October 2009), <http://www.popularmechanics.com/technology/military/4307521>[accessed: 20 December 2012].

Gregory Rattray, Strategic Warfare in Cyberspace, (Cambridge, MA: MIT Press, 2001).

Herbert Lin, “Escalation Dynamics and Conflict Termination in Cyberspace,” Strategic Studies Quarterly, Vol., No. 3, (Fall 2012): 53.

“Hype and Fear,” The Economist, (8 December 2012), <http://www.economist.com/news/international/21567886-america-leading-way-developing-doctrines-cyber-warfare-other-countries-may> [20 December 2012].

Informatized Joint Operations, edited by Cao Zhengrong, Wu Runbo, Sun Jianjun, (Beijing, PRC: PLA Press, 2nd edition August 2008) at [partial translation by Open Source Center CPP20100828318001001: “PRC Book Excerpt: 'Informatized Joint Operations' on Blockade, Island Landing;” accessed 20 Nov. 2010].

Investigative Report on the U.S. National Security Issues Posed by Chinese Telecommunications Companies Huawei and ZTE (Washington DC: 112th Congress, 8 October 2012).

James Lewis, "Cyber Security Doctrine." E-mail interview. 17 Dec. 2012.

Jason Healey, “Cyber Legislation and White House Executive Orders,” New Atlanticist, (26 October 2012), <http://www.acus.org/new_atlanticist/cyber-legislation-and-white-house-executive-orders>[accessed: 20 December 2012].

Jason Healey, “Preparing for a Cyber 9/12,” The Atlantic Council, <http://www.acus.org/files/publication_pdfs/403/060112_ACUS_Cyber912.pdf>[accessed 20 December 2012].

Jason Healey, “The F-35’s Cyber Death Spiral?” The New Atlanticist, (29 March 2012), <http://www.acus.org/new_atlanticist/f-35s-cyber-death-spiral>[accessed: 20 December 2012].

Jayson Spade, “Information as Power: China’s Cyber Power and America’s National Security,” U.S. Army War College, (May 2012).

Jeffrey Carr, Inside Cyber Warfare, (Sebastopol, CA: O’Reilly Media Inc., 2012).

Jeffrey Carr, “Why the U.S. Will Lose a Cyber War,” The Diplomat, (10 August 2011), <http://thediplomat.com/flashpoints-blog/2011/08/10/why-us-will-lose-cyber-war/>[accessed: 20 December 2012].

John Mills, “The Key Terrain of Cyber,” Georgetown Journal of International Affairs: International Engagement on Cyber 2012, (December 2012): 99-109.

Justin Rohrlick, “Chinese Cyber Warfare: Has the U.S. Found its Smoking Gun?” Minyanville, (08 November 2012) <http://www.minyanville.com/sectors/technology/articles/china-cyber-warfare-report-cyber-attacks/11/8/2012/id/45654?page=full> [accessed 20 December 2012].

Kenneth Lieberthal and Peter W. Singer, “Cybersecurity and U.S.-China Relations,” Brookings, (February 2012), <http://www.brookings.edu/~/media/research/files/papers/2012/2/23%20cybersecurity%20china%20us%20singer%20lieberthal/0223_cybersecurity_china_us_lieberthal_singer_pdf_english.pdf> [accessed 20 December 2012].

Melissa Hathaway, “Creating the Demand Curve for Cybersecurity,” Georgetown Journal of International Affairs: International Engagement on Cyber, (December 2011): 163-170.

Michael Riley and Dune Lawrence. "Hackers Linked to China's Army Seen From EU to D.C." Bloomberg, 26 July 2012. Web. 22 Dec. 2012.

Mike McConnell, “Mike McConnell on how to win the cyber-war we're losing,” Washington Post, (28 February 2010), http://www.cyberdialogue.ca/wp-content/uploads/2011/03/Mike-McConnell-How-to-Win-the-Cyberwar-Were-Losing.pdf

Military and Security Developments Involving the People’s Republic of China 2011, A Report to Congress, Department of Defense (2011), <http://www.defense.gov/pubs/pdfs/2011_cmpr_final.pdf>

Nathan Thornburgh, “The Invasion of the Chinese Cyberspies,” Time Magazine, (29 August 2005) <http://www.time.com/time/magazine/article/0,9171,1098961-1,00.html> [accessed 20 December 2012].

National Cyber Incident Response Plan, Department of Homeland Security, (September 2010), <http://www.federalnewsradio.com/pdfs/NCIRP_Interim_Version_September_2010.pdf>.

Peng Guangqian and Yao Youzhi, The Science of Military Strategy, ISBN 9787801378927, (2005).

Richard Adhikari, “In Google Attack Aftermath, Operation Aurora Keeps on Hacking,” Tech News World, (08 September 2012), <http://www.technewsworld.com/story/76109.html>[accessed: 20 December 2012].

Richard A. Clarke, Cyberwar, The Next Threat to National Security and What to Do About It, (New York, NY: HarperCollins Publishers, 2010).

Richard Clarke, “War From Cyberspace,” The National Interest, Nov/Dec 2009. <http://web.clas.ufl.edu/users/zselden/coursereading2011/Clarkecyber.pdf>

Richard Lardner, “Draft order would give companies cyberthreat info,” Huffington Post, (20 October 2012), <http://www.huffingtonpost.com/huff-wires/20121020/us-cybersecurity-order/> [accessed: 20 December 2012].

Richard Norton-Taylor, “Titan Rain – how Chinese hackers targeted Whitehall,” The Guardian, (4 September 2007) <http://www.guardian.co.uk/technology/2007/sep/04/news.internet> [accessed 20 December 2012].

Susan W. Brenner, Cyberthreats: The Emerging Fault Lines of the Nation State, (Oxford, NY: Oxford University Press, 2009).

Technology, Policy, Law and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities, edited by William A. Owens et al. (Washington, DC: The National Academies Press, 2009)

“USCC 2012 Annual Report,” 41 (report for the U.S.-China Economic and Security Review Commission; Washington, D.C., November 2012).

U.S. Cyber Command: Organizing for Cyberspace Operations, (H.A.S.C. No. 111–179; Washington, DC: 111th Congress, Second Session, House Committee on Armed Services, 23 September, 2010). <http://www.gpo.gov/fdsys/pkg/CHRG-111hhrg62397/pdf/CHRG-111hhrg62397.pdf>

William F. Lynn III, “Defending a New Domain - The Pentagon's Cyberstrategy,” Foreign Affairs vol. 89, No. 5 (September/October 2010): pp. 97-108

2012 Report to Congress of the U.S.-China Economic and Security Review Commission: (Washington DC: 112th Congress, 2nd Session, November 2012): 161-162.