Cyber Weapons Gap: What do We Really Know about China’s Cyber Capabilities?
The journalist, Joseph Alsop, was not mincing words in his syndicated column on August 1, 1958: “The Eisenhower Administration is guilty of gross untruth concerning the national defense of the U.S.” The reason behind this vitriol was the now infamous (and fictional) missile gap—a presumed strategic advantage for the Soviet Union over the United States in bombers and nuclear missiles—that Alsop believed was factual.
When Ike read the paper he supposedly threw it across the room. The president knew the gap was fictional due to top-secret U-2 spy flights over the Soviet Union, but he could not inform the public about the nonexistent missile gap due to the top-secret nature of the flights. Alsop had received incomplete intelligence from the Air Force and a couple of US senators. For years the fear of a missile gap poisoned the discourse about Soviet capabilities and led to an increase in military spending under the Kennedy administration.
Today, we are in danger of falling into a “cyber weapons gap”—exaggerating the capabilities of the Chinese People’s Liberation Army—when it comes to waging cyber war. Halting just short of an Alsop indictment, the press and various national security experts have sensationalized the technology developments of the PLA and the exploits of Chinese hackers. Fear of a cyber “Pearl Harbor” against critical US information infrastructure is exaggerated. While some of the danger of cyber espionage from China is real, doomsday scenarios distort the true nature of the threat.
One reason is that there has been little clarity in public debates about the true impact of cyber war: How much damage would it really inflict? The simple truth is that much of the debate surrounding the PLA’s cyber war capabilities is mere speculation based on evidence of its undoubted success in cyber espionage. Yet the capabilities needed for cyber spying compared with those needed for cyber operations with strategic military impact are very different. High school hackers can chance upon a breach, but a fully mobilized and prepared cyber force, supported by advanced intelligence methods and human intelligence activity, is needed for cyber operations in a theater of war.
Actual strategic vulnerabilities create a context for speculative jitters. A report prepared for the US-China Economic and Security Review Commission from March 2012 is careful in outlining consequences of cyber war with China: “The majority of the clearance and settlement infrastructure has become concentrated in the U.S. over the past three decades, potentially magnifying the international effects of an attack against U.S.-based financial systems.” Or, “CNE tools with BIOS destruct payloads….could create catastrophic hardware failures in key networks.” Or: “BIOS destruct tools pre-placed via network reconnaissance and exploitation efforts….might be activated to destroy the circuit board…” It seems every objective report on Chinese cyber war capabilities is marked by conjecture and cyber angst, as it is virtually impossible (unlike with nuclear war) to assess the true impact of cyber war without actual attacks being launched.
This has not stopped certain commentators from raising Cassandra warnings about the threat originating from cyberspace and China: “There’s almost universal agreement that the U.S. faces a catastrophic threat from cyber attacks by terrorists, hackers and spies.” Such sweeping claims are unsupported by convincing evidence and rely mostly on the hyperbole of fear-mongering officials. However, while we cannot know the entire Chinese cyber weapons arsenal or its precise capabilities, we can draw some broad conclusions from external variables to determine China’s capabilities and intentions in cyberspace. In short, they appear to be limited and conventional.
First, China never issued a formal cyber warfare strategy document. At the 16th Party Congress in 2002, then General Secretary Jiang Zemin announced that the PLA’s future mission will be to persevere in “local wars under informationized conditions” by 2050. This strategic guidance set in motion a timetable of modernization with the end result of a total “informatization” of the PLA by 2050. Single-service stovepipes and the low level of military IT applications in the PLA will remain hard challenges to overcome in meeting the outlined objective for at least a decade, and consequently severely limit the capabilities for large-scale offensive operations in cyberspace.
Second, China is mostly preparing for a local war with very specific objectives in the Taiwan region—not a “cyber Armageddon.” Chinese military writing singles out U.S. logistics, command and control, as well as C4ISR (Command, Control, Communications, Computers, Intelligence, Surveillance and Reconnaissance) systems as centers of gravity to target in a future conflict over Taiwan (the only presumptive casus belli between the two countries). Consequently, China will especially target systems of United States Pacific Command and United States Transportation Command rather than the entire U.S. critical information infrastructure.
Third, as my colleague Greg Austin pointed out, severe weaknesses persist in China’s cyber warfare capabilities. Despite intensifying attempts to improve expertise, Chinese technology institutes and universities still cannot compete with the United States in the highly specialized areas that support cyber warfare. (On a micro level, Chinese specialists can compete with their Western analogs, but postgraduate training for military personnel in cyber-related spheres is not as good as in the United States. The PLA also has other competing military priorities, such as mechanization of the army, modernizing the air force and deploying a more robust navy.) Most importantly, the private sector capacity in China—the true center of gravity in any cyber conflict—is inferior to the US private sector’s capacity to support cyber war operations because of a lack of coordination. As Jimmy Goodrich pointed out: “US-China engagement must take into account China’s fractured cybersecurity space.”
Last, as the report “Occupying the Information Ground: Chinese Capabilities for Computer Network Operations and Cyber Espionage” points out: “Media and industry reports portray some of the incidents attributed to China as advanced but the reality is that many successful penetrations are ‘advanced’ only because the targeted organization was unable to stop them or detect the presence of the operators on their networks.” News about Chinese hackers penetrating US networks should not be seen as testimony of a flaccid United States cyber security. Those responsible are trying to pass the buck. It is not a testimony to Chinese superiority in the field, but merely underlines the fact that cyber defense may be at a disadvantage vis-à-vis offensive cyber operations.
To conclude, the first lesson from the Alsop-missile gap analogy is to acknowledge that every debate on national security issues is incomplete without access to a wide array of classified information from the intelligence community. More importantly, however, the major lesson to be drawn from this neo-missile gap is to rely on CSA (common sense analysis). Good security policy analysts can draw more accurate conclusions from various external factors as outlined above. In December 1962, during budget discussions with the president, then Secretary of Defense Robert McNamara stated that the missile gap was created by “emotionally guided but nonetheless patriotic individuals in the Pentagon.” Lest we fall for similarly guided emotional appeals to national honor, we need more common sense analysis of a greater store of relevant facts to realistically assess China’s cyber warfare capabilities.