The practical lesson was to not point a camera toward uniformed groups of soldiers or police. The broader hint I took was to be more careful when asking about or discussing military matters than when asking about most other aspects of modern China’s development. I did keep asking people in China—carefully—about the potential military and strategic implications of their country’s growing strength. Ever since the collapse of the Soviet Union and consequent disappearance of the U.S. military’s one superpower rival, Western defense strategists have speculated about China’s emergence as the next great military threat. (In 2005, this magazine published Robert Kaplan’s cover story “How We Would Fight China,” about such a possibility. Many of the international-affairs experts I interviewed in China were familiar with that story. I often had to explain that “would” did not mean “will” in the article’s headline.)

The cynical view of warnings about a mounting Chinese threat is that they are largely Pentagon budget-building ploys: if the U.S. military is “only” going to fight insurgents and terrorists in the future, it doesn’t really need the next generation of expensive fighter planes or attack submarines. Powerful evidence for this view—apart from familiarity with Pentagon budget debates over the years—is that many of the neoconservative thinkers who since 9/11 have concentrated on threats from Iraq, Afghanistan, and Iran were before that time writing worriedly about China. The most powerful counterargument is that China’s rise is so consequential and unprecedented in scale that it would be naive not to expect military ramifications. My instincts lie with the skeptical camp: as I’ve often written through the past three years, China has many more problems than most Americans can imagine, and its power is much less impressive up close. But on my return to America, I asked a variety of military, governmental, business, and academic officials about how the situation looks from their perspective. In most ways, their judgment was reassuringly soothing; unfortunately, it left me with a new problem to worry about.

Without meaning to sound flip, I think the strictly military aspects of U.S.-China relations appear to be something Americans can rest easy about for a long time to come. Hypercautious warnings to the contrary keep cropping up, especially in the annual reports on China’s strategic power produced since 2000 by the Pentagon each spring and by the U.S.-China Economic and Security Review Commission each fall. Yet when examined in detail, even these show the limits of the Chinese threat. To summarize:

• In overall spending, the United States puts between five and 10 times as much money into the military per year as China does, depending on different estimates of China’s budget. Spending does not equal effectiveness, but it suggests the difference in scale.

• In sophistication of equipment, Chinese forces are only now beginning to be brought up to speed. For instance, just one-quarter of its naval surface fleet is considered “modern” in electronics, engines, and weaponry.

• In certain categories of weaponry, the Chinese don’t even compete. For instance, the U.S. Navy has 11 nuclear-powered aircraft-carrier battle groups. The Chinese navy is only now moving toward construction of its very first carrier.

• In the unglamorous but crucial components of military effectiveness—logistics, training, readiness, evolving doctrine—the difference between Chinese and American standards is not a gap but a chasm. After a natural disaster anywhere in the world, the American military’s vast airlift and sealift capacity often brings rescue supplies. The Chinese military took days to reach survivors after the devastating Sichuan earthquake in May of 2008, because it has so few helicopters and emergency vehicles.

• For better and worse, in modern times, American forces are continually in combat somewhere in the world. This has its drawbacks, but it means that U.S. leaders, tactics, and doctrine are constantly refined by the realities of warfare. In contrast, vanishingly few members of the People’s Liberation Army have any combat experience whatsoever. The PLA’s last major engagement was during its border war with Vietnam in February and March of 1979, when somewhere between 7,000 of its soldiers (Chinese estimate) and 25,000 (foreign estimates) were killed within four weeks.

Beyond all this is a difference of military culture rarely included in American discussions of the Chinese threat—and surprising to those unfamiliar with the way China’s Communist government chose to fund its army. The post-Vietnam American military has been fanatically devoted to creating a “warrior” culture of military professionalism. The great struggle of the modern PLA has been containing the crony-capitalist culture that comes from its unashamed history of involvement in business. Especially under Deng Xiaoping, the Chinese military owned and operated factories, hotels and office buildings, shipping and trucking companies, and other businesses both legitimate and shady. In the late 1990s President Jiang Zemin led a major effort to peel the PLA’s military functions away from its business dealings, but by all accounts, corruption remains a major challenge in the Chinese military, rather than the episodic problem it is for most Western forces. One example: at a small airport in the center of the country, an airport manager told me about his regular schedule of hong bao deliveries—“red envelopes,” or discreet cash payoffs—to local air-force officers, to ensure airline passage through the sector of airspace they controlled. (Most U.S. airspace is controlled by the Federal Aviation Administration; nearly all of China’s, by the military.) A larger example is the widespread assumption that military officials control the vast Chinese traffic in pirated movie DVDs.

The Chinese military’s main and unconcealed ambition is to someday be strong enough to take Taiwan by force if it had to. But the details of the balance of power between mainland and Taiwanese forces, across the Straits of Taiwan, have been minutely scrutinized by all parties for decades, and shifts will not happen by surprise. The annual reports from the Pentagon and the Security Review Commission lay out other possible scenarios for conflict, but in my experience it is rare to hear U.S. military or diplomatic officials talk about war with China as a plausible threat. “My view is that the political leadership is principally focused on creating new jobs inside the country,” I was told by retired Admiral Mike McConnell, a former head of the National Security Agency and the director of national intelligence under George W. Bush. Another former U.S. official put it this way: “We tend to think of everything about China as being multiplied by 1.3 billion. The Chinese leadership has to think of everything as being divided by 1.3 billion”—jobs, houses, land. Russell Leigh Moses, who has lived in China for years and lectures at programs to train Chinese officials, notes that the Chinese military, like its counterparts everywhere, is “determined not to be neglected.” But “so many problems occupy the military itself—including learning how to play the political game—that there is no consensus to take on the U.S.”

Yes, circumstances could change, and someday there could be a consensus to “take on the U.S.” But the more you hear about the details, the harder it is to worry seriously about that now. So why should we worry? After conducting this round of interviews, I now lose sleep over something I’d generally ignored: the possibility of a “cyberwar” that could involve attacks from China—but, alarmingly, could also be launched by any number of other states and organizations.

The cyber threat is the idea that organizations or individuals may be spying on, tampering with, or preparing to inflict damage on America’s electronic networks. Google’s recent announcement of widespread spying “originating from China” brought attention to a problem many experts say is sure to grow. China has hundreds of millions of Internet users, mostly young. In any culture, this would mean a large hacker population; in China, where tight control and near chaos often coexist, it means an Internet with plenty of potential outlaws and with carefully directed government efforts, too. In a report for the U.S.-China Economic and Security Review Commission late last year, Northrop Grumman prepared a time line of electronic intrusions and disruptions coming from sites inside China since 1999. In most cases it was impossible to tell whether the activity was amateur or government-planned, the report said. But whatever their source, the disruptions were a problem. And in some instances, the “depth of resources” and the “extremely focused targeting of defense engineering data, US military operational information, and China-related policy information” suggested an effort that would be “difficult at best without some type of state-sponsorship.”

The authorities I spoke with pooh-poohed as urban myth the idea that an electronic assault was behind the power failures that rippled from the Midwest to the East Coast in August of 2003. By all accounts, this was a cascading series of mechanical and human errors. But after asking corporate and government officials what worried them, I learned several unsettling things I hadn’t known before.

First, nearly everyone in the business believes that we are living in, yes, a pre-9/11 era when it comes to the security and resilience of electronic information systems. Something very big—bigger than the Google-China case—is likely to go wrong, they said, and once it does, everyone will ask how we could have been so complacent for so long. Electronic-commerce systems are already in a constant war against online fraud. “The real skill to running a successful restaurant has relatively little to do with producing delicious food and a lot to do with cost and revenue management,” an official of an Internet commerce company told me, asking not to be named. “Similarly, the real business behind PayPal, Google Checkout, and other such Internet payment systems is fraud and risk management,” since the surge of attempted electronic theft is comparable to the surge of spam through e-mail networks.

At a dinner in Washington late last year, I listened to two dozen cyber-security experts compare tales of near-miss disasters. The consensus was that only a large-scale public breakdown would attract political attention to the problem, and that such a breakdown would occur. “Cyber crime is not conducted by some 15-year-old kids experimenting with viruses,” Eugene Spafford, a computer scientist at Purdue, who is one of the world’s leading cyber-security figures (and was at the dinner), told me later via e-mail.

It is well-funded and pursued by mature individuals and groups of professionals with deep financial and technical resources, often with local government (or other countries’) toleration if not support. It is already responsible for billions of dollars a year in losses, and it is growing and becoming more capable. We have largely ignored it, and building our military capabilities is not responding to that threat.

With financial, medical, legal, intellectual, logistic, and every other sort of information increasingly living in “the cloud,” the consequences of collapse or disruption are unpleasant to contemplate. A forthcoming novel, Directive 51, by John Barnes, does indeed contemplate them, much as in the 1950s Nevil Shute imagined the world after nuclear war in On the Beach. Barnes’s view of the collapse of financial life (after all, our “assets” consist mostly of notations in banks’ computer systems), the halt of most manufacturing systems, the evaporation of the technical knowledge that now exists mainly in the cloud, and other consequences is so alarming that the book could draw attention in a way no official report can.

Next, the authorities stressed that Chinese organizations and individuals were a serious source of electronic threats—but far from the only one, or perhaps even the main one. You could take this as good news about U.S.-China relations, but it was usually meant as bad news about the problem as a whole. “The Chinese would be in the top three, maybe the top two, leading problems in cyberspace,” James Lewis, a former diplomat who worked on security and intelligence issues and is now at the Center for Strategic and International Studies, in Washington, told me. “They’re not close to being the primary problem, and there is debate about whether they’re even number two.” Number one in his analysis is Russia, through a combination of state, organized-criminal, and unorganized-individual activity. Number two is Israel—and there are more on the list. “The French are notorious for looking for economic advantage through their intelligence system,” I was told by Ed Giorgio, who has served as the chief code maker and chief code breaker for the National Security Agency. “The Israelis are notorious for looking for political advantage. We have seen Brazil emerge as a source of financial crime, to join Russia, which is guilty of all of the above.” Interestingly, no one suggested that international terrorist groups—as opposed to governments, corporations, or “normal” criminals—are making significant use of electronic networks to inflict damage on Western targets, although some groups rely on the Internet for recruitment, organization, and propagandizing.

This led to another, more surprising theme: that the main damage done to date through cyberwar has involved not theft of military secrets nor acts of electronic sabotage but rather business-versus-business spying. Some military secrets have indeed leaked out, the most consequential probably being those that would help the Chinese navy develop a modern submarine fleet. And many people said that if the United States someday ended up at war against China—or Russia, or some other country—then each side would certainly use electronic tools to attack the other’s military and perhaps its civilian infrastructure. But short of outright war, the main losses have come through economic espionage. “You could think of it as taking a shortcut on the ‘D’ of R&D,” research and development, one former government official said. “When you create a new product, a competitor can cherry-pick the good parts and introduce a competitive product much more rapidly than he could otherwise.” Another technology expert, who serves on government advisory boards, told me, when referring to the steady loss of technological advantage, “We should not forget that it was China where ‘death by a thousand cuts’ originated.” I heard of instances of Western corporate officials who arrived for negotiations in China and realized too late that their briefing books and internal numbers were already known by the other side. (In the same vein: I asked security officials whether the laptops and BlackBerry I had used while living in China would have been bugged in some way while I was there. The answers were variations on “Of course,” with the “you idiot” left unsaid.)

The final theme was that even though these cyber concerns are not confined to China, the Chinese aspects do deserve consideration on their own, because China’s scale, speed of growth, and complex relationship with the United States make it a unique case. Hackers in Russia or Israel might be more skillful one by one, but with its huge population China simply has more of them. The French might be more aggressive in searching for corporate secrets, but their military need not simultaneously consider how to stop the Seventh Fleet. According to Mike McConnell, everything about China’s military planning changed after its leaders saw the results of U.S. precision weapons in the first Gulf War. “They were shocked,” he told me. “They had no idea warfare had progressed to that point, and they went on a crash course to take away our advantage.” This meant both building their own information systems—thus China’s aspiration to create a Beidou (the Chinese name for the Big Dipper) system of satellites comparable to America’s GPS—and being prepared in time of war to “attack what they see as our soft underbelly, our military’s dependence on networking,” as McConnell put it, noting the vast emerging PLA literature on defending and attacking data networks.

Ed Giorgio, formerly of the NSA, has prepared charts showing the points of “asymmetric advantage” China might have over the long run in such competition. Point nine on his 12-point chart: “They know us much better than we know them (virtually every one of their combatants reads English and virtually none of ours read Mandarin. This, in itself, will surely precipitate a massive intelligence failure).” But James Lewis, of CSIS, pointed out an “asymmetric handicap”: “For all the effort the Chinese put into cyber competition, external efforts”—against a potential foe like the United States—“are second priority. The primary priority is domestic control and regime survival. The external part is a side benefit.” For many other reasons, the China-cyber question will, like the China-finance and China-environment and China-human-rights questions, demand special attention and work.

The implications of electronic insecurity will be with us in the long run, among the other enduring headaches of the modern age. The “solution” to them is like the solution to coping with China’s rise: something that will unfold over the years and require constant attention, adjustments, and innovations. “Cyber security is a process, not a patch,” Eugene Spafford said. “We must continue to invest in it—and for the long term as well as the ‘quick fix,’ because otherwise we will always be applying fixes too late.”

No doubt because I’ve been so preoccupied for so long with the implications of China’s growth, I thought I heard a familiar note in the recommendations that many of the cyber-security experts offered. The similarity lies in their emphasis on openness, transparency, and international contact as the basis of a successful policy.

In overall U.S. dealings with China, it matters tremendously that so many Chinese organizations are led or influenced by people who have spent time in America or with Americans. Today’s financial, academic, and business elite in China is deeply familiar with the United States, many of its members having studied or worked here. They may disagree on points of policy—for instance, about trade legislation—but they operate within a similar set of concepts and facts. This is less true of China’s political leaders, and much less true of its military—with a consequently much greater risk of serious misunderstanding and error. The tensest moment in modern China’s security relationship with the outside world came in January of 2007, when its missile command shot one of its own weather satellites out of the sky, presumably to show the world that it had developed anti-satellite weaponry. The detonation filled satellite orbits with dangerous debris; worse, it seemed to signal an unprovoked new step in militarizing space. By all accounts, President Hu Jintao okayed this before it occurred; but no one in China’s foreign ministry appeared to have advance word, and for days diplomats sat silent in the face of worldwide protests. The PLA had not foreseen the international uproar it would provoke—or just didn’t care.

Precisely in hopes of building familiarity like that in the business world, the U.S. Navy has since the 1980s taken the lead in military-to-military exchanges with the PLA. “I think both sides are trying to figure out what kind of a military-to-military relationship is feasible and proper,” David Finkelstein, of the Center for Naval Analyses, in suburban Washington, D.C., told me. “We have two militaries that, in some circumstances, see each other as possible adversaries. At the same time, at the level of grand strategy, the two nations are trying to accommodate each other. There is a major chasm, but both sides are working hard to bridge it.” Such exposure obviously doesn’t eliminate the real differences of national interest between the two countries, but I believe it makes outright conflict less likely.

A similar high-road logic seems to lie behind recommendations for cyber security in general, and for dealing with the Chinese cyber threat in particular. The NSA, which McConnell directed and where Giorgio worked, is renowned for its secrecy. But both men, along with others, now argue that to defend information networks, the U.S. should talk openly about risks and insecurities—and engage the Chinese government and military in an effort to contain the problem.

As a matter of domestic U.S. politics, McConnell argues that we now suffer from a conspiracy of secrecy about the scale of cyber risks. No credit-card company wants to admit how often or how easily it is cheated. No bank or investment house wants to admit how close it has come to being electronically robbed. As a result, the changes in law, regulation, concept, or habit that could make online life safer don’t get discussed. Sooner or later, the cyber equivalent of 9/11 will occur—and, if the real 9/11 is a model, we will understandably, but destructively, overreact.

While trying to build bridges to the military, McConnell and others recommend that the U.S. work with China on international efforts to secure data networks, comparable to the Chinese role in dealing with the world financial crisis. “You could have the model of the International Civil Aviation Organization,” James Lewis said, “a body that can reduce risks for everyone by imposing common standards. It’s moving from the Wild West to the rule of law.” Why would the Chinese government want to join such an effort? McConnell’s answer was that an ever-richer China will soon have as clear a stake in secure data networks as it did in safe air travel.

We’re naturally skeptical of abstractions like “cooperation” or “greater openness” as the solutions to tough-guy, real-world problems. But in making the best of a world that will inevitably be changed by increasing Chinese power and increasing electronic threats from many directions, those principles may offer the right, realistic place to start.

The URL for this page is http://www.theatlantic.com/doc/201003/china-cyber-war

“History teaches us that the character of each individual war is always different and most certainly will change, but the enduring nature of war as a human endeavor will remain largely unchanged.”

—General James N. Mattis

The United States Army War College in partnership with The SecDev Group conducted a workshop examining cyberspace operations from the warfighter’s perspective. The workshop was held 26–28 January 2010 at the Collins Center for Strategic Leadership, U.S. Army War College, Carlisle Barracks, Pennsylvania.

BACKGROUND
The U.S. Department of Defense defines cyberspace operations as “the employment of cyber capabilities where the primary purpose is to achieve military objectives or effects in or through cyberspace.” Cyberspace emerged as a national level concern through several recent events of geo-strategic significance. Estonian infrastructure was attacked in the spring of 2007 allegedly by Russian hackers. In August 2008, Russia allegedly again conducted cyber attacks this time in a coordinated and synchronized kinetic and non-kinetic campaign against Georgia. It is plausible that this may become the norm in future warfare among those nation-states having the capabilities to conduct such complex excursions. Much has been written about the issues of cyberspace at the national strategic level: lack of attribution; applicability to the law of armed conflict and international treaties; determination of criminality vice act of war. But
the body of knowledge does not inform us about how this concept of cyberspace operations impacts and will be adapted by warfighting commanders in the contemporary and future operational environment. The workshop seeks to examine this issue and use the Georgia-Russia case study to draw lessons to apply to current and future warfare.

The workshop will center on three themes. The first theme considers the strategic frame from the perspective of defining cyberspace as a domain of military operations including a consideration of what defines “maneuver” in cyberspace. The second will consider situational understanding in terms of how cyberspace operations fit within the warfighting commander’s mission set across the full spectrum of conflict. It will specifically consider how to gain
situational understanding as input to planning and executing joint operations. The final theme considers cyberspace “fires,” that is the toolset such as authorities and rules of engagement that determine strategic utility and tactical applicability.

OVERALL WORKSHOP OBJECTIVE

The objective of the workshop is to examine the strategic utility of cyberspace operations in the existing contemporary and future operational environment from the perspective of the warfighter.

WORKSHOP DESIGN

The workshop will bring together an international audience of military, national security community and intelligence community leaders as well as experts from academia. It will be conducted over the course of three days and will begin with a plenary session and a dinner and keynote speech to set the stage for the subsequent presentations and discussions.

Day two will include additional plenary presentations to establish a foundation of understanding followed by breakout groups which will address the key issues involved in order to satisfy workshop objectives. Day three will be devoted to briefing the recommendations, observations and insights gained from the breakout groups to the plenary group.

PROPOSED PLENARY SESSION AND BREAKOUT GROUP TOPICS

The plenary sessions will define and analyze the scope, nature and impact of cyberspace operations employed in conjunction with other actions by parties to the conflict during the Georgia-Russia conflict of 2008. Specifically, these sessions will seek to better understand the assumptions, intent, and the strategic frame (or lack thereof) employed by military actors in the conflict. The plenary also provides an opportunity to debate a key question: has the recognition of cyberspace operations as a capability within a new warfighting domain changed the nature of warfare…or is it more simply another capability to be integrated into an age-old system and process of planning and execution?

Breakout groups look to draw lessons from the case study for application to current and future conflict. Three groups will consider: operating in a constrained cyberspace domain; integrating cyberspace operations into the overarching campaign plan across the spectrum of conflict; and, achieving situational understanding to enable effective cyberspace operations.

WORKSHOP DELIVERABLES

A report reviewing the key issues, discussions, findings and recommendations of the workshop will published by the Center for Strategic Leadership and The SecDev Group.

CONTACT INFORMATION
For additional information regarding this event please contact Professor Dennis Murphy at 717-245-3937, or Mr. Jerry Johnson at 717-245-3392. Email: dennis.murphy@us.army.mil or jerry.dwayne.johnson@us.army.mil

“Some unknown foreign power … broke into the Department of defence, to the Department of State, the Department of Commerce, probably the Department of Energy, probably Nasa. They broke into all of the high tech agencies, all of the military agencies and downloaded terabytes of information,” said Lewis.

This isn’t just America’s pulp fiction tale either. Russia allegedly swarmed the computers of most major facets of Estonian life in 2007, hitting banks, newspapers, broadcasters, telephones and Parliament, allegedly in anger over Estonia’s plans to relocate a bronze soldier.

It is still disputed whether Brazil, a nation with reputedly the highest number of cyber criminals in the world, was hit with a cyber attack that blacked out the electrical grid north of Rio in 2005 and 2007. A bigger blackout this November plunged half the nation into darkness.

This past year University of Toronto researchers were called in to help the Dalai Lama’s infiltrated network. They uncovered what has now been dubbed GhostNet, a huge spy network based in China that has infiltrated embassies, foreign ministries and media in 103 countries. The malware even has the ability to turn on a computer’s camera and microphone to record a user’s conversations in the room.

Indeed, in a survey done at this year’s World Economic Forum by McAfee, 54 per cent of IT security executives report their systems had already been attacked, almost two-thirds of them believe by foreign governments. Power and fuel companies were hit hardest.

Who do they believe are the two most likely threats? The United States [36 per cent] and China [33 per cent].

But it was last month’s Operation Aurora that I believe will go down in the history books as the day our airy information age crashed headlong into the real-world political arena.

You might know Operation Aurora more familiarly as the breach that triggered Google to threaten to pull out of China. Google found its servers being used to target Chinese dissidents and 34 US companies, from Adobe to Dow Chemical.

Why should this story be any different from any of the others that have come before?

Simply put, how it was played. Not only did we find out about this attack quickly, but Google and the US Government gave it to us on a plate, standing like twin countries on the world stage.

Hillary Clinton shook her finger directly at China. Instead of hiding the breach for years until consumers could hear it was safely fixed, one of the world’s most powerful corporations very publicly used the attack to try to leverage another nation’s international policy.

While US reports mused over lost market share, Ernest J. Wilson, Dean of the Annenberg School for Communication and Journalism wrote in the Huffington Post, “They ignored what may be the biggest really important story, which is Google’s impact on the future of US international relations in the coming decades.”

Governments spent the last century fighting to defend the open dissemination of the building blocks of our industrial age, from steel to cars. While we were distracted with talk of terrorism at the turn of this new millennium, the first significant battles of the information age were raging when we weren’t looking.

Google’s spin that this is about human rights is a red herring. This is about the age-old battle for access to open markets. The difference today is that nearly the entire value of Google’s product is the free worldwide access itself.

In a game of chicken, Google is playing as if they were any other nation state. I’ll face-shame you to every potential foreign investor if you don’t play by our rules, Google has threatened.

The irony is that China is rightly making the exact same argument but with real, not virtual, muscle to back it up. Google’s timing couldn’t be worse.

This week China is now spitting tacks at the news of America’s sale of arms to Taiwan. That won’t bode well for the Chinese seeing Google as a pawn, not a player.

I believe Google will lose this battle, and badly. The bigger question is who will be the new political players in a new world order that will, by necessity, fight for control of what is now the world’s most valuable currency – information.

www.traceybarnett.co.nz

The Joint Chiefs of Staff want the ability to destroy an enemy’s computer network “so badly that it cannot perform any function,” according to the handbook on what the Pentagon calls “Information Operations.” The U.S. military wants to keep foes “from accessing and using critical information, systems and services” and to spoof adversaries “by manipulating their perception of reality.” Just how such wizardry is to be accomplished is contained in a classified supplement. But hints can be gleaned in a trickle of contracts and budget documents, larded with geek-speak, that have begun seeping onto the public record. (See pictures of technological advances in the military.)

The Air Force wants the ability to burrow into any computer system anywhere in the world “completely undetected.” It wants to slip computer code into a potential foe’s computer and let it sit there for years, “maintaining a ‘low and slow’ gathering paradigm” to thwart detection. Clandestinely exploring such networks, the Dominant Cyber Offensive Engagement program’s goal is to “stealthily exfiltrate information” in hopes it might “discover information with previously unknown existence.” The U.S. cyberwarriors’ goal: “complete functional capabilities” of an enemy’s computer network — from U.S. military keyboards. The Army is developing “techniques that capture and identify data traversing enemy networks for the purpose of Information Operations or otherwise countering adversary communications.” And the Navy is developing “a non-lethal, non-attributable system designed to offer non-kinetic offensive information operation solutions,” according to Pentagon budget documents. (See how cyberwar was envisioned in 1995.)

Yet concepts that have regulated war forever, such as deterrence and attribution, are slippery or missing in cyberspace. National boundaries don’t exist, making moot the question of sovereignty. Asymmetries abound: defenders must defend everything, all the time, while an attacker can prevail by exploiting a single vulnerability. Tracking down the source of cybersabotage, routed like a skipping stone through a series of innocent servers, can be all but impossible. Are the attackers curious teenagers, criminal gangs, a foreign power — or, more likely, a criminal gang sponsored by a foreign power? Deterrence becomes meaningless when the identity of an attacker is unknown. (See an invasion of Chinese cyberspies.)

“We’re in the stage before warfare,” cyberwarfare expert James Lewis told a Washington audience on Jan. 27. “We’re in the stages of people poking around.” Lewis, with the Center for Strategic and International Studies (CSIS), said cyberdefenses are inadequate. “Unless we find a way to use offensive capabilities as part of a deterrence or strategic defense,” he said, “we will be unable to defeat these opponents.” CSIS also released last week a survey of cybersecurity experts from around the world who “rank the U.S. as the country ‘of greatest concern’ in the context of foreign cyberattacks, just ahead of China.”

It’s the instantaneous nature of cyberattacks that has rendered defenses against them obsolete. Once an enemy finds a chink in U.S. cyberarmor and opts to exploit it, it will be too late for the U.S. to play defense (it takes 300 milliseconds for a keystroke to travel halfway around the world). Far better to be on the prowl for cybertrouble and — with a few keystrokes or by activating secret codes long ago secreted in a prospective foe’s computer system — thwart any attack. Cyberdefense “never works” by itself, says the senior Pentagon officer. “There has to be an element of offense to have a credible defense.”

Such cyberbattles are already happening in miniature. In Afghanistan and Iraq, U.S. cyberwarriors are hard at work denying enemy commanders the ability to direct their forces, the senior Pentagon officer says. “I shut it down, take away your electricity, take away the radio, infect your phone,” he explains. “Now you don’t know where I’m coming from, or if you do, you can’t tell the rest of your force what’s going on.” More insidiously, the U.S. can doctor the information the foe gets. “I can alter the messages coming across,” he says.

But there is mounting concern that U.S. offensive capability in cyberspace is growing too fast and too secretly. “I have no doubt we’re doing some very profoundly sophisticated things on the attack side,” says William Owens, a retired Navy admiral and cyberwar expert who led a federal study on U.S. offensive cyberwarfare last year. “But that is little realized by many people in Congress or the Administration.” That study, by the National Research Council, concluded that “the U.S. armed forces are actively preparing to engage in cyberattacks, and may have done so in the past.” But it added that a lack of public debate has led to “ill-formed, undeveloped and highly uncertain” policies regarding its use, which could lead the U.S. to stumble inadvertently into a cyberwar.

* Find this article at:
* http://www.time.com/time/nation/article/0,8599,1957679,00.html

Future state-on-state conflict, as well as conflicts involving non-state actors such as al-Qaida, would increasingly be characterised by reliance on asymmetric warfare techniques, chiefly cyber-warfare, Chipman said. Hostile governments could hide behind rapidly advancing technology to launch attacks undetected. And unlike conventional and nuclear arms, there were no agreed international controls on the use of cyber weapons.

“Cyber-warfare [may be used] to disable a country’s infrastructure, meddle with the integrity of another country’s internal military data, try to confuse its financial transactions or to accomplish any number of other possibly crippling aims,” he said. Yet governments and national defence establishments at present have only limited ability to tell when they were under attack, by whom, and how they might respond.

Cyber-warfare typically involves the use of illegal exploitation methods on the internet, corruption or disruption of computer networks and software, hacking, computer forensics, and espionage. Reports of cyber-warfare attacks, government-sponsored or otherwise, are rising. Last month Google launched an investigation into cyber attacks allegedly originating in China that it said had targeted the email accounts of human rights activists.

In December the South Korean government reported an attack in which it said North Korean hackers may have stolen secret defence plans outlining the South Korean and US strategy in the event of war on the Korean peninsula. Last July, espionage protection agents in Germany said the country faced “extremely sophisticated” Chinese and Russian internet spying operations targeting industrial secrets and critical infrastructure such as Germany’s power grid.

One of the most notorious cyber-warfare offensives to date took place in Estonia in 2007 when more than 1 million computers were used to jam government, business and media websites. The attacks, widely believed to have originated in Russia, coincided with a period of heightened bilateral political tension. They inflicted damage estimated in the tens of millions of euros of damage.

China last week accused the Obama administration of waging “online warfare” against Iran by recruiting a “hacker brigade” and manipulating social media such as Twitter and YouTube to stir up anti-government agitation.

The US Defence Department’s Quadrennial Defence Review, published this week, also highlighted the rising threat posed by cyber-warfare on space-based surveillance and communications systems.”On any given day, there are as many as 7 million DoD (Department of Defence) computers and telecommunications tools in use in 88 countries using thousands of war-fighting and support applications. The number of potential vulnerabilities, therefore, is staggering.” the review said.

“Moreover, the speed of cyber attacks and the anonymity of cyberspace greatly favour the offence. This advantage is growing as hacker tools become cheaper and easier to employ by adversaries whose skills are growing in sophistication.”

Defensive measures have already begun. Last June the Pentagon created US Cyber Command and Britain announced it was opening a cyber-security operations centre attached to GCHQ at Cheltenham, in coordination with MI5 and MI6.

William Lynn, US deputy defence secretary, described the cyber challenge as unprecedented. “Once the province of nations, the ability to destroy via cyber now also rests in the hands of small groups and individuals: from terrorist groups to organised crime, hackers to industrial spies to foreign intelligence services … This is not some future threat. The cyber threat is here today, it is here now,” Lynn said.

• The IISS 2010 Military Balance, published yesterday, said the insurgency in Afghanistan is complex and Pakistan’s full cooperation remains elusive.

• Al-Qaida retains the capability to launch regular attacks in Baghdad.

• The report said technical difficulties frustrate Iran’s nuclear ambitions but all the same Iran’s stockpile of enriched uranium continues to grow.

• The IISS looked forward to increased defence co-operation between France and Britain,saying both countries needed to “spend smarter” because they cannot afford to “spend more”.

But the strategy, parts of which have already been put in place, has met with resistance from arms manufacturers who fear the loss of multibillion-dollar weapons contracts and so could face difficulties with their allies in Congress.

Some critics also say the strategy is little more than a PR exercise aimed at justifying another increase in defence spending to a record $708bn (£443bn) in Barack Obama’s budget announced today – although that is likely to rise to closer to $900bn with additional spending – as well as the cancellation or delay of major military equipment including navy cruisers, transport aircraft and a satellite system.

Gates described the document as “truly a wartime” defence review. “For the first time, it places the current conflicts at the top of our budgeting, policy, and programme priorities,” he said.

“It breaks from the past, however, in its insistence that the US armed forces must be capable of conducting a wide range of operations, from homeland defence and defence support to civil authorities, to deterrence and preparedness missions, to the conflicts we are in and the wars we may someday face,” he added.

The report said the US faces “a broad range of security challenges” from established military threats to “non-state groups developing more cunning and destructive means” to attack the US and its allies.

“The instability or collapse of a weapons of mass destruction-armed state is among our most troubling concerns,” the report said.

The review calls for the establishment of a “joint task force elimination headquarters to plan, train and execute WMD-elimination operations”.

The report also warns of a growing threat of cyber attacks on space-based surveillance and communications systems that could leave the US military blind.

“On any given day, there are as many as 7 million DoD (Department of Defence) computers and telecommunications tools in use in 88 countries using thousands of warfighting and support applications. The number of potential vulnerabilities, therefore, is staggering.

Moreover, the speed of cyber attacks and the anonymity of cyberspace greatly favour the offence. This advantage is growing as hacker tools become cheaper and easier to employ by adversaries whose skills are growing in sophistication,” the review said. Although the report does not identify any particular threat, analysts say the Pentagon has one eye on China.

However, the Pentagon said that the conflicts in Afghanistan and Iraq would continue to have the most significant influence on strategy for years to come.

“These efforts will substantially determine the size and shape of major elements of US military forces for several years,” it said. “In the mid-to-long term we expect there to be enduring operational requirements in Afghanistan and elsewhere to defeat al-Qaida and its allies”

But critics, such as Winslow Wheeler, who worked on national security issues on the staff of several senators and now leads a military reform project at the Centre for Defence Information, said that the review does not confront some of the military’s most basic problems.

“It’s a profoundly disappointing document in terms of addressing the serious and fundamental problems our defences face. We are currently at a post world war two high in terms of spending, adjusted for inflation, and our forces have never been smaller or older,” he said. “None of these trends are being reversed. Manpower costs are growing much faster than the rest of the defence budget which sets up a competition between hardware and people. All these forces of decay and ever growing costs are continuing.”

Wheeler also challenged Gates’s claim to be implementing a new strategy, saying that President Bush’s defence secretary, Donald Rumsfeld, backed away from the large-scale wars strategy.

“Last year, secretary Gates complained about next war-itis, focusing on high-end conventional systems when we’re getting our asses whipped in low-end irregular warfare.

“There is of course more of that in this QDR. More for helicopters, more for drones, that kind of thing. But overall this is merely an endorsement of existing policy,” he said.

* guardian.co.uk © Guardian News and Media Limited 2010