Cybersecurity studies distinguish between a cyber-attack, which alters, degrades, or destroys adversary computer systems or the information in or transiting through those systems, and cyber-exploitation, which involves no disruption of an adversary computer system, but rather merely monitoring and related espionage on computer systems, as well as the copying (and thus theft) of data that is on those systems. To date the main threat to the United States has come from cyber-exploitations, especially, according to government and press reports, from China. Michael Joseph Gross’s recent essay in Vanity Fair summarizes the latest allegations about “China’s aggressive campaign of cyber-espionage” against U.S. government agencies and U.S. firms. It is a scary story about Chinese infiltration into government and private computer systems (including the systems of high-end cybersecurity firms like RSA), and of massive theft of important information and intellectual property found on those systems.
Gross’s story says nothing about the extent to which the United States is doing very similar things to the Chinese. Nor does the U.S. government talk much about this. This is a real problem, I think. I presume that the National Security Agency and other intelligence agencies spend a lot of time inside, or trying to get inside, China’s government networks, especially its military and intelligence networks. As for NSA cyber-exploitation of private firms, I believe (but do not know) that the official policy of the U.S. government remains the one articulated in the 1996 Aspin-Brown Report: U.S. intelligence agencies do not collect “proprietary information of foreign commercial firms to benefit private firms in the United States,” but they do “identify situations abroad where U.S. commercial firms are being placed at a competitive disadvantage as a result of unscrupulous actions, e.g. bribery and ‘kickbacks.’” Former CIA Director James Woolsey said in 2000 that the United States “steal[s] secrets with espionage, with communications, with reconnaissance satellites” from “foreign corporations and foreign government’s assistance to them in the economic area,” for three reasons: (1) to understand how sanctions regimes are operating; (2) to monitor dangerous dual-use technologies in private hands; and (3) to learn about bribery practices. Presumably the United States also gathers intelligence from foreign private defense and intelligence firms.
In this light, one wonders precisely what the U.S. complaint is about Chinese cyber-espionage in the United States. It cannot be that Chinese spying on U.S. government networks is illegal under international law, for it is not. Nor can it be that cyber-espionage of government networks is an illegitimate tool of statecraft, since the United States does the same. Perhaps the complaint is that the Chinese are doing better against our government networks than we are against theirs, or at least much better than in the past. As for Chinese espionage of private firms, the United States might complain that that practice gives the Chinese an unfair relative commercial advantage since the United States does not engage in that practice nearly as robustly as the Chinese. But again, the practice does not violate international law (and though it does violate domestic U.S. law, there is no likelihood of enforcing that law against the Chinese). Moreover, from the Chinese perspective the public/private and national security/commercial affairs distinctions are neither as sharp nor as normatively salient as they are in the United States.
The United States should obviously take whatever steps it can to prevent or slow the damage caused by Chinese cyber-espionage. But I have yet to see any coherent strategy for doing so. The government recently published two cybersecurity strategy documents: The White House’s International Strategy for Cyberspace, issued in May, and the Defense Department’s Strategy for Operating in Cyberspace, issued last month. As Richard Clarke and others argued, the documents are disappointing. They add practically nothing to what the government has said many times before, and they fail to acknowledge most of the very hard questions and expensive tradeoffs that the government faces in the cybersecurity realm. In particular, they say little concrete about what the United States should do to slow the growing cyber-exploitation threat. The strategies do emphasize the need to develop international norms to address this threat. “One of the core things we’re trying to do diplomatically is to build a consensus internationally to build norms of behavior, rules of the road,” a senior State Department official told Gross in Vanity Fair. But how will the U.S. government square its push for international norms with its aggressive cyber-exploitation practices? Is the United States seeking norms that allow it to continue to engage in cyber-exploitation in other nations but that slow other nations from using cyber-exploitation tools against us? How exactly will that work? Which cyber-exploitation activities (if any) might the United States be willing to give up in exchange for reciprocal constraint from the Chinese and others? And how, exactly, can international cybersecurity norms develop and operate in the largely anonymous digital world, where attribution of cyber-espionage is slow, uncertain, sometimes impossible, and always very difficult to prove in the public realm? I have not seen any serious public discussion of these questions by U.S. officials.