Adam Segal at CFR, the person from whom I learn most about China and cybersecurity (here is a sampling of his posts), has a post that links to a China Defense Daily article on why Chinese experts think the U.S. military will have difficulty achieving its cybersecurity deterrence aims. As Segal reports (based, I think, on his translation):
The article [in China Defense Daily] sees the U.S. as being unable to secure its networks. The announcement of the Defense Department’s Strategy for Operating in Cyberspace, in the Chinese view, encouraged other countries to develop their own offensive capabilities. Attribution is hard, and providing proof of who is behind an attack that would convince others is still extremely difficult. Detection and monitoring capabilities in cyberspace are underdeveloped so it is a real question whether the U.S. military can detect, provide warning of, and deter an attack before it happens. Finally, if the United States decides to retaliate through offensive cyberattacks, it can have no certainty about the outcomes. The impacts on networks are often limited and can be quickly recovered from.
The most interesting point here, I think, is that even if U.S. officials are (as they increasingly say) better able to attribute cyber-operations, the credibility of their public responses to the operations depends in part on being able to convince various audiences in the United States and abroad that the attribution is accurate. To the extent that this is hard to do (it is very hard, I think), the credibility of the threatened response is diminished, as is the deterrent effect.
But what is the point of the article? Segal speculates:
U.S. intelligence officials are going to AP and The Wall Street Journal and telling them they have identified the specific Chinese groups behind attacks on Google, RSA, and other companies is an attempt to diminish Chinese confidence that they can remain hidden and, thus, strengthen deterrence. Going further down the hall of mirrors, it may be that the purpose of the article in China Defense Daily is to undermine these U.S. efforts. Can Washington believe that it has achieved a credible deterrent if the potential adversary keeps saying it is not possible?
Segal is right that some in the government think that the USG’s recent acknowledgment that China is a source of significant cyber-exploitations is big step in advancing deterrence. I am not so sure. Letting an adversary know that the USG knows what it is up to might enhance deterrence if the USG is willing to retaliate. But as the basis for public retaliation, naming names without providing public proof (or a credible threat to provide public proof) does little to enhance the credibility of a public response, and to that degree does not enhance deterrence.