Amid all of the recent news flow on US-Chinese cyber-security and the on-going saga of Edward Snowden, the NSA whistle blower, cyber-issues have moved to the centres of the national and international agendas. As leaders consider these issues and their broader implications for foreign, domestic and security policy there are a number of critical questions they will need to ask themselves, including the following: How important are the accusations and counter accusations of cyber-snooping in the public today? Are we focusing on the right issues? If not, what is the importance of the cyber-arena for nation states and how does it relate to power and Superpower? The growing importance of the cyber-arena is undeniable and nations will need to develop long-term strategies to incorporate cyber in into their national agendas. For the US and China, two countries facing off against one another as the potential superpowers of the 21st century, these questions are particularly urgent.
The wars of the 21st century will be waged physically and electronically. While it is clear that this century’s wars will continue to require the superior exercise of physical power, it is also clear that this will not be enough in the rapidly developing sophistication of the electronic information age we live in. It is important for superpower contenders to determine whether it is possible to sustain the position of superpower or rise to such a position without the ability to wage cyber-warfare. If cyber-warfare is important to a nation’s defence, the development and deployment of cyber-ware – the tools that enable one to attack, defend and secure oneself in all arenas that concern electronic information – is set to secure a critical place in a nation’s military apparatus. This will lead to a revolution in military affairs. The starting point for the assessment is the role of information and its potential value to nation states. “it is impossible to be a superpower without the ability to attack, defend and secure your position in the multiplicity of cyber arenas as well as the physical world”If information is one of the most valuable assets in our modern world, then the power and success of nations will increasingly depend on their ability to accumulate, utilize and protect information. Indeed, if this is true, it is impossible to be a superpower without the ability to attack, defend and secure one’s position in the multiplicity of cyber arenas as well as the physical world. Indeed, possessing a superior cyber military capability will allow one to undermine a power that possesses only a physical military capability. The public debate today on cyber-security is focused on the surface issues – of whether America’s effort which seems focused predominantly on collecting information to forestall attacks on the homeland and as yet not focused on evolving to anything greater and China’s effort focused predominantly on achieving limited economic goals is something we should or will have to accept - and is missing the deeper underlying significance of cyber capabilities for the future of power. Understanding this significance is critical for the US in preserving its power and evolving into a modern 21st century Superpower and also for China if it seeks to become one in the future. Both the US and China - and others such as Europe, Japan and India who cannot remain mere bystanders or victims - will need to consider not only the role of cyber in securing power but also fully grasp the possibilities and impact of cyber warfare, the tools required to wage it, and the behaviours and rules that might prevent it..
Emergence of Cyber-security in the Public Domain
Information security has its place in the public consciousness alongside the deciphering of codes during the Second World War and the Cold War. As the threat of military conflict between superpower rivals vanished with the fall of the Soviet Union, the code-breakers have also disappeared from the public eye. Information security was thrust back onto the public domain as the issue of the decade focusing on computer network or cyber-security, with allegations of China’s hacking of the US. It was alleged that China had hacked into private companies such as Google, government agencies, NGOs and the US press. The ensuing accusations from the American military, political analysts and politicians heightened public awareness and concern about China’s activities, casting the country as a secretive Soviet-style enemy force. China’s vigorous denials did not seem credible to Americans and a Pew Survey conducted in 2012 identified cyber-attacks from China as the fourth biggest Sino-US problem. The issue was of such importance that even in their first meeting to form a personal bond and understanding on major global issues, President Obama reportedly raised the issue with President Xi and made America’s concerns known. The suspicions and mistrust of China that had over the years led to the exclusion of numerous Chinese companies being rejected their full entry into the US - China’s leading telecoms equipment manufacturer, HuaWei, wind generator Ralls Corp, and oil and gas company CNOOC – and this now seemed justified to observers.
The scene was perfectly set for revelations by a former Central Intelligence Agency (CIA) employee and former technical contractor for the National Security Agency (NSA), Edward Snowden, of Booz Allen Hamilton, a major US government contractor, over the NSA’s PRISM data collection initiative, a classified international security electronic surveillance program. Overnight, the tables were turned. China called the US stance hypocritical and accused the US of double standards. Russia was able to dismiss US accusations as illegitimate and blogs painted America as a rogue player in the midst of a trusting world public. The world’s press united against America’s infringement of their privacy and even its allies were united in their condemnation of American actions. The German press and politicians called the programme “unacceptable”, a position mirrored in much of the Eurozone; in the UK attention shifted partially over subsequent revelations that its government was operating its own PRISM-like initiative. America’s defence was that the systematic collection of information in the cyber-arena was an essential tool in helping to protect America from terrorism. The episode made clear that American software based businesses such as Google and Facebook were knowingly or unknowingly being used to spy on the world. International analysis and discussion has focused predominantly on the important issue of personal privacy rights, in what looks to be the first stage of a wider backlash on the widespread use of cyber-spyware. If successful, it could delay or stall the development of a comprehensive system of cyber-spyware for purposes beyond the invasion of personal privacy. So, what is beyond the obvious issue of invasion of privacy, the snooping for sensitive corporate information on bids for big business and the search for advance notice of press reports?
When Information Becomes the Determinant of Value
In a global networked world with interconnected media, communications, information systems and financial markets, what is more valuable than a ton of gold, or the entire market capitalization of Apple Inc.? The answer is the information based upon which their value is determined, and by extension, any information on events that causes that value to change.
The saying that “information is power” has never been more accurate than it is today. For millennia, power was something measured in purely physical terms, and in the case of nations, specifically in the form of landmass controlled, the size of the population available to tax and conscript and the amount of goods generated or resources recovered. Today, although these things continue to be critical, another dimension has been added to them, their electronic information profile. In the information age money is largely electronic rather than minted precious metals, health is measured by machines and stored electronically and having a global impact does not depend on a global physical presence. The attribution, tracking, and transfer of almost every tradable and many non-tradable assets is digital, so in a very practical sense, information is not only wealth but coveys power too.
On a deeper level, information about people can be even more valuable and powerful than information about things or events. Personal and private information, which has been the area that most alarmed the public in the recent Snowden affair, is of great value in exercising influence and in security. Personal information is broadly defined as (1) any information that can be used to distinguish or trace an individual‘s identity, such as name, social security number, date and place of birth, mother‘s maiden name, or biometric records; (2) any other information that is linked or linkable to an individual, "You've probably grasped the basic legalistic drawback to precrime methodology. We're taking in individuals who have broken no law ... we get them first, before they can commit an act of vi-olence. So the commission of the crime itself is absolute metaphysics. We claim they're culpable. They, on the other hand, eternally claim they're innocent. And, in a sense, they are innocent."
Philip K Dick, Minority Report such as medical, educational, financial, and employment information , and: (3) any information that profiles the character and preferences of an individual such as their political allegiances, corrupt acts, sexual inclinations and emotional content. Even fairly innocuous pieces of data such as addresses, names and birth dates can be very valuable using predictive data analytics on sufficiently large data sets. The digital world creates repositories of highly personal information about the individual. So, it provides the opportunity to get to a truly deeper understanding of the individual without every meeting the individual because of its associated tactile nature (the devices we use are held in our hands and so we trust them), devices have become personalised vehicles for managing our lives (we store on devices the most personal audio, textual and video information about us, our relationships, our activities, aims and goals), the internet captures the relationship between us and a wide range of topics (captured in our search behaviour like an extensive word-association game played out with an ever-present silent invisible psychiatrist) and our buying behaviour, all captured electronically, demonstrates our life style priorities. The aim in advanced predictive profiling is particularly to find information that has leverage potential, that is, the ability to influence the individual’s actions and also to determine what the individual might do and whether this might be a security threat.
With even this private and personal information, formerly only communicated verbally, if at all, captured in a wide range of communication, social media and financial media, virtually all critical information today is digital. International cyber-competition needs to be seen therefore in the context of a post-industrial, information based world where information itself is the most valuable asset of all. It follows that from a state security perspective, the translation of information into value requires the creation of military-grade logistics, supply chain and operations to protect a nation’s citizens, assets and interests and this implies the full capability to conduct cyber-security and warfare,
Military Logistics, Supply Chains, Digital Operatives and Google
The blur between the boundaries of the military field and the cyber field is one of the critical connections of defence in the 21st century. Winning wars without information is risky, if not impossible, and the cyber-world contains the information that is needed to win wars. It is well understood that the prosecution of war requires a supply of information to pass through the information chain to reach the physical military chain in order to enable military strategy, tactics and operations. In the absence of this, one fights without the critical input to properly calibrate attack and response. Taking Sun Tzu’s famous advice on the matter, “Thus, what enables the wise sovereign and the good general to strike and conquer, and achieve things beyond the reach of ordinary men, is foreknowledge … Hence the use of spies … Be subtle! Be subtle! And use your spies for every kind of business.”
In the networked world, information is deposited by mobile phone users, internet users, accountants, trading machines, government departments and just about everybody on the planet. The spies or, more accurately, the unwitting or legally-obliged agents of governments’ cyber espionage agencies in today’s cyber world are search engines such as Google, accounting outsourcing providers such as IBM, personal diaries such as Facebook and the IT databases of everyone.
In the cyber world, digital agents replace physical field agents. Their aim, very much like the spies’ of the Cold War, is to gather information about a person or an organization without their knowledge, to plant information without the target's consent and to assert control over a device such as a computer or phone without the target's knowledge. So, the challenge of cyber espionage is to marshal a global network of digital agents (or spyware) to trawl the world riding on the back of the massive transit ways, such as Google, arriving at major virtual gathering points and also having the intelligence to search in the furthest corners of cyber space for the whispered or encrypted voices of a potential enemy. The skill, cost and magnitude of the task to achieve this comprehensively is currently beyond anybody’s capabilities, except America’s.
What it Takes to be a Force on the Cyber Battlefield
Superiority of position in the cyber-battlefield has a daunting requirement set, namely, cryptology and applied code-breaking experience applied in complex and mission critical scenarios; investment in high tech fields to build scaled processing capability; sophistication in multiple fields of hardware, software and communications technology; advanced data analytics; national influence over the leading global internet platforms, and; a culture that fosters innovation to find new ways to use digital information in civilian and military applications; and of course, world class mathematical capability. In this regard, America has the history, has made the investment, has created world dominating companies, has top of world class mathematical capabilities and has the culture to continue to do so. Clearly, the build-out of US cyber-capabilities over the past decades has been driven off of a solid base, leveraging the US’ unique position and assets. Following the end of the Second World War, America created a military-industrial complex that made huge investments in high tech and communications technology used during the Cold War.
In cryptology, building on the work done in Great Britain during the Second World War, the US went on to establish a government-wide data encryption standard which was developed and modified by researchers and cryptographers at IBM. America today of course continues to develop cryptographic protocols, quantum cryptography, code-breaking methods for their own codes and new and improved codes.
In the application of mass computing to complex tasks particularly in the military fields, America has also led the world since the end of the Second World War. In supercomputing, America held the top spot since supercomputers were introduced in the 1960s, designed initially and, for decades, primarily by private sector companies such as Cray Research. Although more recently Japanese and Chinese built supercomputers have taken the top spot as the fastest processers, traditional supercomputers have been surpassed for utility by grid computing, a field again pioneered by American engineers and companies.
In communications, the US military and intelligence community invented the ECHELON global communication interception systems in the 1950s, the computer networking upon which the internet is built in the early 1960s, and the global position system in the 1970s.
As we see from our summary above, military innovations aside, the US has the world’s most advanced high tech and communications industries and has been responsible for or been the first to capitalise on most of the major digital breakthroughs made in the past 50 years, having given birth to the modern high tech industry in Silicon Valley following the invention of the semiconductor. This industry’s high-tech ecosystem had the breadth and depth to drive the global adoption of the internet and allowed American entrepreneurs to create industry leaders in virtually every field of the high tech and internet sectors: networking, databases, applications, operating systems, search, social networking, e-commerce, platforms and IT services. American high tech sector leaders have included eight of the top ten software companies (including Microsoft, Oracle and Symantec), six of the top twelve IT companies (including Apple, HP, IBM and Intel), in the internet world America leads (with companies such as Google, Amazon and eBay). In advanced data analytics, nine of the top ten are American (including IBM, HP Teradata). None of these are Chinese.
Despite all of the capabilities and assets, September 11th caught the intelligence community unaware and was a shock to America’s intelligence capabilities. The world’s only superpower had relied on a Cold War espionage network that had missed the biggest attack ever on the US homeland. In addition to the more visible physical military elements of the War on Terror, America’s response to the events was a comprehensive upgrade of the system to A constant stream of revolutionary new technologies erode existing protections, and greatly expanded powers for our security agencies allow the government to peer into our lives without due process or meaningful oversight. Our rights and liberties have undergone constant erosion since 9/11 … Sadly, it is no longer so hard to imagine a world straight out of the mind of Philip K. Dick
American Civil Liberties Union create an unparalleled cyber espionage capability. Under President Bush, Congress signed into law the USA PATRIOT Act of 2001 which expanded the Secretary of the Treasury’s authority to regulate financial transactions and broadened the discretion of the authorities in detaining and deporting terrorist suspects. President Obama extended three key provisions in the USA PATRIOT Act regarding wiretaps, business records and surveillance of lone terrorist suspects. Additionally, the US launched a series of major programmes to meet its intelligence objectives. These include the Terrorist Surveillance Program, an electronic surveillance programme as part of the War on Terror. The US also established the Information Awareness Office (IAO) to bring together several existing projects focused on applying surveillance and information technology to track and monitor terrorists and other threats to US national security. The aim was to achieve total information awareness (indeed this part of the project was called Total Information Awareness (TIA).) This highly ambitious project’s aim was to create enormous computer databases to gather and store the personal information of everyone in the United States without a search warrant, including e-mails, financial records, social network information, phone calls, medical records and biometric information gathered from surveillance cameras. The analysis of this information would then seek suspicious behaviour, connections between suspicious individuals and identify potential threats.
A third initiative, which has recently come under public scrutiny, is the PRISM programme. PRISM is an international electronic surveillance programme for the purpose of mass data collection from the internet. The NSA has built an infrastructure that allows it to intercept almost everything… We hack everyone everywhere… we are in almost every country in the world” Edward Snowden, Former NSA contractor, Jun 2013 The programme collects data and communications through a wide range of consumer internet companies including, Microsoft, Yahoo!, Google, Facebook, Apple and others. Based on these assets and capabilities, America today is the world’s only cyber-superpower. The NSA, responsible for signals intelligence (SIGINT) and the protection of US information systems and security, has an estimated annual budget of US$8-10bn and 40,000 employees. With regards to cyber-espionage, SIGINT is emerging as the most important element of foreign intelligence gathering, and although exact numbers remain classified, the NSA consumes an estimated 20% of the total US intelligence budget, which funds 16 separate government agencies. In addition to the domestic wiretapping, internet monitoring and data mining, the agency harvests massive amounts of data and intelligence from foreign computers and networks, the total volume of which has been estimated at 2.1m gigabytes per hour, the equivalent of hundreds of millions of pages of text.
The US has also augmented its military cyber-capabilities, creating in 2009 the US Cyber Command under the US Strategic Command, led by a full general, who is also the Director of the NSA. In terms of more detailed intelligence capabilities, the recent revelations around the NSA’s PRISM program are likely only the tip of the iceberg, with many programs and activities remaining highly classified. Regarding offensive capabilities though, the past decade has seen some indication of American cyber-war capabilities. The US is widely believed to be the creator of the Stuxnet virus, which remotely attacked and seriously damaged Iran’s nuclear program, by targeting the industrial software and equipment used for uranium enrichment. The US is also a candidate for the creation and control of other sophisticated spyware programs such as Flame. Regardless of any further specific technologies subject to speculation, in a potential all-out cyber war, America is likely capable of threatening the very stability of an opponent by corrupting their banking and financial system, government records, its corporations’ operations, operational and financial information, manipulating news flow, its citizens’ records and its communications networks.
In comparison to the US’s likely cyber-capabilities, China’s alleged cyber-incursions, stealing plans for US weapons systems and hacking into US newspapers, pale as no more than petty theft and eavesdropping. While China today has a 30,000 strong domestic “internet police force” monitoring and censoring its citizens’ internet usage, there is little evidence to support an attack capability to rival anything that the US can launch. Nevertheless, China’s government hackers are alleged to have stolen a variety of US secrets, including gas pipeline control systems and missile technology, as well as commercial secrets from Google and other Silicon Valley companies. While the US today is subject to thousands of cyber-attacks every year, many of them from countries like Brazil and Russia, more attacks originate from China than from any other country. “In comparison to the US’s likely cyber-capabilities, China’s alleged cyber-incursions, stealing plans for US weapons systems and hacking into US newspapers, pale as no more than petty theft and eavesdropping.” While it is true that China today has large groups of those that are identified by China as non-government hackers targeting international companies and governments, given China’s ability to monitor organised actors on the internet very well, the evidence also suggests that Chinese authorities would have given these groups free reign, as long as they refrain from attacking domestic targets. However, the scale and sophistication of many of the attacks leaves little doubt in the international analyst community regarding the involvement of state affiliated groups. A unit of the People’s Liberation Army based in Shanghai, Unit 61398, has been identified internationally as the likely base for thousands of attacks on North American corporate and government targets. Based on the analysis available on the targets allegedly attacked from China it is clear that, regardless of their point of origin, the PRC’s cyber-engagement priorities include a significant amount of economic objectives in addition to narrower foreign and domestic security issues. However, it is highly unlikely that China’s cyber-capabilities today extend far beyond cyber-theft and cyber-espionage to full-on attack capabilities like the ones possessed by the US.
However opaque or complex their underlying objectives may be, both countries continue arguing that they are pursuing legitimate security interests, identifying and neutralising threats to domestic security, and continue building their defensive and offensive cyber-capabilities. For example, President Obama recently instructed the Department of Defense to draw up a global cyber-attack target list at which it can deploy digital weapons with “little or no warning to the adversary or the target.” The US Cyber Command is also scaling rapidly by building a $350m new headquarters designed as a base of operations for over 5,000 people, with the unit expecting to quadruple its manpower by late 2015. China of course has not publicly announced any initiatives to build their capabilities and has been consistent in pointing to the US as a cyberspace monopolist. However, the rise of China over the past 30 years has proven time and again how quickly the country can catch-up to the West across a number of areas.
Given what is required to be a competent international player in the cyber arena, in this instance a catch-up may not be possible given the enormity of the challenge. The Soviet aim to catch up with the US and to prove its model to be politically, economically and culturally superior faltered due to the lack China’s closed and relatively compliant and disciplined environment turned against itself, “a virus-friendly environment – that it should obey a program of coded instructions – is again only quantitatively less true for brains than for cells or computers.”
Richard Dawkins, Viruses of the Mind (1993)
Note: Only the parts in parenthesis are from Dawkins of freedoms across all these fronts without which genuine innovation was just not possible. However, unlike the Soviet Union, we can expect China over a long run horizon to evolve into a state that allows for the freedoms necessary to innovate. The big question is how long that will take: after more than two decades of liberalization, high prioritisation in the five year plan, and a near monopoly in providing services to state-owned enterprises, the services revenues of the largest indigenous IT services company of China is still only less than 3% the size of IBM’s services unit. In the absence of a catastrophic disaster in America or a revolutionary change leading to a fully open and still stable society in China, the gap between the US and China in the cyber arena may just be too big for China to be a threat to America for at least half a century or so. This high level assessment cannot lead to complacency since as we have seen in the physical world, China has a fraction of the nuclear weapons of the US but, still has the capability to threaten the American homeland if it were so minded or were provoked by US actions.
In conclusion, America has built a cyber-surveillance capability that is unmatched by any nation in the world. This capability includes the ability to defend and attack too and in the process of surveillance there have been many opportunities to poach other’s valuable information too for political, commercial and military use. However, we are at a turning point. In the face of attacks and skirmishes from independent agents and the high visibility given to China recently in particular, America will soon need to decide whether it should develop a comprehensive cyber military capability or/and through its leadership strike the agreements and introduce the supervision that prevent anyone else from building one; the equivalent of a nuclear disarmament programme before anyone builds the weapons.
The Shape of Warfare to Come
Many concepts critical to conventional warfare such as geographic distance or terrain are all meaningless in a virtual setting, while others, such as firepower or unit formation, are only vaguely applicable in a very high level sense. Preparing for a cyber-conflict will require a fundamental rethink of the most of the core precepts of modern warfare including a reweighting of attack and defence capabilities, the nature of weapons used, the need for rules of engagement and a rethink of strategies and tactics used to wage war.
Firstly, a cyber-war requires a rethink of attack and defence capabilities. The relationship between attack and defence in a virtual setting is fundamentally different to the relationship in a physical one. Given the lack of virtual borders and the global nature of communication systems, there is no bright line defensive barrier that countries can erect to protect themselves against cyber-attacks. There is no physical Berlin Wall or missile defence system to shield nations from incursions and however large its conventional armed forces may be, every country is vulnerable to digital threats. Also, the virtual nature of cyber-weapons means that these can have a disproportionate impact in terms of their effectiveness and the damage created. A single virus theoretically has the potential to shut down a military or civil network communication system. For example disrupting a country’s entire banking system would cause massive disruption to stability. Potentially, cyber-attacks can have a much greater impact on its defence and attack capabilities than any single conventional weapon, nuclear ones aside. The conclusions of these facts for the US and China are therefore clear: the advantage in a cyber-conflict will lie with the party that takes the offensive, not the defence. Within the primacy of offence, strategies will be focused on attack-readiness, the identification of triggers for an offensive attack as well as on the amount and nature of resources that needs to be brought to bear in an engagement to achieve a decisive victory.
Secondly, attacking an enemy in cyber-war can be catastrophic to stability. In a virtual conflict, the ability to read, corrupt or appropriate information is a weapon of great importance. There are six offensive strategies in a cyber-war, namely
- Attack the integrity of civil and military establishment. This attack involves corrupting the physical military attack and defence systems as well as the civil infrastructure of a country such as its water, food, medical and emergency response systems. Given the highly sensitive nature of these systems and information, these can quickly escalate to governments declaring a state of war. In an all-out cyber- or physical war, this would likely be the biggest and most disruptive strategy, provided the attacker has the resources to launch an all-out offensive and to counter a retaliation.
- Destroy the value of money. A key act in undermining the value of money is the undermining of banking records (e.g. erasing savings and loans records), crashing banking transfer and settlement processes and disrupting the working of markets by introducing false transactions into financial systems. With less than 10% of the total US money supply is held in physical form, there are nearly $10 trillion of digital currency in “circulation” in the US today. Further though, virtually every other store of value is recorded in digital form as well. While assets like stocks, commodities and fund shares may continue to issue certificates of physical ownership, practical ownership and its transfer is determined and stored digitally. An attack on a country’s records of wealth, financial and banking system therefore has the ability to completely paralyse its economy and the functioning of its markets, which in advanced economies are required to deliver goods and services to its citizen’s.
- Misappropriate corporate information. A cyber-attack strategy might also focus on the misappropriation and use of corporate information. This information has value in disrupting corporate operations, extracting trading value and ruining the efficacy of negotiations, since includes a broad range of data relating to the business’s operations, strategy and finances and can include anything from customer information, employee contract details, product pipelines and plans, intellectual property and patent information and business plans. A company’s ability to effectively compete relies on its ability to protect this sensitive information from competitors and the nature of confidential business information is such that even single data points can be highly valuable. A concerted attack strategy of this nature is most likely to be part of a longer-term and more subtle undermining of an enemy’s corporation’ rather than the all-out attacks described above, but have the potential of causing significant long-term damage to an opponent’s economy and corporate leaders, while benefiting the attacker and the domestic corporations they share the information with.
- Undermine personal information and security. Additionally, the prosecution of an all-out cyber war could extend into the realm of personal and private information. The dissemination of personal information through the form of leaks or other targeted campaigns has the potential to significantly destabilise key individuals in a government, and by extension, society as a whole. The most important information has always been about people to provide those deep “secrets” that provide the leverage to intelligence agencies to “manage” people. More subtly releasing personal information into the wrong hands enables mistrust to be created between “key men” in the opposition camp.
- Undermine beliefs and attitudes. The aim of such an attack is to undermine the confidence in the government and its initiatives using falsified blogs, twitter, websites, personal broadcasts and online news. The most effective way to destroy people is to deny and obliterate their own understanding of their history.
George Orwell, Nineteen Eighty-Four The value of information that shape beliefs and attitudes has been clearly understood throughout history, particularly by governments, where it was formerly known as propaganda in a non-pejorative sense. Governments have of course always sought to shape public opinions both at home at abroad during war. During the Second World War the Allies dropped leaflets on German soldiers and broadcast radio shows featuring famous German emigrees. In a digital world, the media through which we communicate and disseminate information have multiplied, become ubiquitous and always “on”, creating the potential for a comprehensive 360 degree information war for the hearts and minds of the enemy’s people.
- Attack the cyber-attack system itself. Finally, a cyber-attack might focus on eliminating or weakening an opponent’s cyber-attack and defence system and the information, tools and cyber-weapons that support it. An attack of this nature requires information about a country’s or an actors’ capability to use information to conduct cyber-attacks and includes people, systems, methods, analytics, cryptography, and processing capabilities. Depending on the sophistication of the opponent’s technology, this type of attack becomes increasingly difficult but with corresponding pay-offs, given that a fully cyber-enabled opponent will have their cyber-capabilities linked into all other critical assets of the nation, including military and intelligence, financial and other key assets.
Analysis of public documentation, official pronouncements and political rhetoric, suggests that America has not yet built this comprehensive capability. More importantly, the effectiveness and completeness of such an attack would so fully undermine America’s opponent that the latter would either lie defeated and unable to retaliate or would retaliate through a physical war, if it still could. Hence the probability of a fully armed cyber war is highly unlikely.
Thirdly, any cyber conflict requires the establishment of new rules if peace is to be maintained. The US today is a formidable rival to anyone in cyberspace. Its technological innovation places it in a position to stand unmatched in the arena. America and the Soviet Union stood as two forces against each other and it took decades for the battle of the mind to play out such that one prevailed and so the Cold War unfolded in parallel. The equivalent Cold War in the cyber arena would be based on the agreement to respect and treat information as equivalent to physical assets. Its conduct would be driven by an agreed delineation between acts of espionage and theft on the one hand and acts of war and aggression on the other, implying the acceptance of highly covert and limited excursions over a “wall” – a defined Great Firewall of cyber-space would replace the Cold War’s Berlin Wall – into a limited area of the opponent’s networks, as well as an agreed communications protocol and the assurance of mutual destruction. Given the overwhelming superiority of the US in cyber-weaponry, the US may not wish to agree to such a code of conduct. The lessons of escalation and de-escalation of weapons of mass destruction in the nuclear arena may well lead the US as the key player to create the international agreements in its own and others interests. It is, as ever, important for the US to decide which type of superpower it wishes to be. As the recent public outcry demonstrates, trust can be lost in the physical world through one’s conduct in the cyber world.
Finally, a cyber-war requires new tactics and strategies. It is also important to consider that, since the fall of the Soviet Union, most of the axiomatic assumptions about the shape of the world underlying the Cold War have been challenged: the existence, thus far, of only one Superpower rather than the notion of the need for balanced power or a multi-polar world, the importance of non-state actors, the advent of single defining actions rather than long-drawn out conflicts, the intentional targeting of civilians and the absence of clear rules. Potential 21st century cyber-conflicts, however virtual they may be, will need to adapt to these new real-world conditions. The key features of non-war cyber-conflicts will be as follows:
- The players will divide between coordinated players and independent players.
- Coordinated players will divide into two camps America and the rest.
- America, for a long time to come, will be the only player capable of playing out a broad and deep strategy of cyber espionage and attack.
- The rest will make attacks as part of a game plan to win something tactical.
- The rest will use smaller and mobile coordinated “units”, disguised to appear to be independent, to gain something of advantage; these attacks will be in the nature of raids, mostly for economic gain.
- The terrorists among this group will, by definition, seek to terrorise.
- Independent players will generally seek to make a single “heroic” strike and withdraw
- Independents will also rally to an attack based on perceiving a common cause but their psyche will demand they remain “Player X”; and even if they come to know each other’s code name and form a communication network, their aim will still be to be independent players.
- The primary tactic of independents will be the use of sudden “surges” to overwhelm a barrier, take what they can and leave.
The nature of all these cyber-engagements will be more like raids rather than like set battles or even protracted campaigns.
It is clear that preparing for a world where the internet (and other transactional systems such as market trading and payments systems) which have become platforms for social and financial transactions can become the platform for waging war and the spill-over of this war will be in the physical world with the potential for catastrophic loss of life. This calls for a fundamental rethink of the most of foreign relations and the international agreements that protect them. In parallel, there will also need to be a focus on the core precepts of modern warfare including a reweighting of attack and defence capabilities, the nature of weapons used, the need for rules of engagement and a rethink of strategies and tactics used to wage war
The Need for New Rules of Engagement
Within this framework, there are no agreed upon triggers which justify the launch of an all-out cyber-war by one country on another. Potential triggers could include the launch of a physical attack, the escalation of initially defensive actions to offensive cyber-moves by an opponent, or even a pre-emptive strike “How long do you want these messages to remain secret? … I want them to remain secret for as long as men are capable of evil.”
Neal Stephenson, Cryptonomicon against an expected attack, real or virtual. Further, there is no agreed upon scope within which a potential cyber-war could take place. With virtually everything of value in the world today either in or at least represented or manipulated in some way in digital form, the potential battleground of any future cyber-conflict between America and China will be vast. Financial and banking systems, intelligence networks, communications systems, government records, corporate information are all potential theatres of a future digital conflict between China and the US.
However, despite the multiple triggers for and the vast scope of a potential hostile cyber-engagement, there are as of today no established rules of engagement or codes of conduct for deescalating a potential cyber-conflict, or if it came to it, prosecuting a cyber-war. In the absence of clear protocol and rule of engagement, countries today need to rely on precedents or analogies to determine their response to cyber-threats. In terms of military principles, the established rules of engagement fail to encompass the complexity of and the potential issues arising in a cyber-conflict. Just War Theory for example, raises potentially unresolvable questions around the definition of the aggression suffered to justify a counter-attack, the distinction between combatants and civilians, and the principle of proportionality between the levels of force used and the damaged incurred that justify retaliation, particularly since there is no clear threshold established as to what constitutes an act of aggression or an attack in the virtual space. The Bush Doctrine, which allows countries to launch a pre-emptive strike when it “knows” an attack is imminent, raises serious issues around whether one really has the knowledge and whether the attack is “imminent”, given that a weapon in a virtual setting can be readied and deployed with the push of a single button, potentially creating immanence from the point and time when the weapon is first developed, and logically allowing a potential attack on any possibly hostile country with cyber-attack capabilities. The Geneva Conventions, while not directly addressing the question of a just casus belli, seek to restrict war as being waged between transparent state actors, a challenging proposition in cyber-warfare for two reasons: first, the attribution of cyber-attacks is increasingly difficult given the ease of masking a source or an attacker on the internet and second, many potential attacks may well come from non-state representatives, making it difficult for states to identify the appropriate target for counter-attacks. Finally, the Obama Doctrine provides a number of principles that govern the US’s current perspective on defence, making a distinction in practice between waging war and attacking enemies, recognising the importance of attacking and disarraying an enemy through methods such as non-military attack (assassination), the use of limited, small-scale military action (popularly known as surgical strikes) and unmanned combat vehicles (drones), all of which have potential parallels in the virtual environment that have yet to be clearly formulated by the current administration
Beyond accepted or clearly formulated military principles, the potential for an international cyber-war will require consideration of the fundamental rules of conduct and the agreements that America and its allies have forged. The critical ones are:
(1). The notion of United Action under the leadership of America. The principle of United Action has been built on the alliances forged during the Second World War, the need to enshrine lessons learnt during the War and the long collaboration against the Soviet Union during the Cold War. This will to act together has driven the creation of wide range of multi-lateral organisations, including the United Nations, International Monetary Fund, NATO, the World Bank, the Transatlantic Alliance and OPEC among others. The international community to date has established little in the way of international bodies governing rights and duties of nations regarding the internet. ICANN, the body that governs internet domain names, for example is a private non-profit organization based in the US rather than a true multi-lateral organization.
(2). The value of Globalization as an expression of the right to participate anywhere in the world. The authority of globalization has been embedded in the laws governing the practices of multinational corporations and financial institutions to do business all over the world; the deregulation and common practices of investment banks, hedge funds, private equity firms, mutual funds, commercial banks to finance international transactions, and; the flow of foreign direct and institutional investment into economies and projects all over the world. The internet today is perhaps the most global entity in the world today, and is a major facilitator of the trends above. A change in thinking about the value and goals of globalization would require a major shift in the way countries govern and use the internet.
(3). The principle of Free Trade. This principle is embodied in the WTO and other free trade agreements to govern trade and resolve disputes, and also in the idea of freely floating currencies, open markets and industry liberalization. Again, the internet has been a key enabler of facilitating trade links and transactions and nations have sought to extend existing legal frameworks and concepts to online commerce. Countries seeking to erect trade barriers and protectionism will be challenged to reign in e-commerce on the essentially borderless internet.
(4). The increasing importance of the idea of Human Rights. For Americans and Europeans, two world wars had aligned them on the need to enshrine such rules and much of this thinking has in turn been enshrined in agreements such as International Bill of Human Rights which consists of the Universal Declaration of Human Rights, the International Covenant on Economic, Social and Cultural Rights, and the International Covenant on Civil and Political Rights. For Americans, the basic principles underlying the Bill of Rights has been the backdrop for holding the world accountable for human rights and leading to their pressure on China, African leaders, the Islamic Middle East and many authoritarian regimes all over the world to adhere. The internet’s value, or risk, depending on the point of view, as a tool of free speech and for facilitating free assembly was impressively demonstrated in the Arab Spring and the ongoing disagreement over the level of national and international control over internet content is a testimony to the gap between the two positions.
(5). Democracy as a model of fair conduct and the right of the people to choose who rules. In its simplified form it distinguishes between nations that elect their leaders through a transparent and fair system of popular voting and those that do not, and it has become one of two generally-accepted principles of governance following the collapse of communism.
(6). The principle of Capitalism as the winning model of economic conduct. Its narrower embodiment has to translated ideas, legislation and contractual terms into mechanisms that enable the proliferation of capital for mergers and acquisition, cross-border transactions, leveraged finance, offshore tax havens, ceiling-less executive compensation and the like.
(7). The non-proliferation of weapons of mass destruction (WMDs) and the reduction of destructive capacity. This has been embodied in agreements such as the Nuclear Non-Proliferation Treaty, Strategic Arms Limitation Talks Agreement, Anti-Ballistic Missile Treaty, Comprehensive Test Ban Treaty and the powers of the UN Nuclear Inspectorate. A recent study sponsored by the Pentagon has listed cyber-weapons as a new category of WMDs, saying that, in an age where 2 billion people use the internet, “a coordinated cyber-attack could compromise national security, shut down commerce and destroy the U.S. power grid.” While the destructive potential of cyber-weapons has clearly been recognized, the international community and America have not yet taken steps to regulate their proliferation, development and control.
While the current frameworks governing traditional conflicts between nations are not adequate to prevent or resolve potential cyber-conflicts, the high risk of escalation as well as the extent of destruction such a conflict might create implies that one is needed by the international community. Creating one will require political leadership by a country displaying cyber-leadership. While America today is the only country that could take this role, it is unclear whether this would serve US interests, given the size of its advantage over potential cyber-competitors.
Empires of the Mind, Superpowers and Digital Superpowers of the 21st Century
It is clear that America enjoys superiority in the physical and cyber-world and that this is unlikely to be challenged for a long time to come. So, is America recognising its position at this time in history and consciously redefining itself as a modern 21st century superpower? America’s dominance of cyber space seems to be following a similar pattern to its eventual dominance of physical warfare: reluctant leadership in response to events. In the physical world, this was in response to two world wars. In the cyber arena, this is in response to an attack on the American homeland. If America chooses to do so, it is clearly best placed to translate what is heading towards being a comprehensive surveillance system into a comprehensive cyber-warfare capability that is likely to be unrivalled for decades if not until the eventual decline of America for other reasons.
Why has the decision come to the fore now? History demonstrates that parallel and rival superpowers do rise in the same era as other major world powers and China is clearly one that America recognizes as such. From the early 1990s, China has developed rapidly into an industrialised economic giant with interests in all the parts of the world where America had left space for someone else to enter. In parallel, in the digital space, China “We are at a turning point. In the face of attacks and skirmishes from independent agents and the high visibility given to China recently in particular, America faces the decision as to whether it should develop a comprehensive cyber military capability.” understood that its ability to control the pace of change at home was at threat if American digital companies dominated its nation’s payments, information or media. In 2002, China introduced UnionPay with the intent of preventing American and European payment systems such as Visa and MasterCard from penetrating China in a meaningful manner. In 2008, China stopped American internet hubs taking control of the personal computer and smart mobile device in every Chinese home, school, workplace and palm in a confrontation with Google. To date, China remains largely closed to foreign media corporations. Meanwhile, China has continued to strengthen its focus on its initial physical bases. With time and effort, China can make these hubs into fortresses. Once China has deeply embedded itself into a nation’s economy, financial markets and infrastructure it will become increasingly difficult to dislodge. However, this will take much time and will depend on the goodwill of the hosts and its global rivals for natural resources.
For its part, America has failed to grasp the full architecture and nature of the modern American empire and needs to consciously develop it if they seek to enjoy another 50 years of hegemony. In recognition of the fact that a cyber-attack that is too successful would spill-over into a physical world war too, America would also need to lead in establishing the rules of conduct for the cyber arena.
First let us examine the definition of the architecture of a modern 21st century superpower. It is not the twentieth century definition of the sum of the land it owns. It is also not the twentieth century post-colonial definition of the sum of a nation’s military bases. A modern superpower like American has hubs, networks and transactions all over the world and these link the world to the home base. Hubs - whether military, diplomatic, corporate or financial - are focal points for power. If well built, there are barriers to others entering and the hubs become fortresses. Networks consist of the people, communications and financial systems which link the hubs to the rest of the world. Transactions are the inter-personal, information and financial exchanges by the hubs keep the networks relevant. All of these are linked in some way to the home base. Given that this is a system, it can be attacked, infected, undermined and destroyed. It is a self-sustaining system too – absent a catastrophic attack on it - and can therefore usually recover, evolve and expand on its own. It can be engineered too, re-engineered and mis-engineered; in developing the cyber arena for security, there is a real chance that we may end up turning it into a platform for war rather than where it might have evolved to as most likely a benevolent or politically neutral platform for peaceful social and economic exchange. America today is evolving with the potential to become the modern 21st century superpower. This evolution is unfolding in four major stages.
The First Stage: Physical Wins through Allying, Collaborating and Subsuming. America’s overseas territories around the world at the start of the Second World War were negligible. At the end of the First World War and particularly at the end of the Second World War, America's tentacles reached throughout the territory it had fought in with its allies. As empires do, it established its base on that of its imperial ally, Great Britain - which was the biggest empire in human history at that time - and effectively the British Empire became the American Empire; ceded by a financially and politically exhausted Britain. Since America was also a winner of the Second World War, it also established bases in all the territories that it defeated. The military bases at the end of the Second World War consisted of over thirty thousand installations located at just over a thousand military bases (two thousand base sites) residing in approximately one hundred countries and regions, and stretching from the Arctic Circle to Antarctica. Add these up and one has an American “Empire” from 1945 onward.
The Second Stage: Military and Diplomacy. During the next four decades, America reduced its military bases in times of peace and increased them in times of war. The Cold War with the Soviets also led to the need to expand the base in non-military spheres, especially intelligence and diplomatic ones. At the beginning of the Second World War, America had 60 diplomatic missions; by 1988, it had over 180. In total, it is estimated that America had approximately 800 military bases by 1988. By the time the Soviet Union collapsed in 1988, the US had a diversified mix of military and diplomatic bases throughout the “American Empire.”
The Third Stage: Physical and Electronic, Mass and Individual, Point and Networked. A simple definition of “empire” in terms of military and diplomatic territory would be too simplistic and out-of-sync with the realities of the world that has been developing. The hubs of empire are multiple. American military bases lay out one set of hubs. American embassies lay out more hubs. American corporations expand all over the world and lay out a third set of hubs. This set of hubs links companies to companies and also companies to people, creating a massive network indeed. American trade treaties enable a series of networks to be established between the homeland and the world's shipping, road and airline hubs. American investment banks and financiers finance everything they can understand and hire the smartest people they can find in every country to make sure they can understand everything worth understanding that is relevant to their mission. This establishes another set of hubs which include financial institutions, companies, projects and peoples. American card payment systems place a card in the hand of individuals around the world, a point of sale terminal in every shop and processing centres to link it all together and make every one of these part of a complex personal payment network where the card and the merchant is a hub. American film and television media establishes a series of one-way transmissions to each individual on the planet through their own personal hub, their television. The internet makes every personal computer and smart mobile device in everybody's home, school, workplace and palm a hub. American corporations own every major generators of global content and every major internet business in the world. The hubs once interlinked are the most systematic network ever established in the history of mankind. This defines the nature of empire at the end of the twentieth century.
The Fourth Stage: From Responsive to Pre-emptive. In the twenty-first century, we can add to that a series of technological changes which will create the next generation of the empire and include interlinked surveillance, identity cards, online networked personal digital assistants and spyware, bio-metrics, sensors and other personal monitoring and networking devices. This will lead to a profound change, namely, the move from responsive-reactive systems to intelligent pre-emptive systems. Networked systems also become platforms for the individual player. So, the internet can be used by both state players and individuals. The impact of ideas is much like a virus that crosses unpredictably across personal, national, cultural, legal and formal boundaries. This implies a chaotic impact on ordered and structured hierarchies and formal systems. Modern empires will see the value of this and will learn how to propagate their own ideas to advance their interests and values in the international community. Many of the elements of this twenty-first century empire are already of course visible in some of the most advanced societies. Their impact on others became self-evident during the Middle East revolutions that began in 2010. In this phase of its development, the American government was not the architect of the revolutions but merely the domicile of privately developed American corporations such as Facebook and Twitter that enabled the revolutions through their technology. Given the pace of change, America as a superpower has lagged behind its possibilities. This may be an advantage.
The Fifth Stage is the downfall of the absolute power and the rise of some other superior force, optimistically, an enlightened leadership. It is not the Chinese cyber-capability that is a threat to America. It is also not the UK’s, Germany, France’s or Japan’s capability. It is certainly not Al Qaeda’s. The first threat to America’s ideals comes from itself and from its own power, particularly when it becomes absolute. Without the benefit of continued checks on executive power, keeping it attuned to its fundamental values, it will be difficult for its leaders not to make a series of small decisions over time that cumulatively add up to placing some future president of the United States in the position of being a dictator in practice, if not in name.
The second threat to America’s domination of the cyber-world comes from the individual. In dominating the cyber-world, America will need to be wary that it does not overturn the ideal of a global platform for the open and free expression by individuals. The internet has connected ideas in ways that have expanded exponentially the power of the individual. In the last few years, some crucial balance has been tipped and individuals have been willing to sacrifice their lives in large numbers for the idea of freedom. Although this fight has been most bloody in the Middle East following the Arab Spring, this is not a phenomenon of the poor or downtrodden, it is a global change in consciousness. It is the life force behind the Middle East’s Arab Spring of course but it is also behind America’s Tea
Party and America’s Wall Street occupiers, China’s spontaneous protesters, rioters “The individual is asked to trust the state to look through theirs and their children’s most personal and private affairs, to let them draw and record conclusions from it, to allow that state to hold that information indefinitely and to see the simple failings and never use it against them or their children” and micro-bloggers, Japan’s nuclear leak protests, India’s anti-corruption hunger strikes, the UK’s nationwide rioting and looting, Russia’s “non-revolutionists” who protested their election process, Israel’s social justice protests, anti-austerity protests in Greece, Spain and France and many others. The people are increasingly saying no to the assumptions, policies and actions of the incumbent powerful. The triggers for doing so have been small. It was the self-immolation of a Tunisian street vendor, after a police-woman confiscated his cart and produce, that was the tipping point for Tunisia’s leaders to be ousted in January 2011. America’s actions in the cyber arena will be scrutinised by the internet public and if found wanting will be challenged and the nation may well find itself held to account for decisions being made that are out of sync with this new reality.
Unexpected events are magnified in today’s interconnected world to be far more powerful than ever before in human history. Edward Snowden has not yet become “The Tunisian” that tips the world against America, but it will be difficult to determine which events or circumstances will tip the balance. This is especially so once the individual realizes that they are being asked to trust a state to look through theirs and their children’s most personal and private affairs, to let them draw and record conclusions from it, to allow that state to hold that information indefinitely and to see through the simple human failings and never use it against them or their children. Even if this is argued to be the only way to prevent terrorist threats, once the message is fully understood, it will stretch the limits of credibility.
In conclusion, America’s unique position as the world’s political, military and economic leader is mirrored in its position as the leader in the cyber-arena. While cyber-capabilities are becoming increasingly critical for countries to effectively defend themselves, and so are driving both innovation and rhetoric in the space, America today is an effective cyber-hegemon. As laid out above, China today is not a threat to America’s position through it activities in the cyber-arena, and may well possibly never be. America is simply too far ahead of China, and China cannot catch up unless it enacts major structural socio-political changes of the sort it has been hesitant to allow in the past. It is clear that America’s leadership in a number of mission critical areas where technology developed for personal application overlaps with that for commercial use and for military use places it in a unique position to create the world’s first cyber military force. For this to become a full military force, the cyber-force would sit next to the Army, Navy, Marine Corps, Air Force, and Coast Guard as the 6th military force. Early steps have been taken in that direction. If America chooses to pursue this route, in designing this new armed force, America will need to internalise the lessons learned on September 11th and in its engagements in Afghanistan and Iraq, particularly around the challenges of asymmetric warfare. A US cyber-force will need to both support large engagements coordinated with other armed services branches as well as fight small engagements against multiple and changing enemies. This will of course lead others, both state and non-state actors, to more actively develop and adapt their own military units. So, even more importantly, America will need to recognise that it is possible to suffer a catastrophic terrorist attack on America through the cyber arena too and that this can be no less damaging to human life. America was the leader with its allies after the Second World War in establishing a set of rules of conduct between and within nations which encompassed the principles, treaties and laws to enshrine united action, globalization, free trade, human rights, democracy, capitalism and the non-proliferation of weapons of mass destruction. America chose not to be a dictatorial power and saw its role as a guardian of some important ideals and values. It seems valid to assume that America as a modern 21st century physical and cyber-superpower can also be the dominant military force in the cyber-arena while introducing such values. It is worth remembering that one is a Superpower because others allow it, especially in a global interlinked world of individuals with a say. A rethink of the Grand Strategy is much needed to keep up with the new possibilities.
1. See appendix for definitions and sources
2. See http://www.nytimes.com/2013/05/20/world/asia/chinese-hackers-resume-attacks-on-us-targets.html?pagewanted=all or http://www.nytimes.com/2013/05/20/world/asia/chinese-hackers-resume-attacks-on-us-targets.html?pagewanted=all
3. Behind American debt held by China, the loss of US jobs and the trade deficit. See http://www.pewglobal.org/2012/09/18/chapter-2-threats-and-concerns/#china-concerns
6. China's defense ministry spokesman Yang Yujun called the U.S. government surveillance program "hypocritical behavior" and said "This 'double standard' approach is not conducive to peace and security in cyber space”. Reported in http://www.reuters.com/article/2013/06/27/us-usa-security-snowden-idUSBRE95Q0SW20130627
9. Philip K. Dick: Minority Report (Gollancz: London, 2002)
10. The NSA PRISM program collects data from a wide range of consumer internet companies including Apple, Yahoo, Google, Facebook, Twitter and AOL.
11. See http://www.top500.org/ which ranks the 500 most powerful (non-distributed) computing systems globally
12. Forbes "The World's Biggest Public Companies". 22 January 2013 ".
13. Top 50 Global Technology Companies". Datamonitor
14. Market capitalization of the largest U.S. internet companies as of April 2013 (in billion U.S. dollars) http://www.statista.com/statistics/209331/largest-us-internet-companies-by-market-cap/
15. Big Data Vendor Revenue and Market Forecast 2012-2017, http://wikibon.org/wiki/v/Big_Data_Vendor_Revenue_and_Market_Forecast_2012-2017#Big_Data_Vendor_Revenue
24. Reprinted in Richard Dawkins, The Devil’s Chaplain, (Houghton Mifflin: Boston, 2003)
25. Comparing Digital China’s 2012/13 IT services revenues with the 2012 revenues of IBM’s Global Business Services unit
26. China’s newest generation of ICBMs has a range of 14,000km as reported by Chinese state broadcaster CCTV and reprinted in http://articles.economictimes.indiatimes.com/2012-08-28/news/33450570_1_ballistic-missile-nuclear-warheads-global-times
27. Based on the M2 money supply less the M0 base. US Federal Reserve
28. George Orwell, Nineteen Eighty-Four (Secker and Warburg: London, 1949)
29. Neal Stephenson, Cryptonomicon (Avon: New York City, 1999)
30. as encapsulated in the 2010 National Security Strategy
32. James Baker, former Senior Advisor to the Vice Chairman of the Joint Chiefs of Staff, ‘United States Overseas Basing’, New York: Praeger, 1990
Creating Prosperity for a Billion People: Re-architecting the System of Wealth Creation