China’s Dangerous View of Cyber Deterrence

Uploaded on 2016-02-10 in INTELLIGENCE-Hot Spots-China, GOVERNMENT-Defence, FREE TO VIEW

In most open source writings, Chinese analysts tend to discount the possibility of deterrence in cyberspace. Attribution, detection, and monitoring are hard. Attacks can come from state and non-state actors. Retaliatory cyber attacks have no certainty of outcome. All of these conditions combine to make it difficult to deter cyber attacks on national networks.

Given this skepticism, it was interesting to find a long, Sun Tzu-quote-filled discussion of cyber deterrence published on a website affiliated with People’s Daily. Like many other open source writers, Yuan Yi, a researcher at the Academy of Military Sciences, takes a very expansive view of deterrence in cyberspace.

According to Dean Cheng, China traditionally views deterrence, or weishe (威慑), as both deterrence in the Western sense–threats intended to raise the costs high enough so a potential adversary does not act in the first place–and compellence–displays of military power or threats to use military power in order to compel an opponent to take an action or submit. In the vast majority of cases where Yuan’s article refers to deterrence, it appears to be talking about offensive cyber operations and compellence.

So the strengths of cyber deterrence, in Yuan’s view, include the fact that cyberattacks are more humane than nuclear, chemical, or biological attacks; deterrence is cost effective because cyber weapons are cheap; deterrence methods are diverse because cyber weapons can target multiple types of systems; and deterrence uses are repeatable and flexible because, unlike nukes, cyber weapons can be used multiple times. Western analysts tend to associate all of these characteristics with cyber offense not deterrence.

The list of negatives that characterize cyber deterrence also mirrors what Western strategists have traditionally associated with the weaknesses of cyber weapons. Cyber deterrence, for Yuan, lacks credibility because cyber weapons have not yet been used in real warfare; the defense is dynamic and may eliminate vulnerabilities and thus make a weapon useless; the effects of a weapon may spread to connected networks and may even boomerang back to the attackers; states with low levels of connectivity provide few targets and are not easily deterred; and the distributed nature of networks makes the creation of a unified military force difficult.

After laying out these strength and weaknesses, Yuan describes four types of deterrence, three by appearance, the fourth by actual combat. Deterrence by appearance includes technical tests with widespread publicity about the results as well as the displays of cyber equipment.

Displays can happen through doctrine, white papers, diplomatic pronouncements, newspapers, or other official channels. It can also occur through social media and may involve misinformation in an attempt to confuse the enemy and create a psychology of fear and restraint. Combat exercises are also a form of deterrence by appearance and may involve real or virtual troops. Yuan mentions Cyber Storm, the biennial exercise run by the Department of Homeland Security, as an example of deterrence by exercise.

Yuan argues that there are two opportunities for deterrence by combat operations.

  • First, when one side believes the other is on the verge of initiating war, it may launch cyberattacks on critical defensive networks, thus conducting “preventive, restraining deterrence.”
  • The second is when the enemy is conducting cyberattacks on your side in a deterrent effort, then you must immediately launch “retaliatory, reprimanding deterrence.” The types of attacks Yuan believes could be launched include disseminating propaganda on cell phones and interrupting television broadcasts as well as damaging telecommunication networks and power grids.

According to Yuan, a successful deterrence strategy requires preparation. Cyber forces must conduct comprehensive network reconnaissance and install backdoors and logic bombs to launch future attacks. Decision makers need to find the right intensity of the fight in cyberspace to achieve combat deterrence.

Attacks that are too restrained will do little to dismay the enemy. Attacks that cause too much damage may provoke a conventional military response or bring international criticism. There should be a clear and controlled progression. Warnings should be issued, and attacks should move up a ladder of difficulty and impact, with scheduled breaks and resumptions when necessary. In addition, a clear deterrence strategy demands centralized command and unified planning. All military cyber forces must form a joint force, and Yuan argues that decision makers “must organize and coordinate amateur civilian cyberwar forces, particularly patriotic hackers.”

While Yuan’s call for unified forces, centralized political control, and a clear escalatory ladder could provide for greater predictability in cyberspace, most of the article’s suggestions are highly destabilizing, especially the belief that cyberattacks are relatively low risk and the call for network reconnaissance and prepping the battlefield.

The article is almost definitely not an authoritative overview of what the People’s Liberation Army thinks about deterrence but at the same time it is equally unlikely to be completely outside the mainstream. One of the outcomes of the Xi-Obama was supposed to be the creation of a cyber “senior experts group.” It would be good if that group could meet soon, and start the discussion on the meaning of deterrence and other basic concepts.

DefenseOne:      Council On Foreign Relations: 

 

« HSBC Bank In The Line Of Cyber Fire
How to Recover From The Hack Nightmare »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Arxan Technologies

Arxan Technologies

Arxan is a leader of application attack-prevention and self-protection products for Internet of Things (IoT), Mobile, Desktop, and other applications.

Site24x7

Site24x7

Site24x7 is an AI-powered observability platform for DevOps and IT operations.

TNO Cyber Security Lab

TNO Cyber Security Lab

TNO Cyber Security Lab is a dedicated facility for innovative and experimental research with the goal of a safe and resilient cyberspace.

Templar Executives

Templar Executives

Templar Executives is a leading, expert and dynamic Cyber Security company trusted by Governments and multi-national organisations to deliver business transformation.

Cyfirma

Cyfirma

CYFIRMA offers Cyber threat visibility and intelligence suite and services aimed at keeping your organization’s cybersecurity posture up-to-date.

IAmI Authentications

IAmI Authentications

IAmI is a first in Tokenization Cloud-based IAM Security Services, delivering the most advanced form of Two-Factor Authentication.

SOCOTEC Certification International

SOCOTEC Certification International

SOCOTEC Certification International has been providing management systems assessment and accredited ISO certification services to organisations around the world since 1995.

Cryptoloc

Cryptoloc

Cryptoloc's core business is developing solutions designed to protect businesses from all kinds of security threats using a unique patented cryptography.

Haven Group

Haven Group

Haven Group and its companies are a cyber security one-stop-shop for our clients offering a full range of cyber security services to our clients in a unified and united way.

CyNam

CyNam

CyNam is a platform for enabling the growth and development of people and organisations within Cheltenham’s flourishing cyber technology ecosystem.

RB42

RB42

RB42 (formerly Nexa Technologies) provide cyber defense solutions (ComUnity, secure and encrypted messaging, detection of interception tools, etc) and cyber defense consultancy service.

Netia

Netia

Netia is a Polish telecommunications company providing a range of business services including network solutions, communications, data centre and cloud, and cybersecurity.

Tamnoon

Tamnoon

Tamnoon is the Managed Cloud Detection and Response platform that helps you turn CNAPP and CSPM alerts into action and fortify your cloud security posture.

Scope AI

Scope AI

Scope AI is an innovative technology company specializing in quantum security and machine learning.

Luxembourg House of Cybersecurity (LHC)

Luxembourg House of Cybersecurity (LHC)

Luxembourg House of Cybersecurity (formerly SecurityMadeIn.lu) is the backbone of leading-edge cyber resilience in Luxembourg.

Taktika

Taktika

Taktika stands at the forefront of cybersecurity defense, offering cutting-edge integration and managed Security Operations Center (SOC) services.