China’s Dangerous View of Cyber Deterrence

In most open source writings, Chinese analysts tend to discount the possibility of deterrence in cyberspace. Attribution, detection, and monitoring are hard. Attacks can come from state and non-state actors. Retaliatory cyber attacks have no certainty of outcome. All of these conditions combine to make it difficult to deter cyber attacks on national networks.

Given this skepticism, it was interesting to find a long, Sun Tzu-quote-filled discussion of cyber deterrence published on a website affiliated with People’s Daily. Like many other open source writers, Yuan Yi, a researcher at the Academy of Military Sciences, takes a very expansive view of deterrence in cyberspace.

According to Dean Cheng, China traditionally views deterrence, or weishe (威慑), as both deterrence in the Western sense–threats intended to raise the costs high enough so a potential adversary does not act in the first place–and compellence–displays of military power or threats to use military power in order to compel an opponent to take an action or submit. In the vast majority of cases where Yuan’s article refers to deterrence, it appears to be talking about offensive cyber operations and compellence.

So the strengths of cyber deterrence, in Yuan’s view, include the fact that cyberattacks are more humane than nuclear, chemical, or biological attacks; deterrence is cost effective because cyber weapons are cheap; deterrence methods are diverse because cyber weapons can target multiple types of systems; and deterrence uses are repeatable and flexible because, unlike nukes, cyber weapons can be used multiple times. Western analysts tend to associate all of these characteristics with cyber offense not deterrence.

The list of negatives that characterize cyber deterrence also mirrors what Western strategists have traditionally associated with the weaknesses of cyber weapons. Cyber deterrence, for Yuan, lacks credibility because cyber weapons have not yet been used in real warfare; the defense is dynamic and may eliminate vulnerabilities and thus make a weapon useless; the effects of a weapon may spread to connected networks and may even boomerang back to the attackers; states with low levels of connectivity provide few targets and are not easily deterred; and the distributed nature of networks makes the creation of a unified military force difficult.

After laying out these strength and weaknesses, Yuan describes four types of deterrence, three by appearance, the fourth by actual combat. Deterrence by appearance includes technical tests with widespread publicity about the results as well as the displays of cyber equipment.

Displays can happen through doctrine, white papers, diplomatic pronouncements, newspapers, or other official channels. It can also occur through social media and may involve misinformation in an attempt to confuse the enemy and create a psychology of fear and restraint. Combat exercises are also a form of deterrence by appearance and may involve real or virtual troops. Yuan mentions Cyber Storm, the biennial exercise run by the Department of Homeland Security, as an example of deterrence by exercise.

Yuan argues that there are two opportunities for deterrence by combat operations.

  • First, when one side believes the other is on the verge of initiating war, it may launch cyberattacks on critical defensive networks, thus conducting “preventive, restraining deterrence.”
  • The second is when the enemy is conducting cyberattacks on your side in a deterrent effort, then you must immediately launch “retaliatory, reprimanding deterrence.” The types of attacks Yuan believes could be launched include disseminating propaganda on cell phones and interrupting television broadcasts as well as damaging telecommunication networks and power grids.

According to Yuan, a successful deterrence strategy requires preparation. Cyber forces must conduct comprehensive network reconnaissance and install backdoors and logic bombs to launch future attacks. Decision makers need to find the right intensity of the fight in cyberspace to achieve combat deterrence.

Attacks that are too restrained will do little to dismay the enemy. Attacks that cause too much damage may provoke a conventional military response or bring international criticism. There should be a clear and controlled progression. Warnings should be issued, and attacks should move up a ladder of difficulty and impact, with scheduled breaks and resumptions when necessary. In addition, a clear deterrence strategy demands centralized command and unified planning. All military cyber forces must form a joint force, and Yuan argues that decision makers “must organize and coordinate amateur civilian cyberwar forces, particularly patriotic hackers.”

While Yuan’s call for unified forces, centralized political control, and a clear escalatory ladder could provide for greater predictability in cyberspace, most of the article’s suggestions are highly destabilizing, especially the belief that cyberattacks are relatively low risk and the call for network reconnaissance and prepping the battlefield.

The article is almost definitely not an authoritative overview of what the People’s Liberation Army thinks about deterrence but at the same time it is equally unlikely to be completely outside the mainstream. One of the outcomes of the Xi-Obama was supposed to be the creation of a cyber “senior experts group.” It would be good if that group could meet soon, and start the discussion on the meaning of deterrence and other basic concepts.

DefenseOne:      Council On Foreign Relations: 

 

« HSBC Bank In The Line Of Cyber Fire
How to Recover From The Hack Nightmare »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

SQA Service

SQA Service

SQA Service provide independent software and process Quality Assurance services.

Cybereason

Cybereason

Cybereason provides attack protection with cutting edge EDR and XDR, and industry recognized consulting services to support organizations throughout any stage of the incident lifecycle.

Minerva Labs

Minerva Labs

Minerva’s patent pending solution keeps malware in a constant sleep state before it can infiltrate your network and cause any damage.

Identify Security Software

Identify Security Software

Our mission is to bring in a new age of autonomous human authentication in the security and identity space.

Flipside

Flipside

Information Security training provider specialized in personalized training and security awareness campaigns.

AttackIQ

AttackIQ

AttackIQ delivers continuous validation of your enterprise security program so you can strengthen your security posture and your response capabilities.

cleverDome

cleverDome

cleverDome has created the first community built and proven model that redefines the standards for protecting the most confidential data and information of consumers in the cloud.

Nanitor

Nanitor

Nanitor is a powerful cybersecurity management platform focusing on hardening security fundamentals across your global IT infrastructure.

Threat Con

Threat Con

Threat Con is a one of its kind event in Nepal, a series of annual international security conventions similar to the famous Black Hat and DEF CON conferences.

Cysurance

Cysurance

Cysurance is a next-generation risk mitigation company that insures, warranties and certifies security solutions.

Xact IT Solutions

Xact IT Solutions

Xact IT Solutions are a certified cybersecurity firm offering cybersecurity, compliance and managed services.

QEDIT

QEDIT

QEDIT is leading the standardization of Zero-Knowledge Proofs through the ZKProof.org Workshops, and builds production-grade ZKP systems for blockchain.

CYBRI

CYBRI

CYBRI is a cybersecurity company helping businesses detect and remediate mission-critical vulnerabilities before they get exploited by hackers.

SPYROS Information & Technology Consulting

SPYROS Information & Technology Consulting

SPYROS specializes in providing highly qualified professionals in Computer Network Operations, Signals Intelligence, Technical Training and Certifications, Network Administration and Security.

New Relic

New Relic

After inventing application performance monitoring (APM), New Relic stands at the forefront of observability with the most advanced platform for eliminating digital interruptions.

Stack Overflow

Stack Overflow

Founded in 2008, Stack Overflow’s public platform is used by nearly everyone who codes to learn, share their knowledge, collaborate, and build their careers.