China’s Dangerous View of Cyber Deterrence

Uploaded on 2016-02-10 in INTELLIGENCE-Hot Spots-China, GOVERNMENT-Defence, FREE TO VIEW

In most open source writings, Chinese analysts tend to discount the possibility of deterrence in cyberspace. Attribution, detection, and monitoring are hard. Attacks can come from state and non-state actors. Retaliatory cyber attacks have no certainty of outcome. All of these conditions combine to make it difficult to deter cyber attacks on national networks.

Given this skepticism, it was interesting to find a long, Sun Tzu-quote-filled discussion of cyber deterrence published on a website affiliated with People’s Daily. Like many other open source writers, Yuan Yi, a researcher at the Academy of Military Sciences, takes a very expansive view of deterrence in cyberspace.

According to Dean Cheng, China traditionally views deterrence, or weishe (威慑), as both deterrence in the Western sense–threats intended to raise the costs high enough so a potential adversary does not act in the first place–and compellence–displays of military power or threats to use military power in order to compel an opponent to take an action or submit. In the vast majority of cases where Yuan’s article refers to deterrence, it appears to be talking about offensive cyber operations and compellence.

So the strengths of cyber deterrence, in Yuan’s view, include the fact that cyberattacks are more humane than nuclear, chemical, or biological attacks; deterrence is cost effective because cyber weapons are cheap; deterrence methods are diverse because cyber weapons can target multiple types of systems; and deterrence uses are repeatable and flexible because, unlike nukes, cyber weapons can be used multiple times. Western analysts tend to associate all of these characteristics with cyber offense not deterrence.

The list of negatives that characterize cyber deterrence also mirrors what Western strategists have traditionally associated with the weaknesses of cyber weapons. Cyber deterrence, for Yuan, lacks credibility because cyber weapons have not yet been used in real warfare; the defense is dynamic and may eliminate vulnerabilities and thus make a weapon useless; the effects of a weapon may spread to connected networks and may even boomerang back to the attackers; states with low levels of connectivity provide few targets and are not easily deterred; and the distributed nature of networks makes the creation of a unified military force difficult.

After laying out these strength and weaknesses, Yuan describes four types of deterrence, three by appearance, the fourth by actual combat. Deterrence by appearance includes technical tests with widespread publicity about the results as well as the displays of cyber equipment.

Displays can happen through doctrine, white papers, diplomatic pronouncements, newspapers, or other official channels. It can also occur through social media and may involve misinformation in an attempt to confuse the enemy and create a psychology of fear and restraint. Combat exercises are also a form of deterrence by appearance and may involve real or virtual troops. Yuan mentions Cyber Storm, the biennial exercise run by the Department of Homeland Security, as an example of deterrence by exercise.

Yuan argues that there are two opportunities for deterrence by combat operations.

  • First, when one side believes the other is on the verge of initiating war, it may launch cyberattacks on critical defensive networks, thus conducting “preventive, restraining deterrence.”
  • The second is when the enemy is conducting cyberattacks on your side in a deterrent effort, then you must immediately launch “retaliatory, reprimanding deterrence.” The types of attacks Yuan believes could be launched include disseminating propaganda on cell phones and interrupting television broadcasts as well as damaging telecommunication networks and power grids.

According to Yuan, a successful deterrence strategy requires preparation. Cyber forces must conduct comprehensive network reconnaissance and install backdoors and logic bombs to launch future attacks. Decision makers need to find the right intensity of the fight in cyberspace to achieve combat deterrence.

Attacks that are too restrained will do little to dismay the enemy. Attacks that cause too much damage may provoke a conventional military response or bring international criticism. There should be a clear and controlled progression. Warnings should be issued, and attacks should move up a ladder of difficulty and impact, with scheduled breaks and resumptions when necessary. In addition, a clear deterrence strategy demands centralized command and unified planning. All military cyber forces must form a joint force, and Yuan argues that decision makers “must organize and coordinate amateur civilian cyberwar forces, particularly patriotic hackers.”

While Yuan’s call for unified forces, centralized political control, and a clear escalatory ladder could provide for greater predictability in cyberspace, most of the article’s suggestions are highly destabilizing, especially the belief that cyberattacks are relatively low risk and the call for network reconnaissance and prepping the battlefield.

The article is almost definitely not an authoritative overview of what the People’s Liberation Army thinks about deterrence but at the same time it is equally unlikely to be completely outside the mainstream. One of the outcomes of the Xi-Obama was supposed to be the creation of a cyber “senior experts group.” It would be good if that group could meet soon, and start the discussion on the meaning of deterrence and other basic concepts.

DefenseOne:      Council On Foreign Relations: 

 

« HSBC Bank In The Line Of Cyber Fire
How to Recover From The Hack Nightmare »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

CERT.GOV.AZ

CERT.GOV.AZ

Azerbaijan Government Computer Incident Response Team

Keyfactor

Keyfactor

Keyfactor is a leader in cloud-first PKI as-a-Service and crypto-agility solutions. Our Crypto-Agility Platform seamlessly orchestrates every key and certificate across the enterprise.

CyberDef

CyberDef

CyberDef is a consulting company specialising in cyber defence services for small and medium enterprises.

Robert Bosch Centre for Cyber-Physical Systems (RBCCPS)

Robert Bosch Centre for Cyber-Physical Systems (RBCCPS)

RBCCPS is an interdisciplinary research and academic centre within the Indian Institute of Science focused on research in cyber-physical systems.

Trapmine

Trapmine

TRAPMINE is an innovative cybersecurity products company mainly focusing on protecting organizations from Advanced Persistent Threat & Zero-Day attacks.

Corelight

Corelight

Corelight is the most powerful network visibility solution for information security professionals.

Cryptshare

Cryptshare

Cryptshare is a communication solution that enables you to share e-mails and files of any size securely.

Carbonite

Carbonite

Carbonite offers all the tools necessary for protecting data from the most common forms of data loss, including ransomware, accidental deletions, hardware failures and natural disasters.

Red Alert Labs

Red Alert Labs

Red Alert Labs is an IoT security provider. We created an independent security lab with a disruptive business offer to solve the technical and commercial challenges in IoT.

Riddle&Code

Riddle&Code

Riddle&Code is a product-led services company specializing in onboarding industries to Web3. The team's mission is to provide a trusted connection between the digital and physical worlds.

Cybersecurity Innovation Hub

Cybersecurity Innovation Hub

Cybersecurity Innovation Hub is a non-profit network organization focused on cooperation, information sharing, research and implementation of cutting-edge technologies in cybersecurity.

apiiro

apiiro

apiiro invented the industry-first Code Risk Platform™ that uses developers and code behavior analysis to accelerate delivery and automatically remediate product risk.

N-able

N-able

N-Able deliver simple and sophisticated monitoring, security, and business solutions that empower you to solve your toughest IT challenges.

SafePaas

SafePaas

SafePaas is a leading Enterprise Risk Management Platform. One source of truth for all your Audit, Risk, and Compliance requirements. Complete governance across your systems.

Var Group

Var Group

Var Group is one of the main partners for innovation in the ICT sector in Italy.

One Step Secure IT

One Step Secure IT

One Step provide Managed IT Services, Cybersecurity Protections, and Compliance to businesses in the USA nationwide.