Assessing a U.S.-China Balance in the Digital Realm
Julia Yrani & William Handel
Dr. Phillip Karber - GOVT451 12/26/2012
Former Director of National Intelligence (DNI) Mike McConnell worries that the United States is ‘losing the cyber war.’1 “Cyber Pearl Harbor”2 and “Digital 9/11”3 are supposedly threats forecasted upon our nation by the highest echelons of policy-making. China is almost exclusively pinpointed as the culprit that, by leap-frogging developmental stages in this new domain of conflict, will be able to overcome the détente long enforced by traditional kinetic (not to mention nuclear) means and exact dreadful vengeance upon our military establishment and critical infrastructure. Admittedly, the introduction of cyber-war does disturb the military balance as it would have existed in centuries past, but to exactly what extent has not been conclusively studied. This paper will analyze this balance – as it exists between China and the United States in the age of cyber-war – and place the issue in historical, doctrinal, and topographical context. It will attempt to define what a cyber-war would look like in the event that one did occur, and conclude that, despite affording the PRC inherent advantages, this new terrain (and the opposing capabilities of the United States and China therein) will not sufficiently shift the balance of power to render traditional, systemic deterrence obsolete.
A History of Conflict
Within the policy world there has been significant speculation over a potential confrontation of cyber capabilities between the United States of America and the People’s Republic of China. This concern is not entirely unfounded. Over the past decade, as the digital arsenals of militaries and private groups around the world have exponentially expanded and increased in potency, numerous cyber ‘attacks’ have been reported by the United States government, the media, and the private sector; more often than not, the prime culprit for the attacks is speculated to be China’s People’s Liberation Army, whether directly or indirectly.
The United States-China Economic and Security Review Commission (USCC) estimates that there are as many as 250 distinct hacker groups within China that are capable of effectively
1 Mike McConnell, “Mike McConnell on how to win the cyber-war we're losing,” Washington Post, (28 February 2010), <http://www.cyberdialogue.ca/wp-content/uploads/2011/03/Mike-McConnell-How-to-Win-the-CyberwarWere-Losing.pdf> [accessed 20 December 2012].
2 Elisabeth Bumiller and Thom Shanker, “Panetta Warns of Dire Threat of U.S. Cyberattack,” New York Times, <http://www.nytimes.com/2012/10/12/world/panetta-warns-of-dire-threat-ofcyberattack.html?pagewanted=all&_r=0> [accessed 20 December 2012].
3 Jason Healey, “Preparing for a Cyber 9/12,” The Atlantic Council, <http://www.acus.org/files/publication_pdfs/403/060112_ACUS_Cyber912.pdf> [accessed 20 December 2012].
attacking U.S. servers and networks. This body, and many other policy experts and government officials, believe that these intrusions and ‘attacks’ are done at the urging of the PLA, or at the very least tacitly encouraged.4 According to security expert Bruce Schneier, primarily “young, male, patriotic Chinese citizens demonstrating they’re as good as everyone else” carry out these incursions into American domains. They sell their tools and techniques, as well as data ‘exfiltrated’ from compromised sources, to the highest bidder. That said, they fit well into the PLA’s strategy of ‘informationalization’ by allowing the key terrain of conflict to shift away from the kinetic realms in which the United States maintains a clear upper hand. As the PLA treats cyber as a ‘leapfrog technology,’ they view these hacker groups as a breeding ground for strategy – adopting many of their tactics, recruiting from their member bases, and exploiting the vulnerabilities they expose. This, according to Schneier, could present an even more serious threat to U.S. national security than conventional adoption strategies, because the long leash afforded to these largely autonomous groups ensures that there is no possibility of entirely centralized coordination, standardization of protocol, or ‘rational actor’ mentality in place.5 Because, at a larger scale, norms and rules of engagement do not exist, this tactic may persist; China and Chinese nationals can continue to use U.S. networks to steal intellectual property (IP) and conduct economic, political, and military espionage, creating a deficit on the U.S. cyber balance sheet of up to $13 billion a year.6 China’s attempts (of both the passive and active variety) to cultivate a hacker culture and crowd-source cyberwarfare strategies in a way discouraged by the United States7 have led to significant documentation of their ventures into blurry areas of foreign aggression.
While attacks can never be successfully attributed to the upper echelons of the PLA, continuous incursions
4 “Capability of the People’s Republic of China to Conduct Cyber Warfare and Computer Network Exploitation,” (prepared for The U.S.-China Economic and Security Review Commission by Bryan Krekel; McLean, Virginia, October 2009). This report contains a detailed account of the interplay between Chinese hacker groups and the government.
5 Bruce Schneier, “Chinese Cyber Attacks: Myth or Menace,” (July 2008) <http://www.schneier.com/essay227.html> [accessed 20 December 2012].
6 Justin Rohrlick, “Chinese Cyber Warfare: Has the U.S. Found its Smoking Gun?” Minyanville, (08 November 2012) <http://www.minyanville.com/sectors/technology/articles/china-cyber-warfare-report-cyberattacks/11/8/2012/id/45654?page=full> [accessed 20 December 2012].
7 Nathan Thornburgh, “The Invasion of the Chinese Cyberspies,” Time Magazine, (29 August 2005) <http://www.time.com/time/magazine/article/0,9171,1098961-1,00.html> [accessed 20 December 2012]. This article details the plight of Shawn Carpenter, an employee of Sandia, who was encouraged by the FBI to follow leads on Chinese hackers in conjunction with Titan Rain, only to be fired from his job and blocked out by the IC for engaging in illegal activity.
over the years traced back to consistent servers in China lead many to assume that these connections must exist. U.S. government offices and private contractors are continuously subject to probing and exfiltration attempts by sources largely linked back to sovereign Chinese territory (see Figure 1, note 8). Of these, a few have stood out as particularly suspect.
Largely occurring between 2003 and 2006, the sustained assault on U.S. defense contractors labeled as ‘Titan Rain’ was traced back to suspected PLA servers in Guangdong and was responsible for tens of thousands of classified military documents pertaining to aviation and missile command being compromised from U.S. affiliates including Lockheed Martin, Sandia National Laboratories, Redstone Arsenal, and NASA.9 In 2009, a different capability of the supposed Chinese cyber-threat was laid bare with the discovery of ‘GhostNet,’ a large-scale and widespread spying operation in which malware-laden attachments dropped a Trojan into the servers of governmental organizations and foreign ministries, and downloaded a program called ‘gh0st_rat’ that granted hardware utilization capabilities (including video camera and recording functionality) to a command and control interface traced back to China. The most conclusive connection to date between such espionage efforts and China has been through work done on analyzing another rash of cyber-attacks – this time on oil, energy, and petrochemical companies
8 Source: USCC report.
9 Richard Norton-Taylor, “Titan Rain – how Chinese hackers targeted Whitehall,” The Guardian, (4 September 2007) <http://www.guardian.co.uk/technology/2007/sep/04/news.internet> [accessed 20 December 2012].
– known as ‘Night Dragon,’ in which certain individuals with ties to the military and government infrastructure were tentatively identified.10
Figure 2:
Perhaps the most well-known of these assaults, ‘Operation Aurora,’ targeted Google and as many as 34 other companies between 2009 and 2010, exploiting backdoors installed in their programs to comply with U.S. surveillance regulations in order to compromise their security.11 It is speculated that political motivations may have prompted these attacks (they occurred right around a spat between Google and the Chinese government over user privacy rights and had prompted Google to threaten to leave China altogether), which gained access to Google servers,
10 This McAfee report details the entire attribution process behind the uncovering of Night Dragon. <http://www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf>
11 Bruce Schneier, “U.S. Enables Chinese Hacking of Google,” (23 January 2010) <http://www.schneier.com/essay306.html> [accessed: 20 December 2012].
modified source code repositories using zero day vulnerabilities, stole IP, and accessed both the email and bank accounts of Chinese dissidents.12 The group behind Aurora has remained active to a frightening degree, exploiting eight zero days in the past three years, with speculation that it is hoarding many more to use as part of ‘digital cascade’ assaults later. It has expanded its intrusion capabilities from solely ‘Spear Phishing’ (malware and authentication-error delivery vectors) to ‘Watering Hole’ methods as well (lying in wait on websites the target frequents). This capacity for attacks with multiple zero days, multiple Trojans, and multiple delivery vectors is run off of a consistent service known as the ‘Elderwood platform’ (see Figure 2, note 13, for platform detail) and allows for attacks to be sustained and directed for much longer periods of time.14 This continuous intrusion is not letting up any time soon. Shaoxing, China has been denoted the ‘world hacker hub,’ with 21.3% of the world’s malicious emails stemming from the province alone. Advanced schematics on the design of the United States’ highly advanced F-35 joint strike fighter have also been said to have been recently compromised by the Chinese.15
That said, the United States could not be said to be innocent in all of this. Indeed, many suspect that Chinese manipulations of U.S. satellite trajectory and other defense capabilities are a response to American-based espionage attempts. Through its military and civilian networks, the United States is presumed to also have immense offensive capabilities to disable enemy telecoms, power grids, rail systems, and air defense. In fact, it is likely that the U.S. has already infiltrated thousands of networks, and set up ‘trap doors’ for easy access and ‘logic bombs,’ software capable of wiping an entire network clean, in case such capacity is needed.16 Such retaliatory potential should be remembered when taking stock of the deterrence and response metrics employed by this systemic analysis.
12 Richard Adhikari, “In Google Attack Aftermath, Operation Aurora Keeps on Hacking,” Tech News World, (08 September 2012), <http://www.technewsworld.com/story/76109.html> [accessed: 20 December 2012].
13 Source: Symantec report.
14 Full details on the capabilities of this platform and its signatures can be found through this Symantec report: “The Elderwood Project,” <https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwoodproject.pdf>.
15 Jason Healey, “The F-35’s Cyber Death Spiral?” The New Atlanticist, (29 March 2012), <http://www.acus.org/new_atlanticist/f-35s-cyber-death-spiral> [accessed: 20 December 2012].
16 Richard Clarke, “War from Cyberspace,” The National Interest, (November/December 2009): 33-34.
Topography in the Cyber Realm
With regards to the above Chinese ‘cyberattacks,’ the majority can be described as examples of Advanced Persistent Threat (APT)-based incursions, having quite lengthy lifecycles and goals that require a significant amount of round-the-clock effort (see Figure 3, note 17, for a visual). However, in regards to the realms of possible uses of APT, they are largely confined to the first and most tame of three categories outlined by the Department of Defense in its 2011 report to Congress on Chinese potential use of the cyber-weapons at their disposal, being for:
1. Data collection through exfiltration,
2. Constraining an adversary’s actions or slowing their response time by targeting network-based logistics, communications, or commercial activities,
3. Serving as a force multiplier when coupled with kinetic attacks.18
Therefore, before we can speculate on the potential balance of power between the American and Chinese cybersecurity sectors, we must first work to gain a better understanding of the topography of the realm in which they would do battle. Outside of this first category, very few examples exist to calibrate theory. Indeed, very little unified theory exists. This section thus serves to standardize terms and gain an understanding of the terrain before analysis can be viably imparted.
Figure 3:
First, it is important to note the inherent ambiguity and obfuscation that exists within a terrain as new as that of cyber – where norms and standards bodies have not yet been set up to
17 Source: Dell SecureWorks: <http://www.secureworks.com/resources/articles/featured_articles/20120719-hcr/>
18 Military and Security Developments Involving the People’s Republic of China, United States Department of Defense, (Annual report to Congress, 2011). <http://www.defense.gov/pubs/pdfs/2011_cmpr_final.pdf>.
pacify the ‘state of nature’ that still exists therein. This largely stands because, without cohesive domestic and international rulings, there is no monopoly on the use of force,19 meaning that there exists a ‘multiplicity problem’ – it is often difficult to target state actors because it is impossible to define the connection between a transgressing group and a legitimate political authority. This issue is compounded by the fact that cyber weapons are very easy to come by – with up to 140 nations possessing cyberwarfare capabilities – and the fact that no states have established clear ‘red lines’ regarding their responses in the face of specific attacks, creating a ‘vagueness problem’ akin to that between the Soviet Union and the United States during the Cold War.20 Finally, there also exists an acute ‘attribution problem’ due to the fact that the terrain makes it easy to route attacks through foreign servers (in the case of Titan Rain, the perpetrators had to be chased through Canada, South Korea, and Taiwan before servers in China were even identified) and, in the case of some blunter weapons such as some Distributed Denial of Service (DDoS) attacks, use a ‘botnet’ to orchestrate engagements through vast numbers of foreign terminals. This makes ‘false flag’ operations much easier to conduct and retaliatory gestures harder to plan and execute with any sense of assurance.21 This complex system has led some to conclude that ‘Cyber’ occupies a separate domain from land, air, and space. Cyberwarfare expert Jeffery Carr derides this miscategorization that pervades even the U.S. Department of Defense,22 stating, “in modern physics, matter is associated with the complex relationship: substance-energy-information-space-time.
The semantic shift from material to immaterial is not merely naïve, for it can lead to dangerous fantasies.”23 Indeed, cyber is not some immaterial realm without physical manifestations and warfare is not freed from concepts of Clausewitzian key terrain, centers of gravity, and threat vectors. Plenty of key terrain exists; data centers, commercial internet service providers, undersea cables, international standards bodies, basic input output systems (BIOS), supply chains, and even the personnel of
19 Lacking in the realm of cyber are key areas of legitimacy of governance, as discussed by Max Weber regarding the “monopoly on the legitimate use of physical force” in Politics as a Vocation.
20 Kenneth Lieberthal and Peter W. Singer, “Cybersecurity and U.S.-China Relations,” Brookings, (February 2012), <http://www.brookings.edu/~/media/research/files/papers/2012/2/23%20cybersecurity%20china%20us%20singer%20lieberthal/0223_cybersecurity_china_us_lieberthal_singer_pdf_english.pdf> [accessed 20 December 2012].
21 Herbert Lin, “Escalation Dynamics and Conflict Termination in Cyberspace,” Strategic Studies Quarterly, Vol., No. 3, (Fall 2012): 53.
22 One need not venture farther than the DoD website to witness them proudly proclaim this new policy: <http://www.defense.gov/home/features/2011/0411_cyberstrategy/>.
23 Jeffrey Carr, “Why the U.S. Will Lose a Cyber War,” The Diplomat, (10 August 2011), <http://thediplomat.com/flashpoints-blog/2011/08/10/why-us-will-lose-cyber-war/> [accessed: 20 December 2012].
the cyber workforce are very much grounded in the physical realm and play an integral part in any combat assessment.24 As such, it is vital to note that cyber attacks cannot be stand-alone if they are truly to be ‘attacks.’ The notion of cyberwarfare is very much grounded on conceptions of territory, borders, power balances, and alliances. It is a new tool in the arsenal of nations wishing to engage in combat – no more and no less. When assessing issues of deterrence and balance, it is important to separate and define different types of aggressive action – more so when attribution, multiplicity, and vagueness problems make it difficult to link rogue actors to states who always possess certain levels of plausible deniability.25 Catherine Lotrionte, director of the Institute for Law, Science, and Global Security, notes that because issues of cyber-conflict are bounded by key terrain, issues of sovereignty and international law still apply. She distinguishes between a ‘use of force’ and an ‘armed attack,’ stating that only the latter should justify retaliation (at the scale of a ‘war’) under international guidelines, the determining factor being whether or not the incursion exacted analogous destruction to that which could be inflicted by a kinetic attack. Of course, as in conventional warfare, laws of proportionality still apply.26 It is important to clarify the nature of engagement when dealing with deterrence-based issues such that the scale of the rubric used is appropriate.
24 John Mills, “The Key Terrain of Cyber,” Georgetown Journal of International Affairs: International Engagement on Cyber 2012, (December 2012): 99-109.
25 As Irving Lachow of the Center for a New American Security notes, “the whole question of deterrence in cyber doesn’t really apply to espionage. Every nation is spying. The only question is who’s spying better.” Zachary Fryer-Briggs, “U.S. Cyber Experts: Deterrence not Enough,” DefenseNews, (21 October 2012), <http://www.defensenews.com/article/20121021/DEFREG02/310210001/U-S-Cyber-Experts-Deterrence-NotEnough> [accessed: 20 December 2012].
26 Catherine Lotrionte, “Cyber Operations: Conflict Under International Law,” Georgetown Journal of International Affairs: International Engagement on Cyber 2012, (December 2012): 20-25.
As none exist yet, we shall delineate state-to-state (of some nature) interaction in the key terrain of cyber as follows:
Classification: Cyber-espionage
Characteristics: Tampering with secure networks for the purpose of exfiltrating data, schematics, or communications. Covert, quiet, and non-disruptive.
Justified Response: Little other than pursue claims of IP theft in international courts (if attribution successful) and patch zero days uncovered.
Examples: Titan Rain, Operation Aurora, GhostNet.

Characteristics: The active manipulation or disruption of system processes to destroy or delay functionality through viruses, worms, or DDoS attacks.27
Justified Response: Per Nicaragua vs. United States charges and damages claims can be pursued in international courts, but kinetic retaliation not permitted as these constitute a ‘use of force’ without being an ‘armed attack.’
Examples: Stuxnet (and its spawn Flame and Duqu), 2007 Estonia Attacks, 2008 attacks during South Ossetia war.28

Characteristics: Operations by any means that are resultant in the objectives of traditional warfare: the loss of life, the acquisition of foreign key terrain, and to facilitate the ease of combat through kinetic means.
Justified Response: Full-scale cyber and kinetic retaliation.
Examples: None of note to date. You have to go to movie villains for inspiration here.29
It is important to overcome this ‘hype’ regarding cyberwarfare in order to effectively conceptualize what such a scenario would actually look like and how it would affect state-level calculations regarding engagement and proportionality. In conducting this assessment we will compare the offensive capabilities of the Chinese cyber-force against the defense (both passive and active in nature) capacity of the American operators and systems in place to see how it alters the aforementioned dynamics. We will focus on this one-sided engagement in an attempt to add clarity to potential Chinese military postures, understanding that, due to the offense-dominated, opaque nature of the system, it is one conducive to lightning-quick, preemptive strikes in hopes of
27 It is interesting to note that DDoS attacks, while less penetrating and invasive than worms and viruses upon a system, can have a more destabilizing effect.
28 Though conducted in conjunction with a conventional invasion, these attacks had little to do with facilitating kinetic involvement, and were largely confined to DDoS and defacement efforts on Georgian websites. In response to the hype of these instances of ‘cyberwarfare,’ Schneier notes, “a real world comparison might be if an army invaded another country, then all got in a line in front of people at the DMV so they couldn’t renew their licenses. If that’s what war looks like in the 21st Century, we have little to fear.” Bruce Schneier, “Threat of ‘Cyberwar’ has been Hugely Hyped,” (7 July 2010), <http://www.schneier.com/essay-320.html> [accessed 20 December 2012].
29 One example can be found in the cinematic masterpiece Live Free or Die Hard: <http://www.imdb.com/title/tt0337978/>.
crippling the opponent before their arsenal (kinetic, cyber, and ballistic) can be deployed.30 Cyber is a unique system in that offensive and defensive capabilities are entirely distinct.31 We will assess these capabilities specifically at the moment of zero day exploitation to see how they will shift the balance of power leading into a sustained and messy kinetic (and cyber) assault.
A Period of Experimentation
Military capabilities have long represented the projectable power that a country can bring to bear against competitors which, in the anarchic system of international politics, composes its first line of defense. All the while, military doctrine has integrated theory, history, experimentation and practice to provide an evolving framework for military forces to guide their actions in support of objectives. Cyber warfare, however, adds a new dimension to this projectable power by creating a space for anonymous battlefields, where aggressors can organize targets around countless qualifiers, however specific or broad they need be. Despite the growing complexities of cyberspace and the significant strategic challenge cyber warfare poses to the vital interests of states, few specific doctrinal rules for cyber warfare exist. Similar to the uncertainty that plagued nuclear deterrence policy during the Cold War Era, cyber warfare doctrine remains largely underdeveloped due to inexperience and lack of historical evidence surrounding its combative nature. The cyberspace domain connects commercial, governmental and private equipment as well as networks and systems; as such, it is a forum for an unparalleled continuum of activities that range from legal commerce to acts of war. States must challenge themselves to craft a working definition for a cyber attack and, equally important, an appropriate response to a threat that knows no rules of sovereignty. China and the US will likely need to act first, as their palpable national power marks them as ideal targets for asymmetrical attacks from belligerent state and non-state actors and, perhaps most realistically, each other. Each to a varying extent, China and the U.S. have hesitated to release an extensive cyber warfare doctrine, fully aware that an overreaching framework could limit operations in an engagement that is decidedly unpredictable.
As cyber attacks continue to escalate in frequency and intensity, however, there is an active platform for conversation around cyber warfare
30 Lieberthal & Singer, 13-15.
31 Successful defense against APT or DDoS will not damage enemy infrastructure in any way, whereas shooting back at an armed opponent can take them out of commission; similarly, effective offensive deployment does not inherently correlate to defensive capabilities the way that more effective kinetic weaponry, to some extent, does. In short, cyber-tools are generally not dual-purposed in offense and defense in the way many kinetic tools are.
doctrine in both countries that is worth exploring. The outcome is critical, as the international community will look to world powers, such as the U.S. and China, to shape international norms when dealing with cyberspace.
China’s Doctrine
When considering China’s cyber warfare doctrine, there are two distinct narratives that one must piece together to generate the most comprehensive and accurate understanding of the PLA’s intent: a) open source publications from the Chinese government, and b) claims from independent defense analysts. The Chinese government operates under minimal transparency, and the PLA is no exception. China’s National Defense in 2010 (defense white paper) states that China pursues a national defense policy that is strictly defensive in nature. On its most basic level, such a defensive strategy strictly allows for “attacking after being attacked.”32 The white paper briefly touches on the issue of “cyber space” when listing all areas where it intends to “maintain its security interests.”33 Thus, the publication makes no mention of cyber attacks specifically, but it does distinguish cyberspace as a domain of vested interest and thereby, worthy of defense. Since cyber warfare is not directly addressed in unclassified Chinese government documents, it is useful to explore the PLA’s approach to the broader category under which it falls: information warfare (IW). Largely a byproduct of the 1999 principles of joint operations (PJO) movement, Zhongguo renmin jiefangjun lianhe zhanyi gangyao (中国人民解放军联合战役纲要), IW efforts are one facet of the PLA’s decisive move toward an Informatized Joint Operations campaign.34 This new nonviolent means for the protection, manipulation, degradation, and denial of information, with its profound effects on an opponent’s war machine, economic infrastructures, and society, is the PLA’s foremost version of preemption for facilitating a quick victory.35 The broader scope of Informatized Joint Operations is one that extends beyond cyber warfare, contending that “information as a leading factor interacts with other combat strength elements, such as maneuverability, firepower, control, and protection, to form an integrated
32 “USCC 2012 Annual Report,” 12 (report for the U.S.-China Economic and Security Review Commission; Washington, D.C., November 2012).
33 Ibid.
34 Ibid.
35 Lewis, James. "Cyber Security Doctrine." E-mail interview. 17 Dec. 2012.
combat capability.”36 Yet, cognizant of the far reaches of the cyber domain, Chinese theorists note that all battles of this sort pass through cyberspace: “The natural geographical environment and virtual space of the multi-dimensional battlefield will be represented in digital form, which will provide a precision operation space for informatized joint operations.”37 The PLA’s most authoritative modern work on military strategy, The Science of Military Strategy, discusses its “Center of Gravity Strategy,” detailing China’s readiness to employ IW in a war against a technologically superior adversary. In exact words, the text describes the operation:
Organizing all the services and arms to conduct active counterattacks… against the enemy’s command, intelligence and communications systems, and his airports and the launch sites of strategic assault weapons, and disrupt his strategic air raid plan, and wear down and contain his air raid forces to win the victory.38
It is interesting to note, however, that the model of development for cyber capabilities breaks from the traditional model of evolution in Chinese military doctrine (see figure below), insomuch as “threat perception” is not the driving force but rather it is the desire to gain an asymmetrical advantage. As James Lewis, an expert on Chinese cyber security at CSIS, explains, “The main doctrine on cyberwar strategy, advocates for a combination of cyber and electronic warfare capabilities in the early stages of conflict to paralyze control and command and intelligence centers.”39
Figure 4: Traditional Model of Evolution of China’s Military Doctrine
36 USCC 2012 Annual Report (2012).
37 Ben Buchanan, “The United States and Cyberwarfare Strategy,” Institute for Law, Science, & Global Security, (November 2010).
38 Peng Guangqian and Yao Youzhi, The Science of Military Strategy, ISBN 9787801378927 (2005, Web).
39 Ibid.
Thus, the PLA’s argument is simple but convincing: highly developed IW can act as an asymmetric tool to neutralize the military capabilities of a technologically superior opponent and thereby enable the PLA to overcome its relative laggardness in military hardware. Chinese strategists also assess that political and economic conditions confine the scope of modern war, and this provides an opportunity for the combatant who dominates the information battlefield in the opening of a conflict to control its outcome. In short, the overall aim in this “limited war under high-tech conditions” doctrine is to cause heavy attrition and disrupt the enemy's combat forces and logistics so as to bring about a negotiated end to the conflict or dictate terms if possible. The Chinese war doctrine goes further to define informatized war as a clash of systems of systems, in which only 20% of systems are especially critical for operations, but the importance of those select systems can be exploited.40 This offers an opportunity of equalization for lesser powers:
If the inferior side grasps this law and applies it, seizing the key systems or key elements in the enemy’s combat systems and attacking them, it will be able to use what is small to fight what is large, leading to a structural change in the systems and weakening the entire effectiveness of the enemy’s combat systems.41
The PLA identifies electronic networks as the important systems in modern warfare and thus focuses its strategy on the information distribution and command and control nodes on a network, because “it is quite possible they will be unable to bear a single blow when confronted with a deliberate, coordinated, focused attack.”42 The Chinese doctrine does not limit the Joint Informatized Operations to military network targets.
They explicitly state that an attack on a non-military target to achieve the end of paralysis would be strategic in that all economic activities and social events are becoming digitized and network-based. The Chinese theorists state, “It would be easier to force the will of war onto the enemy by using networks to attack and paralyze its economic system and create a chaos in its society.”43
40 Informatized Joint Operations, edited by Cao Zhengrong, Wu Runbo, Sun Jianjun, (Beijing, PRC: PLA Press, 2nd edition August 2008) at [partial translation by Open Source Center CPP20100828318001001: “PRC Book Excerpt: 'Informatized Joint Operations' on Blockade, Island Landing;” accessed 20 Nov. 2010]
41 Ibid.
42 Ibid.
43 Ibid.
US government sources claim, however, that since 2000 the PLA has been actively assembling a specialized force of “hackers.” According to a US Congressional Research Service report entitled “Cyberwarfare,” authored by Steve Hildreth, China is developing a strategic Information System unit called “Net Force” to carry out its IW agenda. This study and a more recent study completed by the NATO senior military officer Brig. Gurmeet Kanwal confirm that this unreported force is designed to level the playing field in a future war with better-equipped Western armed forces that rely on Revolution in Military Affairs (RMA) technologies.44 They also argue that based on recent cyber attacks traced back to China, it is possible and perhaps even likely that this ‘Net Force’ breaks from the overarching PLA “defense policy” and is experimenting with far more offensive operations.
Emerging Threats from China
In recent years, Chinese hackers have begun to move beyond the typical procedures used by state-sponsored actors and into increasingly advanced types of operations or operations against specialized targets. Here are the most likely types of attacks.
• Defeating secure authentication – with the increase of two-factor authentication, in addition to simple password entry, Chinese hackers continue to find a way to defeat these measures. In January 2012, security researchers identified a China-based cyber espionage operation that targeted the U.S. DoD’s Common Access Card Standard.45
• Bridging air gaps – In order to protect resources from high-risk networks, engineers use physical isolation of networks or “air gaps.” Indian media reported that China successfully used removable media to compromise air-gapped computers at the Indian Eastern Naval Command.46
• Targeting deployed platforms – It appears that China is also seeking to target various military platforms that operate in forward or otherwise remote areas, including sea and space. Military officials, including the U.S. Navy chief of operations, describe security threats to ships at sea.47
Clarke, Richard A, and Robert Knake. Cyber War: The Next Threat to National Security and What to Do About It. New York: HarperCollins, 2010. 45 USCC 2012 Annual Report (2012). 46 Ibid. 47 Ibid.
• Leveraging the cloud – even though there is little evidence to show proof of compromised cloud services, cloud systems can either reduce defenders’ visibility of threats and thereby limit detection of malicious activity or help identify targeted campaigns, by aggregating intelligence.48
• Compromising mobile devices – there have been several cases in which malware has propagated within China geared toward mobile devices. CrowdStrike demonstrated how China’s malware could compromise mobile devices in February 2012.49

The US Doctrine

In 2010, William J. Lynn III, US Deputy Secretary of Defense, stated that the Pentagon had formally recognized cyberspace as the fifth domain of warfare. As a doctrinal matter, this means that the US military community considers cyberspace to be equally as critical to military operations as land, sea, air and space. It makes sense that the Pentagon established the US Cyber Command (USCYBERCOM) shortly thereafter with the mission of centralizing command of cyberspace operations and synchronizing a defense of US military networks. In July 2011, Deputy Secretary Lynn announced at the National Defense University that the US did in fact possess a full spectrum of capabilities, and echoing the PLA rhetoric, that “the thrust of strategy is defensive.”50 He articulated a “five pillar” strategy for US Cyber Command (USCYBERCOM), as follows: treat cyber as a domain of warfare; employ more active defenses; support the Department of Homeland Security in protecting critical infrastructure networks; practice collective defense with allies and international partners; and reduce the advantages attackers have on the internet.51 The US made significant changes in its cybersecurity policies in 2012, despite the failure to pass comprehensive legislation in the American Congress. In November, media reports said that the U.S. had concluded work on Presidential Decision Directive 20, governing military activities in cyberspace.
The Directive itself is classified but remarks by the Secretary of Defense suggest that the military would play a greater role in defending against cyber attacks
Ibid. Ibid. 50 “Capability of the People’s Republic of China to Conduct Cyber Warfare and Computer Network Exploitation,” (prepared for The U.S.-China Economic and Security Review Commission by Bryan Krekel; McLean, Virginia, October 2009). 51 Ibid.
from foreign sources. The new policy was preceded by stories in the media attributing the "Stuxnet" cyber attack against an Iranian nuclear facility to the United States (and Israel). Other announcements showed a continued increase in the development of military capabilities, including a Defense Advanced Research Projects Agency program known as "Plan X" to develop a range of cyber capabilities and the creation of "cyber city," a test range for various kinds of cyber attacks.52 The efforts of USCYBERCOM, however, do not extend beyond DOD networks, or the “dot-mil” world. The span of the USCYBERCOM protection umbrella has spurred debate among government agencies that has trickled down to Congress and, recently, to the public. As it stands now, the Department of Homeland Security is responsible for government networks and working with the private sector on defending critical infrastructure. Concerns that the DOD and NSA will dominate efforts to protect the nation’s computer networks, civilian networks included, are rampant among experts across disciplines and are effectively pushing privacy trepidations (reminiscent of the Patriot Act) to the attention of the American public. Cyber Command, originally responsible for dealing with threats to the military cyber infrastructure, may now have some broader national cyber defense responsibilities because of the Presidential Directive. Cyber Command's service elements include Army Forces Cyber Command, the Twenty-fourth Air Force, Fleet Cyber Command and Marine Forces Cyber Command. In order to facilitate cooperation, the Department of Defense and the Department of Homeland Security signed a memorandum of agreement on cybersecurity in October 2010 to increase interdepartmental collaboration.
Media reports suggest that Cyber Command will become an independent command in 2013 (rather than remaining a military "subcommand" under US Strategic Command).53 Still other concerns come from LTC Gregory Conti and COL John “Buck” Surdu, chief of staff of the United States Army Research, Development and Engineering Command, who argue that the skills valued in the armed forces, i.e. marksmanship and physical strength, are irrelevant to cyber warfare. They explain that if combat in cyberspace is now a military domain, then winning in that domain would require a military organization that can recruit, train and retain highly qualified cyber warfare combatants for offensive campaigns. In other words, Conti and Surdu suggest a
Lewis (2012). Ibid.
fourth branch of the military for Information Service, or cyber missions. In response, General Keith Alexander, head of USCYBERCOM, stresses that the purpose of cyber command is “not about an effort to militarize cyber space. Rather it’s about safeguarding our military assets.”54 The most cited example for the critical need of a unified cyber platform in this debate dates back to 2008 in Saudi Arabia. The Pentagon did not approve of a Saudi government-CIA website used to uncover terrorist plots, arguing that the site was putting Americans at risk. The Pentagon overrode CIA objections and launched a cyber attack that dismantled the online forum. Thus, USCYBERCOM aims to eliminate such interagency friction by consolidating US military cyber doctrine. The US must be mindful of inefficiency because opponents like the PLA, operating under the directive of an authoritarian regime, experience minimal, if any, delay in deploying cyber policy. It may make sense, however, that the US military prolonged development of official cyber capabilities, considering that its other RMA technologies are the most advanced in the world.55 Despite the ambiguity in U.S. and China’s cyber warfare doctrine, one conclusion is certain: cyberspace is a new battleground. Like the early stages of disruptive military technologies—nuclear bombs, other, other— a period of experimentation often precedes any official guiding principles. More importantly, the dynamic created between China and the US during this period of experimentation could be longstanding: the US holds the place of the technologically superior military and China, as a potential adversary, seeks out asymmetric capabilities to exploit US vulnerabilities and thus offset its current advantage. The reelection of the Obama Administration and its proposed cuts to the defense budget, juxtaposed with the PLA’s ever-growing defense budget, provide space for this cyber dynamic to shift in favor of China.
Chinese Offensive Capabilities
Military capabilities can best be understood as a resultant product of the continual, cyclical interaction of both national resources and national performance: resources may be “building blocks,” but these building blocks, far from existing in nature, must be consciously produced as a result of human artifice, which is captured, however imperfectly, by the domain of national performance. In the case of cyberspace, China’s burgeoning IT infrastructure, its
Jayson Spade, “Information as Power: China’s Cyber Power and America’s National Security,” U.S. Army War College, (May 2012). 55 Ibid.
building block, is in the hands of an increasing number of highly trained technical personnel, unambiguously yielding a positive reinforcement to present IW capabilities. Many traditional indexes of military capabilities are built on summary variables such as the level of military expenditure or the gross size of the armed forces. An analysis of cyber capabilities requires a greater level of detail, as the talent exploited extends beyond military personnel. This section explores two tools employed by China to proliferate its cyber prowess: the IW military branch and private hacker groups. A 2012 U.S.-China Economic and Security Review Commission report has organized the perpetrators of increasingly regularized attacks into the following categories:

Who Carries Out Chinese Cyber Exploitation and Attack?56

Military Groups

Key entities are:
(1) 2PLA—The Second Department of the PLA General Staff Department (2PLA) is responsible for military intelligence. It may use cyber operations as part of its collection activities.
(2) 3PLA—The Third Department of the PLA General Staff Department (3PLA) is responsible for the collection of signals intelligence. This includes computer network exploitation, reportedly drawing upon Technical Reconnaissance Bureaus geographically distributed across the country. It may also lead the PLA’s computer network defense efforts.
(3) 4PLA—The Fourth Department of the PLA General Staff Department (4PLA) engages in electronic warfare. In addition, it appears to be responsible for computer network attack.
(4) PLA services—The PLA Navy and PLA Air Force, like 3PLA, operate Technical Reconnaissance Bureaus that may engage in computer network operations. The Second Artillery Forces, a PLA service-level branch responsible for nuclear and conventional missiles, may also have cyber-related responsibilities.
(5) Cyber warfare militias—A subset of the PLA militia has cyber-related responsibilities.
These units, usually comprised of workers with high-tech day
U.S.-China Economic and Security Review Commission (2012).
jobs, focus on various aspects of military communications, electronic warfare, and computer network operations.

Intelligence and Security Services

Though little is known about China’s intelligence and security services’ roles and missions in cyberspace, several entities are probably active in the domain:
(1) Ministry of State Security—As China’s foreign intelligence service, the organization may engage in various cyber operations.
(2) Ministry of Public Security—As China’s domestic security service, the organization engages in surveillance, including in cyberspace, of Chinese citizens. Foreigners traveling within China are similarly subject to various forms of digital monitoring (though it is unclear which organization has this responsibility).

‘‘Independent’’ Actors

Although not always on government payrolls, several categories of nominally independent actors conduct exploitation activities. In some cases, their actions may be sanctioned or overlooked by authorities:
(1) ‘‘Hacktivists’’—Sometimes called ‘‘patriotic hackers,’’ these groups appear to act primarily on the basis of nationalistic sentiments, often engaging in denial of service attacks or website defacements. The Chinese government has on occasion acted to curtail their activities, but enforcement is uneven.
(2) For-profit hackers—Some groups may commit industrial or traditional espionage on behalf of private sector, state-owned sector, or government clients. A variety of notable Chinese hackers have formed security firms or consulting firms that may engage in these activities.
(3) Purely criminal hackers—There is a range of strictly nonstate hacking activities, such as identity theft, perpetrated by those seeking status or income. Although these activities are illegal in China and perpetrators are sometimes punished (China recently reported 9,000 cyber-related arrests), government agencies may recruit from this pool.
‘‘Corporate’’ Actors

Some corporate entities in China may engage in, support, or benefit from cyber espionage. The prevalence of state-owned or -controlled enterprises in the telecommunications and IT sectors in China means that such activities would often constitute state sponsorship.
(1) Telecommunications providers—Internet service providers, web services providers, domain registrars, and similar organizations may perform, enable, or conceal malicious cyber activities.
(2) Information technology companies—IT components and systems manufacturers, assemblers, or support staff may introduce ‘‘backdoors’’ (i.e., surreptitious access points) or other vulnerabilities into their systems.

Official Military Cyber Capabilities

The exact cyber warfare capabilities of the Chinese military cannot be known due to the lack of transparency in the PLA. From a close analysis of PLA cyber strategy, however, one can make a reasonable assumption that the PLA is actively adapting its human resources to meet these cyber conflict goals. In times of peace, Chinese theorists call for significant preparation for potential informatized operations against likely opponents. In practice, this means “only by relying on peacetime collection, creating an information superiority and operational superiority before the enemy in wartime is it then possible to win a small space for information confrontation.” Such preparation lays the foundation for future operations in cyberspace. It also indicates, though not explicitly, a reason for the continued penetration of U.S. networks, as the U.S. is China’s most threatening adversary. In the event of heightened tensions, the PLA would launch a first strike cyber attack.
“As soon as it has been discovered that war is inevitable,” Chinese theorists write, “a contest should be made to resolutely take all kinds of effective attack measures to destroy the opponent’s preparations for offense and informatized combat systems by creating an advance attack ‘time gap’ to make up for the equipment ‘technology gap’ before the adversary carries out a firepower attack or main assault.”57 According to Chinese cyber doctrine, the goal of the first strike is to prevent the quick conclusion of the war and heighten the costs for the opponent to the extent that it becomes no longer worth the effort to continue fighting.
If the first strike attack fails to swiftly terminate the conflict, the Chinese offer a few potential vectors for subsequent cyber attacks, as organized in the table below.

Goal of Secondary Offensive Campaign:
• Attack vulnerabilities in the enemy computer networks
• Use electronic measures to counter physical forces
• Attack targeting the U.S.

Evidence from Chinese Doctrine:
• "When the enemy's stealth aircrafts, cruise missiles, and gunships enter the effective airspace of our electronic equipment, we can use radio input and ignite all the computer network bombs. It would cause the enemy's weaponry system to lose control, direction and eventually break down."
• "When the GPS is under interference, the cruise missile which it is guided by it may deviate from the original course, or even be guided to an interference designated area. Currently we are able to enter the network system through wireless radio."
• "We implant computer viruses into the enemy’s C4I system through various means. Once it is needed in the operation, we could use wireless activation virus to paralyze the enemy's operation system.”

Military Training

Perhaps more important than cyber strategy itself is the variable that determines how successfully these plans are converted into effective capabilities—human resources. China seems keenly aware of its need for cyber-savvy officers and soldiers, as the PLA has jumpstarted a basic training program to prepare its soldiers for cyber conflict. The program targets the basic education of soldiers: The first thing officers are set up with after arriving at the school is a notebook computer, the first documents they receive are an Intranet password, identification code, and email address, and the first education they receive is an understanding of networks. It is the same at West Point. Instead of the air conditioners found in normal universities, the students’ dorm rooms are equipped with a bedside
computer for each person, and everyone has been swept up in the tide of networking, from the school president to the drivers, from three-star generals to hired hands.58 This approach seeks to familiarize soldiers of all ranks with the functionality and power of network systems. Ultimately, the PLA aims to make computer skills as fundamental to the military as marksmanship. China’s flourishing IT sector and the PLA’s focus on the informationization of its force structure have led Chinese leaders outside of the military to call the protection of the electromagnetic domain vital to national security, creating a form of military-civilian teamwork. Chinese leaders understand the mounting dependence of the civilian economy on access to the international telecommunications infrastructure and military commanders understand their reliance upon advanced communications to plan and execute their missions. Thus, to reinforce its information infrastructure, the PLA has divided primary operational responsibility for network attack, defense, and exploitation between the Third and Fourth Departments of the General Staff Department for the majority of the past decade. 59 Also, in an effort to develop new computer networks operations technologies and capabilities, Beijing has looked to its maturing commercial IT sector for R&D support, often using national funding vehicles to support technical research into information warfare and information security. State funding of commercial and academic research is building formal R&D relationships between elite universities and industry that look similar to models used in Western defense industries to leverage the efficiencies and cost savings found in these sectors. A great example of this relationship is the National University of Defense Technology (NUDT), located in Changsha, Hunan Province. 
NUDT is a technology-oriented university heavily engaged in military research and development, jointly administered by the Ministry of National Defense and the Ministry of Education. NUDT, the development hub for China’s Tianhe-IA supercomputer, lists among its key research areas electronic and information warfare target recognition.60
Buchanan (2010). U.S.-China Economic and Security Review Commission (2012). 60 Ibid.
Private hacker groups

Despite a lagging understanding of cyber space in the Chinese military, China benefits from the segments of its population that are technically savvy and that, unlike the military, can claim reasonable deniability when accused of an attack. The United States-China Economic and Security Review Commission approximates that there are 250 hacker groups in China that are capable of attacking the United States, and who are “tolerated and may even be encouraged” by the Chinese government. China seems to understand that although computers may be the weapons of any cyber attack, people are the soldiers in command of it. Thus, China works tirelessly to attract more and more IT talent. Signs of these efforts have appeared over the past couple of years, as Chinese diplomatic missions in the United States and other countries have taken advantage of the recession in the West to recruit hundreds of Chinese graduates from the best computer science departments in Western universities.61 The Comment Group, or the “Byzantine Candor” as termed by the U.S. Air Force Office of Special Investigation, is a highly active hacking group in China. The Comment Group is a highly organized effort behind a group that more than any other is believed to be at the spear point of the vast hacking industry in China. Byzantine Candor is linked to the PLA according to a 2008 diplomatic cable released by WikiLeaks. Two former intelligence officials verified the substance of the document. What sets the Comment group apart is the frenetic pace of its operations.62
Buchanan (2010). Riley, Michael, and Dune Lawrence. "Hackers Linked to China's Army Seen From EU to D.C." Bloomberg, 26 July 2012. Web. 22 Dec. 2012.
Figure 5: 63 Documented Attacks Launched by the Comment Group in July 2012
The attacks documented last summer represent a fraction of the Comment group’s projects, which date back at least to 2002, according to incident reports and interviews with investigators. Milpitas, California-based FireEye Inc. alone has tracked hundreds of victims in the last three years and estimates the group has hacked more than 1,000 organizations, said Alex Lanstein, a senior security researcher. Stolen information is flowing out of the networks of law firms, investment banks, oil companies, drug makers, and high technology manufacturers in threatening quantities so much so that intelligence officials now say it could cause long-term harm to U.S. and European economies.64
The United States’ cyber defense infrastructure employs multi-layered capabilities to ensure that it is protected at all levels.65 On the military front, the United States has recently put up a sub-unified command of the Second Army, the Tenth Fleet, and the Twenty Fourth Air Force known as CYBERCOM, which reached full capability in October 2010 under the
Ibid. Riley, Lawrence (2012). 65 This is an attempt to avoid a tempting mistake akin to that made in World War II by the French: to establish robust perimeter security – a Maginot Line – and neglect to enforce stringent internal security measures as backup.
command of General Keith Alexander (also director of the National Security Agency). CYBERCOM is responsible for the protection and defense of all dot-mil sites, which includes 15,000 military networks. CYBERCOM divides Computer Network Operations (CNOs) into those dealing with attack, defense, and exploitation, and has worked to build functional capabilities in all identified areas, especially focusing on ridding military systems of human-error-based vulnerabilities through a sanitization of best practices and educational schemes.66 While their track record is largely classified, Gen. Alexander has stated that CYBERCOM successfully repels an average of 200,000 to 250,000 probes and scans on military servers every hour. Recently, through Operation Buckshot Yankee, CYBERCOM went to great lengths to better address the air gap jumping concerns in response to an incident of a thumb drive transferring a worm and stealing data from a military server. CYBERCOM also employs ‘red teams’ that sift through networks to quickly identify intrusions, track them, and neutralize their capacities before any malicious endeavors are undertaken.67 In the works as well is a secure, protected zone for unclassified networks modeled off the DoD Secret Internet Protocol Router Network (SIPRNet) to ensure that defense is tightened at all levels.68 To complement CYBERCOM in dealing with dot-gov servers and protect critical civilian infrastructure, the Department of Homeland Security (DHS) has stood up a National Cyber Security Division (NCSD) led by John Streufert, former chief information security officer for the U.S. State Department. While much work can still be done on integrating a unified cyber bureau in the DHS, NCSD has worked hard to build and maintain an effective national cyberspace response system, implementing a cyber-risk management program for the protection of critical infrastructure.69 Critical to this mission is the U.S.
Cyber Emergency Response Team (USCERT), which continuously releases information on system vulnerabilities and zero day exploits through its National Cyber Alert System in real-time, and works closely with private vendors to create patches immediately. Resources for better securing networks and data are available to both the public and private sector in an attempt to ensure that at all levels the nation is able to recover and remain resilient to foreign-based cyberattacks. Over the past year, DoD and DHS have
“Department of Defense Strategy for Operating in Cyberspace,” (July 2011). Found at: <http://www.defense.gov/news/d20110714cyber.pdf>. 67 U.S. Cyber Command: Organizing Cyberspace Operations (Washington DC: 111th Congress, 2nd Session, Committee on Armed Services, House of Representatives, 23 September 2010). 68 Jayson Spade, “Information as Power: China’s Cyber Power and America’s National Security,” U.S. Army War College, (May 2012): 35. 69 See DHS website for further detail: <http://www.dhs.gov/national-cyber-security-division>.
worked closely to streamline their efforts and implement burden sharing initiatives. DoD’s 2012 Cyber budget was $3.2 billion while DHS’s was $936 million, illustrating the concentration on offensive capabilities over defensive measures.70 Complementing these initiatives to secure American cyberspace, the White House has responded to calls for increased and centralized leadership, launching a Cyber Space Policy Review with priorities in promoting awareness in the private sector about critical issues, establishing more cohesive operating protocols, and securing alliances with international partners.71 While the technical aspects of this initiative are classified, they are said to complement the efforts of the Comprehensive National Cyberspace Initiative (CNCI) undertaken by the previous administration that worked with the Office of Management and Budget (OMB) and the DHS on a Trusted Internet Connections Initiative (TIC) to successfully consolidate external access points to the internet from government servers by 60%. CNCI also worked in areas of education and R&D to identify ‘leap-ahead’ technologies and better define roles within government.72 In response to recent successful attacks including the Shamoon virus that hit many companies in the oil sector including Saudi Aramco73 and the yet-unnamed DDoS breaches of the U.S. financial sector including JPMorgan Chase and Wells Fargo,74 the Obama administration is circulating an order that will make it necessary for the intelligence community (IC) to share relevant threat signatures with companies operating electric grids, water plants, railroads, and other vital industries. Defense happens at all levels of government and civil society as well.
The Federal Energy Regulatory Committee (FERC) has recently issued guidelines to require US power companies to separate operations systems from the Internet – though admittedly compliance and auditing issues persist.75 Policy recommendations from the 2011 Black Hat Conference (which boasts attendance from federal agencies, corporations, and private hackers working together to
Donna Miles, “DoD, Homeland Security Collaborate in Cyber Realm,” DoD Website, (3 June 2012), <http://www.defense.gov/news/newsarticle.aspx?id=64186> [accessed: 20 December 2012]. 71 The Review in full can be viewed at: <http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf> 72 Obama released details on the CNCI for the first time in 2011. They can be found here: <http://www.whitehouse.gov/cybersecurity/comprehensive-national-cybersecurity-initiative> 73 Richard Lardner, “Draft order would give companies cyberthreat info,” Huffington Post, (20 October 2012), <http://www.huffingtonpost.com/huff-wires/20121020/us-cybersecurity-order/>.[accessed: 20 December 2012]. 74 Chris Strohm and Eric Engleman, “Cyber Attacks on U.S. Banks Expose Vulnerabilities,” BusinessWeek, (28 September 2012), <http://www.businessweek.com/news/2012-09-27/cyber-attacks-on-u-dot-s-dot-banks-exposecomputer-vulnerability>[accessed: 20 December 2012]. 75 Clarke 34.
deal with compliance and standards issues) have gone into getting DARPA re-involved in cybersecurity, working towards establishing Federal cyber regulations (which have thus far failed to pass through Congress), and developing techniques to better air gap utility networks.76 Public and private entities have combined talent to draw detailed pictures of Chinese hacking capabilities such that the United States infrastructure will be prepared to deal with and stop incursions as they arise. Yet, despite this progress, much vulnerability still remains, in part due to the lack of cohesive direction and absence of a clear set of rules of engagement, which is rumored to still be in the works.77 In large part, the United States’ exposure to cyber-threats stems from the fact that it is much more reliant on digital systems than many of its potential adversaries, both because it invented the sphere and because, as a highly industrialized society, many of its sectors were able to migrate quickly to more intensive technology. Despite attempts at defense, this vast exposure results in an asymmetry relative to developing powers such as China.
In another sense, its democratic values and institutionalized norms leave it more vulnerable than opponents - the government is not able to regulate the Internet and enforce protocol as tightly as other states might be.78 However, these systemic factors aside, many agree that the problem is largely political because there exists so little will to pass legislation through congress and share threat signatures across sectors.79 This is in part due to the age-gap that exists between policy makers and those adroit at navigating the nuances of this terrain – many in the upper echelons of public and private management grew up without exposure to the technology that is now at their fingertips and thus have a difficult time fully grasping the intricacies and gravity of cyber.80 Similarly, due to the lack of understanding, too much money and effort is being funneled into standard military protocol to militarize the terrain, and little is being done to work with commercial regulators such as the Securities and Exchange Commission (SEC), the Federal
Spade 31-35. “Hype and Fear,” The Economist, (8 December 2012), <http://www.economist.com/news/international/21567886america-leading-way-developing-doctrines-cyber-warfare-other-countries-may> [20 December 2012]. 78 Buchanan 13. 79 Jason Healey, “Cyber Legislation and White House Executive Orders,” New Atlanticist, (26 October 2012), <http://www.acus.org/new_atlanticist/cyber-legislation-and-white-house-executive-orders>[accessed: 20 December 2012]. 80 Carr.
Communications Commission (FCC), and the Federal Trade Commission (FTC) to create uniform standards and shore up security procedures on all vulnerable fronts.81 Critical infrastructure, such as that related to power, water, nuclear, transportation, and financial services is particularly vulnerable to foreign cyberattacks because it is operated in private hands and not easily standardized. This ties directly into defense capabilities; for example, 31 of 34 critical sectors within the DoD are dependent on the 90% privately owned public power grid.82 These grids are by no means impenetrable – it has recently been revealed that in 2008 they were hacked causing power outages in multiple cities.83 Grids have a myriad of access points (see Figure 684 for full detail) and once inside, an aggressor can wreak havoc – pushing circuit breaker oscillations out of synch causing the inertia of the grid and that of the generator to work against each other, tearing apart the physical infrastructure. Botnets and concentrated DDoS attacks can also work at command stations, slowing down relay mechanisms and causing signals to lose pace. Issues in critical infrastructure such as grids are extremely difficult to fix because they cannot feasibly stand idle for long enough to install patches. The North American Electric Reliability Corporation (NERC) has worked to implement new standards and auditing techniques, but much work needs to be done to tighten air-gaps and implement one-way hash functions to prevent unidentified code from running on these critical infrastructures.85 That said, sophisticated coders could always exploit human error problems that linger. The Department of Energy (DOE) inspector general recently found 38 cyber vulnerabilities in energy infrastructure when conducting an investigation (the number declined from 56 in the previous round) including some in areas related to nuclear technology.
58% of computers inspected had unpatched software holes and weak password protection issues, while 29 web applications related to finance, human resources, and general support were deemed ‘vulnerable to hacking.’86 To combat such issues of poor ‘IT hygiene’ across sectors, US-CERT continuously works to provide the U.S. infrastructure with education and fixes to areas of concern including local area networks (LANs), remote terminal units (RTUs), and human machine interfaces (HMIs), with details of typical vulnerabilities and how they can be addressed.87 Of course, as long as problems remain in enforcing standard practices, doubt will remain regarding the possibility of exploitation of these systems.
81 Melissa Hathaway, “Creating the Demand Curve for Cybersecurity,” Georgetown Journal of International Affairs: International Engagement on Cyber, (December 2011): 163-170.
82 Buchanan 16.
83 Glenn Derene, “How Vulnerable is U.S. Infrastructure to a Major Cyber Attack,” Popular Mechanics, (1 October 2009), <http://www.popularmechanics.com/technology/military/4307521>[accessed: 20 December 2012].
84 Source: Nicol article.
85 David Nicol, “Hacking the Lights Out,” Scientific American, (July 2011): 70-75.
86 John Reed, “Dozens of cyber vulnerabilities found at Department of Energy facilities,” Foreign Policy, Blog: Killer Apps, (16 November 2012), <http://killerapps.foreignpolicy.com/posts/2012/11/16/dozens_of_cyber_vulnerabilities_found_at_department_of_energy_facilities>[accessed: 20 December 2012].
Figure 6:
Finally, due to the increasing complexity of everything from basic computers to the F-35, supply chains have become more globalized and interconnected than ever before, with parts and circuits contributed by private enterprises in countries around the world. The USCC worries that this development might present new vulnerabilities in U.S. technology and ability, and suspects based on past instances of corruption that many vital technologies with circuits contributed by Chinese firms might come preloaded with malware.88 Of particular concern in this ongoing debate over supply chains remain Huawei and Zhongxing Telecommunications Equipment (ZTE), which are eyed with suspicion by the USCC as potential sources of exploitation due to the subsidies and above-market priced contracts they receive from the Chinese government. Aside from issues with economic protectionism and suspect dealings with pariah states such as Iran, a recent congressional report speculates that Huawei and ZTE appliances could potentially afford unauthorized backdoor access to the Chinese government or inject malware into servers linked to their networks should the situation demand it. These companies have not been compliant with investigations and could potentially serve as another bridge in the case of a Chinese cyber attack into the heart of the United States’ infrastructure.89 Because of the interconnectedness of these telecom giants with U.S. supply chains, it is unlikely that mitigation measures could fully address this threat.
87 An example of their regimen can be found here: <http://www.us-cert.gov/control_systems/csvuls.html#top>.
88 2012 Report to Congress of the U.S.-China Economic and Security Review Commission: (Washington DC: 112th Congress, 2nd Session, November 2012): 161-162.
89 The report also states that, “Chinese intelligence services, as well as private companies and other entities, often recruit those with direct access to corporate networks to steal trade secrets and other sensitive proprietary data” and that “it appears that under Chinese law, ZTE and Huawei would be obligated to cooperate with any request by the Chinese government to use their systems or access them for malicious purposes under the guise of state security.” It warns that systems are vulnerable as, “Inserting malicious hardware or software implants into Chinese-manufactured telecommunications components and systems headed for US customers would allow Beijing to shut down or degrade critical national security systems in times of crisis. Malicious implants in the components of critical infrastructure such as power grids or financial networks would also be a tremendous weapon in China’s arsenal.” Investigative Report on the U.S. National Security Issues Posed by Chinese Telecommunications Companies Huawei and ZTE (Washington DC: 112th Congress, 8 October 2012).
The Clash
The following section is a speculative consideration of a Chinese computer network operation against U.S. networks in the context of a possible conflict over Taiwan. As indicated by Chinese military doctrine, the PLA is actively preparing for possible conflict with technologically advanced nations such as the United States, particularly in the event of a forceful reunification of Taiwan with the mainland. The New Historic Missions now requires the PLA to develop capabilities for other possibilities beyond China’s littoral waters and for goals more economic than territorial. Despite the fact that military modernization primarily focuses on traditional conventional weapons that can target U.S. forces well before they are in range to support Taiwan or otherwise intervene, IW weapons are becoming coordinated with conventional weapons units as dictated by the information confrontation theory in joint-style operations.90 A U.S. victory for Taiwan would require speed of response and the ability to arrive on station with sufficient forces in the western Pacific. A conflict in Taiwan and its distance would certainly place the greatest strain on U.S. logistics and command and control infrastructures. Thus, it makes sense that PLA analysts consistently identify these two components as strategic centers of gravity that potentially both help and hinder U.S. military success in the region.91 In the particular context of Taiwan, PLA strategists are keenly aware that U.S. access to bases in the region faces challenges even in times of peace. Specifically, non-naval forces operate from a few fixed bases in the region during a crisis and access can be unstable. Further, doctrinal and strategic writings prescribe the use of IW tools for their potential deterrent effect. Accordingly, a preemptive CNA campaign against U.S. Pacific Command (PACOM) forces would likely come first. This means the PLA may start deploying tools via access created prior to any direct U.S.-China conflict to affect or disable logistics networks, command and control infrastructure, intelligence collection systems, and potentially civilian targets that directly support military operations such as transportation or other commercial logistics providers.92
Phase One—A Preemptive IW Attack
Using a vastly improved C4ISR infrastructure—partly a byproduct of the close cooperation between China’s commercial IT sector and the PLA—U.S. 
and allied deployments in the region are likely to be more readily detected and attacked with greater precision than even five years ago. The effects of preemptive penetrations may not be readily observable or detected until after combat has begun or after Chinese CNA teams have executed their tools against targeted networks. Even if circumstantial evidence points to China as the culprit, no legislation or policy currently exists to easily determine appropriate response options to attacks on U.S. military or civilian networks in which definitive attribution is lacking. Beijing, understanding this, could easily exploit such gray areas in U.S. policymaking and legal frameworks to create delays in U.S. command decision-making.93
90 U.S.-China Economic and Security Review Commission (2012).
91 Ibid.
92 Ibid.
Phase Two—Corrupt Command and Control
Although U.S. network defenses and other countermeasures may call into question the effectiveness of some Chinese tools or approaches to targeting, the PLA’s adoption of INEW and information confrontation concepts, which advocate using network operations against C4ISR systems, increases the likelihood that they will be a target during a conflict. Chinese commanders may elect to use deep access to critical U.S. networks carrying logistics and command and control data to collect highly valuable real-time intelligence or to corrupt the data without destroying the networks or hardware.94
Phase Three—IW on the Home Front
PLA planners and commentators have long assessed that the source of U.S. military effectiveness stems from the ability to integrate military and civilian information systems and leverage this global access to information in combat. Chinese decision makers see this prowess in information technology as both a force multiplier for the United States and a vulnerable center of gravity, calculating that if an adversary is able to disrupt these networks and access information, the effect would leave U.S. combat forces and commanders in a state of paralysis. PLA publications and authors from some of the military's more authoritative institutions have labeled C4ISR systems as “vital point” targets because of this perceived U.S. 
dependence on the immediate access to information to fight effectively.95 PLA writers affiliated with the Academy of Military Science in a 2011 article in the Academy’s primary journal, China Military Science, Zhongguo Junshi Kexue, underscored the high return on investment that network paralysis warfare offers when applied to key nodes on the enemy’s network, noting that this type of targeting focus makes it possible to achieve an immense operational effect with just a small investment.96
93 U.S.-China Economic and Security Review Commission (2012).
94 Ibid.
95 Ibid.
96 U.S.-China Economic and Security Review Commission (2012).
American Response
While the United States has gone to great lengths to protect its military hardware and critical infrastructure from exploitation and corruption, the sheer scale of the cyber realm and the fact that China, like the United States and other capable nations, most likely hoards some zero day vulnerabilities of its adversaries, render it incredibly likely that attacks would get through and have an initially crippling effect. However, stopgap measures in place and back-up secure networks mean that these exploitations would most likely be inconsistent in effect. At the forefront of the U.S. defense would be the new EINSTEIN 2 and EINSTEIN 3 programs operated by US-CERT to deal with intrusion detection and intrusion prevention respectively. These should have a moderately successful effect at weeding out latent worms and poised viruses that would otherwise contribute to the havoc caused on zero day.97 However, the United States integrated cyber command recognizes that these measures are not perfect and that widespread vulnerabilities still exist. In order to deal with disaster recovery and resilience measures, should critical infrastructure be taken down, the NCSD has instituted a National Cyber Incident Response Plan (NCIRP) to establish a framework for organizational roles, responsibilities, and actions to prepare for, respond to, and begin to coordinate recovery from a major cyber attack (see Figure 7, note 98, for visualization).99 NCIRP is capable of providing a backbone for centralized execution of response and retaliation in the case of an emergency, and has been tested and fine-tuned over a series of ‘Cyber Storm’ exercises to account for widespread malware and logic bomb intrusions, as would be the case in a scenario of Chinese cyberattack. 
Cyber Storm III, which included participation from public, private, and international entities, concluded in July 2011 and found that NCIRP was capable of effectively organizing a response and recovery effort to quickly combat foreign threats between agencies as diverse as US-CERT, FERC, the FBI, and CYBERCOM.100 Cyber Storm IV is presently underway and should do more to strengthen the response time and magnitude of U.S. military and civilian capabilities.
97 Part of released CNCI documentation.
98 Source: NCIRP.
99 National Cyber Incident Response Plan, Department of Homeland Security, (September 2010), <http://www.federalnewsradio.com/pdfs/NCIRP_Interim_Version_September_2010.pdf>.
100 Cyberstorm III: Final Report, Department of Homeland Security, (July 2011), <http://www.dhs.gov/sites/default/files/publications/nppd/CyberStorm%20III%20FINAL%20Report.pdf>.
In short, while a Chinese cyber-strike would have a devastating effect upon the United States, measures in place at all levels of command would ensure that the United States’ ability to project itself kinetically would not be entirely crippled and those areas affected would be able to recover in a rapid fashion. As James Lewis of CSIS notes, “If I were China and I were going to invade Taiwan, and I needed to complete the conquest in seven days, then it’s an attractive option to turn off all the electricity, screw up the banks, and so on. Could the entire U.S. grid be taken down in such an attack? The honest answer is we don’t know. And I don’t like that.”101 The good thing is, China doesn’t know either. That ambiguity is enough to allow common
deterrence methods to safeguard the prizes of warfare, which continue to remain in physical space.
Conclusion
As previously argued, while in an isolated system Chinese cyber-capabilities could exact significant damage on the digital architecture of the United States, victory through cyber-warfare cannot exist without defined gains in Clausewitzian key terrain or without successfully shifting a power-balance. As such, cyber-war, as defined by Chinese doctrine, must be conducted as a support function in tandem with kinetic operations of some kind – it does not exist as a new domain for the taking in itself. Without follow-up, the cyber capabilities of the adversary will quickly recover and the power balance, as it existed previously, will be restored. To this end, for cyber-war to be an appealing option to China, the PRC would have to be able to predict that the advantages in this domain could translate into battle victory in the material realm. In other words, cyber’s force-multiplier would have to disrupt traditional calculations of deterrence that keep it, like every other nation, in check. As it currently stands, they do not. With its current capabilities, the United States would be able to recover from a zero day cyber-attack quickly enough to thwart the stated Chinese goal of irreversibly crippling its opponents, and deploy forces (and nuclear weapons) to physical fronts as needed. This calculus should be sufficient to prevent China from desiring to launch a cyberwar with the intent of taking Taiwan (which remains well behind U.S. kinetic red lines), much less in hopes of invading American sovereign territory. It should also be noted that China itself lacks a structured cyber-defense strategy, leaving it very susceptible to retaliatory measures that may already be in place. 
The good news is, as cyber-policy becomes more organized, the threat of disruption to deterrence architecture will diminish to an even greater extent and cyber-weaponry will settle in sovereign arsenals. The White House’s newly released strategy for cyber, the first of its kind, is sure to facilitate this process further by directing the United States to take a multilateral approach to protection and establishing norms.102 Alliance structures will further decrease the disruption of cyber-capabilities to traditional deterrence by amplifying possible retaliatory measures. Technological advances will too. As former Deputy Secretary of Defense William Lynn III states, “If we can minimize the impact of attacks on our operations and attribute them quickly and definitively, we may be able to change the decision calculus of an attacker.”103 (Pellerin). This past year witnessed an increasingly sophisticated array of cyber-threats, including the likes of Shamoon, Flame, Duqu, and Gauss, but this need not mean that cyber warfare is looming on the horizon. As Schneier and Hathaway note, the threat we’re facing is one of cyber-crime, and is something detrimental to the economies and infrastructures of all nations in the digital age.104 As such, emphasis should be placed on setting up norms, establishing red lines, building frameworks for collaboration and cooperation, and updating laws, not on increasingly militarizing cyberspace.105
102 The report in all its glory can be found here: <http://www.whitehouse.gov/sites/default/files/rss_viewer/international_strategy_for_cyberspace.pdf>. See page 21 specifically.
103 Cheryl Pellerin, “DoD Releases First Strategy for Operating in Cyberspace,” DoD Website, (14 July 2011), <http://www.defense.gov/news/newsarticle.aspx?id=64686>[accessed: 20 December 2011].
104 Schneier, “Threat of Cyberwar.”
105 Hathaway.
Bibliography:
Alan D. Campen, et al., Cyberwar: Security, Strategy, and Conflict in the Information Age, (Fairfax, VA: International Press, 1996).
Catherine Lotrionte, “Cyber Operations: Conflict Under International Law,” Georgetown Journal of International Affairs: International Engagement on Cyber 2012, (December 2012): 20-25.
Chris Strohm and Eric Engleman, “Cyber Attacks on U.S. Banks Expose Vulnerabilities,” BusinessWeek, (28 September 2012), <http://www.businessweek.com/news/2012-09-27/cyberattacks-on-u-dot-s-dot-banks-expose-computer-vulnerability>[accessed: 20 December 2012].
Cyberstorm III: Final Report, Department of Homeland Security, (July 2011), <http://www.dhs.gov/sites/default/files/publications/nppd/CyberStorm%20III%20FINAL%20Report.pdf>.
Ben Buchanan, “The United States and Cyberwarfare Strategy” Institute for Law, Science, & Global Security, (November 2010).
Bruce Schneier, “Chinese Cyber Attacks: Myth or Menace,” (July 2008) <http://www.schneier.com/essay-227.html>[accessed 20 December 2012].
Bruce Schneier, “U.S. Enables Chinese Hacking of Google,” (23 January 2010) <http://www.schneier.com/essay-306.html>[accessed: 20 December 2012].
Capability of the People’s Republic of China to Conduct Cyber Warfare and Computer Network Exploitation, (report prepared for The US-China Economic and Security Review Commission by Northrop Grumman, McLean, VA: 9 October 2009). <http://www.dtic.mil/cgibin/GetTRDoc?Location=U2&doc=GetTRDoc.pdf&AD=ADA509000>
Col. Jayson M. Spade, “Information as Power, China’s Cyber Power and America’s National Security,” U.S. Army War College, (May 2012). <http://www.carlisle.army.mil/dime/documents/China's%20Cyber%20Power%20and%20America's%20National%20Security%20Web%20Version.pdf>
Cyberpower and National Security, edited by Franklin Kramer, Stuart Starr and Larry Wentz, (Dulles, VA: Potomac Books Inc. 2009).
David Nicol, “Hacking the Lights Out,” Scientific American, (July 2011): 70-75.
Edward G. Amoroso, Cyber Attacks, (Burlington, MA: Elsevier Inc., 2011).
Elisabeth Bumiller and Thom Shanker, “Panetta Warns of Dire Threat of U.S. Cyberattack,” New York Times, <http://www.nytimes.com/2012/10/12/world/panetta-warns-of-dire-threat-ofcyberattack.html?pagewanted=all&_r=0> [accessed 20 December 2012].
Glenn Derene, “How Vulnerable is U.S. Infrastructure to a Major Cyber Attack,” Popular Mechanics, (1 October 2009), <http://www.popularmechanics.com/technology/military/4307521>[accessed: 20 December 2012].
Gregory Rattray, Strategic Warfare in Cyberspace, (Cambridge, MA: MIT Press, 2001).
Herbert Lin, “Escalation Dynamics and Conflict Termination in Cyberspace,” Strategic Studies Quarterly, Vol., No. 3, (Fall 2012): 53.
“Hype and Fear,” The Economist, (8 December 2012), <http://www.economist.com/news/international/21567886-america-leading-way-developingdoctrines-cyber-warfare-other-countries-may> [20 December 2012].
Informatized Joint Operations, edited by Cao Zhengrong, Wu Runbo, Sun Jianjun, (Beijing, PRC: PLA Press, 2nd edition August 2008) at [partial translation by Open Source Center CPP20100828318001001: “PRC Book Excerpt: 'Informatized Joint Operations' on Blockade, Island Landing;” accessed 20 Nov. 2010).
Investigative Report on the U.S. National Security Issues Posed by Chinese Telecommunications Companies Huawei and ZTE (Washington DC: 112th Congress, 8 October 2012).
James Lewis, "Cyber Security Doctrine." E-mail interview. 17 Dec. 2012.
Jason Healey, “Cyber Legislation and White House Executive Orders,” New Atlanticist, (26 October 2012), <http://www.acus.org/new_atlanticist/cyber-legislation-and-white-houseexecutive-orders>[accessed: 20 December 2012].
Jason Healey, “Preparing for a Cyber 9/12,” The Atlantic Council, <http://www.acus.org/files/publication_pdfs/403/060112_ACUS_Cyber912.pdf>[accessed 20 December 2012].
Jason Healey, “The F-35’s Cyber Death Spiral?” The New Atlanticist, (29 March 2012), <http://www.acus.org/new_atlanticist/f-35s-cyber-death-spiral>[accessed: 20 December 2012].
Jayson Spade, “Information as Power: China’s Cyber Power and America’s National Security,” U.S. Army War College, (May 2012).
Jeffrey Carr, Inside Cyber Warfare, (Sebastopol, CA: O’Reilly Media Inc., 2012).
Jeffrey Carr, “Why the U.S. Will Lose a Cyber War,” The Diplomat, (10 August 2011), <http://thediplomat.com/flashpoints-blog/2011/08/10/why-us-will-lose-cyber-war/>[accessed: 20 December 2012].
John Mills, “The Key Terrain of Cyber,” Georgetown Journal of International Affairs: International Engagement on Cyber 2012, (December 2012): 99-109.
Justin Rohrlick, “Chinese Cyber Warfare: Has the U.S. Found its Smoking Gun?” Minyanville, (08 November 2012) <http://www.minyanville.com/sectors/technology/articles/china-cyberwarfare-report-cyber-attacks/11/8/2012/id/45654?page=full> [accessed 20 December 2012].
Kenneth Lieberthal and Peter W. Singer, “Cybersecurity and U.S.-China Relations,” Brookings, (February 2012), <http://www.brookings.edu/~/media/research/files/papers/2012/2/23%20cybersecurity%20china%20us%20singer%20lieberthal/0223_cybersecurity_china_us_lieberthal_singer_pdf_english.pdf>[accessed 20 December 2012].
Melissa Hathaway, “Creating the Demand Curve for Cybersecurity,” Georgetown Journal of International Affairs: International Engagement on Cyber, (December 2011): 163-170.
Michael Riley and Dune Lawrence. "Hackers Linked to China's Army Seen From EU to D.C." Bloomberg, 26 July 2012. Web. 22 Dec. 2012.
Mike McConnell, “Mike McConnell on how to win the cyber-war we're losing,” Washington Post, (28 February 2010), http://www.cyberdialogue.ca/wp-content/uploads/2011/03/MikeMcConnell-How-to-Win-the-Cyberwar-Were-Losing.pdf
Military and Security Developments Involving the People’s Republic of China 2011, A Report to Congress, Department of Defense (2011), <http://www.defense.gov/pubs/pdfs/2011_cmpr_final.pdf>
Nathan Thornburgh, “The Invasion of the Chinese Cyberspies,” Time Magazine, (29 August 2005) <http://www.time.com/time/magazine/article/0,9171,1098961-1,00.html> [accessed 20 December 2012].
National Cyber Incident Response Plan, Department of Homeland Security, (September 2010), <http://www.federalnewsradio.com/pdfs/NCIRP_Interim_Version_September_2010.pdf>.
Peng GUANGQIAN. "The Science of Military Strategy." The Science of Military Strategy: PENG GUANGQIAN AND YAO YOUZHI: 9787801378927 (2005. Web.)
Richard Adhikari, “In Google Attack Aftermath, Operation Aurora Keeps on Hacking,” Tech News World, (08 September 2012), <http://www.technewsworld.com/story/76109.html>[accessed: 20 December 2012].
Richard A. Clarke, Cyberwar, The Next Threat to National Security and What to Do About It, (New York, NY: HarperCollins Publishers, 2010).
Richard Clarke, “War From Cyberspace,” The National Interest, Nov/Dec 2009. http://web.clas.ufl.edu/users/zselden/coursereading2011/Clarkecyber.pdf
Richard Lardner, “Draft order would give companies cyberthreat info,” Huffington Post, (20 October 2012), <http://www.huffingtonpost.com/huff-wires/20121020/us-cybersecurityorder/>.[accessed: 20 December 2012].
Richard Norton-Taylor, “Titan Rain – how Chinese hackers targeted Whitehall,” The Guardian, (4 September 2007) <http://www.guardian.co.uk/technology/2007/sep/04/news.internet>[accessed 20 December 2012].
Susan W. Brenner, Cyberthreats: The Emerging Fault Lines of the Nation State, (Oxford, NY: Oxford University Press, 2009).
Technology, Policy, Law and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities, edited by William A. Owens et al. (Washington DC, DC: The National Academies Press, 2009)
“USCC 2012 Annual Report,” 41 (report for the U.S.-China Economic and Security Review Commission; Washington, D.C., November 2012).
U.S Cyber Command: Organizing for Cyberspace Operations, (H.A.S.C. No. 111–179; Washington, DC: 111th Congress, Second Session, House Committee on Armed Services, 23 September, 2010). http://www.gpo.gov/fdsys/pkg/CHRG-111hhrg62397/pdf/CHRG111hhrg62397.pdf
William F. Lynn III, “Defending a New Domain - The Pentagon's Cyberstrategy,” Foreign Affairs vol. 89, No. 5 (September/October 2010): pp. 97-108
2012 Report to Congress of the U.S.-China Economic and Security Review Commission: (Washington DC: 112th Congress, 2nd Session, November 2012): 161-162.