It’s All Evan Osnos’ Fault!
Evan Osnos is the China columnist for the New Yorker.
My impression is that he usually covers the social
issues/human rights/dissident beat.
However, yesterday, riffing off the news about organized
Chinese hacking of US government and private websites, he veered off into counter-proliferationblack ops:
The fact is that the United States government has already shown signs of an energetic capacity for cyber war, as in the case of Stuxnet, the software worm that the U.S., working with Israel, is believed to have used to disrupt Iran’s uranium-enrichment program. Coincidentally, I happened to ask some North Korea experts last week if Pyongyang’s latest round of nuclear tests might make it a prime target for a Stuxnet-style intervention. “The only time I heard anything along such lines recently was suspicion that the April launch failure may have resulted from cyber attack—but that was in the realm of conspiracy theory,” John Delury, of Yonsei University, in Seoul, told me.As long as it’s in the realm of the theoretical, here’s another twist: given China’s vocal frustration with its erstwhile allies in Pyongyang, and China’s fondness for cyber adventures, any chance that China might try a Stuxnet approach to slow down a headache on its northeast border? From what I gathered, the chances were slim, in part because of operational differences between Iran and North Korea. “Do the Chinese know which industrial-control systems are in place?” Adam Segal, of the Council on Foreign Relations, asked. “Could they deliver the malware to a system that is most likely ‘air gapped’ and not connected to the Internet? Could they be sure that the infection wouldn’t spread—back to China or to U.S. or others? Do D.P.R.K. nuclear scientists travel? Is it possible to leave thumb drives around with no one noticing?”
On a couple of levels I am gobsmacked by Olnos’ blithe
presumption.
I will set aside for the time being his rather fanciful view
of the dynamics underlying PRC-DPRK relations.
Suffice to say that Beijing’s vision for sustaining its rather
precarious economic and political sway over the northern half of the Korean
peninsula do not involve sabotaging Pyongyang’s most cherished strategic
initiative.
But as to the casual attitude toward a “Stuxnet approach”,
Stuxnet was an act of war. Full
stop. If the PRC or anybody else did
that to us, they would face the prospect of direct, escalating retaliation.
If one is looking for an explanation for why cyberwarfare
has become an obsession of the Department of Defense, with the planned addition
of thousands of specialists to “Cyber Command”, and why President Obama raised
the spectre of cyberwarfare in his State of the Union address, look no further
than Stuxnet.
I believe the stories of massive hacking effort condoned and
directed by the PRC government, and the significant value of the intellectual
property and secrets extracted.
But for the sake of clarity, let’s call it “cyberespionage”.
Cyberwarfare—the destruction of military, industrial, or
infrastructure facilities i.e. acts of war—is qualitatively different.
I also believe that the reason that that the reason that
Chinese cyberespionage is hyped today (and conflated into the “cyberwarfare”
category) is to distract attention from the US complicity in an irrevocable
escalation of cyberwarfare, and to prepare public opinion against the day when
this weapon is turned against us.
In the same article that Osnos advances the narrative of the
dire character of Chinese hacking (After years of warnings that Chinese
hacking was a rising threat, the Mandiant study, and the willingness of U.S.
officials to confirm many of its findings, signal a blunt new American
counteroffensive against the era of Chinese cyber attacks), he proposes
that the PRC might engage in a Stuxnet-type exploit of cross-border military
sabotage.
There’s a qualitative difference in what the PRC has been
accused of in the past, and what the US did with Stuxnet.
That’s not because the PRC is run by wonderful, peace-loving
people--or because the PRC has not developed any cyberwar weapons (for one thing, I expect the PRC's computer scientists have been interested and involved participants in Iran's struggles with Stuxnet).
It’s because the PRC is extremely careful to avoid cycles of
escalation with US power, preferring to counterpunch asymmetrically.
In defense matters, the asymettric doctrine is embodied in “non-interference
in the affairs of sovereign states” as a bedrock value, one that provides China
with a ready, if ever-eroding, bulwark against US “pre-emption” and “R2P”
doctrines which leverage US military and technological superiority across
national borders, and the ability for unmatchable escalation that is at the
heart of the American game.
That isn’t a diplomatic and strategic shield to be abandoned
lightly for the transient pleasures of fucking with North Korea’s nuclear
program, or other cyberwarfare shenanigans, for that matter.
So I found Osnos’ speculation rather clueless, both in the
matter of his understanding of the PRC security mindset and in the matter of
his apparent utter gormlessness as to the significance of the Stuxnet exploit.
I will speculate that Olnos’ level of comfort with the “Stuxnet
approach” has a lot to do with the fact that “we did it first, so it must be
OK.”
Well, it’s not OK, and President Obama realizes it and the
Pentagon realizes it, as can be seen from the attached piece.
But if Evan Osnos thinks it’s OK, and his ignorance is
contagious, we’re closer to the day when US cyberaggression against China can
be excused and advocated as “less than war” and any Chinese retaliation will,
inevitably, be condemned as “an act of war”.
So Evan, if there’s a war with China…it’s your fault!
Crossing the Digital Line
President Obama chose to open the Pandora’s box of cyberwar
with the Stuxnet attack on Iran’s centrifuge operations. In the process, he made a mockery of the
Pentagon’s attempts to establish the rules of cyberwarfare in discussions with
a most active and interested adversary--China.
Now, it is almost inevitable that, in addition to potential battlefields
on land, sea, and in the air, the escalating and repeating cycle of genuine
risk, threat inflation, politicized fearmongering, destabilizing challenges,
and growing polarization, accompanied by expanded missions and fattened budgets
for the security establishment and its defense contractors —will apply to the
US-PRC cyber-arena.
China, of course, is an enthusiastic practitioner of every
commercial, military, and diplomatic hack known to science and, it can be safely
assumed, is developing its own suite of cyberweapons.
I expect Stuxnet also provides adequate inspiration and
justification for the Chinese security and defense establishment to further
formalize and professionalize its cyberwar operation and bloat its budget.
Chinese hacks against US targets have traditionally been
attributed to freelancers indirectly steered by the Chinese government in order
to preserve deniability, as I wrote for Asia Times in April 2012:
China is notorious for its interest in cyber-war as an asymmetric counter to the conventional military superiority of the United States ... and for its apparent willingness to farm out, encourage, or benefit from private hacker initiatives.
On 2010, Mara Hvistendahl wrote in Foreign Policy:[T]he hacking scene in China probably looks more like a few intelligence officers overseeing a jumble of talented - and sometimes unruly - patriotic hackers. Since the 1990s, China has had an intelligence program targeting foreign technology, says James A Lewis, senior fellow for cyber-security and Internet policy at the Center for Strategic and International Studies. Beyond that, however, things get complicated. "The hacking scene can be chaotic," he says. "There are many actors, some directed by the government and others tolerated by it. These actors can include civilian agencies, companies, and individuals." [3]Patriotic hackers in China are called "hong ke" or "red guest", a pun on the phonetic rendering "hei ke" or "black guest" for hacker.
Their patriotic cyber-duties included destroying the online presence of South Korean boy band Super Junior after an unruly and undignified crowd of Chinese fans clamored to hear the band at the Shanghai World Expo and embarrassed Chinese nationalists. [4]
They also weigh in on foreign issues of greater moment, mixing it up with their Japanese counterparts when Sino-Japanese passions are inflamed by visits to the Yasukuni Shrine or the collision between a Chinese fishing boat and Japanese coast guard vessel off Diaoyutai/Senkaku in 2010.
But their major utility to the Chinese government may be their ability to generate chaff - a barrage of cyber-attacks to distract and overwhelm US security specialists trying to cope with China's pervasive, professional program of industrial and military espionage - and give the People's Republic of China (PRC) government deniability when hacking is traced to a Chinese source.
Chinese industrial cyber-espionage has emerged as a dominant near-term security concern of the United States.
