
Thursday, June 06, 2013

Humble pie on menu for Xi Jinping at Sunnylands

[This piece originally appeared at Asia Times Online on June 6, 2013.  It can be reposted if ATOl is credited and a link provided.]

The expert consensus is that the Barack Obama-Xi Jinping summit at Sunnylands, California is something of a relationship-building nothingburger. The summit was arranged on short notice, there is no detailed agenda, and the most likely result is that Obama and Xi will get to know each other better and therefore communicate more effectively.

In fact, the main concern of Western adversaries of the People's Republic of China (PRC), from dragon-slayers on the right to human rights crusaders on the left, seems to be that President Obama will surrender to Xi Jinping's burly charm and slacken in his resolve to twist the panda's testicles.

From the right, the American Enterprise Institute's Michael Auslin wrote an op-ed on the Foreign Policy magazine website asserting that the summit shouldn't even have happened.
... [S]ummits like this one should be reserved for friends and allies ...

There are almost no shared values between Beijing and Washington, and little complementary policy. The Chinese engage with the United States because it allows them to play the charade of backslapping, while sidestepping tough issues. Unfortunately, Washington finds itself in a dialogue dependency trap ... [1]
Writing at the Asia Society's ChinaFile blog, Professor Andrew Nathan also expressed his concern that excessive comity might break out:
I hope our president avoids signing on to "a new type of great power relationship." This is Chinese code for the US preemptively yielding to what China views as its legitimate security interests. These interests are quite expansive - acceptance of the Chinese regime as it is, human rights violations and all; acceptance of China's territorial demands in the East and South China Seas; deference to China's views on the rules governing international trade, currency, climate change, humanitarian intervention, and so on ... I think a new equilibrium between American and Chinese interests will have to be achieved by painstaking work on concrete issues over a long period of time, often in a contentious environment. [2]
For good measure, Foreign Policy blog's Isaac Fish contributed a post hailing Michelle Obama's non-appearance at the summit, only expressing regret that her absence was officially attributable to obligations surrounding end-of-school for the children in Washington, and not an overt snub to Xi's wife to shame her for her past role as PLA chanteuse.

It is unlikely that President Obama will conduct his meeting with Xi like a middle manager briskly interviewing an unqualified and unattractive job applicant over a latte in the local Starbucks, impatiently checking his Blackberry during the pitch and abruptly leaving to get his car washed.

However, skeptics should be pleased that the United States holds the advantage at this particular juncture of the evolving US-China relationship and is probably prepared to use it.

The "pivot" - also known as "the rebalancing" - is working, albeit in unexpected ways.

The US exercise in "confrontainment" has not produced a united, US-led coalition compelling the PRC to upgrade its adherence to Western universal norms in return for the right to continued full membership in the community of nations.

Instead, Japan, under the rule of the PRC-hostile nationalist Shinzo Abe, is working to co-opt the rhetoric and goals of the pivot to create a favored place for Japan as the crucial economic and security component in an alliance of Asian democracies confronting China, thereby spooking the PRC and also working against the US hegemony in Asia which the pivot was intended to prolong.

Abe is doing the heavy lifting in assembling a Great Wall of Asian democracies containing China, roaming Asia in search of allies (and for the aid/trade/investment opportunities needed to provide some long-term fuel for his program of economic rebirth, "Abenomics").

To China's chagrin, Abe appears to be quite successful in getting open commitments to enhanced economic and security competition with China's regional adversaries (the Philippines, Vietnam), and conducting high profile engagement with erstwhile PRC ally/satellite Myanmar.

The nastiest shock for the PRC, however, was the open tilt by India away from China and to Japan. Although Premier Li Keqiang made India the destination for his first overseas trip after assuming office, his visit was overshadowed by a flare-up in border tensions in Ladakh and Indian disgruntlement over China's large surplus in bilateral trade.

Shortly thereafter, Indian Prime Minister Manmohan Singh paid a working visit to Tokyo, and his rhetoric went considerably beyond the triangulating rhetoric usually associated with Indian foreign policy to a full-throated endorsement of the special India-Japan relationship.

An Asia in which the Philippines, Vietnam, and India might be following the lead of Japan in an anti-China coalition is not just a matter of diplomatic embarrassment and potential (if remote) military hazard to the PRC.

There is the matter of the competing trade blocs: the US-led "Trans Pacific Partnership", the "high standards" pact that does not include the PRC, and the ASEAN-based and China-promoted alternative - the Regional Comprehensive Economic Partnership, or RCEP, which has a more hospitable attitude toward mixed economies and state-owned enterprises and does not make a fetish out of the extraterritorial intellectual property and legal rights of multinational corporations as the TPP does; nor does it include the United States.

Japan has seized on TPP as a crucial element in its strategy to push the PRC toward the economic sidelines and assert a more central role for Japan, as a backgrounder in India's Financial Express pointed out:
From its start, the TPP was more than a regional trading arrangement. The US has not shied away from allowing it to be viewed as a response to China's growing economic presence in the Asia-Pacific. Abe has noted that the TPP's impact extends beyond the economic sphere. Participation in the TPP will allow Japan to create a "new economic order" with the US, creating new rules and ensuring stability in the Asia-Pacific region. Importantly, Abe sees the creation of this new order and its new rules as important steps in achieving Japan's national interests. Given that Japan is currently embroiled in a territorial dispute with China over the Senkaku islands, joining the TPP can also be seen as an attempt on the part of Japan to counter increasingly assertive China. ...

On the one hand, regional convergence based on the RCEP model will facilitate China's rise as the dominant Asian power. Conversely, a TPP-driven convergence will allow the US to re-assert itself as the dominant power in Asia. [3]
Since the inner workings of the TPP negotiations are notoriously opaque, it is not clear that Japan's full participation in TPP negotiations will give it the power - which is theoretically the prerogative of other members - to blackball new applicants. However, given Abe's China strategy, it is not unreasonable to speculate that the ability to apply a chokehold to China's TPP plans figured in Japan's decision to join negotiations.

At the same time, Japan is also a participant in the RCEP talks.

Perhaps equally fatally for the PRC's hopes, India, as befits its ambitions if not its location, is also a partner in the TPP talks as well as the RCEP talks.

If Japan and India combine to call for the RCEP to meet the same standards as the TPP, they have enough economic and geopolitical clout to make the TPP negotiations become the de facto standard. The RCEP - and the PRC - can languish on the sidelines.

Sidelining China and allowing Japan to occupy a central position among the smaller Asian maritime democracies - in essence, acting as a big frog in a smaller pond - is a good thing for Abe, but not necessarily for the United States, which will find itself crowding in the smaller pond it will have to share with graying, economically shaky Japan.

With conditions tending towards the unfavorable in Asia, and Japan's independent foreign policy whittling away at US claims to hegemony, the PRC's alternative is to play the US card and persuade the United States there are sound geopolitical advantages in restraining Japan, admonishing India, and allowing China some advantage in its myriad territorial and economic disputes.

In recent days, China has made several conciliatory moves: it sent a high-level delegation to the Shangri La defense ministers gab fest in Singapore to challenge the framing that the PRC is a bunch of confrontational knuckleheads on regional security and territorial issues. The PRC was determined to engage, as Reuters reported in "China turns on the charm at regional security forum":
[T]he charm offensive by the People's Liberation Army (PLA) officers, less than a week before Chinese President Xi Jinping meets US President Barack Obama for an informal summit, appeared to be designed to tone down the recent assertiveness by emphasizing cooperation and discussion ...

[A] senior US official accompanying Defense Secretary Chuck Hagel to the forum saw a big change in the Chinese delegation. "Last year China had a very, very small contingent, a relatively junior-ranking contingent. This year they came in force ... and have been very active in the panels," said the official. "That's very, very good. We want everybody to engage." [4]
Then there was some discreet groveling on the issue of the Trans Pacific Partnership, via People's Daily:
China has been following the talks on the Trans-Pacific Partnership (TPP) and hopes for more transparency in the discussions, Foreign Ministry spokesman Hong Lei said on Friday.

Hong's remarks came after the US Under Secretary of Commerce for International Trade, Francisco J Sanchez, said the United States welcomes China to join the TPP. ...

Hong said China is open-minded about cooperation initiatives that are conducive to economic integration and common prosperity in the Asia-Pacific region, including the TPP and the RCEP. [5]
Add to that conciliatory noises on the vexing issue of North Korea via a leak to Reuters designed to communicate that the Chinese leadership got tough with North Korea's envoy when he showed up in Beijing at the end of May:
Beijing tried to convince Pyongyang to stop its nuclear and missile tests ...

China has grown increasingly frustrated with Pyongyang. It agreed to new UN sanctions after Pyongyang's latest nuclear test in February, and Chinese banks have curbed business with their North Korean counterparts in the wake of US sanctions on the country's main foreign exchange bank.

A former senior US official said Beijing's insistence that North Korea halt testing would be in line with recent signs it was running out of patience with Pyongyang.

"What I've heard from talking to Chinese officials and American officials who are talking to them is that top Chinese officials now emphasize that the principal goal is to terminate the nuclear weapons program of North Korea," the ex-official said. [6]
And immediately prior to President Xi's arrival in the United States:
A US businessman who was unable to leave China for nearly five years has returned to his home in the US. Hu Zhicheng was detained in China in 2008 when a former business partner accused him of commercial theft. ...

Chinese foreign ministry spokesman Hong Lei told reporters that Mr Hu had been restricted from leaving China because of an ongoing lawsuit.

"Now these restrictions have been cancelled according to legal proceedings. The relevant judicial cases are being handled," he said. [7]
All these initiatives add up to a message of conciliation from the PRC to the United States.

Are these simply the cynical machinations of a hostile regime determined to disguise its motives and shield its actions? A low-cost diplomatic strategy to grease the wheels for an otherwise meaningless friendly photo-op with President Obama to boost Xi Jinping's domestic stature?

Or is Xi prepared to execute as well as offer some genuine concessions in order to obtain, if not the unlikely "US China partnership", more of a tilt toward China and away from the pivot coalition in Pacific affairs? Probably a key indicator will be how the "cyber-outrage" narrative plays out.

The United States has been methodically hyping the Chinese cyber-threat since November 2011, systematically escalating the attributions, the accusations, and the anxiety from initial suspicions of non-state hacking maybe originating in China to current declarations that the Chinese government and military execute a massive state-directed hacking program against US commercial, governmental, and military assets.

A climax of sorts will be reached in Sunnylands when President Obama officially gets into Xi Jinping's grill and provides a dossier of alleged Chinese cyber-outrages and the costs they have inflicted on US businesses.

The US cyber-position is rife with contradictions, starting with the fact that the United States - with its technological assets, its central position in the world communications infrastructure, the National Security Agency's pressing need to build server farms the size of the Astrodome to store the petabytes of data it has accidentally stumbled across (which, by US law, is supposed to exclude communications inside the United States), and the fact that the United States followed up its proud record of nuclear first use at Hiroshima to become the first use state for cyber-weapons with Stuxnet, the attack on Iranian centrifuge facilities - is the king of covert cyber-activity.

As Kenneth Lieberthal of Brookings put it:
President Obama needs to be sensitive to the reality that, from a Chinese perspective, the United States nearly owns the cyber arena. America has the most advanced tools and capabilities, and the Chinese political and financial systems largely run on American software. China assumes the US uses that huge capability to its advantage. That is a perception that will be part of the equation in any serious cyber discussion. [8]
One has to wonder if America's "China cyber-threat" posture has something to do with the realization that the Chinese government had allowed the yuan to appreciate to its natural value and a replacement threat narrative was urgently needed to keep the onus on the PRC as a rogue state.

Today, the traditional narrative that "Chinese companies beat out US companies because of an unfair exchange rate advantage" has been superseded by the borderline racist "Chinese companies can't innovate and can only succeed by stealing US secrets" reboot. Per NPR:
[I]f Chinese businesses can steal US technology, they can blunt the one big advantage US companies have in the global economy, which is their capacity to innovate. It is that spirit that explains the emergence of US companies like Microsoft, Apple or Google. Such companies, business experts say, have been far less likely to originate in China, because the business culture in China does not favor creativity. But they can always steal the products of US creativity. [9]
Then there are the accusations of military espionage, which lend themselves to even more dire narratives:
Lou Dobbs, CNBC: Remember, a little over a year ago, the Joint Chiefs made a similar statement, that in certain instances, intrusions in cyberspace will be considered an act of war against the United States and will be treated as such. What more ... what in God's name would it take to create an act of war? You couldn't do this in anything but the virtual world and have there be any doubt about it. It's an act of war. [10]
The Obama administration's high-profile jihad against Chinese hacking would appear to be an exercise in futility from a legal/diplomatic perspective.

Given the opaque nature of the Internet, it is unlikely that the United States will ever be able to document Chinese cyber-intrusion to a degree sufficient for an international commercial tribunal, let alone achieve the level of proof needed to launch a cyber-attack or cruise missile under international law. But that's not a bug, it's a feature.

What President Obama is presumably threatening is unilateral, discretionary, and unattributable off-the-books cyber-retaliation by executive order for cyber-infractions unless Xi acts on his dossier.

Things get better, in other words, or things get fucked up.

Not exactly the Platonic ideal of justice, but extremely useful to the United States: it can unilaterally define the crime, attribute it, demand punishment, and, inevitably, declare that the punishment was insufficiently thorough and sincere, in a fashion that will be immediately familiar to anyone who recalls the US campaign against Iraq's WMDs and Iran's nuclear program.

I expect that, for the sake of improving relations with the United States, President Xi will consider accepting the dossier and ordering up a few cyber-sacrifices in the digital arena. Accepting the dossier and "doing something" will be a relatively momentous step for Xi, if he undertakes it. If the PRC acknowledges the validity of US cyber-complaints the issue will never, ever go away (unless a new, even more effective instrument of China bashing materializes).

I expect Xi will consider assuming his cyber-enforcement duties with the understanding that nothing he can do will ever be considered sufficient by the United States, any benefits China gains in return are conditional, transitory, and subject to immediate revocation, and his domestic stature will not be enhanced by cooperating with the US on this issue.

This impression will be reinforced by the reshuffling of President Obama's national security team. Tom Donilon, President Obama's National Security Advisor, is stepping down in July and will be replaced by UN Ambassador and erstwhile candidate for secretary of state Susan Rice.

Donilon was the architect of the "rebalancing" to Asia, or perhaps the architect of appropriating Kurt Campbell's conception of the pivot, renaming it, and, in the first months of President Obama's second term, repurposing it to achieve a measure of meaningful engagement with the PRC.

Donilon was known for his focus on managing the national security process and its diverse constituencies to secure a range of foreign policy options for the White House. Reportedly, he was very keen to schedule the Sunnylands summit (the first president-to-president meeting was originally scheduled for the G-20 get together in September), quite possibly viewing it as his swan song and a chance to bring to fruition his project for rebalance-driven engagement.

Donilon is probably right to feel a sense of urgency, since his successor is likely to take a jaundiced view of the possibility of a constructive and productive relationship between China and the US.

Judging by preliminary reports and her performance at the United Nations, including her full-throated advocacy of the Libya intervention and disregard for the consequences for the overseas victims of her flawed moral certainty, Ambassador Rice is more likely to be an advocate for a moral interventionist agenda within the bureaucracy and to the president than an objective facilitator of the national security process. [11]

Rice will be replaced at the UN by Samantha Power, who is, perhaps, even more of a moral interventionist (fun fact: Power, an important adviser to President Obama on foreign policy, had been blocked from a high position in the Obama administration because she had called Hillary Clinton a "monster" while acting as an Obama campaign surrogate in 2008. It would be interesting if the trigger for all this musical-chair activity was the retirement of Hillary Clinton and the possibility to finally slot Ms Power into the high foreign policy position it was felt she deserved. With Rice and Power in the top spots President Obama originally intended for them, it will be interesting to see how much influence John Kerry can exert as secretary of state.)

Given staffing trends, President Obama's own inclinations, and its crude political utility, I expect cyber-indignation to remain at the center of US China policy.

And I expect that President Xi, cognizant of the fact that he needs some goodwill from the US, no matter how transitory, will think seriously about the risky and highly consequential step of validating the US cyber-threat bugbear.

Notes:
1. Xi's Not Ready, Foreign Policy, June 4, 2013.
2. What Should Obama and Xi Accomplish at Their California Summit?, ChinaFile, May 29, 2013.
3. Where does India stand amid changing Asia-Pacific trade dynamics?, Financial Express, April 4, 2013.
4. China turns on the charm at regional security forum, Reuters, June 2, 2013.
5. China hopes for transparent U.S.-led TPP talks, People's Daily Online, June 1, 2013.
6. China tried to convince North Korea to give up nuclear tests - source, Reuters, June 4, 2013.
7. US businessman Hu Zhicheng released from China, BBC News, June 5, 2013.
8. U.S.-China Relations: The Obama-Xi California Summit, Brookings, June 3, 2013.
9. U.S. Turns Up Heat On Costly Commercial Cybertheft In China, NPR, May 7, 2013.
10. Dobbs Wants U.S. to Declare War With China for Hacking, C&L, May 28, 2013.
11. Donilon's Legacy, foreignpolicy.com, June 5, 2013. (Subscription only).

Saturday, March 16, 2013

China cyber-war: Don't Believe the Hype


I make some basic assumptions about the China cyberintrusion issue:

First, that the Chinese program of industrial espionage, both conventional and cyber-based, is immense and it's gotten out of hand. The previous justification--that, as a matter of national security, the PRC had to obtain by hook or by crook vital technologies that the West and Japan refused to share--doesn't hunt. In my opinion, the PRC should unilaterally wind down the program without trying to extract any concessions from the US in return.

Second, I do not think that the cyber industrial espionage issue should be conflated with the "cyberwarfare" scaremongering, which is a transparent exercise in budget and mission enhancement for the NSA and Pentagon, and a China-bashing hobbyhorse for cynical politicians.

Instead, I think the industrial/cyberespionage issue should be linked in the public sphere to the intellectual property issue--another area in which the PRC should be behaving better.

The infrastructure/military issue is too important and too sensitive to serve as public political fodder, and the US hands are far from clean in this regard--see Stuxnet.


Third, I would like to think that the Obama administration's thoughts run along the same track, but the cyber-train is getting hijacked by the cyberwar enthusiasts.  That's the approach I take in this week's Asia Times Online column, by parsing National Security Adviser Tom Donilon's speech at the Asia Society.

Fourth, bitching about Chinese state hacking is not going to solve the hacking/security problem.  The threats are coming from all over (look at Russia, not just China), and they are capable of challenging whatever defenses that nations, militaries, and corporations can come up with.

I think these points are ones that sober, pipe-smoking liberals can consider endorsing.

Here's the last point, which may be a little harder to swallow:

I'm a big believer in the open-architecture free-for-all, but the Internet is now government business, and governments around the world are going to do their best to control the Internet.

As viruses and exploits have proliferated and demonstrated their ability to elude detection programs, the reality of the Internet has evolved away from open architecture to a defensive architecture buttressed by state data collection, surveillance, and legal coercion meant to identify and confront threats.  It sounds like I'm describing the Chinese Internet, but I'm describing the US Internet as well.


I expect "freedom to connect" to survive as a convenient China-bashing talking point for the US government, but I expect the US military and security apparatus will become increasingly sympathetic to Internet-taming strategies by the PRC and other nations, so that threats can be identified, managed, and negotiated in coordination between capable state interlocutors and not left up to corporate players or the miraculous self-perfecting ecology of the untrammeled Internet.

Which is another way of saying get used to the Great Firewall in China and a less overt but similar pattern of data collection, monitoring, and threat identification in the US.  And get used to the PRC believing that US calls to get rid of the Great Firewall are simply hypocritical demands for unilateral disarmament and empty political posturing.


[This piece originally appeared at Asia Times Online on March 15, 2013.  It can be reposted if ATOl is credited and a link provided.]

The United States has made the interesting and perhaps significant decision to generate a crisis around Chinese cyber-intrusions as the Obama administration enters its second term. With its typical careful, methodical preparation, the Obama administration has been gradually rolling out the Chinese cyber-threat product since November 2011 with escalating evidentiary indictments of Chinese hacking, but without overtly linking these activities to the Chinese government or military. [1]

The most recent shoes to drop were the detailed brief drawn up by Mandiant Corp against the PLA's Unit 61398, allegedly the PLA outfit in the white office building in Shanghai's Pudong District that phished, lurked, and drained information from the New York Times and many other US businesses, and the subsequent calling out of the PRC by name for its cyber-sins by National Security Advisor Tom Donilon. [2]

People hoping for a reset in US-Chinese relations - including the PRC - may feel a twinge of disappointment that the United States has decided to hype another point of US-PRC friction.

Then again, there is the interesting question of whether the White House is trying to conduct a measured escalation, but is getting stampeded by the threat inflation/budget boosting priorities of the US national security apparatus and its eager handmaiden, the Western media.

Donilon came up with a nuanced approach to Chinese cyber-mischief during his speech to the Asia Society, which deserves to be quoted at length.

Bypassing the issue of cyber-spying against military and government targets that probably falls into the grey area of "everybody does it and why shouldn't they", and defining and limiting the issue to a specific and remediable problem - the massive state-sponsored PRC program of industrial and commercial espionage against Western targets - Donilon's framing placed "cyber-theft" in a category similar to the intellectual property gripe, also known as systematic piracy of US software, as an info strategy condoned by the Chinese government:
Another such issue is cyber-security, which has become a growing challenge to our economic relationship as well. Economies as large as the United States and China have a tremendous shared stake in ensuring that the Internet remains open, interoperable, secure, reliable, and stable. Both countries face risks when it comes to protecting personal data and communications, financial transactions, critical infrastructure, or the intellectual property and trade secrets that are so vital to innovation and economic growth.

It is in this last category that our concerns have moved to the forefront of our agenda. I am not talking about ordinary cybercrime or hacking. And, this is not solely a national security concern or a concern of the US government. Increasingly, US businesses are speaking out about their serious concerns about sophisticated, targeted theft of confidential business information and proprietary technologies through cyber intrusions emanating from China on an unprecedented scale. The international community cannot afford to tolerate such activity from any country. As the President said in the State of the Union, we will take action to protect our economy against cyber-threats.

From the President on down, this has become a key point of concern and discussion with China at all levels of our governments. And it will continue to be. The United States will do all it must to protect our national networks, critical infrastructure, and our valuable public and private sector property. But, specifically with respect to the issue of cyber-enabled theft, we seek three things from the Chinese side. First, we need a recognition of the urgency and scope of this problem and the risk it poses - to international trade, to the reputation of Chinese industry and to our overall relations. Second, Beijing should take serious steps to investigate and put a stop to these activities. Finally, we need China to engage with us in a constructive direct dialogue to establish acceptable norms of behavior in cyberspace.

We have worked hard to build a constructive bilateral relationship that allows us to engage forthrightly on priority issues of concern. And the United States and China, the world's two largest economies, both dependent on the Internet, must lead the way in addressing this problem. [3]
This rather unexceptionable and reasonable demand that the PRC rein in its gigantic program of economic/commercial hacking, ie cyber-enabled theft as Donilon put it, and give US businesses a break, was not good enough for the Christian Science Monitor, which has apparently shed, together with its print edition, the sober inhibitions that once characterized its news operations.

The CSM's headline:
US tells China to halt cyberattacks, and in a first, lays out demands

Obama's national security adviser, Thomas Donilon, spelled out a more aggressive US stance on the cyberattacks, saying China must recognize the problem, investigate it, and join in a dialogue. [4]
Note in the CSM story the effortless slide down the slippery slope from cyber-theft to cyber-espionage to cyber-attacks (and for that matter, "should" and "needs" to "demands"). Well, fish gotta swim, birds gotta fly, and eyeballs have to be wrenched from their accustomed paths and turned into click-fodder.

And don't get me started on the Pentagon:
A new report for the Pentagon concludes that the US military is unprepared for a full-scale cyber-conflict with a top-tier adversary. The report says the United States must increase its offensive cyberwarfare capabilities. The report also calls on the US intelligence agencies to invest more resources in obtaining information about other countries' cyberwar capabilities and plans.

The Washington Post reports that the report says that the United States must maintain the threat of a nuclear strike as a deterrent to a major cyberattack by other countries. The report notes that very few countries, for example, China and Russia, have the skills and capabilities to create vulnerabilities in protected systems by interfering with components.

The report emphasizes that defensive cyber capabilities are not enough, and that the United States must have offensive cyber capabilities which, when needed, could be used either preemptively or in retaliation for a cyber attack by an adversary. [5]
Security consultant Bruce Schneier addressed the threat inflation issue (and the dangers of trying to design and justify retaliation in the murky realm of cyberspace) in a blog post on February 21:
Wow, is this a crazy media frenzy. We should know better. These attacks happen all the time, and just because the media is reporting about them with greater frequency doesn't mean that they're happening with greater frequency.

But this is not cyberwar. This is not war of any kind. This is espionage, and the difference is important. Calling it war just feeds our fears and fuels the cyberwar arms race.

In a private e-mail, Gary McGraw made an important point about attribution that matters a lot in this debate.

Because espionage unfolds over months or years in realtime, we can triangulate the origin of an exfiltration attack with some certainty. During the fog of a real cyber war attack, which is more likely to happen in milliseconds, the kind of forensic work that Mandiant did would not be possible. (In fact, we might just well be "Gandalfed" and pin the attack on the wrong enemy.)

Those of us who work on security engineering and software security can help educate policymakers and others so that we don't end up pursuing the folly of active defense.

I agree.

This media frenzy is going to be used by the US military to grab more power in cyberspace. They're already ramping up the US Cyber Command. President Obama is issuing vague executive orders that will result in we-don't-know what. I don't see any good coming of this. [6]
Not to worry, is the US attitude.

The United States apparently feels that it can "win the Internet" by harnessing the power of the invincible American technological knowhow to the anti-Chinese cyber-crusade.

In another of the seemingly endless series of self-congratulatory backgrounders given by US government insiders, the godlike powers of the National Security Agency were invoked to Foreign Policy magazine in an article titled Inside the Black Box: How the NSA is helping US companies fight back against Chinese hackers:
In the coming weeks, the NSA, working with a Department of Homeland Security joint task force and the FBI, will release to select American telecommunication companies a wealth of information about China's cyber-espionage program, according to a US intelligence official and two government consultants who work on cyber projects. Included: sophisticated tools that China uses, countermeasures developed by the NSA, and unique signature-detection software that previously had been used only to protect government networks.

Very little that China does escapes the notice of the NSA, and virtually every technique it uses has been tracked and reverse-engineered. For years, and in secret, the NSA has also used the cover of some American companies - with their permission - to poke and prod at the hackers, leading them to respond in ways that reveal patterns and allow the United States to figure out, or "attribute," the precise origin of attacks. The NSA has even designed creative ways to allow subsequent attacks but prevent them from doing any damage. Watching these provoked exploits in real time lets the agency learn how China works.
And amid the bluster, a generous serving of bullshit:
Now, though, the cumulative effect of Chinese economic warfare - American companies' proprietary secrets are essentially an open book to them - has changed the secrecy calculus. An American official who has been read into the classified program - conducted by cyber-warfare technicians from the Air Force's 315th Network Warfare Squadron and the CIA's secret Technology Management Office - said that China has become the "Curtis LeMay" of the post-Cold War era: "It is not abiding by the rules of statecraft anymore, and that must change."

"The Cold War enforced norms, and the Soviets and the US didn't go outside a set of boundaries. But China is going outside those boundaries now. Homeostasis is being upset," the official said. [7]
A more impressive and evocative term than "upset homeostasis" to describe the US cyber-war conundrum is "Stuxnet".

The Obama administration's cyber-maneuverings have been complicated and, it appears, intensified, by the problem that the United States "did not abide by the rules of statecraft" and "went outside the boundaries" and, indeed, became the "Curtis LeMay of the post Cold War era" when it cooperated with Israel to release the Stuxnet exploit against Iran's nuclear program.

That was a genuine piece of cyber-warfare, the effort to sabotage a critical military facility in a pre-emptive attack.

The Obama administration admitted the central role of the United States and President Obama personally in the Stuxnet attack, apparently in a desire to demonstrate his genuine, Iran-hating credentials to skeptical conservatives and national security types prior to the November 2012 presidential election.
And President Obama, in his usual thoughtful way, 'fessed up to the fact that it was the United States that started drawing outside the cyber-warfare lines, as the New York Times' David Sanger reported in his privileged account:
Mr Obama, according to participants in the many Situation Room meetings on Olympic Games [the Stuxnet program], was acutely aware that with every attack he was pushing the United States into new territory, much as his predecessors had with the first use of atomic weapons in the 1940s, of intercontinental missiles in the 1950s and of drones in the past decade. He repeatedly expressed concerns that any American acknowledgment that it was using cyber-weapons - even under the most careful and limited circumstances - could enable other countries, terrorists or hackers to justify their own attacks.

"We discussed the irony, more than once," one of his aides said. Another said that the administration was resistant to developing a "grand theory for a weapon whose possibilities they were still discovering". [8]
Yes, the irony, if irony is defined as "the refusal to acknowledge that what you are doing is the precise opposite of what you are advocating that other people do."

The word "Stuxnet" does not appear in the official US lexicon of dastardly cyber-attacks, even though, in terms of its severity and irresponsibility (in addition to disabling the Iranian centrifuge facility, the virus spread to 100,000 hosts in 155 countries; oops!) it is truly the poster child for the dangers of the cyber-warfare option.

Instead, the US government has forcefully if not particularly effectively attempted to divert attention from Stuxnet to "Shamoon", a nasty virus that compromised office systems at a couple of Middle Eastern energy giants, Aramco (Saudi Arabia) and RasGas (Qatar) in August 2012, shortly after the Iranians started grappling with their Stuxnet problem.

As part of the Stuxnet misdirection, Shamoon has become the invoked cyber-attack bugbear of choice, despite the fact that, unlike Stuxnet, it was a very conventional hack that erased data from management computers and defaced homescreens with the taunting image of a burning American flag.

There is, of course, no discussion of the distinct possibility that Iran executed the exploit as a piece of cyber-retaliation for Stuxnet, and not as an unprovoked attack. [9]

Before President Obama acknowledged shared paternity in Stuxnet, the United States was engaged in negotiations with China on the very same cyber-warfare norms that exercised the anonymous source in the Foreign Policy article:
While no one has, with 100% certainty, pinned the Chinese government for cyber-attacks on US government and Western companies, in its 2012 report "Military and security developments involving the People's Republic of China", the US secretary of defense considers it likely that "Beijing is using cyber-network operations as a tool to collect strategic intelligence" ...

The report raises China's unwillingness to acknowledge the "Laws of Armed Conflict", which the Pentagon last year determined did apply to cyberspace ... [10]
Not surprisingly, post-Stuxnet the Chinese government has even less interest in the "Law of Armed Conflict in cyberspace" norms that the United States wants to peddle to its adversaries but apparently ignores when the exigencies of US interests, advantage, and politics dictate.

Instead, the PRC and Russia have lined up behind a proposed "International Code of Conduct for Internet Security", an 11-point program that says eminently reasonable things like:
Not to use ICTs including networks to carry out hostile activities or acts of aggression and pose threats to international peace and security. Not to proliferate information weapons and related technologies.
It also says things like:
To cooperate in combating criminal and terrorist activities which use ICTs [information and computer technologies] including networks, and curbing dissemination of information which incites terrorism, secessionism, extremism or undermines other countries' political, economic and social stability, as well as their spiritual and cultural environment. [11]
The United States, of course, has an opposite interest in "freedom to connect" and "information freedom," (which the Chinese government regards as little more than "freedom to subvert") and has poured scorn on the proposal.

The theoretical gripe with the PRC/Russian proposal is that it endorses the creation of national internets under state supervision, thereby delaying the achievement of the interconnected nirvana that information technology evangelists assure us is waiting around the next corner - and also goring the ox of West-centric Internet governing organizations like ICANN.

So the Chinese proposal is going exactly nowhere.

The (genuine) irony here is that the Chinese and Russians are showing and driving the rest of the world in their response to the undeniable dangers of the Internet ecosystem, some of which they are themselves responsible for but others - like Stuxnet - can be laid at the door of the US.

In response to hacking, the Internet as a whole has evolved beyond its open architecture to a feudal structure of strongly-defended Internet fortresses, with cyber-serfs free to roam the undefended commons outside the gates, glean in the fields, and catch whatever deadly virus happens to be out there.

In recent months, the word "antivirus" has disappeared from the homepages of Symantec and McAfee as they have recognized that their reference libraries of viruses can't keep up with the proliferation of millions of new threats emerging every year, let alone a carefully weaponized packet of code like Stuxnet, and protect their privileged and demanding users. Now the emphasis - and gush of VC and government money - has shifted to compartmentalizing data and applications and detecting, reducing the damage, and cleaning up the mess after a virus has started rummaging through the innards of an enterprise.

In other words, the Internet fortresses, just like their medieval analogues, are increasingly partitioned into outer rampart, inner wall, and keep - complete with palace guard - in order to create additional lines of defense for the lords and their treasure.

In other words, they are starting to look like the Chinese and Russian national internets.

Despite the precautions, there will always be people vulnerable to social engineering (clicking on a dodgy attachment or link while at work), and there will always be more talented and motivated hackers. And maybe more talented hackers aren't even necessary.

Barbara Demick of the Los Angeles Times located the personal blog of a PLA cyber-drudge who, in addition to blathering about the presumably classified details of his hacking job (such as perfecting a Trojan known as "Back Orifice 2000"), bemoaned the boredom of hacking for The Man, and the embarrassment of looking like a loser at his high school reunion:
My only mistake was that I sold myself out to the country for some minor benefits and put myself in this embarrassing situation. [12]
Critical observers declared that the alleged PLA intrusions documented by Mandiant were conducted by the B Team, inviting the analogy that military hacking is to hacking as military music is to music:
Jaime Blasco, labs director at security tools firm AlienVault, described APT1, aka Comment Crew [which Mandiant associated with 61398], as one of the more successful hacking group based on the number of targets attacked - but not necessarily on the skill level of its members.

"APT1 is one of the less sophisticated groups," Blasco said. "They commonly reuse the same infrastructure for years and their tools are more or less easy to detect. The techniques they use to gain access to the victims are more based on social engineering and most of the times they don't use zero-days exploits to gain access." [13]
Even so, they were inside the New York Times for months (part of that time, admittedly, they were being tracked and analyzed by Mandiant).

Bottom line: attacks will happen, attacks will succeed, and reliable (or more likely, probable) attribution will emerge only in the days and weeks after detection (detection itself might be a matter of years) through the grinding application of forensics, correlation of information in massive databases, and anxiously parsing leads for reliability and to try and filter out dangerous disinformation.

Absolute cyber-safety, through defense or deterrence against an antagonist, is a chimera. The best hope for the Internet might be "peaceful coexistence" - the move toward cooperation instead of confrontation that characterized the US-USSR relationship when it became apparent that "mutually assured destruction" was leading to a proliferation of dangerous and destabilizing asymmetric workarounds instead of "security through terror".

Or, as the Chinese spokesperson put it in Demick's article:
"Cyberspace needs rules and cooperation, not war. China is willing to have constructive dialogue and cooperation with the global community, including the United States," Foreign Ministry spokeswoman Hua Chunying said at a briefing Tuesday. [14]
It looks like the Obama administration, by carefully and convincingly placing the cyber-theft issue on the table, might be working toward some kind of modus vivendi that leads to a joint reduction of Internet threats - dare I say, win-win solution? - with the PRC.

It remains to be seen if this initiative can withstand the pressures of the US military, security, and technology industries for a profitable threat narrative - and the Obama administration's own inclination toward zero-sum China-bashing.

Notes:
1. If There's a War With China…, China Matters, February 20, 2013.
2. Exposing One of China's Espionage Units, Mandiant.
3. Remarks By Tom Donilon, National Security Advisor to the President: "The United States and the Asia-Pacific in 2013", March 11, 2013.
4. US tells China to halt cyberattacks, and in a first, lays out demands, Christian Science Monitor, March 11, 2013.
5. U.S. military “unprepared” for cyberattacks by “top-tier,” cyber-capable adversary: Pentagon, Homeland Security Newswire, March 6, 2013.
6. More on Chinese Cyberattacks, Schneier on Security, February 21, 2013.
7. Inside the Black Box, Foreign Policy, March 7, 2013. (subscription only)
8. US digs in for cyber warfare, Asia Times Online, October 13, 2012.
9. America Freaked Out by the Cyberboogeyman It Unleashed, China Matters, October 12, 2012.
10. US hopeful China will recognize its cyber rules, CSO, May 21, 2012.
11. China and Russia's 'International Code of Conduct for Information Security', .nxt, September, 2011.
12. China hacker's angst opens a window onto cyber-espionage, Los Angeles Times, March 12, 2013.
13. APT1, that scary cyber-Cold War gang: Not even China's best, The Register, February 27, 2013.
14. China hacker's angst opens a window onto cyber-espionage, Los Angeles Times, March 12, 2013.

Friday, October 12, 2012

America Freaked Out by the Cyberboogeyman It Unleashed




The theme of Secretary of Defense Panetta’s remarks at the Intrepid Air and Sea Museum on October 12 before the “Business Executives for National Security”, in the words of the BBC:


Actually, Mr. Panetta, the “cyber Pearl Harbor” has already happened.  

It was called Stuxnet, the virus designed and delivered by the governments of the United States and Israel to sabotage Iran’s nuclear program.

By unleashing Stuxnet—an act of cyberwar—a Rubicon was crossed.  Not my words, but the words of Michael Hayden, the ex-director of the CIA.

Now the United States is scrambling to deal with the consequences…and the Western media is by and large obligingly doing its best to help shove Stuxnet into the memory hole.

Panetta used his speech to push for more cybersecurity legislation by discussing cyberattacks on Aramco in Saudi Arabia and RasGas of Qatar using the “Shamoon” virus.  The attacks—which occurred and were reported in August 2012, a few months after Stuxnet—wiped data from tens of thousands of management computers, replaced some files with a taunting image of a burning American flag, and reportedly rendered the computers useless.

I was amused to hear that Mr. Panetta carefully characterized these incidents as “the most destructive [cyber] attack that the private sector has seen to date.”

I assume he added the “private sector” qualifier to put the fear of cyber-God into the security-obsessed executives he was addressing (although applying the term “private sector” to Aramco, the state-owned Saudi Arabian oil behemoth, and RasGas, which is 70% owned by state-owned Qatar Petroleum, is a bit of a stretch).

But limiting the scope of discussion to “private sector” cyberattacks also excludes the much more significant, expensive, fiendishly complex, and destructive Stuxnet virus, which attacked and disabled a strategic Iranian government installation.

Stuxnet typifies the grave threat to physical infrastructure that Mr. Panetta got so worked up about much more vividly than an office computer data hack along the lines of Shamoon.

And Stuxnet escaped into the wild to infect computer systems around the world!  Collateral damage-wise, there apparently wasn't much for Stuxnet to do in a non-uranium centrifuge environment, but it did spread to 100,000 hosts in 155 (mostly US-friendly) countries. (There has recently been a good deal of techie back and forth as to whether Stuxnet's global romp was really an unplanned escape; presumably people are implying that the Israeli spooks inserted some kind of hunter-killer app that allowed the virus to search Iran and the globe for similar installations to degrade.)

Despite its obvious utility as an object lesson in the genuine, real world dangers of cyberweaponry, Stuxnet did not come up in Mr. Panetta’s remarks, or in much of the media coverage.  

Wonder why.

Instead, DoD backgrounders painted the Shamoon attacks as dastardly underhanded Iranian payback for a (legal and public) sanctions regime, not as possible direct retaliation for a (secret and unilateral) cyberattack.

To its credit, the New York Times, which got the Stuxnet story from the Obama White House back in June, did mention the Stuxnet exploit in its coverage of Panetta’s speech.

In any case, the United States, having committed the first cyberattack, is trying to pull up the cyberdrawbridge in anticipation of retaliation.

One of the more interesting elements of this exercise is the U.S. effort to paint its actions as a response to Chinese and Iranian cyberthreats, instead of its own actions.  As indicated above, the Western media has been an obliging enabler, leading to some topsy-turvy reporting.

The Daily News titled the AP report on Panetta’s speech: 


Maybe a better title would be Anti-Iran Alliance Reaps Viral Retaliation for Stuxnet Sneak Attack.

Now, I’m sometimes accused of promoting false moral equivalence between the PRC and the United States i.e. judging Chinese and US actions by similar standards.

But, in my mind, what is really dangerous is the false assumption of moral superiority that underlies much of the reporting about China and Iran.

According to the moral superiority equation, the United States is automatically in the right in any dispute with the PRC and Iran because of the innate superiority of our system and the ideological, economic, and human rights defects of the PRC and Iranian regimes.

Despite the resounding disaster of the Iraq war, this tendency has strengthened in recent years with the further institutionalization of the “responsibility to protect” doctrine as a pretext for US foreign policy intervention.  

Targets of Western intervention are progressively delegitimized so that unprovoked attack elicits no condemnation, and efforts by our adversaries to defend themselves, especially by trying to establish a deterrent by demonstrating an ability to retaliate are ipso facto morally indefensible.

I was struck, for instance, by the reporting of the Daily News and New York Post, albeit tabloid outliers, on President Ahmadinejad’s visit to New York to address the UN General Assembly in September (post Stuxnet, of course).



They greeted him with front page, full-sized photos of Ahmadinejad flashing the V sign, garlanded with the epithet PEACE OF SH!T (Post) and VILE (News).

This sort of stuff is usually forgiven on First Amendment grounds and excused as harmless hyperbole used to sell newspapers.  But it’s certainly not making war with Iran less likely, especially in the minds of the easily excited.

The Daily News reported favorably on the assault by an MEK-linked crowd on a Foreign Ministry official who got separated from his group on the streets of New York:

An Arkansas man landed a blow for democracy Wednesday — right to the gut of an Iranian official.
Gregory Nelson received cheers and handshakes from anti-Iran protesters after slugging Foreign Ministry mouthpiece Ramin Mehmanparast on 48th St. near Second Ave.

“It felt really good,” said Nelson, 50, after delivering his shot to the Iranian bigwig’s stomach. “It wasn’t that hard, but he felt it.”

Nelson was flanked by a horde of protesters, many of them Iranian immigrants demanding democracy in their homeland, when Mehmanparast walked past after President Mahmoud Ahmadinejad’s United Nations speech.

The former Army National Guard member, doing his best Mike Tyson impression, saw an opening and swung at the spokesman’s midsection before he could escape.

“We don’t usually conduct ourselves like that, but he’s a murderer,” said the bearded, ponytailed Nelson. “That whole regime, everybody is responsible for the murders that go on.”

 
Maybe Ahmadinejad feels he would have been treated with a little more courtesy if he had the atomic bomb; in any case, I don’t think his reception in New York convinced him Iran should abandon its ideas of a nuclear deterrent.

For those with short memories, the whole “delegitimization from an attitude of Western moral superiority” thing was applied to Saddam Hussein before Mahmoud Ahmadinejad, until invading Iraq became a moral imperative, not just an extremely dubious foreign policy option.
That’s why I consider China-bashing rather worrisome, even though the combination of the PRC’s nuclear deterrent and Western squeamishness about land wars in Asia makes an attack on China proper almost inconceivable.  

As the Iran precedent shows, there’s still plenty of room for terrorism, economic warfare, subversion, cyber wars, proxy wars, and every kind of human misery short of outright invasion.

US policy toward China is getting locked into a self-reinforcing cycle of continued provocation, response, and delegitimization which creates an environment of escalating crisis that some in the United States security establishment seem happy to promote and makes confrontation with the PRC more likely.

Escalating responses to cyberthreats feed this dynamic.

As Secretary Panetta's speech demonstrates, touting the insidious cyberwar designs of our adversaries has too much efficacy as a national security hot button for the US government and the Western media to be squeamish about pushing it, no matter what we did with Stuxnet.  We're the good guys, after all!

That's certainly the case for China, which is a cyber-adversary of considerable notoriety, though (unlike the United States) it has apparently confined the bulk of its efforts to espionage rather than sabotage to date.


In any case, Secretary Panetta (and the media)'s contortions over America's Stuxnet legacy provide a nice and timely segue into my most recent piece for Asia Times.

The piece discusses the hullaballoo over Huawei and ZTE, two Chinese telecommunications vendors who the U.S. House of Representatives Intelligence Committee would like to see banned from any private as well as public U.S. networks.

I argue that the reason why Huawei and ZTE can’t be trusted is because the U.S. can’t be trusted.  It unleashed Stuxnet in a unilateral, secret cyberattack and rendered moot the Pentagon’s hopeful effort to negotiate the rules of cyberwar.   With cyberwar not just on the agenda but actually being practiced out in the field, thanks to President Obama, I’d also worry that somehow the Chinese government would try to diddle with our precious networks and the sensitive infrastructure they control.

Whether or not the PRC’s spooks would go through Huawei and ZTE is, of course, another matter, one for the experts in cybersabotage to consider.  For one thing, many of the network suppliers whom the Intelligence Committee considers trustworthy, like Alcatel, already manufacture a lot of sensitive equipment within Chinese borders.  

Anyway, here’s the story on Huawei, the latest Chinese bugbear.  Readers are invited to consider whether pounding on China this way is making us safer, or pushing us unprepared toward some kind of dangerous and uncertain future.

It can be reposted if ATOl is credited and a link provided.
US digs in for cyber warfare
By Peter Lee

Recently the US House of Representatives Intelligence Committee took a meat-ax to Huawei, the Chinese telecommunications giant, and its little brother ZTE in a 60-page report on national-security issues posed by the two companies.

The conclusion:





  • They're commies.
  • We can't trust 'em.

    Or, as the executive summary put it:
    The United States should view with suspicion the continued penetration of the US telecommunications market by Chinese telecommunications companies. [1]
    Specifically, the committee recommended that the government not purchase any Huawei or ZTE equipment.

    The committee rubbed further salt in the wound by recommending that private companies not buy any Huawei or ZTE telecommunications equipment either.

    It also invited the legislative branch to expand the jurisdiction of the Committee on Foreign Investment in the United States (CFIUS) to enable it to block procurement of Chinese telecommunication equipment by US customers, in addition to exercising its traditional powers of blocking foreign investment deemed harmful to US security. CFIUS had previously blocked Huawei's participation in a deal to take 3Com private - which was brokered by Mitt Romney's Bain Capital - and recently denied Huawei's attempt to buy 3Leaf, a California cloud computing company.

    Certainly not the clean bill of health that Huawei was hoping for when it invited the US government to investigate its operations.

    It is clear that the Chinese companies were given the Saddam Hussein treatment. Just as the Iraqi despot was put in the impossible position of proving a negative - that he did not have any weapons of mass destruction - Huawei and ZTE executives were called upon to prove their companies were not untrustworthy.

    Mission unaccomplished, for sure.

    The public committee report is little more than a litany of complaints about unclear answers, insufficient disclosure, inadequate clarification, failure to alleviate concerns, making non-credible assertions, failure to document assertions, failure to answer key questions, refusal to be transparent, and so on and so forth. Huawei, in particular, was dinged for "a lack of cooperation shown throughout this investigation".

    The committee's conclusion:
    Throughout the months-long investigation, both Huawei and ZTE sought to describe, in different terms, why neither company is a threat to US national-security interests. Unfortunately, neither ZTE nor Huawei [has] cooperated fully with the investigation, and both companies have failed to provide documents or other evidence that would substantiate their claims or lend support for their narratives.
    To drive a stake into the heart of any dreams that Huawei or ZTE had of providing "mitigation assurances" - bureaucratese for acceptable measures to allay US security concerns - the committee made the interesting decision to dump all over the British government.

    Keen on Chinese investment in its backbone telecommunications networks, the British government accepted the reassurance provided by a cyber-security center, funded by Huawei and staffed by UK citizens with security clearances, with the job of vetting Huawei products for hinky bits.

    The US intelligence committee dismissed these efforts as futile given the complex, opaque and frequently updated character of telecommunications software:
    The task of finding and eliminating every significant vulnerability from a complex product is monumental. If we also consider flaws intentionally inserted by a determined and clever insider, the task becomes virtually impossible.
    In terms of specific evidence of Huawei and ZTE malfeasance, there is little meat on the bones of the public document.

    On the technical side, the evidence supporting Huawei and ZTE infiltration of the US telecommunications software presented in the public report was less than earth-shaking:
    Companies around the United States have experienced odd or alerting incidents using Huawei or ZTE equipment. Officials with these companies, however, often expressed concern that publicly acknowledging these incidents would be detrimental to their internal investigations and attribution efforts, undermine their ongoing efforts to defend their systems, and also put at risk their ongoing contracts.

    Similarly, statements by former or current employees describing flaws in the Huawei or ZTE equipment and other potentially unethical or illegal behavior by Huawei officials were hindered by employees' fears of retribution or retaliation.
    Presumably, the confidential annex to the committee report makes a more compelling case, but one has to wonder.

    According to The Economist:
    Years of intense scrutiny by experts have not produced conclusive public evidence of deliberate skulduggery, as opposed to mistakes, in Huawei's wares. BT, a British telecoms company that buys products vetted in [the cyber-security center at] Banbury, says it has not had any security issues with them (though it rechecks everything itself, just to be sure). [2]
    In a sign that no existential smoking cyber-guns had been revealed, the worst punishment for Huawei's lack of cooperation that the committee could apparently mete out (other than trying to destroy Huawei's US business) was threatening to forward information to the Justice Department concerning possible corporate malfeasance in the routine areas of immigration violations, fraud and bribery, discrimination, and use of pirated software by Huawei in its US operations.

    It can be taken as a given that the People's Republic of China (PRC) is intensely interested in cyber-espionage - diplomatic, military, and commercial - against the United States and cyber-warfare against US government, security, and public infrastructure if and when the need arises.

    However, the case that Huawei is a knowing or even a necessary participant in these nefarious schemes is unproved.

    Nevertheless, Huawei's attempts to generate a clean bill of health for itself with Western critics are pretty much futile.

    That's because government weaponization of communications technology is a given - for everybody, in the West as well as in China.

    Beneath the freedom-of-information rhetoric, the West is converging with the East and South when it comes to protecting, monitoring and controlling its networks.

    In the United States, providing government law enforcement with back-door access to networks, aka "lawful intercept", is a legal requirement for digital telecom, broadband Internet, and voice-over-IP service and equipment providers under the CALEA (Communications Assistance to Law Enforcement Act) law. The Federal Bureau of Investigation (FBI) is currently lobbying the US administration and the Federal Communications Commission to require that social-media providers such as Facebook provide similar access so that chats and instant messaging can also be monitored in real time or extracted from digital storage.

    In Europe, similar law-enforcement access is institutionalized under the standards of the European Telecommunications Standards Institute.

    Particularly in the environment after the attacks of September 11, 2001, law enforcement has expressed anxiety about "going dark" - losing the ability to detect and monitor communications by bad actors as data and telecommunications moved from fixed-wire analog systems to digital, wireless, and band-hopping protocols.

    The situation is aggravated by the availability of theoretically unbreakable public/private key 128-bit encryption.

    (I say "theoretically", by the way, because creation of the private key relies on a random-number generator on the encrypting computer. A recent study found that some programs were spitting out non-random random numbers, raising the possibility that a certain spook agency of a certain government had been able to diddle with the programs to generate certain numbers preferentially, giving said spook agency a leg up to crack the private keys through otherwise ineffective brute-force computing techniques.) [3] 
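    One way such a generator failure becomes visible from the public side: if a starved generator hands two devices the same first prime, their RSA moduli share a factor that a plain GCD exposes. The sketch below is an added example, not code from this article or from the study it cites; the toy key generator, its seeds and the 24-bit primes are constructed assumptions, and the audit is the kind of check an operator can run over their own key inventory.

```python
import random
from math import gcd


def is_prime(n):
    """Trial division; adequate for the small toy primes used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def toy_prime(rng, bits=24):
    """Draw an odd candidate with the top bit set, then walk up to a prime."""
    n = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
    while not is_prime(n):
        n += 2
    return n


def toy_keygen(boot_state, late_entropy):
    """Constructed model of a starved generator: p depends only on the
    state at first boot, q on entropy that arrives a moment later."""
    p = toy_prime(random.Random(boot_state))
    q = toy_prime(random.Random(late_entropy))
    return p * q, (p, q)


def audit_moduli(moduli):
    """Compare every pair of public moduli. Identical moduli are reported as
    duplicates; any other GCD above 1 is a prime the two keys share."""
    findings = []
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if moduli[i] == moduli[j]:
                findings.append((i, j, "duplicate", None))
                continue
            g = gcd(moduli[i], moduli[j])
            if g > 1:
                findings.append((i, j, "shared-prime", g))
    return findings


def constructed_inventory():
    """Three constructed devices; the first two booted in the same state."""
    keys = [toy_keygen(1, 101), toy_keygen(1, 102), toy_keygen(2, 103)]
    return [n for n, _ in keys], [pq for _, pq in keys]


if __name__ == "__main__":
    moduli, _ = constructed_inventory()
    for i, j, kind, g in audit_moduli(moduli):
        print(f"keys {i} and {j}: {kind}" + (f", common factor {g}" if g else ""))
```

    Real inventories hold full-size keys and call for a product-tree batch GCD rather than this quadratic loop, but the signal is the same: any finding means the affected keys should be regenerated on a properly seeded system.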


    One way to get around the problem of anonymous users employing unbreakable encryption from multiple devices is the trend around the world toward requiring real name registration - stripping anonymity from Internet posters - and requiring Internet service providers to become active participants in law enforcement by monitoring the activities of their customers.

    For encrypted documents and communications using genuinely random numbers - and absent a mandated, law-enforcement-accessible third-party repository for private keys (a demand recently made of RIM, the BlackBerry people, by the Indian government) - the government has to employ either judicial compulsion or covert means to obtain information on private keys from individual computers. Covert means presumably involve using a virus or some other means of access to install a keylogger. [4] [5]


    A while back, the FBI admitted it had such a program, code-named Magic Lantern - strictly a research operation, of course - creating the interesting issue of whether or not anti-virus software vendors could be dragooned into modifying their programs to ignore the officially sanctioned virus.

    One plausible reason for excluding Huawei and ZTE from US networks would be to deny them a possibly privileged view of how the legal intercept cyber-sausage gets made.

    Even Western governments have expressed an interest in flipping the dastardly "kill switch" that deprives Internet users of their precious connectivity and is the badge of shame for totalitarian regimes.

    During the riots in England last year, the British government thought of taking a page from the playbooks of former Egyptian leader Hosni Mubarak and Iranian President Mahmoud Ahmadinejad.
    British Prime Minister David Cameron, in a statement to the House of Commons earlier today, made reference to and mooted the possibility that social media could be "disrupted" or turned off if riots continue.

    Services such as Facebook, Twitter and crucially BlackBerry Messenger - which has been used by rioters and looters to organize disruption across the British capital and other cities in England - could be restricted in a bid to prevent further violence; present day or in future warranted situations.

    Speaking in the House of Commons, David Cameron said: "The free flow of information can be used for good. But it can also be used for ill" ...

    Conservative Tobias Ellwood MP said in Parliament that police should be given the option to switch off cell network masts "and other social networks" used to coordinate trouble, violence and disorder. [6]
    Putting a kill switch in the hands of Huawei is probably the biggest US headache.

    With more and more sensitive data encrypted, it is unclear that squatting on a Huawei switch and copying the flow of 1s and 0s will deliver Chinese spies a considerable incremental benefit over the prodigious targeted hacking operations they are allegedly engaging in already.

    The real danger from a hostile piece of telecommunications kit would be disablement in time of crisis or war, as Fred Schneider, a computer scientist at Cornell University in New York state, told Technology Review:
    A trigger could be built either into the software that comes installed in switches and network hardware or into the hardware itself, in which case it would be more difficult to detect, says Schneider. The simplest kind of attack, and one very hard to spot, would be to add a chip that waits for a specific signal and then disables or reroutes particular communications at a critical time, he says. This could be useful "if you were waging some other kind of attack and you wanted to make it difficult for the adversary to communicate with their troops", Schneider says. [7]
    There is a good reason Huawei can't be trusted to deliver clean kit to critical US infrastructure customers: we now live in a world in which cyberwar is an acceptable and legitimate national tactic.

    This Pandora's box of cyberwar has already been opened ...

    ... by the United States.

    Amid the ferocious Iran-bashing - and "by any means necessary" justifications for covert action against that country's nuclear program - that have become endemic in the West, the true significance of the Stuxnet exploit has been overlooked by many, at least in the West.

    Stuxnet was the release of an important cyber-weapon - a virus that did not simply seek sensitive information or attempt to disrupt communication, but one that was reportedly rather effective in damaging a strategic Iranian facility by an act of sabotage.

    It was an act of cyberwar.

    As David Sanger, The New York Times' national-security adviser, wrote in his White House-sanctioned account:
    "Previous cyberattacks had effects limited to other computers," Michael V Hayden, the former chief of the CIA, said, declining to describe what he knew of these attacks when he was in office. "This is the first attack of a major nature in which a cyberattack was used to effect physical destruction", rather than just slow another computer, or hack into it to steal data.

    "Somebody crossed the Rubicon," he said. [8]
    In true US imperial style, Stuxnet was unleashed unilaterally and without a declaration of war, to satisfy some self-defined imperatives of US President Barack Obama's administration.

    That's not a good precedent for other cyber-powers, including China, to rely on US restraint, or to restrain themselves.

    The Obama administration's attempt to deal with the issue of its first use of cyber-warfare seems to go beyond hypocritical to the pathetic.

    There are rather risible efforts to depict the Stuxnet worm - which caused the centrifuges to disintegrate at supersonic speeds - as little more than a prank, albeit a prank that might impale hapless Iranian technicians with aluminum shards traveling at several hundred kilometres per hour, rather than a massive exercise in industrial sabotage:
    "The intent was that the failures should make them feel they were stupid, which is what happened," the participant in the attacks said. When a few centrifuges failed, the Iranians would close down whole "stands" that linked 164 machines, looking for signs of sabotage in all of them. "They overreacted," one official said. "We soon discovered they fired people."
    According to Sanger, at least President Obama knew what he was getting into:
    Mr Obama, according to participants in the many Situation Room meetings on Olympic Games, was acutely aware that with every attack he was pushing the United States into new territory, much as his predecessors had with the first use of atomic weapons in the 1940s, of intercontinental missiles in the 1950s and of drones in the past decade. He repeatedly expressed concerns that any American acknowledgment that it was using cyber-weapons - even under the most careful and limited circumstances - could enable other countries, terrorists or hackers to justify their own attacks.

    "We discussed the irony, more than once," one of his aides said. Another said that the administration was resistant to developing a "grand theory for a weapon whose possibilities they were still discovering". Yet Mr Obama concluded that when it came to stopping Iran, the United States had no other choice ...

    Mr Obama has repeatedly told his aides that there are risks to using - and particularly to overusing - the weapon. In fact, no country's infrastructure is more dependent on computer systems, and thus more vulnerable to attack, than that of the United States. It is only a matter of time, most experts believe, before it becomes the target of the same kind of weapon that the Americans have used, secretly, against Iran.

    But Obama did it anyway, in the service of a dubious foreign-policy objective - forcibly and unilaterally disabling Iran's (currently) non-military nuclear program - that was arguably an overreaction to Israel's blustering threat to attack Iran unilaterally, and an attempt to get himself some political breathing space from vociferously pro-Israeli interests in US politics.

    And of course there were problems.

    Stuxnet made a mockery of its reputation as a "surgical strike" magic bullet that would destroy Iran's centrifuges but otherwise do no harm. It escaped into the wild - something that Obama's team likes to blame on the Israelis, but an evasion of culpability that would probably not hold up in a court of law - and infected computer systems around the world.

    Presumably, Chinese intelligence services did not have to wait for Stuxnet to arrive in China; they were probably invited to help out with the forensics by the Iranian government, and probably have a very nice idea of how it works, and creative ideas about how it could be modified to target other systems.

    The Stuxnet background provides an interesting context to the immense ballyhoo about Chinese cyber-espionage and cyber-warfare threats, of which the House Intelligence Committee report is only one instance.

    What better way to distract attention from one's own first use of cyber-weapons than to raise the alarm about what the bad guys might do instead?

    One of the sweetest fruits of this exercise in misdirection is an April (pre-Sanger exposé) National Public Radio report on what it identified as the real cyber-threat in the Middle East: Iran.
    The big fear in the US is that a cyberattacker could penetrate a computer system that controls a critical asset like the power grid and shut it down. Such an effort is probably beyond the capability of Iranian actors right now, according to cyber-security experts. But a less ambitious approach would be to hack into the US banking systems and modify the financial data. [Dmitri] Alperovitch, whose new company CrowdStrike focuses on cyber-threats from nation-states, says such an attack is well within Iran's current capability.

    "If you can get into those systems and modify those records, you can cause dramatic havoc that can be very long-lasting," he says.
    The possibility that Israel's traditional bugbear, Hezbollah, could be prevailed upon to deliver the fatal code on Iran's behalf is discussed in detail. [9]

    The Pentagon's cyberwar strategists did their best to frame the cyberwar issue as law-abiding America vs the unprincipled cyber-predators of the PRC.

    With Sanger-assisted Stuxnet hindsight, this May report, with its wonderful title "US hopes China will recognize its cyber war rules", is, well, hypocritical and pathetic:
    While no one has, with 100% certainty, pinned the Chinese government for cyber-attacks on US government and Western companies, in its 2012 report "Military and security developments involving the People's Republic of China", the US secretary of defense considers it likely that "Beijing is using cyber-network operations as a tool to collect strategic intelligence" ...

    The report raises China's unwillingness to acknowledge the "Laws of Armed Conflict", which the Pentagon last year determined did apply to cyberspace ...

    Robert Clark, operational attorney for the US Army Cyber Command, told Australian delegates at the AusCERT conference last week how the Laws of Armed Conflict in cyberspace might work internationally to determine when a country can claim self-defense and how they should measure a proportionate response.

    One problem with it was highlighted by Iran, following the Stuxnet attack on its uranium-enrichment facility in Natanz, which never declared the incident a cyberattack.

    Air Force Colonel Gary Brown, an attorney for US Cyber Command, in March this year detailed dozens of reasons why Iran, in the context of the Laws of Armed Conflicts in cyberspace, didn't declare it an attack. This included that difficulties remain in attributing such an attack to a single state. [10]
    A few days later, Sanger's story confirmed that the Obama administration had indeed released Stuxnet, rendering moot the Pentagon's plans for a chivalric, rules-based cyberwar tournament, with the US occupying the moral high ground.

    Heightened mutual suspicion - maybe we should call it endemic mistrust - is now a given in cyber-relations between the United States and its adversaries/competitors, for a lot of good reasons that don't necessarily have anything to do with Chinese misbehavior, but have more than a little to do with the US willingness to unleash a cyberattack on an exasperating enemy without setting clearly defined ground rules, and its need to pull up the cyber-drawbridge over the national digital moat to prevent retaliation.

    Suspicion of other people's cyber-motives has become a self-fulfilling prophecy, and anxious allies are expressing their cyber-solidarity by banding together against the external threat.

    In the midst of important national debates on Chinese investment, Canadian and Australian intelligence services, probably prompted by their opposite numbers in the United States, both issued damning reports on Chinese cyber-threats.

    The Australian government has banned Huawei and ZTE from participation in its massive National Broadband Network project. In Canada, cyber-spying is cited as a justification for limiting investment by Chinese state-owned enterprises (such as CNOOC) in any strategic Canadian businesses.

    On the other side of the fence, Iran, in a decision that was widely mocked in the United States, is developing a more secure national intranet - with equipment allegedly provided by Huawei.

    Of course, in the up-is-down rhetoric that drives US Internet policy, Iran's attempt to shield itself from foreign threats is itself a threat:
    "Any attempt by a country to make an intranet is doomed to failure," Cedric Leighton, a retired deputy director at the National Security Agency, said in an interview. But he said Iran's "cyber-army", a network of government-supported hackers that has attacked Western targets in recent years, does stand to gain from the attempted creation of a national network. By connecting thousands of servers inside Iran, the government would "build on their knowledge of networks and how they operate", he said, increasing their capabilities to both launch and repel cyberattacks. [11]
    By the way, the largest intranet in the world is the unclassified chunk of the US military's data network, known as NIPRNET, a fact that perhaps escaped Leighton. SIPRNet, the classified part of the US military network, with 4.2 million users, is also doing OK, though it was the source for the WikiLeaks CD.

    As The Economist put it, the Internet is becoming balkanized. [12]

    And as Winston Churchill might have put it, a digital curtain is descending across the Middle East, Asia, and virtually every significant national border. This phenomenon is a direct expression of the insecurity of governments as they attempt to limit the vulnerabilities that encrypted connectivity reveals to their internal and external enemies, and as they deal with the consequences of their own efforts to exploit and compromise the Internet.

    It is easy for governments to blame others, but they might as well blame themselves.

    Notes:
    1. Click here for full text of the report (pdf file).
    2. The company that spooked the world, The Economist, Aug 4, 2012.
    3. Crypto-Gram Newsletter, Schneier, Mar 15, 2012.
    4. FBI software cracks encryption wall, MSN, Nov 20, 2001.
    5. India: We DO have the BlackBerry encryption keys, The Register, Aug 2, 2012.
    6. British PM considers turning off social networks amid further riots, ZD Net, Aug 11, 2011.
    7. Why the United States Is So Afraid of Huawei, Technology Review, Oct 9, 2012.
    8. Obama Order Sped Up Wave of Cyberattacks Against Iran, The New York Times, Jun 1, 2012.
    9. Could Iran Wage a Cyberwar on the US?, Apr 26, 2012.
    10. US hopeful China will recognise its cyber war rules, CSO, May 21, 2012.
    11. Iran tightens online control by creating own network, Guardian, Sep 25, 2012.
    12. The company that spooked the world, The Economist, Aug 4, 2012.

     Newspaper images from Capital New York