There has been a great deal of thinking and writing about why deterrence is difficult in cyberspace. Attacks can be masked, or routed through another country’s networks. And even if you know for sure the attack came from a computer in country X, you can’t be sure the government was behind it. All of this creates the attribution problem: It’s hard to deter if you can’t punish, and you can’t punish without knowing who is behind an attack. Moreover, much of the cyber activity is espionage, and it’s hard to imagine a government threatening military action for the theft of data.
China Defense Daily lays out some of the reasons why Chinese experts think deterrence is hard, or to be more specific, why the U.S. military will have difficulty achieving its deterrence aims. First, though, the article addresses all the “advantages” the United States brings to the table: resources (10 of the world’s 13 root servers are in the United States); technology (operating systems, databases, processors, microchips, network switching, and other core technology are all “in the hands of American companies”); power (there is a large gap between the United States and others in the development of weapons, investment, the training of talent, and the scale of armed forces).
Despite these strengths, the article sees the U.S. as being unable to secure its networks. The announcement of the Defense Department’s Strategy for Operating in Cyberspace, in the Chinese view, encouraged other countries to develop their own offensive capabilities. Attribution is hard, and providing proof of who is behind an attack that would convince others is still extremely difficult. Detection and monitoring capabilities in cyberspace are underdeveloped, so it’s a real question whether the U.S. military can detect, provide warning of, and deter an attack before it happens. Finally, if the United States decides to retaliate through offensive cyber attacks, it can have no certainty about the outcomes. The impacts on networks are often limited and can be quickly recovered from.
U.S. intelligence officials are going to AP and The Wall Street Journal and telling them they have identified the specific Chinese groups behind attacks on Google, RSA, and other companies in an attempt to diminish Chinese confidence that they can remain hidden and, thus, strengthen deterrence. Going further down the hall of mirrors, it may be that the purpose of the article in China Defense Daily is to undermine these U.S. efforts. Can Washington believe that it has achieved a credible deterrent if the potential adversary keeps saying it’s not possible?
What deterrence is in cyberspace and how it is achieved is exactly the type of discussion the United States needs to be having with China. This article’s use of deterrence (威慑, wei she) is reflective of the Chinese definition, which can be more expansive and normative than the American use, encompassing threat or menace. As far as I can tell, cyber security discussions have only (officially) been happening once a year at the U.S.-China Strategic and Economic Dialogue.
Cyberspaces are of course a strategic and economic issue, so it makes sense to have a whole government approach. Still, given the distance between Washington and Beijing, and the speed at which the issue is developing, the Pentagon and the People’s Liberation Army should be speaking as frequently, and in as many fora, as possible.
Adam Segal is the Ira A. Lipman Senior Fellow for Counterterrorism and National Security Studies at the Council on Foreign Relations. He blogs at Asia Unbound, where this piece originally appeared. Follow him on Twitter @adschina.