As Barack Obama and China’s president, Xi Jinping, prepare to meet in California next week, America’s relations with China are feeling increasingly like the cold war — especially when it comes to cybersecurity.
With the two countries accusing each other of breaking the old rules of the game, a new breed of “cyberhawks” on both sides are arguing for cold-war-like escalation that could turn low-level cyberconflict into total war.
But treating today’s Beijing like Brezhnev’s Moscow distorts the nature of the threat and how Washington should respond to it.
In confronting today’s cyberbattles, the United States should think less about Soviets and more about pirates. Indeed, today’s cybercompetition is less like the cold war than the battle for the New World.
In the era after the discovery of the Americas, European states fought for mastery over the Atlantic. Much like the Internet today, the ocean then was a primary avenue for trade and communication that no country could cordon off.
At that time, the Spanish empire boasted a fearsome navy, but it could not dominate the seas. Poorer and weaker England tested Spain’s might by encouraging and equipping would-be pirates to act on its behalf without official sanction. These semi-state-sponsored privateers robbed Spain of gold and pride as they raided ships off the coasts of the New World and Spain itself, enriching the English crown while augmenting its naval power. Spain’s inability to attribute the attacks directly to England allowed Queen Elizabeth I to level the playing field in an arena lacking laws or customs.
Today’s cyberbattles aren’t so different.
Next week’s summit takes place amid reports of increasingly sophisticated Chinese cyberespionage. Earlier this week, evidence surfaced that Chinese hackers had gained access to several top-secret Pentagon programs. That followed news that cyberunits believed to be linked to the Chinese Army have resumed attacks on American businesses and government agencies.
As tensions deepen, hawkish Chinese military leaders are paving the way for offensive war. A study by a RAND Corporation expert cited Chinese sources calling for pre-emptive cyberstrikes “under the rubric of the rising Chinese strategy of xianfa zhiren, or ‘gaining mastery before the enemy has struck.’ ” And a recent paper found that Chinese military officials have contemplated using cyberweapons like Stuxnet, which the United States and Israel deployed against Iran’s nuclear program, to target critical infrastructure.
American policy makers are beginning to view their cyberstruggle with China through a cold war lens. One Pentagon official recently said that while during the cold war America focused “on the nuclear command centers around Moscow,” today American leaders “worry as much about the computer servers in Shanghai.”
Another senior official declared that “the Cold War enforced norms, and the Soviets and the United States didn’t go outside a set of boundaries.” But, he argued, “China is going outside those boundaries now.”
Among those who view these hostilities as the cold war redux, some are proposing a more strident response. Earlier this year, the United States military announced the formation of 13 units dedicated to offensive cyberstrikes and endorsed pre-emptive cyberattacks. And late last month, Jon M. Huntsman Jr., the former ambassador to China, and Dennis C. Blair, the former director of national intelligence, suggested allowing American companies to retaliate against Chinese hackers on their own.
This emergence of cyberhawks in both nations raises the odds of a hack’s becoming a cyberwar. These voices could pressure both nations to treat any escalating cyberconflict as a latter-day Cuban missile crisis.
But the cold war model of a struggle with calibrated boundaries, clear rules, and the threat of mutual assured destruction simply doesn’t fit cyberspace.
The first major difference is terrain. The United States and the Soviet Union fought for global influence, manning divisions here and infiltrating covert operatives there. The Internet is more fluid. Neither the United States nor China can slice cyberspace into the reassuring structure of spheres of influence. With no obvious borders for states to violate or defend, power in cyberspace is at once easier to exercise and harder to maintain, a battle of subtleties rather than hard-nosed deterrence.
There are also more players today. The United States and the Soviet Union were the world’s unmatched nuclear powers. But in the cyberrealm, the United States and China stand only just ahead of other nations, hacker groups and individuals in their ability to inflict damage. And all of these actors can hide behind layers of networks and third parties, making it difficult to discover not only who attacked but also how and when. There will, in most cases, be plausible deniability. Even if American and Chinese policy makers wanted to manage the Web as carefully as their predecessors did the cold war, no working group could tame this instability.
With nations still navigating how to interact on the Web and arguments persisting about whether international law applies to the Internet, there are few established customs of cyberbehavior, legal or implicit. The United States should not expect China to follow the rules of a previous era. The norms of American-Soviet conflict, which themselves emerged out of years of gunpoint diplomacy, can’t be grafted onto cyberspace.
If American policy makers continue to define the cyberstruggle between Washington and Beijing as a new cold war, they will not meet the challenge. Viewing China’s actions through an obsolete lens will give them a distorted sense of its intentions. And it will limit American retaliation to the outmoded rules of a bygone battle.
If they must look to the past, they should heed the lessons of the 16th century, not the 20th. In 1588, the Spanish crown, in no small part due to its frustration with English piracy, resorted to massive retaliation, sending its armada to overthrow Queen Elizabeth. That move ended in disaster and an overwhelming English victory.
Instead of trying to beat back the New World instability of the Internet with an old playbook, American officials should embrace it. With the conflict placed in its proper perspective, policy makers could ratchet down the rhetoric and experiment with a new range of responses that go beyond condemnation but stop short of all-out cyberwar — giving them the room to maneuver without approaching cyberconflict as a path to Defcon 1.
In these legally uncharted waters, only Elizabethan guile, not cold war brinkmanship, will steer Washington through the storm.
Jordan Chandler Hirsch, a former staff editor at Foreign Affairs, and Sam Adelsberg, a fellow at the Yale Information Society Project, are students at Yale Law School.