Washington's Perceptions about Russian and Chinese Cyber Power
There seems to be a strong divergence in American governmental perception behind Chinese and Russian command of cyberspace and their general cyber interaction with state authority. On the one hand, there is the assumption that this is a natural manifestation of the growing desire on the part of Russia and China to achieve global superpower status. On the other hand, there are the counter-arguments that emphasize China's and Russia’s own perception of inability to operate effectively against the United States in a conventional military confrontation. Indeed, many Chinese and Russian actors suggest cyber warfare is considered an obvious asymmetric instrument for balancing overwhelming US power. This latter argument is more compelling based on the stark military realities:
- In overall spending, the United States invests between five and 10 times as much money into the military per year as does China.
- Chinese forces are only now beginning to modernize. Just one-quarter of its naval surface fleet is considered modern in electronics, engines, and weaponry.
- In certain categories of weaponry, the Chinese do not compete. For instance, the U.S. Navy has 11 nuclear-powered aircraft-carrier battle groups. The Chinese navy is only now moving toward construction of its first carrier.
- In terms of military effectiveness, i.e. logistics, training, readiness, the difference between Chinese and American standards is not a gap but a chasm. The Chinese military took days to reach survivors after the devastating Sichuan earthquake in May of 2008, because it had so few helicopters and emergency vehicles.
With this state of military affairs, a Chinese and Russian perception of insecurity is not surprising. Even more logical is the Chinese and Russian resolve to evolve its asymmetric cyber capabilities: such attacks are usually inexpensive and exceedingly difficult to properly attribute. It is even more complex for states, where cyber-attacks can be ‘launched’ from inside of neutral or allied countries.
Given an authoritarian state’s capacity for paranoia, it is illogical for China not to develop its offensive cyber capabilities. In this case the weak conventional military strength is quite real. To that end, the People's Republic has endeavored to create its own set of lopsided military advantages in the cyber domain:
- The Pentagon's annual assessment of Chinese military strength determined in 2009 that the People's Liberation Army had established information warfare units to develop viruses to attack enemy computer systems and networks.
- The PLA has created a number of uniformed cyber warfare units, including the Technology Reconnaissance Department and the Electronic Countermeasures and Radar Department. These cyber units are engaged on a daily basis in developing and deploying a range of offensive cyber and information weapons.
- China is believed to be engaged in lacing the United States’ network-dependent infrastructure with malicious code known as ‘logic bombs.’
The official newspaper of the PRC, the Liberation Army Daily, confirmed China's insecurity about potential confrontation with the United States in June 2011. In it, the Chinese government proclaimed that, "the US military is hastening to seize the commanding military heights on the Internet…Their actions remind us that to protect the nation's Internet security we must accelerate Internet defense development and accelerate steps to make a strong Internet Army." Clearly, the Chinese have sought to maximize their technological capacity in response to kinetic realities. This is not to say the United States is therefore guaranteed to be in an inferior position (information about American virtual capabilities at the moment remains largely classified), but the overt investment, recruitment, and development of Chinese virtual capabilities presents opportunities the US should also be willing to entertain.
How does all of this compare and contrast with the American governmental perception of the Russian approach to the cyber domain? Anyone studying cyber conflict over the last five years from within Washington DC is well aware of Russia's apparent willingness to engage in cyber offensives. The 2007 incident in which the Estonian government was attacked and the 2008 war with Georgia are universally considered by the White House as examples of Russian cyber technology acting as the tip of its military spear. While it is true Russia actively encourages what has come to be known as ‘hacktivism’ and lauds ‘patriotic nationalist’ cyber vigilantism as part of one's ‘civic duty,’ there are still some disturbing perceptional distortions when it comes to the Washington view of Russian and Chinese cyber activity.
For example, much of Russia’s cyber activity, when not in an open conflict, is considered by Washington to be of the criminal variety and not necessarily tied directly into the state. Indeed, Russia is seen to utilize organized crime groups as a cyber conduit when necessary and then backs away, allowing said groups continued commercial domination. Russia, therefore, almost acts as a rentier state with criminal groups if you ask the powers-that-be in America: cyber weapons are the ‘natural resource’ and the Russian government is the number one consumer. This means that the White House basically considers Russia to embody a criminal-governmental fusion that has permeated the entire state apparatus. The cyber domain there is used for temporary forays to achieve state objectives and then returns to more permanent criminal projects. As such, the domain is not truly state-controlled, is relatively anarchic, and cannot establish any deterring equilibrium. China, on the other hand, may be the first state to truly embrace the importance of tech-war according to Washington: it has realistically assessed its own kinetic shortcomings and looked to cyber for compensation. In short, it has fused Sun Tzu with Machiavelli: better to quietly overcome an adversary's plans than to try to loudly overcome his armies.
This analysis of how Washington views its two biggest global stage rivals clearly paints Russia in a stark strategic light. It is also relevant that it is a highly exaggerated or purposely strident view of how Russia conducts its cyber operations (the ‘Russian bandit theory’ of cyber activity is certainly not considered accurate by the many professionals in Russia working legitimately in the cyber industry, for example, let alone formally for the Russian Federation government). It also explains why America does not ever look to Russia as a potential strategic cyber partner but always instead views it as a ‘problem to be dealt with’, while the manner in which China approaches its cyber domain presents stunning new ideas to Washington about how the US should approach the global cyber commons. These new ideas would be in contrast to both academic literature and journalism as it would mean the United States should begin in earnest building an offensive cyber army akin to the Chinese and in juxtaposition to Russia, so that it remains second-to-none in cyber offense. Perhaps the bigger issue to consider is just how much opportunity for collaboration and partnership is missed between the United States and Russia because of this highly subjective and judgmental characterization of the entire governmental cyber capability in Russia? This is likely to be considerable.
The United States invests heavily in cyber security and several members of the Intelligence Community work to create cyber weapons meant to preserve US military predominance. However, there are still missed opportunities according to authorities in Washington. Recall this is more than anything about ending the zero-sum cyber game to the strategic benefit of the US. That is clearly the goal in Washington DC because of its perceptions of how Russia and China supposedly already work within cyber. Up to now many in the US believe American virtual patriots have not been used in a manner that maximizes impact and effectiveness. To them it would be wise to position offensive cyber capabilities for strategic, overt, preemptive, in other words making American cyber capability truly comprehensive. The question that remains is just what major global consequences will emerge from positions that are being developed based on the worst possible assumptions and not entirely true?