Like a football team without a QB and a receiver, the U.S. is only playing cyber defense. It’s time to put points on the scoreboard.
China will never stop hacking. The same goes for Russia, Iran, Syria, and any of the state challengers to the US world order. It has been said ad nauseam: what most don’t recognize is that cyber power is asymmetric.
The first formal declaration of the conflict came on May 19th when Attorney General Eric Holder indicted 5 officers of the Chinese People’s Liberation Army for hacking and stealing sensitive industrial secrets from six American companies, including Westinghouse Electric, Alcoa, Allegheny technologies, U.S. Steel, United Steelworkers Union, and Solar World. Holder said, “Trade secrets stolen were significant and demands an aggressive response.”
The indictment is essentially meaningless.
Hacking is a cheap and effective weapon the weak use against the strong to even the playing field; like terrorism, or submarines in another age. Cyber power doesn’t take billions of dollars to create an effective threat against the United States – just a computer in the basement. And the only way to stop China’s cyber theft is for American cyber warriors to start stealing back.
Asymmetric threats are tricky for any superpower. All the measures of conventional power that make a hegemon – fleets, nukes, GDP – do not easily translate into victory against cyber power or terrorism. The U.S., for example, has the ability to strike anywhere in the world; but what magnitude of cyber attack would permit a military response? None, most likely, unless people die.
The Chinese know this. So do the Russians, the Iranians, the Syrians, and every other international malcontent with a grindable axe. And in response to cyber theft, the U.S. has done pretty much what other nations have done when faced with an asymmetric weapon: It has tried to delegitimize it.
Formally and informally, in working groups and phone calls, the U.S. has tried to create a norm against stealing data for the benefit of national companies. Make it taboo, and the cyber threat goes away.
Unfortunately, asymmetric weapons are hard to delegitimize. Submarines and terrorism never were; their use stopped only in specific instances when they were beaten. For example, before the First World War, Germany was in a similar position to China today: an increasingly strong power in a disproportionately subordinate global role. After trying and failing to build a battleship fleet that rivaled Britain’s, Germany focused on submarine warfare as a substitute for surface combat.
The established Great Powers had tried to proscribe the submarine’s lethality through international treaties. Prize rules which implicitly disadvantaged submarines (such as prohibiting attacking merchant ships without warning) were included in the Hague Conventions of 1899 and 1907. After Germany eventually ignored these rules in the First World War, the London Naval Treaty of 1930 made prize rules explicitly binding for submarines, which – in a rare burst of unanimity – all Great Powers ignored in the Second.
Perhaps obviously - even with an unjaundiced eye, these rules could look like hypocritical Western attempts to delegitimize the weapons of the little man. Germany ultimately didn’t give up submarine warfare until it became too costly. The Reich halted submarine operations in the heavily contested North Atlantic in 1943, after new Allied equipment and tactics decimated the U-boat packs.
Terrorism is similar. In certain places, in certain cases, it has become too expensive for both the terrorists and their sponsors. But it also works. The U.S. pulled its troops out of Lebanon after Hezbollah bombed the Marine barracks in Beirut in 1983. For the Islamic Republic of Iran, a four-year-old malcontent, the bombing was a cheap way to achieve its political objectives.
Likewise, cyber theft is unlikely to be stopped by new norms; it’s too deniable, too cheap, and too effective. The Chinese hackers indicted by the Justice Department were allegedly helping Chinese companies catch up to the West by stealing economic secrets. And fair enough – for a growing revisionist power that has a lot of ground to make up, cyber theft is an invaluable shortcut. Sure beats generations of R&D spending.
On the other side, squandering those generations of R&D spending is unacceptable for the United States. Right now, China is benefiting much more from the cyber status quo than is the U.S., the NSA be damned. One report, for example, estimates that cyber damage to the U.S. economy may reach $100 billion per year.
To achieve cyber disarmament – a Mutually Assured Cyber Destruction – this status quo has to become unacceptable for China. Until U.S. hackers are stealing secrets from Chinese companies at the rate they are being stolen from American ones, Beijing has no reason to stop.
Thanks to Edward Snowden, some U.S. cyber operations are public knowledge. Unlike Chinese hacking, these are focused on national security and regarded as part of the traditional game of espionage. However, the line that the Justice Department draws is that the US government does not steal information for the benefit of American companies.
It should; or it should at least protect U.S. companies and U.S. hackers that try to steal information from Chinese ones. China is clearly comfortable with its current rate of gain from both national security and economic hacking, since it refuses to stop. The current U.S. cyber policy mix of national security spying and asking nicely is thus not sufficient.
To begin with, the U.S. could issue an annual report with a tiered level of violators, like the U.S. State Department’s Trafficking in Persons report. For the most aggressively hacking countries, the U.S. government could steal secrets and distribute them to the US commercial sector, as well as protect national hackers who also attacked them.
The more a country reforms, the tighter the regulation of offensive cyber theft. Those that reform completely – the squeaky clean – would earn American protection against hacking, like the no-spying agreement between the United States and the Anglosphere.
It’s not a sure fix. But if the current cyber status quo is unacceptable – and it appears to be – then the cyber fight has to be won, not just indicted.
Top Reads from The Fiscal Times:
- Voters Now Rate GOP Ahead of Dems on Foreign Policy
- The 10 Highest Paid CEOs of 2013
- The Piketty Book Problem: Only As Good As Its Data