Deterring cyber-espionage requires a more intelligent US approach
The cyber theft of millions of personal dossiers from the United States Office of Personnel Management (OPM), which was revealed by US authorities in June 2015, has put the US government in an awkward position. In April 2015, US Defense Secretary Ash Carter announced an updated cyber strategy, according to which the United States would retaliate against ‘cyberattacks of significant consequence’.
According to The New York Times, the Obama administration believes that the Chinese government is behind this instance of cyber espionage. Government officials regard it as being of such a large scale and serious nature that retaliation is required in order to deter China from conducting similar operations in the future. In September, during President Xi’s visit to Washington, the United States and China agreed not to conduct or support cyber espionage aimed at benefiting companies or commercial sectors.
But the agreement does not address cyber espionage for national security purposes and is insufficient to deter other countries from conducting cyber espionage of any kind on a massive scale against the US and its allies. To this end the United States must revise its own position on intelligence gathering.
The US government makes a distinction between intelligence operations for national security purposes and government sponsored cyber-espionage for commercial gain. The United States has acknowledged that it undertakes the first, which it says is legitimate, and has accused China of doing also the second, which it considers illegitimate. But the information theft from the OPM seems to fit the first category more than the second.
Michael Hayden, former director of both the National Security Agency (NSA) and the CIA said in an interview with The Wall Street Journal that ‘those records are a legitimate foreign intelligence target. If I, as director of the CIA or NSA, would have had the opportunity to grab the equivalent in the Chinese system, I would not have thought twice, I would not have asked permission’. Washington cannot legitimise retaliation against the Chinese government for doing something that the US itself also does.
Assuming China is actually responsible for the theft, any retaliatory action would fail to deter Beijing. As long as Washington promotes the notion that its own intelligence gathering for national security purposes is legitimate, this invites foreign governments to do the same against the United States. US retaliation aimed at damaging Chinese national interests would also likely provoke similar actions against the United States.
The matter is complicated further by the apparent inability of the United States to formally identify China as the perpetrator. Either the US government has no reliable evidence that China is behind the OPM thefts, or it does have such evidence but it cannot disclose this without damaging the intelligence instruments with which the evidence was collected.
Under these circumstances, the most likely type of retaliation that Washington may be contemplating is to conduct covert cyber operations against China. It could then send a strong message to Beijing while circumventing the problem of formal attribution. A possible aim of such an operation could be creating a temporary breach in Beijing’s ability to maintain its policy of internet censorship to highlight China’s own vulnerability in the cyber domain. But such an operation risks causing a severe crisis in Sino–US relations since it would be regarded by China’s leadership as an attack on its political security, which is the country’s top national security priority.
Long-standing allies of the United States, such as Australia, Japan, South Korea and NATO countries, have reason to be worried about these developments. On the one hand, they depend to an important degree on the United States for their own security. If the United States cannot deter foreign governments from stealing large amounts of classified data on its own federal employees, smaller countries surely have to expect that their alliance with Washington cannot deliver extended cyber deterrence. On the other hand, American retaliatory actions that severely affect Sino–US relations would destabilise the international system and are highly undesirable to any US ally that has close economic relations with China.
US allies should urge Washington to refrain from seeking cyber deterrence through retaliation as long as the United States itself conducts similar cyber-espionage operations against China and other nations. They should send the message that foreign intelligence-gathering for national security purposes without any limitations can no longer be regarded as legitimate. Instead new norms are needed that put limits on intelligence operations.
At first glance, the costs of pursuing new intelligence norms may seem high, given the benefits that Western intelligence communities have long enjoyed because of their superior technological and financial resources. But in a world in which cyberattacks, including cyber espionage, are becoming ever more damaging and within closer reach of new actors, no country’s national security interests are served by a proliferation of state-sponsored espionage and covert cyber operations.
Article is based on a Clingendael Policy Brief The Danger of Proliferating Covert Cyber Operations.