Below follows the text upon which Dr. Ford based his remarks at the Los Alamos National Laboratory (LANL) on October 14, 2015, for the “Cyber Security Days Colloquium” sponsored by LANL’s National Security Office and the office of its Chief Information Officer.
Good morning, and thanks to Bryan Fearey for having me out here to Los Alamos to talk about cyber strategy. I am a lawyer and policy guy with no particular technical background, so I’m mainly looking forward to learning from you. With the usual caveats about how everything I say is just my own thinking and not necessarily that of anyone else in the U.S. Government, however, I hope you’ll bear with me while I offer some musings on cyber strategy to help get the conversation going. My remarks will be unclassified, though I understand we can go higher in the discussion period afterwards, if we wish.
Just before the summit between President Obama and Chinese President Xi Jinping last month, officials in Washington leaked stories about how they were considering imposing sanctions on Chinese firms that had taken advantage of information stolen from us through computer network penetrations. This issue reportedly threatened to throw the entire summit Chinese “off the rails,” however, and after President Xi sent his domestic security chief to discuss cyber issues with U.S. officials, the Obama Administration apparently backed away from such cyber sanctions, settling instead for an exchange of promises that neither government would undertake commercial espionage against the other country.
It is hard to see the summit-related cyber pledges as a great success. To be sure, Chinese cyber espionage, not just against government networks but against an extraordinary range of U.S. high-technology companies, is clearly a huge threat. The odds of it stopping now, however, are low.
Personally, I thought the idea of sanctioning firms that benefit from such theft was a good idea, and I had been pleased to see President Obama issue an Executive Order in April 2015 that established a framework for such steps. Rather than depending upon implausible promises of Chinese Communist Party (CCP) good faith, it held out at least some possibility of making cyber theft more costly and hence less attractive. It looked a little bit like the tentative beginnings of a strategy of cyber deterrence and strategic signaling, it might just possibly have helped persuade Beijing to be somewhat less aggressive in these regards, and it might even have helped the international community – with American leadership – begin to feel its way toward an elementary system of behavioral norms in the novel domain of cyberspace.
At present, however, it would appear that we’re backing away from cyber sanctions in return for essentially unenforceable mutual Sino-American promises not to do something that we apparently didn’t do in the first place and that they have lied about doing all along. In recent Congressional testimony, President Obama’s own Director of National Intelligence made clear he did not expect that China will comply with Xi’s promise, and it’s hard not to agree with him.
Nor do I take much solace in the arrest last week by Chinese authorities of a handful of local hackers at the urging of U.S. officials. Those arrests aren’t nothing, I suppose, but there are lots of government-sponsored fish in that sea, as well as ample precedent for the People’s Republic of China (PRC) taking insignificant but well-publicized steps as pressures loom – and for the U.S. Government using such symbolic actions as an excuse for inaction.
Do you remember how the occasional imprisoned Chinese dissident would reappear just before Congress voted on each periodic renewal of “Most Favored Nation” (MFN) trade status with China or some high-level U.S. diplomatic visit, yet without there being any meaningful change in the Communist Party’s oppression of its citizenry? I fear we’ll now see something like this working in reverse, with the PRC locking up the occasional hacker just often enough to give the White House an excuse to avoid more proactive approaches. Meanwhile, even assuming the Chinese government keeps such an occasional sacrificial lamb in jail, they are truly expendable, and legions more remain available to keep up the fight.
Anyway, I say this by way of predicate, because it suggests an asymmetry in how U.S. leaders and Chinese leaders think about cyber strategy. Not to put too fine a point on it, they appear to have a real competitive strategy for cyberspace, while we are only just beginning to struggle with such questions. Let’s look a little at this backstory.
I. China’s Longstanding Search for Western Technology
As I describe in my most recent book, though once the Qianlong Emperor rather famously looked with disinterested contempt upon technological products of contemporary England presented to him by Viscount Macartnay in 1793, Chinese elites have envied and coveted Western science and technical know-how from the very earliest years of China’s encounter with Imperialist power in the mid-19th Century. From the first Chinese diplomatic mission to the United States in 1868, Chinese officials lavished attention on Western technology and sent back amazed accounts of modern ships, trains, machines, mines, and factories. They felt it essential to adopt Western learning for China’s use, not least in remedying the disparity in national power so painfully first experienced when mere handfuls of British gunboats trounced the military power of the Qing Dynasty in the Opium Wars.
This emphasis upon building up Chinese power vis-à-vis the West by acquiring Western scientific and technical knowledge never abated, and indeed intensified during what Chinese propaganda outlets refer to as their country’s “Century of Humiliation” at Western and Japanese hands. Chinese have had very different ideas, over the years, about the value to attach to Western political forms, but they have never wavered in their desire for the tools of modern power or their belief that the key to acquiring such power for China lay in mastering the technologies that made the West strong against China.
In the early 20th Century, this manifested itself in large numbers of Chinese coming to the United States for education, which led to America being called “the Chinese Mecca of Education” as early as 1910. Later, despite his hatred of the United States, even Mao Zedong could not resist praising our technology in his essay “Farewell, Leighton Stuart!” (He admired American science and technology, lamenting about them merely that such powerful tools remained “in the grip of the capitalists.”)
Chinese observers have long been fascinated with how the United States could have had such global success with what seemed – to Chinese – to be only a very short history and a small population. One of the secrets to this American success was felt to be scientific and technological superiority. Obtaining such knowledge for China has therefore always been a critical element of successive regimes’ efforts to achieve China’s “rise” and “return” to the position of geopolitical centrality of which they felt it to have been robbed by imperialists who had such knowledge at a time when China did not.
U.S. technology continued to be the object of Chinese awe and jealousy into the 1980s, when even during periods when Party-State propagandists decried American life in order to discourage Chinese from learning Western political values, Chinese writers exempted U.S. technology from their dark picture of our country. If anything, these feelings of technological covetousness intensified as Chinese scholars began to write about the “new ‘technological revolution’” then getting underway in the field of information technology (IT). So profound an impact did they expect modern technologies to have, in fact, that even some doctrinaire Marxists seem to have feared that modern IT might allow American capitalism to forestall its dialectically pre-ordained (and hitherto imminent) collapse for quite a while longer.
And it is here that another conceptual current enters the picture. The 1980s also saw the flowering of an infatuation with what Chinese authors have called “comprehensive national power” (CNP) – that is, the notion that overall national muscle can be quantified and measured, that states can be ranked at any one time on a sort of league table of relative power, and that the ingredients of such power can be acquired and marshaled to national advantage almost in the way a technocratic factory manager might organize material and labor inputs to produce an industrial product. CNP ideas began to take hold in the mid-1980s under Deng Xiaoping, who embraced the idea of pursuing science and technology as a key to China’s “national greatness.” As Deng’s national security advisor Huan Xiang described things in 1986,
“[t]he focal point of competition has been raised from the past emphasis, which was solely on the struggle for military superiority … to a contest of entire economic, scientific and technological, military and political comprehensive strength. Thus for the next several years … strengthening Comprehensive National Power will be the main task.”
The commingling, under Deng Xiaoping, of CNP theory with Chinese longings for Western technology as a way to effect a national “return” to greatness was a watershed in the development of Chinese grand strategy. Hereafter, achievement of what I have termed China’s “Great Telos of Return” – that is, the imperative of reclaiming the country’s alleged birthright of geopolitical primacy – was explicitly linked to the country’s progress in a range of economic, military, technological, political, social, and even cultural arenas. The mastery of technology was a central pillar of CNP calculations, thus making the acquisition of technology, by means fair or foul, into a sine qua non for national “return.”
One cannot understand the PRC’s aggressive campaign of cyber-theft without understanding this history. Broadly speaking, acquiring modern technology and know-how was arguably the key objective of Deng Xiapoing’s economic opening to the outside world.
At first, Deng’s so-called “open policy” called for massive technology imports that would be funded by Chinese oil exports. After initial estimates of China’s oil reserves turned out to have been exaggerated, the emphasis shifted to technology transfers through foreign investment in joint ventures. Western firms were allowed to operate in China if they agreed to demanding technology-transfer terms, and soon PRC officials and their would-be Western business partners were lobbying Congress against U.S. export controls on high-performance computers and other “dual-use” technologies with both civilian and military applications.
With an objective of such overriding national importance, however, it would be surprising if the Party-State’s imperative of technology acquisition had confined itself to the use overt and legal means – and indeed, it did not. As the PRC’s cyber-toolkit improved, computer network penetrations inevitably also became part of the program. It was a logical progression, and as soon as they could, they did.
The critical point, however, is that China’s modern cyber theft is merely one piece of a much bigger picture. The PRC’s systematic campaigns of cyber-facilitated technology theft are not arbitrary or coincidental. Will China abandon a core plank of its grand strategy now that President Obama has had Xi Jinping to stay at Blair House? Don’t hold your breath.
II. Concepts of Cyber Power
And so here’s the contrast to which I’d like to draw attention. China has obviously developed a broad competitive strategy against the United States – indeed, in some sense, a competitive strategy vis-à-vis the entire rest of the world – that rests on a clear concept of power. This concept, in turn, informs how this strategy should be implemented, not least in and through the domain of cyberspace.
This strategy offers relatively coherent ideas not just about what national competitive advantage means and how to get it, but also about China’s strengths and weaknesses relative to the competition. And it would seem to contain elements capable of providing Chinese leaders not just with overall objectives and performance metrics, but also with ways to conceptualize the prioritization of objectives as they struggle to reconcile whatever resource constraints, cost-benefit calculations, and public-policy “triage” issues face Communist Party leaders today.
With regard to the cyber domain, in fact, China’s does not seem really to be a strategy for cyberspace. Instead, it is a strategy that provides broad overall guidance for competitive advantage in any domain, in connection with which the schema of technology-facilitated CNP maximization has clear implications for cyberspace. Cyber espionage is the logical extension of approaches in other arenas that have been a priority for the Party-State for many years.
Remember also that there have been Chinese cyber attacks upon Western media outlets that published stories about corruption by the families of Chinese leaders such as Xi Jinping and Wen Jiabao, and the so-called “Great Cannon” tool has been used to hijack computers outside of China and use them to mount distributed denial-of-service (DDOS) attacks against websites that Chinese citizens like to use to circumvent Internet censorship. These steps suggest that Beijing’s cyber strategy also incorporates elements of signaling based on concepts of active defense and cyber deterrence. The PRC is not only seeking to use cyber tools to augment its national power in service of a longstanding geopolitical grand strategy, in other words, it is also defending Communist Party rule at home through combative engagement with the non-Chinese Internet.
I’m not prepared to take a position on the merits, demerits, and likely future success of the PRC’s overall competitive strategy in and through cyberspace. Nor will I offer a view on whether the “comprehensive national power” idea – with its sometimes bizarre conceits of quantifiability – makes all that much sense in the first place. As with so much about the Chinese Party-State, a good deal of superficial success coexists with signs of deep structural problems that it is not clear even the cleverest autocrat could overcome, and it is not at all clear that the Party’s strategy is really the game-winner it is intended to be.
But it does seem very clear to me that, good or bad, China’s approach really is a coherent strategy. And this naturally suggests the question: “What is our strategy in response?” I look forward to hearing from all of you here at Los Alamos about whatever thoughtful advice is gradually bubbling upwards in our system, but it does not appear to me that we have good answers yet at the level of our overall national policy.
One place at least to look for a real U.S. cyber strategy is surely the “International Strategy for Cyberspace” published by the Obama Administration in May 2011. Unfortunately, however, it doesn’t offer so much. To be sure, it proclaims the desirability of desirable things – among them, an Internet that is “open, interoperable, secure, and reliable,” and protects “free flow of information, the security and privacy of data, and the integrity of the networks themselves.” The document promises a “strategic approach … that empowers the innovation that drives our economy and improves lives here and abroad.” The analytical link between our interests and affairs in cyberspace, however, is apparently no more complicated than that “[t]he more freely information flows, the stronger our societies become.”
Ultimately, therefore, this so-called “international strategy” doesn’t boil down to much more than a sort of techno-utopian vision of a cyber future in which everyone in the world has the benefit of cheap, reliable connectivity without being plagued by malevolent cyber actors. Beyond airy generalities, however, this “strategy” is notably short on how we get to such an Elysium.
It proclaims that “the United States will combine diplomacy, defense, and development to enhance prosperity, security, and openness so all can benefit from networked technology” and “will work to realize this vision of a peaceful and reliable cyberspace” in a “spirit of cooperation and collective responsibility” by building “strengthened partnerships” and “expanded initiatives.” We will, it is said, “defend networks … encourage good actors[,] and dissuade and deter those who threaten peace and stability through actions in cyberspace” while “protect[ing] civil liberties and privacy in accordance with our laws and principles.”
The strategy claims to offer “a roadmap allowing the United States Government’s departments and agencies to better define and coordinate their role in our international cyberspace policy, to execute a specific way forward, and to plan for future implementation.” But it’s really more a stump speech than a navigable “roadmap.”
Nor does it help much to turn for further clarity to the White House’s “Comprehensive National Cybersecurity Initiative” (CNCI). That document is more useful than the Administration’s frustratingly empty “international strategy,” but at its core it is still more a plea for a real cyber strategy than a policy document flowing from any such concept. And indeed the CNCI admits this. It calls for the United States to “[d]efine and develop enduring deterrence strategies and programs.” Clearly implying that we haven’t done so yet, it calls for us to
“think through the long-range strategic options available to the United States in a world that depends on assuring the use of cyberspace [in order to build] … an approach to cyber defense strategy that deters interference and attack in cyberspace.”
I agree we do need to do this, but it seems clear that until we actually have done such things, we cannot be said to have a cyber strategy. Ultimately, therefore, though it does make important points, the CNCI really just highlights our current lack of a competitive strategy for cyberspace.
Last April, the Department of Defense (DOD) took its own swing at articulating a cyber strategy. DOD focuses upon the need “to deter attacks and defend the United States against any adversary,” saying that U.S. cyber capabilities will be integrated with our “diplomatic, informational, military, economic, financial, and law enforcement tools.” It declares that “[t]his new strategy sets prioritized strategic goals and objectives for DoD’s cyber activities and missions to achieve over the next five years, … prescrib[ing] objectives and metrics for meeting each goal.”
The Department sets a number of strategic goals for its cyberspace missions, but while these are very sensible objectives, they still speak more to what DOD hopes to do than how it will accomplish these things – or and why some particular path toward this end is the best approach. At some level, therefore, even this comparatively thoughtful document is still more of a call for a cyber strategy than such a strategy itself.
One challenge is suggested by DOD’s discussion of the targets of cyber deterrence. Though it at one point specifically calls out both Russia and China as key cyber threats, it emphasizes the diversity of the cyber domain and the “variety and number of state and non-state cyber actors” whom we will need to deter by shaping their perceptions of the costs and risks of continued activity against us.
This is all true, but perhaps you can see the problem. At least in this document, the Department seems to be setting itself the goal of being all things deterring and dissuasive to all targets, and at the same time. I certainly accept the importance of being as prepared as we can be for a range of targets and contingencies.
At some level, however, strategy is also about mission prioritization. We clearly face all sorts of cyber threats, from run-of-the-mill cyber criminals to multinational agenda-driven hacktivist collectives, and from the proverbial teen hacker in his parents’ basement to sophisticated near-peer nation-state strategic competitors who use cyberspace as just another domain in which to seek geopolitical advantage. We cannot ignore any of these threats, but we surely shouldn’t prioritize them all equally either.
As the DOD document notes, deterrence is in large part about perception, and this necessarily means that deterrent strategies must be tailored to their targets. If we try to be all things to all targets, my guess is that we won’t do the most important jobs well enough. And if the DOD “cyber strategy” is correct in calling out Russia and China as special threats, we need to be devoting commensurately special attention to how to shape those particular governments’ perceptions to our advantage.
The document, however, suggests nothing about how to do this with any particular target, not even the two adversaries identified as being of special concern. This, I would submit, is a problem. Simply seeking deterrence in the abstract – without some consideration of who we aim to deter and what we wish to keep them from doing – isn’t really a strategy at all.
Nor is there much discussion of the role of cyber power beyond simply the role of deterring aggression by being able to serve as a warfighting tool if necessary. We still seem to lack a basic concept of power in the cyber arena, or concepts of how to operate in cyberspace more broadly, as the United States seeks to preserve and promote its interests.
If you ask them, Defense Department officials can talk your ear off about how to employ regular military assets around the world in “Phase Zero” activities designed to promote U.S. interests, reinforce diplomatic initiatives, and “shape the potential battlespace” in various advantageous ways. But our cyber thinking is as yet nowhere year this level of maturity. In short, though our adversaries have competitive cyber strategies based upon clear concepts of power and its uses in the cyber domain, we ourselves still have some way to go before we have a real cyber strategy.
One problem is we have yet to build a rich enough cyber strategy community. During early years of the Cold War – the last time we struggled to come to grips with issues of competitive advantage, deterrence, strategic signaling, escalation management, and conflict termination in a new domain created by the arrival of a disruptive new technology with dramatic civilian and military implications – it took us a while to develop a body of concepts and theories adequate to this new realm.
Over time, however, we did indeed develop a flourishing ecosystem of public and private strategizing – an arena of diverse thinking and analysis by government experts, think tanks, academics, and public intellectuals that gave rise to a range of competing theories and concepts upon which our strategic planners could draw in formulating national policy. We don’t yet have this kind of conceptual ecosystem in the cyber arena.
As a 2009 National Academy of Sciences study noted, moreover, we need to make sure our cyber-strategizing is tailored specifically to the targets whose behavior we aim to shape and whose attacks we aim to deter – with the goal of “get[ting] into the mind of the adversary and influenc[ing] its decision making at critical times and at all levels. This would include making adversaries question their plans, direction, capabilities, actions, likelihood of success, control, and whether generally they trust their information and knowledge base” at all.
These are important points, but through this prism, we will not have a cyber strategy until we are able to build our cyber agenda not just around some grandiose vision of a desirable cyber future, but around a clear understanding of how and why our adversaries are working in and through cyberspace to shape the world to their own specifications, and of how we can ourselves operate in this new domain to deny them their objectives and advance our own.
That’s why I’m so pleased to be here at Los Alamos for these discussions. I don’t pretend to have the answers to these questions, but I imagine that we won’t have good ones without more debate and discussion than our public policy community has yet had. The national laboratories are surely at the cutting edge of whatever real strategy-building we’re doing, so I am looking forward to learning at lot from you today.
– Christopher Ford