National Security & Defense

How the U.S. Should Respond to the Latest Chinese Hack

The Chinese consider many peacetime activities to be a part of war. We need to start thinking, and responding, in those terms.

Having written about the hacking of the Office of Personnel Management (OPM) for the print magazine last week, I polled friends over the weekend about the impact of OPM director Katherine Archuleta’s resignation on Friday. The most positive response was that whoever replaced Archuleta would likely follow her precedent in declaring snow days early and often the first winter on the job. But while it may address the problem of insufficient vacation days, the resignation is not likely to solve the most serious issues created by Chinese hackers’ theft of personnel files, including security-clearance disclosure forms, for more than 20 million people. In light of Chinese perceptions of what is at stake, the United States urgently needs to establish deterrence in the cyber realm and also to build up its defenses.

Regrettably, there is little evidence that either the deterrence or the defense priority is being addressed. As my article mentioned, the most common response to the OPM news has been to worry about identity theft or the exposure of U.S. spies operating clandestinely overseas. Intelligence experts have pointed out that those holding clearances are also more at risk of being subjected to blackmail now that the hackers can read about private aspects of their lives that they disclosed in the process of being vetted. These are valid concerns. But they are typically American, rather than Chinese, ways of thinking about the situation.

Director of National Intelligence James Clapper has been quoted to the effect that, given the chance, he would have done what the Chinese did — as if this were just another round in the perennial game of spy vs. spy. But this obscures the uniqueness of the Chinese military’s perspective on future wars and the way the OPM hacks, together with scores of other recent intelligence feats, fit into this perspective. For Chinese strategists, stealing the secrets of the American national-security establishment is a coup not just in the espionage competition but also in the global contest for power and influence. This is because the Chinese see the data as valuable both in economic terms and in terms of identifying targets for attacks designed to knock the United States out of the contest.

On the economic side, the United States will have difficulty quantifying the damage done by the OPM strikes. It is fair to say that whatever China invested in those hackers has paid off in spades — as the information garnered from OPM’s databases would otherwise have taken untold man-years of intelligence work to collect. Nor is it known how much the Chinese have gained from cyber penetrations and other forms of espionage aimed at American weapons systems and defense plans. A new book by David Hoffman tells the story of a Soviet engineer who became a spy for the United States in the late 1970s and was known as the “billion dollar” agent because the U.S. Air Force estimated that the data he provided on Soviet air-defense systems saved us $2 billion in research-and-development expenses. Contrast that with the cost overruns that the Chinese have stimulated on programs like the U.S. Joint Strike Fighter by hacking into defense contractors’ networks and stealing proprietary information, which then necessitates redesigning elements of the aircraft.

But these costs that Beijing has imposed are probably dwarfed by the amount that the Chinese have saved on their own R&D expenses by stealing the intellectual property behind advanced foreign systems. This allows the Chinese military to free-ride on R&D investments made by other countries, particularly the United States, which is relevant to the contest over global power and influence because the lesson that Chinese strategists draw from the Cold War is that the United States prevailed by winning the economic competition.

With regard to strategic targeting, there is reason to suspect that Chinese strategists will try to use the OPM data, along with other information collected over the past several decades, to map out the U.S. national-security establishment and identify the most critical nodes to strike. For more than a decade, Chinese military thinkers have been expounding a vision of the future security environment in which conventional war recedes in importance and acts of aggression in peacetime serve as critical supplements to, or even substitutes for, direct uses of military force. The logic behind this perspective is that nuclear weapons have made great-power clashes so lethal as to be all but unthinkable. Great powers will still vie for control of resources, territory, and influence, though, so their outlets for this competition will increasingly be “non-military” operations, or “war beyond the battlefield.” The 1999 book Unrestricted Warfare, written by two Chinese colonels, one of whom is now a major general, points out, “Only by adding all ‘non-military combat operations’ aside from military operations can total dimensional war’s complete significance be realized.” While the age of “total dimensional war” has dawned in part thanks to the conventional predominance of the U.S. military, the authors go on to observe with surprise that no appreciation of this fact has “ever emerged in all of the theoretical research of the U.S. military since the Gulf War.” In other words, the United States lags China in understanding the importance of “war beyond the battlefield” to great-power competition.

Unrestricted Warfare particularly emphasizes the importance of cyber capabilities in “war beyond the battlefield.” This, too, is an area where the United States should be ahead but seems not to grasp the competitive potential of dominating the information domain. In discussing future warfare, Chinese strategists tend to begin with the observation that many of the information technologies critical to modern weapons exist within the civilian economy. The inherently dual-use — i.e., civilian and military — nature of these technologies is described as a great opportunity for China, as they can therefore be acquired via commercial transactions (or through commercial espionage). As the authors of Unrestricted Warfare put it:

With the progressive breaking down of the distinction between military technology and civilian technology, and between the professional soldier and the non-professional warrior, the battlespace will overlap more and more with the non-battlespace, serving also to make the line between these two entities less and less clear. . . . Thus, the battlefield is omnipresent. Just think, if it’s even possible to start a war in a computer room or a stock exchange that will send an enemy country to its doom, then is there non-battlespace anywhere?

According to the model envisioned by Chinese strategists, rival states will compete by trying to ferret out each other’s weakest points, or “nerve centers,” and then target those points using whatever means are most appropriate — from missiles or bombs to computer viruses. Such attacks, the natural outgrowth of technology trends that enable highly precise targeting, will be the hallmark of war and competition in the 21st century.

There is a serious asymmetry between this kind of writing in China and the behavior of Chinese hackers on the one hand, and the strategic literature and conduct of the U.S. military on the other. No U.S. colonels or senior officers can be found arguing for the use of cyber or other unconventional operations to uncover the optimal targets on the mainland of China. The only time kinetic strikes on the mainland are raised is in the context of discussions of what to do in the aftermath of a Chinese strike on Taiwan or another American ally. While it is possible that the National Security Agency has penetrated Chinese information systems and is capable of gathering targeting data from such penetrations, there is no American strategic literature to put such efforts in context or to guide them.

What can be done? The United States needs both better deterrence of, and improved defenses against, Chinese cyber attacks. Deterrence could be established by demonstrating the U.S. capability to penetrate critical Chinese systems, though each demonstration would risk the loss of such capabilities, as the Chinese would move to plug whatever vulnerability was exploited. Alternatively or in addition, the United States might pursue targeted economic sanctions against particular elite interests tied to cyber attacks, so that these attacks would no longer be largely costless for decision-makers in Beijing.

Finally, on the defense side, the extreme openness of the U.S. population has become a liability that demands attention. A famous experiment involved the depositing of thumb drives in the parking lots of U.S. government office buildings housing sensitive information. The experiment revealed that many personnel in these classified settings saw fit to pick up the thumb drives and plug them into their work computers. While we may never become as careful as we ought to be, some cyber civil-defense training could only help. Just as Americans in the 1950s and 60s engaged in duck-and-cover drills, so Generations X, Y, and Z need to become literate in the basics of computer safety and hygiene. Perhaps mandatory online courses on the subject for people with access to sensitive information would be a fitting use of the federal government’s snow days this winter.

— Jacqueline Newmyer Deal is president and CEO of the Long Term Strategy Group, a Washington, D.C.–based defense consultancy.