The classic 1964 film “Dr. Strangelove or: How I Learned to Stop Worrying and Love the Bomb” parodied the Cold War between the U.S. and the Soviet Union, and in particular, made fun of the “deterrence” military strategy—the strategy that we all must hope governs the use or lack thereof of nuclear arsenals.
The idea behind deterrence, and its supporting “MAD” theory (for “mutually assured destruction”) is like a child’s schoolground taunt: “If you do it to me, I’ll do it to you but worse—so don’t try it.” Now that cyber warfare is here, these same tenets are being applied to the digital world by nation-states that have the capability and desire to “give as good as they get.”
How do we know? Let’s start with the “Paris Call for Trust and Security in Cyberspace” agreement, which was signed by over 50 countries in collaboration with some private organizations just a few weeks ago. The agreement establishes international norms for responsible, ethical use of the internet, and outlines nine specific goals, including non-interference in elections and preventing intellectual property theft. This sounds like something most morally responsible citizens of the world could agree with, right? Well, surprise—or maybe not to some. The U.S., Russia, and China, as well as North Korea, Saudi Arabia, Israel, Australia, and Iran refused to sign it. Google, Microsoft, Kaspersky Lab, and Facebook signed it, but among others, Chinese telecom firms ZTE and Huawei declined.
Playing but by different rules
Now, add a couple of developments that occurred in recent months: In August, Donald Trump signed a classified executive order that loosened the restrictions surrounding offensive cyber attacks by the U.S. government. Although cybersecurity strategies have been put in place by previous U.S. administrations, this one, according to unclassified comments, lessens the interagency cooperation required among different U.S. government departments. In essence, this reduces oversight and gives more power to General Paul M. Nakasone, who took over this year as both the director of the National Security Agency and the commander of U.S. Cyber Command, part of the Department of Defense.
Then, on September 20, the White House published the Cyber Security Strategy of the United States of America: 2018, which is the first public document to call out past cyber attacks from specific nation-state actors, including—with little surprise—Russia, China, Iran, and North Korea as cyber aggressors. In addition, it reads, “The U.S. will develop swift and transparent consequences, which we will impose… to deter future bad behavior.” National Security Advisor John Bolton, whose career was forged during the Cold War, has advocated for taking the gloves off for a long time. He’s said that he wants to impose “retaliatory cyber campaigns” on malicious actors that are “disproportionate” and so damaging “…that they will simply consign all their cyber warfare plans to their computer memories to gather electronic dust.”
Is it a bluff?
Is this bold rhetoric part of a deterrence strategy that will stop there, or will it result in retaliatory, offensive cyber strikes issued from the U.S. and its cyber allies in the future? Right now, no one knows, but based on the widely held belief that America has participated in known cyber attacks—for example, one known as “Stuxnet” that targeted Iranian nuclear centrifuges—it seems likely that this will go beyond a war of just words.
“Made in” or “stolen by” China?
The U.S. is particularly concerned about Chinese cyber threats. A report released in March by the U.S. Office of the Trade Representative accuses China of unfair trade practices and violations of existing trade pacts, including cyber theft of “trade secrets, technical data, negotiating positions, and sensitive and proprietary internal communications” of U.S. companies. The findings in this report are thought by many to be the impetus for the new U.S. tariffs imposed on Chinese goods this summer. It should not have come as a surprise. Chinese cyber attacks are mounting, and back in 2015, China announced its “Made in China 2025” policy, with a goal that 70% of “core materials” in ten industries be fabricated in China by 2025. To achieve such an ambitious goal, China has embarked upon another “great leap forward” that is moving right along, but with the help of (it’s pretty certain) an army of hackers.
Hard decisions: the Chinese market and business risk
Those doing business in China are keenly aware of the requirements of the Chinese National Security Law, which came into effect in June of 2017. This very restrictive law dictates that companies doing business in China must store data that is “gathered or produced” in China on servers physically located there, and must turn over any such data to Chinese security agencies if requested. Some well-known companies have refused to comply, such as Skype (Microsoft) and WhatsApp (Facebook), but others like Apple have tried to make accommodations such as storing Chinese-customer data at a “Chinese partner” company so as not to lose a market of over 800 million internet users.
Western firms have been especially concerned about this law’s potential to harm their businesses due to business espionage that’s sanctioned by the Chinese government—perhaps in direct support of the “Made in China” initiative. They, and human rights groups, are also concerned about the requirements, codified in this law, to turn over personal data about any Chinese citizens.
Hope for the movie
It seems we have a new type of cold war occurring in the cyber universe, with China taking the place of the Soviet Union to a large extent. Will the deterrence theory work, so in a few years some director from Hollywood or Shanghai can make a satirical film about it? Or will we find ourselves in an out-and-out cyber “shooting war,” which would be unintended yet dire?