Photo courtesy of flickr/Dano
Cyber conflict remains an issue in search of a conceptual framework. In his widely noted, and controversial piece in the Washington Post, Michael McConnell, the former director of the NSA and national intelligence, relys on nuclear deterrence and cold war strategy, arguing that we were already fighting a cyber war and losing it. In his review of Richard Clarke’s new book, Cyber War (co-written with our colleague Rob Knake), Fred Kaplan jumps back and forth between the beginning of the nuclear age and today. In contrast, cyber security czar Howard Schmidt has said that he did not think that cyber war exists: "“I think that is a terrible metaphor and I think that is a terrible concept.” For my part, I think Greg Rattray and his co-authors at the Center for New American Security do a convincing job of arguing that dealing with cyber is more like addressing global public health risks.
Not to muddy the waters any more, but reading Shadows in the Cloud, the excellent report on the attacks on the computer networks of the Dalai Lama and the Indian government among others, made me wonder if there is not another set of experiences policy makers should be drawing on: China and the non-proliferation regime. One of the reports’ central points is that the ecosystems of crime and espionage are converging. Those who hack for political reasons or to commit espionage exploit criminal techniques and ally with criminal groups not only to increase deniability but also to cultivate uncertainty. While there is no concrete evidence of the involvement of the government of China (or any other state) in these shadow networks, the pressing question is will the PRC do anything to shut them down?
This is the question that made me think of non-proliferation, and the comparison works like this. In both cases, Beijing authorized/encouraged/turned a blind eye to illegal markets for strategic, ideological, and economic reasons. Faced with the more powerful potential adversary, cyber and technology sales to rogue states were attractive assymetrical weapons. And as with cyber hackers, there was a degree of deniability involved with the sale of WMD technologies; the Chinese government often claimed that it could not control some of the companies making sales to Syria or Iran.
Beijing’s approach to non-proliferation began to change in the 1990s as documented in Evan Medeiros’ Reluctant Restraint. To varying degrees depending on whether you are looking at nuclear, chemical, or missile-related technologies, Beijing gradually accepted international norms, entered international organizations, and introduced domestic regulations on exports. Why? Medeiros looks at four reasons. Beijing became more sensitive to the threat the spread of WMD had on its own interests, it worried about its international image, it saw non-proliferation as a means to improving the bilateral relationship, and U.S. policy shaped Beijing’s interests and incentives. Of the four, Medeiros puts the most explanatory weight on U.S. policy (though its impact is significantly shaped by the other three)--the United States enaged China on non-proliliferation broadly and used a wide array of carrots and sticks to move it.
It’s worth thinking more about how the United States might do the same with cyber, or if we’re talking about apples and oranges: has the world, and Sino-US relations in particular, changed too much to have as much of an impact? What carrots and sticks does the United States still have?