David Sanger has a very interesting article in Saturday’s New York Times, reporting that the United States has decided to retaliate against China for the hacking of the Office of Personnel Management. According to Sanger, how the United States will respond is still a matter of debate. The White House is uncertain whether the response will be symbolic or something more substantial; whether it will be public, known only to the Chinese, or secret; and whether it will happen soon or sometime in the future.
Over at Lawfare, Jack Goldsmith argues that the White House’s inability to craft a response highlights the challenges of deterring an adversary through counterstrikes, and that deterrence through resilience and defense may be a better option.
I am going to pick up on one of the policy responses mentioned in the article, what Sanger calls "one of the most innovative actions" discussed in the U.S. intelligence agencies: finding a way to breach the Great Firewall so as to demonstrate to the Chinese leadership that the thing they value most—"keeping absolute control over the country’s dialogue"—could be at risk.
First, a quibble. I am not sure that the idea of attacking the Great Firewall is innovative. I have heard it raised at conferences and other discussions since at least 2010. It may have also happened before. The drop of the Shanghai stock market by 64.89 points on the 23rd anniversary of the Tiananmen massacre (which occurred on June 4, 1989, or 6/4/89) may have been a weird coincidence, or the type of innovative policy Sanger is describing—an effort to show the Chinese leadership that their control was vulnerable.
Even if this is an old idea that is seeing new light, it is hard to see how it would deter future Chinese attacks, if only because Beijing appears to believe that the United States is already using the Internet to undermine domestic stability and regime legitimacy. As an article in PLA Daily put it in May (translation by Rogier Creemers):
Cybersovereignty symbolized national sovereignty. The online space is also the security space of a nation. If we do not occupy the online battlefield ourselves, others will occupy it; if we do not defend online territory ourselves, sovereignty will be lost, and it may even become a “bridgehead” for hostile forces to erode and disintegrate us.
Sanger’s article does not get into details, but there are at least three types of attacks that could be considered: hacks that expose information embarrassing to the leadership; allow Chinese users access to blocked websites outside of China; and lessen or dismantle controls on information within China. Beijing is likely to believe that Washington is already engaging in the first two types of attacks. A hack that exposes corruption or offshore bank accounts, for example, will not be seen as any less a hostile act than the New York Times’ reporting on the hidden wealth of former prime minister Wen Jiabao’s family or Bloomberg’s on the assets of Xi Jinping’s family. In addition, the State Department has spent over $100 million to help develop anti-censorship technology and train online activists, and some of that funding has gone to groups trying to give Chinese users tools to jump over the Great Firewall. Given this perception, counterattacks may not look like tit-for-tat retaliation for the OPM hack but instead as part of ongoing battle in and over cyberspace. In the best case scenario, the Chinese would simply react with more hacking of U.S. targets.
In the worst case scenario, attacks directed at the Great Firewall risk significant escalation. Despite the White House’s framing of Chinese cyberattacks as a threat to the U.S. economy and the bilateral relationship, Beijing has probably discounted the importance of the issue to the United States. China’s leadership probably calculates that Washington does not want to scuttle Beijing’s cooperation on a range of global issues over cybersecurity. They also view the United States as the predominant power in cyberspace, willing to use claims of Chinese hacking as a precursor to and justification for more cyberattacks on others. Beijing would likely view the types of responses being debated by U.S. intelligence agencies as disproportionate to the OPM hack, and deem them new threats to national security that call for a Chinese response.
This is not argue that the United States should not retaliate for Chinese state-sponsored cyberattacks. Rather, it suggests trying to keep the responses as proportionate as possible—economic sanctions for the cyber-enabled theft of intellectual property; counterintelligence operations for political and military espionage—and, perhaps most importantly, improving defenses and making it much harder for an attacker to breach U.S. networks.