Normalizing Cyber Warfare

By: Ian Daviscyber

There is little denial that China will one day overtake the United States’s preeminent role as the global economic hegemon. A new report issued by the American computer security firm Mandiant however, suggests that this eventual ascension might be state-sponsored. Released on Feb. 19, the report correlates an overwhelmingly large percentage of commercial cyber-hacking on American companies to a group of individual hackers called the “Comment Crew.” More importantly, Mandiant traced more than a thousand servers used by the Comment Crew across dozens of countries back to networks in a residential area of Shanghai. Not just any residential area – the Gaoqiaozhen neighborhood of Shanghai, home to Unit 61398, an elite force in the People’s Liberation Army of China. Such an association could have immense ramifications for the American government and corporations alike.

While the United States vehemently opposes the theft of internal commercial secrets, they cannot claim complete innocence in the realm of cyber warfare. When dealing with cyber warfare, the country has consistently used offensive force only in the case of a perceived threat to national security. For example, in 2007 America and Israel co-developed a virus called ‘Stuxnet’ which would eventually destroy 1,000 of the 5,000 operable uranium-enriching centrifuges in Iran’s Natanz underground nuclear facility. In response to Iran’s nuclear ambitions, a clear threat to American and Israeli security, the two countries used cyber force to sustain a level of comfortable security.

If Mandiant’s report is valid, China will be responsible for engaging in a class of cyber warfare that is not a reaction to weakened national security. In stealing the secrets of American companies, the Chinese politburo, not simply Chinese individuals, is blatantly attempting to increase the country’s competitive edge over other governments. While America has set a precedent of only utilizing cyber attacks in response to security risks, China has yet to establish such a standard.

To constrain China’s use of commercial cyber warfare, America must align itself among nations with similar interests and converge on virtual warfare norms. Countries like the United States must first create an open environment for victims of commercial cyber theft to come out and report their losses. Currently, most companies do not report their temporary loss of cyber security as to not risk tipping off competitors or distressing investors.  While this is an understandable approach, companies must sacrifice for a certain collective security by being far more transparent to the U.S. government at the very least.

While intellectual knowledge is freer than it has ever been, theft has always been a universally condemned act. The United States must take steps to isolate China’s behavior as unacceptable in today’s open society. The release of the Mandiant report itself will force China to respond to the claims of cyber theft, and even a denial will cause pressure to continue to build.  In “naming and shaming” the cyber criminals, China will be increasingly forced to take responsibility of its hackers, if not its own role behind the hacks.

Finally, it is in almost every state’s interest, China included, to establish international standards that will help govern cyber warfare. All forms of conventional warfare have global norms that states abide by, unless they wish to be punished. Why should cyber warfare lack such codified principles? If international institutions are set up that monitor the extent of commercial cyber hacking, annual reports can notify the international community and show the frequency, origin and costs of such attacks. With this shared information, states will be forced to confront the offenders, and likewise reciprocate beneficial behaviors to those that abide. An obstacle that must be acknowledged is the already secretive nature behind cyber attacks. It is inevitable that in response to increased monitoring, hackers will adapt to more clandestine forms of intrusion. Increased attention in this area will be the surest way to draw attention to the need to fortify against cyber attacks.

Nothing suggested here is groundbreaking. Similar levels of global transparency and forms of international institutions exist in issue areas such as human rights abuse and climate change. It is now time to fully acknowledge the risk of commercial cyber warfare and take action against it.