US-China cyber warfare's new face


THE five officers from China's People's Liberation Army (PLA) indicted by the United States on charges of computer hacking and economic espionage will never have to stand trial in an American court: China and the US do not have an extradition treaty, and the accused are hardly likely to volunteer for trial.

But the Chinese authorities would be gravely mistaken if they dismiss this episode as just a US publicity prank. For the indictment - the first of its kind in American legal history - represents a considerable shift in the US strategy of dealing with cyber security. And it may also be an ominous pointer about the future of cyber warfare.

At first glance, the Chinese have a point when they accuse Washington of being disingenuous on such matters.

As the revelations from US computer specialist turned whistle-blower Edward Snowden indicate, the Americans themselves are engaged in a vast, global cyber-snooping exercise.

However, while the Snowden revelations raise disturbing questions about privacy rights, ethics and America's relations with its allies, none has indicated the existence of a deliberate US programme targeting foreign corporations in order to steal their know- how. But that is precisely what the US alleges China is doing.

Stories about Chinese commercial spying are so common that they no longer even raise an eyebrow. Computer servers of multinational companies are probed on a daily basis. E-mail accounts are hacked to "harvest" personal data about people; these are then used to send spoof e-mails containing malicious software code which look convincing enough to trick their recipients into opening them. Then there is the old technique of tweaking the code on a company's website, so that anyone visiting it ends up sending information elsewhere.

Western intelligence agencies have long debated whether this Chinese behaviour really enjoys the support of Beijing's top political leadership. Some analysts claimed that China's spies could not be so persistent and so brazen unless they acted on explicit orders. Others have suggested that at least some of China's commercial spying operations are "cowboy" affairs, private undertakings by Chinese military staff who then sell the information to China's corporate sector.

But there is increasingly a realisation that, while "cowboy" operations sometimes do occur, the bulk of China's commercial cyber-hacking activity is systematic. And it is not only growing, but also changing in character.

The information Chinese hackers now want is not just related to innovative technologies and blueprints, but is also increasingly directed at spying on the merger and acquisition policies of Western firms, and on any commercial activities related to the trade in oil, gas and other minerals.

This is directly connected with the new emphasis of Chinese companies on overseas expansion and on moving up the trading value chain. It has the feel of a coordinated operation. And it seems destined to grow in intensity.

It is impossible to exaggerate the level of frustration felt among Western security planners about such developments. Since they could not legally discriminate between commercial companies, Western governments initially tried to offer cyber-security advice to everyone. But the information provided was too general and too low-grade to be of benefit.

Western intelligence agencies then changed tack and started offering more specific cyber-security advice to top corporate actors. More recently, a new refinement was added: Western companies deemed not to have invested enough in computer system security or deemed to have been compromised are simply cut off from access to government contracts.

Yet, as everyone acknowledges, this carrot-and-stick approach can apply only to big corporations, while cyber-spying activities are increasingly being directed at small companies and even start-ups, which are the real drivers of innovation, yet also the least likely to have resources to protect their systems.

For years, the US had hoped that the problem of China's commercial cyber spying could be handled politically. Every senior US official, from the president downwards, raised the matter at each meeting with his Chinese counterpart, only to be met with the inevitable stonewalling.

Last year, the US also tried the approach of naming and shaming: it used a study by an American computer security firm to lift the veil on PLA Unit 61398, which, from its base in a multi-storey building in the heart of Shanghai, is allegedly responsible for many commercial spying activities. But although the Chinese were initially stunned by this development and Unit 61398 temporarily suspended operations, these soon resumed with greater intensity.

The US authorities are aware that holding military officers of another country personally accountable for spying creates uncomfortable legal precedents. After all, the US has spent decades trying to shield its own soldiers from being dragged before foreign tribunals.

Still, the US decided to issue the indictments against the PLA officers because Washington concluded that the only way China could ever be deterred from engaging in such extensive hacking is when it realises that it has to pay a price for its activities. The US is determined to impress upon Beijing the distinction between "normal" military digital spying, which is acceptable and universally practised, and commercial cyber hacking, which the Americans consider intolerable.

But, for a variety of reasons, it is unlikely that Beijing will accept such a distinction. The fact that most Chinese enterprises are ultimately state-controlled means that a separation between security-related and commercially relevant spying will always be more theoretical than real. Chinese leaders also see the push of their companies into global markets as a strategic rather than a purely commercial operation.

Ultimately, the Chinese simply do not believe that a distinction between the military and the commercial exists in the West either. They point out that, while much of the technological research is undertaken by Western private companies, a great deal of it is spurred by the prospect of military contracts, so the West's advantage in civilian technologies is ultimately translated into military superiority.

But the Chinese will soon discover that if they do not take the current legal spat with the US more seriously, matters are only going to get more uncomfortable for Beijing. For in Washington there is a growing consensus that the next stage may entail direct American retaliation against Chinese activities, by engaging in offensive cyber operations.

The scenarios under which such operations may be launched are already being rehearsed.

Welcome to the brave new world of cyber warfare.