Richard B. Andres
Paul McNiel
On February 2nd, Director of National Intelligence Dennis Blair made cyber security the first item in his Annual Threat Assessment report to the US Senate. Coming on the heels of Chinese cyber attacks on Google, Secretary of State Hillary Clinton's subsequent demarche and the Chinese government's strongly worded response, the report signals a growing frustration over America's inability to deter foreign, and particularly China-based, cyber attacks.
China is able to discount US and allied diplomatic pressure because it can hide behind a screen of semi-autonomous cyber militias. Although not officially condoned by China, these patriotic freelance hacking groups engage in cyber operations in support of national goals and often act with the tacit approval and sometimes active coordination of the state. The existence of these groups makes it difficult to prove that attacks originating from China are authorized by the government and consequently provides the regime with plausible deniability.
While cyber militias are used by a number of countries, China has been particularly enthusiastic about embracing this methodology. In 2003 the People's Liberation Army announced that it had created a militia unit to launch hacker attacks against enemy networks. In addition to this, the PRC reportedly offers bounties to hackers who successfully conduct operations against the United States. Over the last decade attacks emanating from China have escalated considerably.
US defenses are insufficient to stop Chinese cyber attacks. The US-China Economic and Security Review Commission estimates that Chinese cyber attacks cost the US hundreds of billions of dollars annually. By way of comparison, this is substantially more than the entire Chinese military budget.
What is needed is a threat that is both capable of forcing China to take notice and that it will believe the United States would execute. Such a threat exists. While China's regime does not appear willing to be deterred by conventional diplomatic or legal complaints, it has demonstrated considerable concern about threats to its censorship apparatus.
The most effective way to threaten Chinese censorship would be for US and partner nations to develop their own cyber militias. Rather than stealing intellectual property and disabling public institutions, however, Western militias would aim at finding ways to bypass Chinese firewalls to spread internet freedom.
There are a number of ways to set up anti-censorship militias geared toward bypassing firewalls and, equally importantly, protecting Chinese citizens from discovery and retribution for what they read and write online. Groups such as the Tor Anonymity Network and the Global Internet Freedom Consortium that disseminate anonymizing software and set up deflection sites (URLs that allow computers to access banned sites) have made a good start but could do much more with government encouragement and funding. On the government side, the US State Department's outstanding request for proposals for methods to promote the free flow of information through technology is a step in the right direction. Google's recent alliance with the National Security Agency is another model that could be replicated on a much broader scale. The key is to find ways to harness the ingenuity of large groups of internet savvy entrepreneurs to open what Secretary Clinton described as the "information curtain." Making freedom-hacking a patriotic hobby for US computer specialists has the potential to massively undermine Chinese censors.
Unlike most other types of pressure, threats to bypass China's internet censorship are entirely credible. Just as China has taken advantage of Western social conventions that inhibit retaliation against clandestine cyber assaults, attacks on Chinese censorship take advantage of Western conventions that encourage promoting freedom. Moreover, there is precedent for this approach. For more than 60 years Voice of America has overcome legal challenges and jamming to broadcast information into closed countries.
To have deterrent value, the United States must communicate to China that it intends to ramp up support to freedom militias until China relents. Members of Congress are currently calling for tens of millions of dollars to support this type of operation. China must be made to understand that given the magnitude of the costs their hackers are currently inflicting, the United States could afford to spend tens of billions and still come out ahead. Because it is difficult to call back private groups once activated, support should start small and present Chinese leaders with opportunities to concede (preferably without losing face) before escalating to the next level.
There is no guarantee that supporting freedom militias will reduce Chinese cyber aggression, but since the number and severity of Chinese cyber militia attacks are already increasing rapidly, to not act is to guarantee escalation. At the end of the day, even if US support to freedom militias fails to deter cyber attacks it will signal China that there are costs as well as benefits to attacking US targets. That, in itself, might be worth the cost.
Richard B. Andres is a Senior Fellow at the Institute for National Strategic Studies (INSS) at National Defense University.
Paul McNiel is a research intern at INSS.
The opinions expressed in this article are those of the authors alone and do not necessarily represent those of National Defense University, the Department of Defense, or the U.S. Government.