
Debating the Chinese Cyber Threat

Joel Brenner and Jon R. Lindsay

To the Editors (Joel Brenner writes):

In “The Impact of China on Cybersecurity: Fiction and Friction,” Jon Lindsay asserts that the threat of Chinese cyber operations, though “relentlessly irritating,” is greatly exaggerated; that China has more to fear from U.S. cyber operations than the United States does from China; and that U.S.-China relations are reasonably stable.1 He claims that “[o]verlap across political, intelligence, military, and institutional threat narratives . . . can lead to theoretical confusion” (p. 44). In focusing almost exclusively on military-to-military operations, however, where he persuasively argues that the United States retains a significant qualitative advantage, Lindsay underemphasizes the significance of vulnerabilities in U.S. civilian networks to the exercise of national power, and he draws broad conclusions that have doubtful application in circumstances short of a full-out armed conflict with China. In addition, he does not discuss subthreshold conflicts that characterize, and are likely to continue to characterize, this symbiotic but strife-ridden relationship.

To begin, Lindsay argues that American infrastructure is safe from nation-state cyberattack. For support, he cites a similar conclusion by Desmond Ball, who touts the supposed “sophistication of the anti-virus and network security programs available” in advanced Western countries.2 The notion that Western-made anti-virus and network security programs are effective against sophisticated cyberattacks would astonish any group of corporate security officers. Anti-virus programs are flimsy filters designed to catch only some of the malware that their designers know about. They miss a great deal. New malware enters the market at the rate of about 160,000 per day.3 Filters, whether employed by the military or not, are unable to keep up. “Network security programs” vary in quality, are insufficiently staffed, and are often not implemented at all across the economy. The Pentagon is expending huge sums to build its own power grids, even as its budget shrinks, precisely because the civilian grid cannot be relied upon in a crisis. On this subject, Lindsay says only that China’s ability to attack the U.S. grid “cannot be discounted.” In contrast, Adm. Michael Rogers, director of the National Security Agency (NSA) and commander of U.S. Cyber Command, testified in 2014 that China and “one or two” other countries could shut down the power grid and other critical systems in the United States.4

Lindsay’s article also fails to address the relationship between nonmilitary vulnerabilities and the exercise of national power. For example, when Russian intruders penetrated JPMorgan Chase Bank’s computer system in 2014 during tensions over Ukraine, no one could tell President Barack Obama whether Russian President Vladimir Putin was sending him an implied threat.5 Taking down a major bank would have enormous economic repercussions, and Chase’s vulnerability was there for all to see. When evaluating his options, could the president ignore the possibility that exercising one of them carried the palpable risk that a major U.S. bank could be taken down? Whatever the source and objective of the intrusion in the Chase case, the incident demonstrates the way in which a critical vulnerability in the civilian economy could constrain the exercise of national power, including military power, in a crisis.

Lindsay speculates skeptically about the increase in the reporting of commercial network exploitation since 2010 and wonders whether it may be spurred by self-interested disclosures by network defense firms seeking to scare up demand for their services. He does not mention that the Securities and Exchange Commission issued guidance in 2011 stating that public companies “should review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents.”6 And despite Lindsay’s claim that commercial network exploitation is overreported, virtually every private-sector lawyer and consultant I know in this field believes that publicly disclosed information understates the severity and frequency of attacks on corporate networks. The reasons are well known: companies resist disclosure for fear of harm to their brands and stock prices and to avoid shareholder derivative class-action lawsuits and regulatory action by the Federal Trade Commission.

Lindsay...
