Tuesday, November 08, 2011

Cyber Warfare Capabilities in China

Professor Desmond Ball writes in "China’s Cyber Warfare Capabilities" (Security Challenges, Volume 7, Number 2, Winter 2011) that "China has the most extensive and most practised cyber-warfare capabilities in Asia...". He argues that China’s People’s Liberation Army has a pre-emptive strategy: to use cyberwarfare at the outset of conflict.

Professor Ball cites media reports alleging Chinese cyber espionage against Australian Government agencies and resource companies. He also cites reports of China's own vulnerability to such attacks.

But what Professor Ball doesn't say is what the response of Australia and its allies should be, if these reports are credible. The issue of how to identify and respond to cyber-attack is discussed at length in "Cyberdeterrence and Cyberwar", by Martin C. Libicki (RAND Corporation, 2009).

Cyber-warfare is like other forms of irregular warfare, in that it is difficult to work out who is responsible for an attack. Like germ warfare, it is difficult to limit the effects of an attack.

One difficulty is in mounting an effective military response to a diffuse cyber-attack. The USA is still preparing its "Doctrine to Establish Rules of Engagement Against Cyber Attacks".

Retaliation in kind for cyber attacks is unlikely to be effective. Even where cyber retaliation inflicts damage, that damage may not be apparent to the government or the people of the country attacked (or apparent to the world media). Israel's government yesterday denied its security agency web sites were hacked: "Israeli Websites Down in 'Technical Malfunction'" (ABC News, 6 November 2011).

There are some relatively simple measures to combat on-line attack. Examples are having personnel on duty to deal with the issue and providing help with threats via the web.

The report "Alert and Ready: An Organizational Design Assessment of Marine Corps Intelligence" from the RAND Corporation pointed out that the US Marine Corps did not have a 24 hour a day intelligence service. The staff at headquarters in Quantico went home at the end of the day, leaving no one to answer the phone. Also, deficiencies in their web site design meant customers went elsewhere for information.

Presumably the Cyber Security Operations Centre (CSOC) at the Defence Signals Directorate is now providing 24 hour support to military and government customers. However, industry also needs the support of facilities such as the Australian Computer Emergency Response Team (AusCERT). The idea that the military can "stand up" a defensive team in response to an attack will not work with cyberwar. Like a thermonuclear war, a cyberwar may be lost in hours, if not minutes. But unlike atomic war, those attacked may not even know they are under attack until after the battle is lost.

Some of the US-based reporting on China's threat is a little sensationalist, such as the book "Tiger Trap: America's Secret Spy War with China" by David Wise (Houghton Mifflin Harcourt, 2011):
"... pre-emptive strategy ... cyber-warfare capabilities are unleashed at the very outset of prospective conflicts ..."
Use of electronic warfare at the start of hostilities has been routine since the development of the telegraph. There seems no reason to believe that this same practice would not be followed in cyberspace.

One aspect which has made parties less willing to attack electronic systems in modern symmetric conflicts is that they may be sharing the same infrastructure. There is no point in taking out the global IT systems if you cripple your own military, and perhaps control over your own country, in the process. As an example, it is likely that both sides in a conflict will be using the same satellites for navigation and communications. Either side could disable the service, and so the question is who has more to lose.

With cyber war, the best defence is defence. The nature of a cyberwar will be much the same as the daily attacks which government and industry computer systems are already subject to, just with greater intensity. Civil defence measures are therefore appropriate: the general public encouraged to improve the security of their personal computers, so these are less easily co-opted in an attack; industry improving security to prevent corporate espionage; and cooperation with authorities to detect patterns of attack. The last and easiest element of this is protection of government and defence systems.
