The Issue
Cyberspace is a new domain of conflict, one guided by few accepted rules or standards of behavior. Policymakers find offensive cyber operations attractive because they are relatively inexpensive, can be designed to be less destructive than attacks against physical targets and can provide a high degree of anonymity to the attacker. Most of these operations include cyber espionage (theft of military and political secrets or intellectual property) and political disruptions (website defacement or distributed denial-of-service [DDoS] attacks, which flood a website with so much data that it can no longer respond).
Defending against cyber threats is extremely difficult. Defenders need to worry about millions of lines of computer code, hundreds of devices, and scores of networks. Attackers, on the other hand, only need to find one vulnerability. Moreover, determining who is responsible for cyberattacks is difficult and slow. Unlike other kinds of attacks, cyber attackers can hide their tracks more easily. The attacks can happen in minutes, if not seconds. Many countries also rely on proxies such as criminal groups, or patriotic hackers to conduct operations for them. Even if the hackers can be located, anyone anywhere could have authorized the attack. This conundrum also greatly complicates efforts to retaliate and prevent attacks. Experts generally assume that a cyberattack resulting in death or physical destruction would be considered an armed attack. However, the threshold for a military response to other forms of cyberattacks remains uncertain.
Compounding these difficulties is the fact that relatively few international norms exist to govern cyberspace. Without shared standards of acceptable behavior to guide responses to cyberattacks and deter certain types of cyber operations, such as those targeting critical infrastructure, cyber operations pose a considerable risk to international security. Successful attacks could risk escalation beyond the realm of cyberspace or have unintended consequences beyond the initial target. Moreover, if, based on past trends, military leaders fear that their networks or weapons systems could be subjected to cyberattacks—which would limit their ability to order forces in the field or to launch weapons—they would be incentivized to use their weapons systems preemptively. Such a move would escalate and further destabilize a conflict.
Hypothetical Decision Point
China, Brunei, Malaysia, the Philippines, Taiwan, and Vietnam have competing territorial claims in the South China Sea. In recent years, China has exerted authority over the area by increasing the size of existing islands or creating new ones. China has also constructed new ports, military installations, and airstrips. The United States has promoted the right of military vessels to operate in China’s claimed two-hundred-mile exclusive economic zone. The United States has also rejected China’s claim to a twelve-mile territorial zone around the artificial islands it has built. Since 2015, the United States has signaled its opposition by flying military aircraft and sending U.S. Navy ships near certain islands.
Last week, the U.S. Air Force conducted a flight near a shoal claimed by China in the South China Sea. Three days later, the Nasdaq Stock Market suffered a hack that damaged computers and forced the suspension of trading for two days. This imposed significant costs on several major multinational companies and dented confidence in the U.S. financial system. An underground hacker collective based in China known as the Zheng He Squadron has claimed responsibility for the hack. The group has known ties to the People’s Liberation Army, China’s military. U.S. intelligence agencies assess with 90 percent certainty that the hack occurred with the knowledge or support of parts of the Chinese government. Beijing claims no knowledge of the attack.
The U.S. secretary of state has declared that the attack represents a grave threat to U.S. national security and that Washington is considering all options, including military action, in response. In an effort to manage the dispute and avoid escalation, the UN secretary-general has convened a meeting of the UN Security Council to discuss and take possible action on the cyber conflict between two of the Security Council’s permanent members, the United States and China.