Jared Cohen - The New Digital Age

As with the Cold War, there will be little civilian involvement, awareness or direct harm, which deleteriously affects how states perceive the risks of such activities. States with ambition but a lack of experience in cyber warfare might go too far and unintentionally start a conflict that actually does harm their populations. Eventually, mutually-assured-destruction doctrines might emerge between states that stabilize these dynamics, but the multipolarity of the landscape promises to keep some measure of volatility in the system.

More important, there will be a great deal of room for error in the new Code War. The misperceptions, misdirection and mistakes that characterized the Cold War era will reappear with vigor as all participants go through the process of learning how to use the powerful new tools at their disposal. Given the additional layer of obfuscation that cyber attacks provide, it might end up being worse than the Cold War—even exploded missiles leave trails. Mistakes will be made by governments in deciding what to target and how, by victims who out of panic or anger retaliate against the wrong party, and by the engineers who construct these massively complicated computer programs. With weapons this technically complex, it’s possible that a rogue individual would install his own back door in the program—a means of access that bypasses security mechanisms and can be used remotely—which would remain unnoticed until he decided to use it. Or perhaps a user would unknowingly share a well-constructed virus in a way its creators did not intend, and instead of skimming information about a country’s stock exchange, it would actually crash it. Or a dangerous program could be discovered that would bear several false flags (the digital version of bait) in the code, and this time the targeted country would decide to take action against the apparent source.

We’ve already seen examples of how the attribution problem of cyber attacks can lead to misdirection on a state level. In 2009, three waves of DDoS attacks crippled major government websites in both the United States and South Korea. When security experts reviewed the cyber attack, they found Korean language and other indicators that strongly suggested that the network of attacking computers, or botnet, began in North Korea. Officials in Seoul directly pointed their fingers at Pyongyang, the American media ran with the story and a prominent Republican lawmaker demanded that President Obama conduct a “show of force or strength” against North Korea in retaliation.

In fact, no one could prove where the attacks came from. A year later, analysts concluded they had no evidence that North Korea or any other state was involved. One analyst in Vietnam had earlier said that the attacks originated in the United Kingdom, while the South Koreans insisted that North Korea’s telecommunications ministry was behind them. Some people even thought it was all a hoax orchestrated by the South Korean government or activists attempting to incite U.S. action against the North Korean regime.

These attacks were, by most accounts, rather ineffectual and fairly unsophisticated—no data was lost, and the DDoS method is considered a rather blunt instrument—which in part explains why the situation did not escalate. But what happens when more countries can build Stuxnet worms, and even more sophisticated weapons? At what point does a cyber attack become an act of war? And how does a country retaliate when the instigator can almost always cover his tracks? Such questions will have to be answered by policy-makers the world over, and sooner than they expect. Some solutions to these challenges exist, but most options, like international treaties governing cyber attacks, will require substantial investment as well as honest dialogue about what we can and cannot control.

The episodes that prompt these discussions will probably not be state-to-state cyber warfare; a more likely driver will be state-sponsored corporate espionage. States can contain the fallout of attacks on their own governmental networks, but if companies are targeted, the attacks are much more public and can affect more people if user or customer data is involved. Globalization also makes digital corporate espionage a more fruitful endeavor for states. As companies look to expand their reach into new markets, inside information about their operations and future plans can help local entities win contracts and regional favor. To examine why this is true and what it means for the future, we have to look, again, at China.

While China is by no means the only country engaging in cyber attacks on foreign companies, today it is the most sophisticated and prolific. Beijing’s willingness to engage in corporate espionage, as well as to sanction its companies to do the same, results in a heightened vulnerability for foreign corporations, not just those looking to work in China but those everywhere in the world. The previously mentioned Chinese cyber attack against Google and dozens of other companies in 2009 is hardly an isolated case; in only the past few years, the industrial-espionage campaign led by Chinese spy agencies has targeted American companies producing everything from semiconductors and motor vehicles to jet-propulsion technology. (Of course, corporate espionage is not a new phenomenon. In one famous nineteenth-century example, England’s East India Company hired a Scottish botanist to smuggle Chinese plants and secrets from China into India—which he did successfully, dressed as a Chinese merchant—to break the Chinese monopoly on tea.)

What is new about this latest iteration of corporate espionage is that, in the digital era, so much work can be done remotely and near-anonymously. As we’ll see shortly in our discussion of automated warfare, this is a crucial new technological development that will affect many areas in our future world. We live in an age of expansion, and as China and other emerging superpowers seek to expand their economic foothold around the world, digital corporate espionage will greatly enhance their abilities to grow. Whether officially state-sponsored or simply encouraged by the state, hacking into competitors’ e-mails and systems to obtain proprietary information will certainly give players an unfair advantage in the market. Several business leaders of major American corporations have told us in confidence about deals they lost in Africa and other emerging markets because of what they believe to be Chinese spying or theft of sensitive information (which was then used to thwart or commandeer their deals).

Today, the majority of cases of corporate espionage between China and the United States appear to involve opportunists rather than the visible hand of the state. There was the Chinese couple in Michigan who stole trade information related to General Motors’ research into hybrid cars (which the company estimated to be worth $40 million) and tried to sell it to Chery Automobile, a Chinese competitor. There was the Chinese employee of Valspar Corporation, a leading paint and coatings manufacturer, who illegally downloaded confidential formulas valued at $20 million, intending to sell them to China, and the DuPont chemical researcher who stole information on organic light-emitting diodes, which he planned to give to a Chinese university. None of these actors was tied directly to the Chinese government, and in fact they may simply have been private individuals looking to profit from confidential trade secrets. But we also know that in China, where most major companies are state-owned or heavily influenced by the state, the government has conducted or sanctioned numerous intelligence-gathering cyber attacks against American companies. There can be little doubt that the attacks we know about represent a small percentage of those attempted, whether successful or not.