In February, the American cyber security company Mandiant released a report “exposing one of China’s cyber espionage units” (PDF here). A large chunk of it boils down to three findings: The attacks on US infrastructures originated in China, they were orchestrated by a large and resourceful group, and Mandiant has studied that group to the extent where they can tell individual members apart.
Finally the authors point out that the activities of this “Advanced Persistent Threat #1” (APT1) have been tracked to a certain location in Shanghai, which also happens to host the headquarters of a Chinese military unit (PLA Unit 61398) dealing with cyber security. So Mandiant claims to be able to trace breaches into private U.S. security systems back to a unit of the People’s Liberation Army.
Cyber security analyst Jeffrey Carr has pointed out that the report leaves a lot to be desired, and that some of the claims about linking APT-1 to the PLA Unit 61398 appear to be wrong. There’s no reason to suspect that Carr naively wants to protect China. His comments rather illustrate the difficulty of attributing cyber “attacks” or “espionage” to particular actors.
Yet establishing such a chain of evidence is the whole point of the Mandiant report and the reason it got so much attention!
The successful attacks themselves are hardly newsworthy anymore. They just show that neither security nor obscurity can guarantee online safety. Even the most expensive protection gets outsmarted, and even irrelevant targets are under attack. It’s not just about Boeing, Iranian centrifuges, or the New York Times. A friend’s private blog was recently shut down (by a bored teenager?), and Berlin-based pizza delivery websites suffered from DDoS attacks for months (link in German) when a competitor payed a third party to put them out of business.
The point, again, is that normally you can’t put a finger on the people behind those incidents. Except for the likes of Anonymous or lulzsec, the intruders usually don’t brag about their actions, and if they do they hide behind pseudonyms. Also, hardly anyone ever gets caught red-handed. Even when you show that one of the attackers used e-mail passwords matching the ID code of the PLA unit allegedly running the attack (PDF, page 57-58), that’s only circumstantial evidence. To find out more, you would need more than digital detective work, and that’s very difficult once old-fashioned national borders come into play.
What does that mean for students of international relations? The answer to transnational criminal activities could be a legal regime against cybercrime, with judicial cooperation, extradition treaties, and so on. Another difficult question concerns digital activism: Should consumers be allowed to temporarily put corporate websites out of service as a form of protest? What should happen to people like Bradley Manning and Julian Assange? That may be a matter of domestic laws, yet it can easily have a transnational dimension.
Finally, what about state-run cyber attacks and espionage? An article in Süddeutsche Zeitung recently discussed the possibility of “digital deterrence” and a balance of cyber threats (link in German) and vaguely stated that the U.S. might be successful with their attempt to scare potential attackers off. In fact, there can be no such balance of threats.
The balance of threat theory (as articulated by Stephen Walt in 1985) holds that states will counterbalance the offensive capabilities of rival states if these are perceived as a threat to one’s own security. It is based on the assumption that these capabilities are objectively quantifiable and offensive actions clearly attributable to the opponent. This is a prerequisite for the stable and potentially peace-enhancing “balance” of threat to make sense: Only if you see what the other has got and if you can show the other how much it will hurt her if she attacks you, the implied consequences may keep offensive intentions at bay.
However, with cyber threats the correct analogy is not warfare, but espionage and sabotage. You can’t have operational capabilities that cancel each other out via mutual physical destruction (e.g. tanks) or deterrence (nukes). Covert operations are going on around the clock and, to make matters worse, there are tons of civilians around: White-hat consultants, black-hat criminals, both types of activists, and last but not least bored high school kids all make it difficult to reliably attribute anything to anyone. It is precisely this uncertainty about the origin of attacks as well as about the locus and extent of offensive cyber capabilities which inhibits a proper balancing of threats.
As long as cyber espionage and sabotage cannot be unambiguously detected and traced back, there is no deterrence. As long as citizens do not stop their own governments’ ambitions, there is no incentive to stop investing in operational capabilities. And as long as there is mutual mistrust and the costs seem negligible, who could resist using cyber attacks?