At first glance, the United States, China, and Russia all have similar public attitudes toward cyberwarfare. By and large they deem cyberwarfare and cyberespionage to be criminal or undesirable. But when we dig a little deeper, we notice that each nation has official policies allowing for cyberwarfare under certain conditions. While the United States’ policies do not promote all-out cyberwarfare, its strategies are akin to those of Cold War-era deterrence. China publicly denies cyberwarfare, but its military, government, and public all have the capability to engage—and have done so on several occasions against the United States and other nations. Russia tends to engage in acts of political subterfuge, but it has also been accused of deploying cyberattacks to support military operations in Georgia and Ukraine. What we have, then, are three permanent members of the United Nations Security Council who outwardly condemn cyberwarfare but readily engage in it out of the public view.
The American View
As the United States holds much economic and martial power in the world, it has become a prime target for cyberattacks. We don’t have to look far to find evidence of the United States’ susceptibility. In a rather infamous example, the attack on the Office of Personnel Management exposed personal information of over 21 million Americans. That attack is a signal of a worrying trend in the US federal government. The US Government Accountability Office has found that 18 federal agencies have systems that face frequent, serious cyberattacks from other nations. In another report, the agency found that 19 federal agencies have significant deficiencies in their cybersecurity. In response, cybersecurity has become a priority for federal spending. In 2017, the federal government is projected to allocate $19 billion for cybersecurity across its agencies. The Pentagon, in particular, plans to spend just under $1 billion of its $6.7 billion cyberspace budget in 2017 to increase cyberdefense measures.
Official US cyberwarfare policy is mostly one of defense, deterrence, and retaliation. The United States tries to be less aggressive than other nations. It would appear that US cyberwarfare emphasizes deterrence, especially of Chinese and Russian cyberattacks. In its 2015 cyber strategy, the Department of Defense identifies cyberattacks as the “number one strategic threat to the United States.” Crucially, the same strategy specifically identifies China and Russia as adversaries of the United States in cyberspace. The strategy is thus designed to defend against and to deter attacks from these nations. The White House takes it one step further by confirming that the United States will retaliate in self-defense against acts it deems to be cyberwarfare. That being said, the United States has also publicly committed itself to fulfilling its commitments to the guidelines set forth by the UN and the European Union. That is, the United States will work with other nations to promote cyber norms and behavior that foster peace in cyberspace.
The Chinese View
In a way, China’s attitude toward cyberwarfare is conflicted. On the one hand, China’s State Council has issued guidelines to prevent cybercrime and to protect personal information. This fits reasonably well with the goals of the UN. Indeed, the Chinese government regularly condemns cyberattacks while proclaiming its own victimhood, usually at the hands of the United States.
On the other hand, the Chinese military has built a large force whose purpose is to secure Chinese cyberspace and to provide combat capabilities in cyberspace. According to recent publications, the government has denied any support for cyberattacks, which runs contrary to the increasing numbers of cyberattacks attributed to China. It’s interesting to note that Chinese government documents have explicitly acknowledged that the Chinese military is capable of cyberwarfare and is certainly willing to engage. In fact, China breaks its cyberwarfare capabilities into three categories: (1) military forces with special training; (2) authorized civilian organizations like the Ministry of State Security; and, (3) nongovernmental forces that can be organized and mobilized at any time. Clearly China is not innocent when it comes to cyberwarfare, and it looks like they have no intention of deescalating their cyberwarfare capabilities anytime soon.
The Russian View
Official Russian policy toward cyberwarfare has been public since the 2010 Military Doctrine emphasized the greater role of information warfare in the military’s combat capabilities. This was further developed by policy efforts in 2012 to improve cybersecurity, fight cybercrime, and prevent cyberattacks. To this end, it would appear that Russia is keeping with the global norms established by the UN and the European Union. These public-facing policies may be a red herring, however.
Russia has been engaging in cyberattacks at least since its 2007 attack on Estonia and its 2008 invasion of Georgia, although the majority of its efforts have not been explicit acts of war. Rather, Russia has exercised its cyber capabilities against enemies to demonstrate its capability and willingness to use force in response to undesirable political decisions. Though Russia has been prolific in its cyberattacks, its attitude is geared much more toward espionage and subterfuge than outright acts of aggression. To this end, Russia has been able to exert a considerable degree of influence in the real world.
Essentially Russia is working to combine successful Cold-War era techniques with modern technologies, especially on the internet via social media. It’s important to note here that Russia doesn’t hold the common Western view of cyberwarfare. Rather than referring to its operations as cyberwarfare, official policy opts for “information war.” So, in the abstract, Russia isn’t necessarily concerned with attacking and controlling cyberspace; the end goal is to control the content and distribution of information. Russian cyberwarfare is therefore de facto cyberespionage. Rather than attack openly and aggressively, Russian operators infiltrate adversaries’ systems and work to corrupt from the inside out through a campaign of disinformation. Although the effects of such a campaign may not necessarily show immediate, physical damage, the real-world impacts could damage public trust and international relations.
These marked differences in cyberwarfare strategy should give pause to policymakers and global leaders. How can permanent members of the UN Security Council publicly discourage cyberwarfare while building up their own capabilities? It’s a worrying trend that escalates with each new state-sponsored attack. Surely there’s some good to be had in having a strong cyber infrastructure, but serious efforts need to be taken to ensure that infrastructure isn’t abused. The United States, China, and Russia are working to remedy this problem. For example, the United States and China recently came to an agreement on cybercrimes against businesses. The United States and Russia came to an understanding in 2013, but Russian activities in Ukraine and Syria have since strained relations between the two. Unfortunately, it seems Russia is more interested in improving relations with China than the United States. Although the United States, China, and Russia have been working on their own, the UN has the opportunity to take a more prominent, leading role in the global effort.