SAN FRANCISCO – A panel of security and policy experts said that, despite dire warnings about the information warfare capabilities of China and other developing nations, the risk of an all-out cyber war is remote, and that the U.S. still holds many of the cards.
Despite widespread portrayals of China as a cyber aggressor, the country’s civilian and military leaders are seeking input from U.S. policy experts as they weigh the role that cyber offense and defense will play in their country’s foreign policy and defense, the panel told attendees at the RSA Security Conference in San Francisco on Wednesday.
The cadre of top cyber security policy experts took part in a panel titled Cyber Battlefield: The Future of Conflict on Wednesday. Panel members offered differing opinions about the dimensions of the cyber threat, but a consensus on the need for using tried and true methods in the new realm of cyber conflict. International diplomacy, multilateral agreements that clarify the parameters for peaceful and hostile cyber actions and a strong offensive deterrent were a must, experts said.
“With China, multilateral efforts are particularly important,” said Adam Segal, a Senior Fellow for Counter Terrorism and National Security Studies at the Council on Foreign Relations. “If we can get India, Brazil, South Africa and other countries to join with us, we’ll have a lot better chance of getting the Chinese to see things our way.”
Old-fashioned diplomatic horse trading will also be a critical tool for avoiding conflict and stemming the kinds of economic and military espionage that have become common in recent years.
“We have our list of priorities and the Chinese have theirs,” said Dmitri Alperovitch of the firm CrowdStrike. “There has to be some sort of diplomatic transfer where there’s a trade-off.”
The U.S. also has to start building up its allies by sharing its native cybersecurity expertise.
“There’s a huge need for capacity building in these countries where the security expertise is thin on the ground,” Segal said. “If we’re not in there, then (Mainland networking technology firm) Huawei and the Chinese will be, and you’ll end up with different norms about information flow and control.”
Finally, deterrence will play an important role in avoiding conflict, as it did in the Cold War with Russia.
The Chinese military appreciates that both it and the U.S. have cyber offensive capabilities and defensive vulnerabilities – “big stones, and plate glass windows,” said Lewis. “We’re back to mutually assured destruction.”
Others said that the military shouldn’t look any differently at hostile cyber actions than it would at physical attacks or efforts to undermine U.S. sovereignty.
“The U.S. posture has always been that ‘if you annoy us, we’ll do bad things,’” said Martin Libicki, a Senior Scientist at RAND. “We don’t need to be more specific than that.”
Still, panel members said that the People’s Republic and People’s Liberation Army are still unsure about the proper role of cyber offensive capabilities in their own plans, despite the country’s image as a finely oiled cyber warfare machine.
“The Chinese have not thought about cyber war as politics by other means,” Libicki said. He added that the Chinese military may have probed critical infrastructure such as electrical grids of the U.S. and its allies, but “there’s a big difference between doing reconnaissance and understanding how systems fail. Going into systems doesn’t necessarily give you that.”
In fact, the country’s leaders are anxious to hear the opinions of U.S. policy experts on what an effective cyber war doctrine and policy should look like.
“Many of us up here are being asked to meet with the Chinese in advanced seminars,” said James Lewis, a Senior Fellow at the Center for Strategic and International Studies. Beyond that, many of the country’s articulated policies on the role that cyber capabilities will play in national defense appear to closely resemble published U.S. position papers and doctrine, said Eric Rosenbach, a Deputy Assistant Secretary of Defense for Cyber Policy at the Department of Defense.
The panel went on to discuss the proper role of the U.S. Government in securing private infrastructure domestically, and in concert with its allies. The U.S. needs to continue building its cyber capabilities, in the same way as it has built other warfighting capabilities (think: pilots in World War II) when the need arose.
More government efforts to promote software security and to protect critical infrastructure from attack are needed. Uncle Sam could also put more research and development dollars behind research into new security technology and look for ways to ensure the continuation of critical supply chains in the event of a hot war – cyber or otherwise.
Panel members were divided on the question of whether information gleaned through military or intelligence operations should be shared with private sector firms to protect the nation’s economic interests. Still, all those options – and more – are clearly on the table within policy circles in Washington D.C.
“We as a nation know what steps we need to take to reduce our risk in cyber space,” said Lewis of CSIS. “We may not want to, politically, but we know what those steps are.”
A hot topic of conversation now within policy circles, cyber war is likely to end up as just another weapon in the arsenal of the U.S., China and other advanced nations, said Lewis. “People will figure out how to use it.”