Written by James A. Lewis
We can draw upon twenty years of experience with cyber operations to identify common elements in their use. Countries use cyber operations in a manner consistent with their larger national strategies. Cyber operations are another tool in the portfolio of coercion available to states, but it is one they use with caution to avoid retaliation. Malicious cyber actions follow the larger pattern of relations among states. Where there is competition or hostility, malicious cyber action is likely. Putting cybersecurity in this larger strategic context lets us chart with some accuracy the map of cyber conflict in Asia and from this, begin to map elements of cyber risk that states face and must manage.
As the DPRK’s nuclear and missile capabilities improve, it will be tempted to increase the use of aggressive cyber actions in its coercive diplomacy.
True attacks are rare. There is a substantial gray area when a cyber action does not fit neatly into the categories of use of force or armed attack that guide international relations in the physical world. The leading military powers are developing cyberattack capability for use in armed conflict, but the most frequent use is to hack opponents for espionage and sometimes for coercive effect. Cyber espionage is omnipresent. The degree to which countries engage in cyber espionage is shaped by their larger interests and by their views of potential competitors and opponents. An ASEAN country faces few technical or budgetary constraints if it wished to spy on Iceland, for example, but there is no incentive to do so.
If this is the pattern of behaviour we can observe in state use of cyber operations, we can then map the interrelationships in cyber conflict in Asia using publicly available sources. There are four countries that have used offensive cyber operations in pursuit of national goals – China, Russia, the U.S. and the DPRK. Another four countries– Australia, Singapore, India and the ROK- have or are developing such capabilities (Japan’s cyber operations capabilities are still at a nascent stage). Other countries in the region, particularly ASEAN states, have varying degrees of defensive capabilities, few of which could be considered adequate for national defense.
- Russia, although capable and aggressive, has focused its attention on the U.S., Western Europe and the “near abroad.” It is also likely that Russian cyber espionage is directed against China, India, and Japan.
- China has made extensive use of cyber operations for espionage purposes, directed against the U.S., Russia, India, Australia, New Zealand, Japan and Korea, as well as dissident groups and countries outside of the region, but it has not used “force” in cyberspace, in the sense of seeking to disrupt services or damage computer resources
- The U.S. has, judging from public sources, engaged in extensive espionage operations against China, Russia and the DPRK, and probably others. It has also been charged in the media with using cyber operations to interfere with DPRK missiles tests.
- The DPRK has launched disruptive and coercive cyber actions against the U.S. and the ROK, engages in cyber espionage against these countries, and has attempted political influence operations against the ROK. It does not seem to have used cyber operations against other countries (particularly China and Japan, given its interest in maintaining good relations).
- While the U.S. and its treaty allies cooperate in defensive actions, the same is not true for the other regional “cyber powers,” creating what might appear to be a kind of free for all in cyberspace but is best seen as a series of overlapping bilateral cyber conflicts that are largely independent of each other.
Russia and the DPRK share involvement in cybercrime – carried out by government actors in the DPRK and by criminal groups operating with government support in Russia. The DPRK appears to be moving its wide-ranging criminal activities into cyberspace and the RGB operates its cybercrime activities from some of the same southeast Asian countries it has used for conventional criminal activities. Cybercrime is global in scope and driven by financial (rather than political) motives. A poorly protected bank can be hacked from anywhere in the world. These criminal activities pose the greatest risk to Southeast Asian countries, given the potential to disrupt national and regional financial systems. It is the risk of financial cybercrime more than anything else that points to the need for a cooperative arrangement in ASEAN for information sharing and defense.
Leading military powers are integrating cyber operations into their forces and planning. This is inevitable as the growing dependence of modern weapons systems on computer technology creates new vulnerabilities. Opponents routinely probe each other’s weapons systems to find ways to disrupt them, and they will use what they find in combat.
However, use of the most damaging cyber techniques is unlikely outside of armed conflict. A cyberattack on major targets, like the nuclear power plants or the electrical grid creates the unacceptable risk of an overwhelming response. Countries are reluctant to gamble that actions against such sensitive targets will remain covert and not provoke retaliation. Major cyberattacks will only occur when a country has already decided to go to war. Even then, attackers will try to manage risk, by limiting cyberattacks to specific regions (like the South China Sea) or to less sensitive targets. The greatest brake on action is uncertainty over attribution, retaliation, and escalation (attribution is not impossible – attackers don’t know if their opponent will be able to see through any tricks and identify the real culprit).
The exception to this is the DPRK. Consistent with its larger strategy of using provocation as part of coercive diplomacy, the North has been less constrained in its use of cyber operations and some of its “attacks,” such as the 2013 data disruption against ROK banks and media, approach the level of the use of force. As the DPRK’s nuclear and missile capabilities improve, it will be tempted to increase the use of aggressive cyber actions in its coercive diplomacy.
Cyber operations create a new avenue for conflict and competition, but that avenue follows the general direction of pre-existing tensions. Given the above mapping of cyber operations, we can identify three sets of activities that would advance the regional cybersecurity agenda: bilateral exchanges among opponents to reduce the risk of miscalculation; regional cooperation to improve defenses against cybercrime; and capacity building not only on technical means but on the ability to create national cybersecurity policies. Progress in these areas has been slow and uncertain, and the region would benefit from more energetic diplomatic efforts, based on a realistic appraisal of risk, to change this.
James A. Lewis is a senior vice president at CSIS, where he writes on technology, security, and innovation. Before joining CSIS, he worked at the Departments of State and Commerce as a Foreign Service officer and as a member of the Senior Executive Service. His government experience includes work on a range of politico-military and Asian security issues, as a negotiator on conventional arms transfers and advanced military technology, and in developing policies for satellites, encryption, and the Internet. He received his Ph.D. from the University of Chicago. He tweets at @james_a_lewis and @CyberCSIS. Image Credit: CC by Christiaan Colen/Flickr.