Jonathan Millican is a first-year university student from Harrogate, northern England. He says he does not think of himself as a “stereotypical geek,” but having been crowned champion in Britain’s Cyber Security Challenge, the 19-year-old is bound to take some stick from his undergraduate friends at Cambridge.
The competition is not well known, but it is well contested. About 4,000 people applied to take part this year, hundreds were seen by judges and 30 were selected for the final in Bristol, southwest England, on March 10.
After a day of fighting off hackers and identifying viruses in a series of simulations, Millican triumphed, giving him legitimate claim to be the brightest young computer whiz in the UK.
Though he may not recognize it yet, Millican has become a small player in a global game. There is a dotted line that links him to an ideological battle over the future of the Internet and the ways states will use it to prosecute conflicts in the 21st century.
The remaining Cold War superpower, the US, is slowly squaring up to the emerging behemoth, China, in a sphere in which Beijing has a distinct advantage — cyberspace.
Experts estimate China has as many “cyberjedis” as the US has engineers and some of them, with backing from the state, have been systematically hacking into and stealing from governments and companies in the West, taking defense secrets, compromising computer systems, and scanning energy and water plants for potential vulnerabilities.
The scale of what has been going on is only now being recognized and with a discernible sense of panic, the US and the UK are trying to make up lost ground.
One important way of shoring up the West’s defenses involves recruiting a rival army of computer specialists to defend the systems being attacked.
This is why the UK began the Cyber Security Challenge last year, and why Millican and other participants have been discreetly courted by the Government Communications Headquarters, the UK government’s electronic eavesdropping center, which is on the frontline of this new power struggle.
The explosion in Internet use, and the almost complete reliance on computer systems to run and record our daily lives, have opened up endless opportunities for thieves, spies and vandals to exploit the platform.
Though it is still evolving, the push-back has started. The Guardian has spoken to senior officials in the US and UK governments, as well as specialists and independent think tanks in London, Washington and San Francisco, who agree that the West is galvanizing itself to adopt a far more aggressive approach to a problem for which there is no precedent. The stakes have suddenly become very high.
Over the past 18 months, there has been a concerted effort to highlight the relentless nature of day-to-day attacks on businesses and government departments. The administration of US President Barack Obama estimates that 60 percent of small firms that are hacked go broke and billions of US dollars worth of intellectual property have been stolen from industry, including military blueprints from leading defense contractors.
In the political shadows in London and Washington, cyberspace has been moved more formally into the military sphere, so that those responsible for the attacks understand that retaliation is now part of the game.
Though much maligned, the UK’s strategic defense and security review in 2010 may prove to have been a historic punctuation mark in this process.
The review made the threats from cyberspace a “tier one” priority, because Downing Street considered them a genuine threat to national security.
The US is moving in this direction, too. On Jan. 17, US chairman of the Joint Chiefs of Staff General Martin Dempsey set out a significant change in position. In a 70-page document that was largely ignored and almost completely impenetrable, he said the US intended to treat cyberspace as a military battleground.
“Disrupting the enemy will require the full inclusion of space and cyberspace operations into the traditional air-land-sea battle space ... [they have] critical importance for the projection of military force. Arguably, this emergence is the most important and fundamental change ... over the past several decades,” he said.
The military has long had basic cybercapabilities, such as equipment for jamming signals, but the more sophisticated weapons are seldom spoken of and rarely used, in part because there has been no formal code of conduct.
This has prevented the US from routinely deploying its most destructive cyberweapons, including during the Libya campaign last year, when the Pentagon gave Obama the option of disabling then-Libyan leader Muammar Qaddafi’s military computer network with a targeted cyberattack. The White House decided against it, but the Dempsey doctrine will give the president and General Keith Alexander, the head of US Cyber Command, more confidence next time.
Officials in the US and the UK privately concede they have been developing a range of new “offensive” cyberweapons and a rulebook for their use.
“If we know that someone is about to launch a cyberattack on us, then we will pre-empt it,” one Whitehall official said. “We have that capability and we will use it, even if the bad actors are based abroad.”
The US Department of State now regards cybersecurity “as a foreign policy priority” and Obama administration officials insist “the laws of conflict apply to cyberspace.”
“If there is significant information of a cyberevent, we reserve the right to use tools in our toolbox,” an official said. “When does a cyberattack achieve critical level? When one can attribute an attack that deliberately causes loss of life.”
Paul Rosenzweig, who spent four years as US deputy assistant secretary in the Department of Homeland Security until 2010, is skeptical that a cyberwar will happen soon.
“[Though] we may have cyberwar as part of another war. I would hope and pray and assume that they [China] are as worried about that as we are,” he said.
“In cyber, we are where the counterterrorist community was on Sept. 12, 2001,” said Frank Cilluffo, US special assistant for homeland security under former US president George W. Bush at the time of the 9/11 attacks. “I have come to the conclusion that we can no longer firewall our way out of the problem. We need to talk about offensive capabilities to deter bad actors. I don’t think that you are going to see warfare without a cyber dimension in the future ... that is a given. I think warfare as we think of it today will take on these dimensions.”
With a buildup of cyberweaponry on both sides, Russia and China have called for negotiations to start on new treaties to govern what is permissible in the domain. The Russians, in particular, have favored arms-control-style agreements and in September last year, Moscow and Beijing formally proposed to the UN a new international code that would standardize behavior on the Internet.
That has been flatly rejected by the UK and the US. They argue arms-control treaties would not work because it would be almost impossible to verify the weapons each state had — computer viruses are more easily hidden than nuclear missiles.
The new international code is simply an attempt by Russia and China to stifle free speech on the Internet in their own countries, the UK’s Foreign Office says.
“It is too late for new formal treaties,” one senior source at the UK Ministry of Defence said. “If we go down that road, it will be years before anything emerges. This is China and Russia trying to kick the issue into the long grass.”
However, the alternative is almost as far-fetched and perhaps more nebulous. British Foreign Secretary William Hague has been calling for countries to agree on a “rules of the road” in cyberspace, with respect for international law, rights to privacy and protection of intellectual property at their core.
This puts huge emphasis on goodwill between countries and the harmonization of existing laws to make it easier for investigators to cross international boundaries. It is as unpalatable to China and Russia as their ideas are to the West.
“It’s not at a point where I would call it cyberwar yet, but it’s close,” said Larry Clinton, president of the Internet Security Alliance, which represents a group of multinational companies, including many in the defense and aviation sectors. “I think we are certainly seeing an arms race with respect to cyber. We did well to get through the nuclear age. We did well with chemical weapons. If we can do as well with cyber, that would be great, but we don’t really have a theory — I am not sure what the theory is. We don’t have a model set up for how we are going to deal with this.”
Developing cyberweapons and a methodology for using them is only one part of this complex new puzzle.
Though government departments are continually under attack, it is private industry that suffers most from hackers. The frightening scale of the theft of intellectual property and the potential knock-on effect for fragile economies underpinned the UK’s decision to say it must now be regarded as a genuine threat to national security.
This, in turn, is forcing governments to expand the boundaries of what might trigger a military response to include theft, albeit on a massive scale.
Rosenzweig estimates that 85 percent to 90 percent of the US’ digital infrastructure is in private hands.
“I am pretty sure it’s the same in Europe,” he said.
Though it is hard to make calculations, one survey last year commissioned by the UK’s Cabinet Office estimated that the British economy lost £27 billion (US$43 billion) to cybertheft in 2010.
The US gave up trying to calculate precise values nine years ago, when the number of known “cyberintrusions” reached 100,000 in a year. One respected Washington think tank put the cost of cybertheft in the US last year at roughly US$100 billion.
The US’ biggest companies have spent a similar amount beefing up their cybersecurity in the past five years, but analysts say this has not been enough to prevent “significant military losses” involving stealth, nuclear weapon and submarine technology, though none of the companies involved will admit it.
Without giving away details, FBI Executive Assistant Director Shawn Henry confirmed that military networks and defense contractors had been hit hard by hackers.
“A tremendous amount of information has been stolen from those networks by a variety of state actors,” he said.
However, there is another dimension of cyberespionage which is, in some ways, more disturbing.
“We know that Russia and China have done the reconnaissance necessary to plan to attack US critical infrastructure,” said Jim Lewis, of the Center for Strategic and International Studies, a Washington think tank.
Lewis was commissioned by Bush in 2008 to write a cyberstrategy for the government, which is still regarded as a benchmark.
“You might think we should put protection of critical infrastructure at a slightly higher level. It is completely vulnerable. It is totally unprotected,” he said. “This isn’t made up. I have been doing this for a long time. We know that people have done the reconnaissance, we know that control systems can issue commands to destroy critical infrastructure. We know all this and we have done nothing to defend ourselves ... we have been trying for about seven years to deter people and it doesn’t work.”
Henry said his agency was now dealing with thousands of attacks every month. The agency has people in 63 countries specifically to deal with online threats.
“We recognize that there are vulnerabilities in infrastructure,” he said. “There are thousands of breaches every month across industry and retail infrastructure. We know that the capabilities of foreign states are substantial and we know the type of information that they are targeting.”
“We have seen adversaries that have been in networks for many months, or even years in some cases, undetected,” he added. “They have essentially had free rein over those networks ... looking at information that is transiting that network, with the ability not only to review that data, but potentially to change that data. They have complete ability to disrupt that network entirely.”
Henry said attacks are becoming much more sophisticated.
“Every step that the defense makes, the offense changes its tactics,” he said.
Rosenzweig believes this mapping of critical infrastructure — such as energy or water plants — is seen within government as “preparation of the battlefield.”
It is, he says, China’s way of saying: “Don’t send the 7th Fleet to save Taiwan, or we will take out the electricity supply in Los Angeles.”
The US is using the Idaho National Laboratory to run simulations testing the robustness of the US’ most important computer networks, but these take time.
With so much at stake, the Obama administration is pushing for proper domestic regulation and standards in cybersecurity, but that is being resisted by private companies, even though it may force them to close the gaps that are being exploited.
Three competing bills are currently vying for votes in the US Congress, including one from former US presidential candidate John McCain, who wants to fend off government oversight and the prospect of companies being fined — or sued — if their cyberdefenses do not come up to scratch.
Though the arguments are running along party lines, there is no argument about the fundamental problem and where it is sourced from.
“Anyone who is significant on either side of the aisle is running around with their hair on fire,” Rosenzweig said. “The influential voices on both sides are saying it’s a problem. It’s a real problem and it’s a real problem right now. General Keith Alexander says he is seeing it, and he’s not the sort of guy to make things up.”
There is no doubt about the main culprit, Rosenzweig said.
“China denies it, but this is one of the baldfaced lies that people get away with because we don’t want to face the consequences. China has more computer programmers than the West has engineers. Not everyone is a ‘cyberjedi,’ but if you have 1 million computer programmers, you will find 1,000 jedis. We have a lot of IT professionals, but they are not the same thing — we don’t understand the culture,” he said.
“The Chinese clearly have no restraints when it comes to espionage,” said Dmitri Alperovitch, one of the world’s leading independent cybersecurity analysts. “In the US, economic espionage by either private sector or government is prohibited by policy and the Chinese are certainly not constrained by such measures. When it comes to volumes and sheer scale, no one even comes close to them.”
The audaciousness of some of the attacks has been astounding. Earlier this month, NASA inspector general Paul Martin revealed that the space agency’s Jet Propulsion Laboratory (JPL) headquarters in Pasadena, California, had been compromised by an attack that appeared to come from China. JPL manages 23 spacecraft, including missions to Jupiter, Saturn and Mars, and it controls the International Space Station.
In a testimony before the US Congress, Martin said hackers had “gained full system access” to JPL, allowing them to modify, copy or delete sensitive files, create new ones and upload hacking tools to compromise other NASA systems. In short, they were running the network. This was only one of 47 cyberattacks on NASA last year — 13 of which successfully compromised the agency’s firewalls.
Martin said some of the intrusions “may have been sponsored by foreign intelligence services seeking to further their countries’ objectives.”
There is debate on how effectively and for how long a cyberattack from China could knock out an energy supply or communications hub. Clinton said it would not be easy, but it would be foolish to think it was not possible.
“Older technologies tend to be safer than newer technologies. Copper wire is more secure than fiber, and the problem is the interconnections. We don’t have nearly the degree of air-gapping that we once did,” he said. “You can get into a weapons system and you won’t even know that system is compromised until you set it off, and then it comes back and hits you in the face ... the sort of attacks that were considered sophisticated six years ago are considered elementary now.”
If the threat is that great and the belief that China is behind it so widely held, why hasn’t the US been more robust in condemning Beijing?
It is a question the US Department of State refuses to answer. It will not even say if it has used normal diplomatic means — summoning an ambassador or expelling someone from the embassy.
Melissa Hathaway, who was director of the Joint Interagency Cyber Task Force under Bush and was on the National Security Council in the first year of the Obama administration, thinks the reticence is understandable.
“We need to think about our roles and the economic future of the world. What would you like the future of the economy to look like? Quite honestly, right now, we are all dependent on China. All of us. They have bought a lot of European debt, they have bought a lot of US debt. They are helping to promote world stability right now,” she said.
The US has been pursuing another route to the Chinese, reaching out to Beijing using think tanks as proxies and engaging them in “cyberwar” games.
It is the only chance the Pentagon and the Department of State get to sit across the table from their Chinese counterparts, to express their own fears and to hear those of China. One hope is that the talks will lead to an equivalent of a nuclear hotline from Washington to Beijing, so leaders can talk before a situation gets out of control.
While the US may be pleased it is finally getting its message across, Lewis is not convinced the Chinese are listening and he does not think they will stop their activity in cyberspace.
Having dealt with the Chinese military for years, he says the People’s Liberation Army is hostile.
“They see the US as a target. They feel they have justification for their actions. There is a sense that China has been treated unfairly and so they have a right to catch up. Britain and France may have burned the summer palace, but the US has become the symbol of imperialism, and they think the US is in decline,” he said.
Because much of what former US president Donald Trump says is unhinged and histrionic, it is tempting to dismiss all of it as bunk. Yet the potential future president has a populist knack for sounding alarums that resonate with the zeitgeist — for example, with growing anxiety about World War III and nuclear Armageddon. “We’re a failing nation,” Trump ranted during his US presidential debate against US Vice President Kamala Harris in one particularly meandering answer (the one that also recycled urban myths about immigrants eating cats). “And what, what’s going on here, you’re going to end up in World War
Earlier this month in Newsweek, President William Lai (賴清德) challenged the People’s Republic of China (PRC) to retake the territories lost to Russia in the 19th century rather than invade Taiwan. He stated: “If it is for the sake of territorial integrity, why doesn’t [the PRC] take back the lands occupied by Russia that were signed over in the treaty of Aigun?” This was a brilliant political move to finally state openly what many Chinese in both China and Taiwan have long been thinking about the lost territories in the Russian far east: The Russian far east should be “theirs.” Granted, Lai issued
On Tuesday, President William Lai (賴清德) met with a delegation from the Hoover Institution, a think tank based at Stanford University in California, to discuss strengthening US-Taiwan relations and enhancing peace and stability in the region. The delegation was led by James Ellis Jr, co-chair of the institution’s Taiwan in the Indo-Pacific Region project and former commander of the US Strategic Command. It also included former Australian minister for foreign affairs Marise Payne, influential US academics and other former policymakers. Think tank diplomacy is an important component of Taiwan’s efforts to maintain high-level dialogue with other nations with which it does
On Sept. 2, Elbridge Colby, former deputy assistant secretary of defense for strategy and force development, wrote an article for the Wall Street Journal called “The US and Taiwan Must Change Course” that defends his position that the US and Taiwan are not doing enough to deter the People’s Republic of China (PRC) from taking Taiwan. Colby is correct, of course: the US and Taiwan need to do a lot more or the PRC will invade Taiwan like Russia did against Ukraine. The US and Taiwan have failed to prepare properly to deter war. The blame must fall on politicians and policymakers