The overthrow of the current world order and the leader of the next may well be determined by the winner of cyber warfare. America’s current capabilities in this respect do not assure it of that role. In fact, with every transaction that America executes as part of ‘America First’, it undermines the current world order, and potentially furthers the position of its rivals, leaving the US and its allies open to state and asymmetric cyber-attacks. Leveraging cyber technology and the possibilities that it offers, China and Russia have a unique opportunity to precipitate the decline of American power in the first half of the 21st century, aided by a wide array of independent and semi-independent actors that see America as a target to be assaulted. Should America’s allies, given their dislike of the current administration’s style and rhetoric, choose to quietly celebrate its losses from the sidelines, their democracy and freedoms are also at risk. Further, lest America’s foes gloat, America will not go quietly and perceive their very existence as a threat by it. This paper examines critical recent developments in the cyber arena, the components, catalysts and drivers of its rapid development and the risks it poses for the world, pointing to the need for a global cyber security order. America’s leadership represents that best chance the world has for creating a stable cyber order as part of the emergence of a new world order.
The Need for Global Cyber Rules and the Case for American Leadership: 10 Key Takeaways
- The global cyber disruptions occurring in the world today are indicative of the shift of civilisations away from the industrial to the informational, auguring the demise of the current world order
- Among these disruptions is an unprecedented proliferation in cyber warfare capabilities, driven by the dissemination of digital technology among both states and non-state actors, led by Russia and China
- Cyber attacks are becoming more sophisticated and more strategic, evolving from simple cyber theft to asserting control over physical infrastructure and critically undermining governments and political systems
- Further, with the increasingly ubiquity of digital technology and the merging of digital and physical world systems, the potential physical destruction capability of cyber is increasingly catastrophic
- 5. No country has yet built a comprehensive cyber attack and defence capability. While America continues to lead the world in cyber capabilities, the asymmetric nature of cyber warfare favouring attackers and the speed of innovation enables smaller countries to pose credible threats to the US and other nations
- Managing these rising global cyber threats will require countries to act at both the national level (building capabilities, investing in technology) and at the international level (working with partners and establishing rules)
- Existing global frameworks and institutions cannot manage cyber space but provide the core principles for incorporating global rules across cyber warfare, security, trade and finance
- Given the critical importance of cyber as one of the key control points of any new world order that emerges in the 21st century, America cannot afford to not also lead in establishing the cyber rules of conduct for the world
- Recent actions by the US have called into question its continuing commitment to the rules of conduct and principles upon which it established the western liberal order after World War II, as well as its willingness to lead in the creation of new rules
- Leading in cyber will require America to reaffirming its previous principles and carrying them over into the digital space, as well as (re-)assuming its role as a global leader with full cyber attack and defence capabilities and dominance in digital trade, commerce and finance
In the last five years, the cyber world has asserted itself into the most fundamental workings of the physical world. The overthrow of industrial businesses by information ones in the top league of companies is one sign of the transition to a digital age. However, the use of cyber to influence the outcome of elections in the West and the lack of any meaningful retaliation by the targets demonstrates that the lessons from this transition have not yet been internalised by the industrial age leaders, despite digital attacks that threaten to undermine the foundations of the democratic political systems of the west.
Five years ago, the Sign of the Times published a paper on the strategic importance of cyber capabilities to the US and its importance to America’s pre-eminent position as a global superpower in the 21st century. At the time, the focus was on the increasing importance of the cyber arena to America’s foreign, domestic and security policy. Today, many of the core issues covered in the original paper remain unaddressed, even though the accelerating advances in digital technology, the ubiquity of networks and the documented cyber attacks on the US and its allies make the issues raised even more urgent now than they were are the time. The spread of digital technology and its rising importance in multiple walks of life makes the case for cyber security across all of society, at the personal, community, corporate and government level, self-evident. Since 2013 the percentage of the world’s population with online access has increased from one-third to currently one half. Today, seven of the ten most valuable companies in the world are technology companies, up from five years ago, and half of all global economic value is expected to be created in the digital sector by 2025 against less than 20% a few years ago. With digital and networked technology integral to the global economy and increasingly society as well, its geo-economic importance cannot be understated. In addition, both China and Russia have stated the importance of cyber warfare capabilities and, while accurate numbers are hard to determine, are believed to be investing heavily in building military cyber units. Western intelligence agencies have also identified multi-faceted attempts by Russian state-supported actors to influence the outcome of democratic elections in the UK, Germany, France, the Netherlands and of course the United States. The combination of the economic and political dimensions of digital elevates the importance of cyber to the geopolitical level. Five years after the original piece, which focused on the importance of cyber for America’s continued superpower status, the Sign of the Times is revisiting the topic and assessing cyber security and warfare through a global lens, given that digital technology raises global issues that cannot be solved by one nation or group of leading nations alone.
Introduction: The Original Thesis Revisited
Cyber power remains a matter of grave importance for geopolitics, particularly for the rising competition between the prevailing great power America and the fastest growing superpower China. Given the increasing integration of digital and physical systems across commerce, security and society, US supremacy in the physical world requires it to master the cyber arena too. The last five years have validated the original thesis and several the key thrusts of that work remain relevant today:
Cyber Warfare and Civil Society. Cyber security continues to be a national issue in the public domain of most countries across the world. The original paper asserted that personal privacy considerations, particularly in democracies, present an important check on building national cybercapabilities, an issue originally propelled into the limelight by the Edward Snowden leaks. Since then, additional personal privacy and data protection has come to the fore as investigations have revealed that Facebook has been used as a platform by numerous rivals of democracies to influence election results. In particular, Cambridge Analytica was uncovered as a user of Facebook personal data to influence Brexit voters during the UK’s vote on EU membership. While a number of laws like the EU’s General Data Protection Regulation have begun to address public concerns over data privacy, they have not slowed down data collection in the build-out of national cyber capabilities.
Power Players on the Cyber Battlefield. The core assets and skills required for nation states to build advanced cyber capabilities stretch across technology, capital and talent, requiring considerable organisation to coordinate and integrate. Five years ago, the US stood head above shoulders over the rest of the world, drawing on the world’s largest tech industry, controlling the most advanced communications networks, having the largest military and intelligence agencies, and coordinating its cyber warfare capabilities through the US Cyber Command, whose status was recently elevated by the Department of Defence to that of a unified command on par with the Strategic Command, responsible for America’s nuclear arsenal and global strike capabilities. America for the time being still dominates the cyber arena much like it does the physical world. However, America’s largest cyber competitor, China, is also executing an ambitious plan to dominate the cyber space, setting the pieces of for a future cyber battlefield.
The Shape of Warfare to Come. Cyber warfare requires a rethink of offensive and defensive strategy. An effective cyber arsenal requires multiple attack and defence strategies with reach over military and civilian infrastructure, economic systems, commercial networks, individuals, society as a whole and rival’s cyber infrastructure itself. Five years ago, America, although advanced, had not built this full capability. However, the events of the past five years make it clear that other countries have made significant inroads into some of these offensive strategies and deployed them with varying degrees of success against the United States, increasing the urgency of its capability build-up. The actions of Iranian hackers, who within a short period of time have built capabilities that enabled them to access remotely the terminal controlling the Bowman Dam in upstate New York and hack into the New York Stock exchange, demonstrate the urgent need for America building out comprehensive cyber capabilities.
Continued Need for News Rules of Engagement. International law does not adequately cover the various cyber attack and defence options open to states, creating the urgent need for new rules of engagement in cyber conflicts. However, policy makers appear to be no closer to defining or agreeing these rules than they were five years ago, and current multi-lateral negotiations appear to be stuck on some of the most basic (albeit important) issues that need to be addressed, such as the definition of what constitutes a cyber attack. Given that America and its allies have previously institutionalised a set of fundamental rules of conduct - in particular, united action under US leadership, free trade, globalisation, the increasing importance of human rights, alongside democracy, capitalism and non-proliferation – they are well suited to lead in the creation of the rules of cyber engagement and have the foundation upon which to build them. However, the words and actions of the Trump Administration call into question whether these rules are still America’s priorities in the physical world, potentially leaving the potential cyber regime without a base upon which to be built.
The intervening period since the first paper has seen significant developments in technology, society and geopolitics and that have had a fundamental impact on the shape of cyber warfare and its likely conduct, during which time China has embarked on a rapid mission to buildout its own cyber capabilities to complement its increasing geostrategic assertiveness in the physical world. America on the other hand, under the Trump Administration, has embarked on an ambitious agenda of engagement with the world in a series of transactions designed to place ‘America First’. This is leading to its own allies in Europe, Japan and the broader Greater Pacific region exploring plans for independent military capabilities to fill the void America’s actions are creating. While it will take a long time for these to come to meaningful fruition, these developments indicate a loss of America’s role as the trusted rule-setter, not to mention as the security guarantor, among its allies. The combined impact of these developments calls into question whether America will be the rule setter for cyber space or whether it will tolerate a chaotic and worldwide proliferation of cyber capabilities that provides others with the initiative. Its prodigious cyber and physical arsenal will certainly allow it to retaliate against its enemies but that is a pattern that favours the threat of deterrence over pre-emptive action, a strategy that ignore one of the fundamental lessons of asymmetric warfare, namely that non-state actors are often not deterred by the threat of retaliation and even see it as the best way to precipitate a desired conflict. Further, if its actions are not embedded in rules, America itself may be seen as a rogue power should it choose to preempt an attack and go on the offensive.
Part 1: Global Cyber-Driven Discontinuities
The physical world of five years ago feels like a very different place from today. Barack Obama had just started his second term after defeating Mitt Romney in the US presidential election, Xi Jinping, China’s newly appointed president, had just announced an ambitious reform package for the country’s economy, Angela Merkel had just won re-election as Germany’s chancellor on record opinion poll numbers and the UK was an integral part of the European Union. Fast forward five years and the West has seen a wave a political populism that has created the Trump presidency, seen the UK vote to leave the EU and Merkel announcing she will leave politics, while President Xi has established himself as a potential leader for life, centralising political power while slowing down China’s economic reform. What is less obvious is that these changes have been matched if not exceeded by dramatic shifts in the digital world. These changes augur an age in which the physical world order of the 20th century will be overturned by the cyber world; this process has indeed been accelerating during the last five years. The key components of this overthrow are as follows:
- Cyber Powers: US, China and Russia. Cyber warfare is a key element of great power politics. China and the US were initially thought to be the natural leaders of the space, with superior capabilities and resources to build and entrench their global positions. And while the past five years have in fact seen a massive cyber capability build up by China, it is Russia who has emerged as America’s principal agitator over the near-term, having compensated for its declining relevance in the international economy as well as its falling physical military strength with a systematic focus on cyber warfare. Russia has integrated cyber as a core mechanism of its broader information warfare ambitions, which include electronic warfare, information operations and psychological operations and deployed its offensive capabilities across a range of geographies and arenas. In addition to the widely accepted interference in the US presidential election Russia is also accused of among other things coordinated attacks on Estonia’s media and finance sector and government, and the Ukraine’s physical infrastructure during the invasion of Crimea, hacking into power plants and knocking out the electricity grid across parts of the country. As a result, Russia has topped the list of nation-state cyber threats in the US’s annual Worldwide Threat Assessment report issued by the Director of National Intelligence since 2015. After several decades of declining geostrategic importance in the physical world, it appears that Russia has both the capabilities and the will to be a global leader in the digital world.
- Cyber Warfare: Cyber Attacks, Fake News and the Post Truth Society. Undermining beliefs and attitudes was identified as one of six core offensive cyber attack strategies in the original Sign paper. What is astounding is how boldly this weapon has been deployed to attack western democracies in the past five years. While propaganda has long been a component of any conflict, to this has been added the spreading misinformation through the manipulation of social media and networks on an unprecedented scale. Russia, again, appears as a key player, accused of a massive campaign of disseminating fake news to influence the US presidential election, using bots and trolls to seed and amplify ‘fake’ news on discussions forums and social media platforms like Facebook and Twitter. Although there was plenty of misinformation spread, particularly about the Democrats , the main purpose of the Russian campaign appears to have been the deterioration of trust in online information generally and the reduction of space for effective political discussion on the internet by flooding social media with fake content. This, coupled with the particular style of populism deployed by President Trump - involving attacks on the US press, the regular telling of untruths (often debunked but clearly not persuasively enough for his electoral base) , his support of right-wing, previously fringe media sources and his understandable conflict of interest that led him to deny the Russians had influenced his election – created the perfect storm for Russia to test its cyber capability and escape virtually unscathed. The corrosive effect of this campaign on American democracy cannot yet be measured, but it is certainly feeding the division of its people and the dysfunctional bipartisanship that plagues the country today and may therefore be more effective than any direct cyber attack on US infrastructure or installations over the long run.
- Technology: Big Data and Artificial Intelligence. Technologies like artificial intelligence (AI) (and machine learning) are emerging as game changers across a wide range of industries, including in the cyber arena. AI is fundamentally transforming cyber security and cryptography, and automating core security processes. Moreover, the application of AI to big data analytics promises to unlock a step change in value from information, with AI estimated to add US$15.7 trillion to global GDP by 2030. Given its economic and security disruption potential, “Whoever becomes the leader in the [AI] sphere will become the ruler of the world.” Russian President Vladimir Putin, 2nd Sept, 2017 both China and the US are racing to develop AI technologies and establish a leadership position in a 21st century ‘space race’, with China’s national AI strategic plan targeting a leadership position in AI by 2025. China’s annual AI spending is projected to increase from US$12bn in 2017 to US$70bn by 2020, and China’s plan is built on private-public collaboration, envisaging innovation to be leveraged from private sector companies like Alibaba and Tencent for applications in warfare and espionage. The US on the other hand has not announced a comprehensive government strategy for accelerating AI development and adoption, and so the perception is that innovation to date is largely being driven (and paid for) by the private sector. If the US government is covertly pursuing such a programme, it is doing so quite differently from the post-World War II era when it financed IBM’s development of mainframe and computational technologies that dominated the world for decades. At any rate, America for the time being it continues to lead the field, with over three times as many AI companies and twice the number of AI patents as China has today. America has a natural advantage as an open society that provides widespread access to information and ideas, enabling mass innovation. However, the question remains whether China can overcome this advantage by throwing money at the problem and focusing on one objective, cyber warfare capability, rather than America Inc’s myriad objectives and applications.
- Cyber Attack: Shift from Commercial and Military to Political Targets. While first generation cyber attack capabilities focused on information gathering and espionage from both commercial and military targets, second generation capabilities have focused on compromising military and civilian infrastructure. Cybertheft of intellectual property is a classic example of the first, while the Stuxnet virus that infected the controls of 3,000 uranium centrifuges in Iran in 2010 and crippled the Iranian nuclear programme is a good example of the second generation. The emerging third generation of cyber attack capabilities however is focusing not on economic or military targets but on countries’ entire political systems. As stated above, Russian interference in the US elections incorporated a wide range of tactics and technologies, some of which, like hacking and leaking confidential information, were tried and tested, while others such as social media manipulation, were novel and are still evolving. Beyond economic, political and military engagement strategies, cyber technology is adding an additional dimension of engagement for countries seeking to systematically influence strategic opponents. Moreover, cyber is both cheap and more or less covert (for now), allowing national actors to wield influence at the fraction of the cost that more overt engagement strategies would incur, and at lower risk levels, too. This widening of cyber attack targets to political systems requires a rethink of cyber defence strategies: while protecting electronic voting machines from hacking is likely to use well established cyber security technologies, preventing the spread of misinformation on social networks is likely to require a new set of defences, both legal and technological.
- Threat Origins: From a Game of Great Powers to Proliferation of Capabilities. Finally, and perhaps most importantly, the world has seen an unprecedented proliferation of cyber warfare capabilities. The past five years have seen countries with formerly virtually no recognised cybercapabilities emerge on the world stage. Iran and North Korea, two countries facing significant technology embargos, for example, have launched credible attacks on targets, with the former attacking banks and brokerages on Wall Street and the latter successfully hacking Sony Entertainment to thwart the launch of a movie it deemed offensive to North Korean President Kim Jong Un. From only a few, mainly highly industrialised countries a few years ago, there are now more than 30 countries building cyber warfare capabilities. Moreover, in many countries, governments are working closely with private groups on cyberwar capability build out, defraying costs to the government but creating further capability proliferation. Given the massive physical destruction potential of cyber attacks (e.g. hacking avionics on aircraft or control systems on dams and power plants), this proliferation of capabilities poses a global security risk. By way of comparison, cyber capabilities with potentially nuclear-level destructive capabilities are already more widely spread today than nuclear ones were at the time the Non-Proliferation Treaty was signed. At the time, the existence of only five nuclear states and the risks their capabilities represented were enough to call into life a treaty signed by over 190 countries.
Today cyberspace is the only domain of warfare in which the United States faces near-peer competition, as well as multiple state and non-state actors that can and do freely attack the US homeland. While the US enjoys the largest tech industry, has the world’s largest military and potentially the largest cyber budget, foreign actors have recognised the asymmetric nature of cyberpower and their ability to compete with or at least disrupt US interests using much fewer resources. This growth and diversification of the geopolitical cyber landscape is likely to have an impact on the shape of future cyber conflicts. Rather than being like protracted wars between nation states that had defined beginnings, phases and endings, cyber conflicts of the future are likely to fall into the category of ‘perpetual conflict’. They are set to be continual and multi-dimensional, fought with the use of both direct resources and proxies, leading to a constant barrage of attacks against military, government, economic and civilian targets. However, while cyber attacks will have varying levels of intensity, under most circumstances they likely remain under the threshold that triggers a physical response by the US, where it can bring superior resources to bear and outmatch any opponent, (provided that it can identify the source of such an attack and formulate an effective response). For the most part, cyber threats to the US will therefore be more like terrorist attacks than like conventional attacks that could be construed as an act of war, and American cyber defence and counterattack capabilities will need to be organised accordingly. This of course does not mean that cyber attacks may not have devastating effects: just like 9/11 showed the destructive potential of physical terrorist attacks, cyber attacks can cause massive infrastructure destruction and loss of life, and American policy makers and defence planners will need to account for these types of attacks as well. Of course, America may well also be faced with ‘conventional’ cyber threats by other state actors and even other superpowers. China’s cyber efforts during the past five years mean that it is potentially the most likely candidate in this regard.
Part 2: China - An Emerging Cyber Superpower
Among nation-states, the only country with the potential to rival the US as a superpower, cyber or otherwise, is China. In parallel to its expanding cyber warfare capability, its military, economic and technological cyber capability is expanding rapidly and its stated ambitions in the space appears to exceed that of America’s. China during the past five years has fully woken up to the importance of the cyber dimension, recognising the need for it to become a cyber power in tandem “Cyberspace has become a new pillar of economic and social development, and a new domain of national security … As cyberspace weighs more in military security, China will expedite the development of a cyber force to maintain national security and social stability.”
China’s Military Strategy, May 2015 with its economic, political and increasingly military rise. President Xi Jinping, in 2017, announced China’s ambition to achieve cyber superpower’, status kicking off a multi-pronged development strategy to build its technological capabilities. This build-out comprehensively covers both economic and military considerations, recognising on the one hand the fact that ‘without cyber security there is no national security’ and on the other hand the fact that China’s economy too will need to adapt to the information age, given that its existing economic strategies are insufficient to maintain the growth rates required to satisfy the demands of its population and keep the Communist Party of China (CPC) in power over the long term. Accordingly, the priorities of China’s cyber build-out are both comprehensive and ambitious, covering the following eight objectives:
- Priority 1: Build Cyber Warfare Capabilities. China’s cyber warfare capabilities have been evolving in parallel with the general ongoing modernisation drive of the People’s Liberation Army’s (PLA), as it seeks to integrate electronic warfare as a key component of future strategy. To better coordinate efforts, the PLA has recently created a cyber ‘Strategic Support Force’, a branch of service unifying various cyber assets under one roof, closely mimicking the structure and role of the US Cybercommand.
- Priority 2: Build a Cyber Defence Wall. Protecting China’s homeland from foreign attacks remains a key priority. For China’s rulers, the definition of foreign attacks includes both cyber attacks in the narrow sense and the online dissemination and propagation of content and ideas that they consider harmful. Accordingly, the Great Firewall of China, which regulates domestic access to the internet and limits the use of foreign tools and access to news and content, is considered to be core element of China’s cyber defence.
- Priority 3: Control the Population. Limiting access to foreign content is the other side of the coin to controlling domestic content, as both are considered important by their leaders to ensure continued communist party If the Communist Party of China cannot traverse the hurdle represented by the Internet, it cannot traverse the hurdle of remaining in power for the long term’. leadership of China. ‘Accordingly, it has identified two core levers to ensure ‘that the Party’s ideas always become the strongest voice in cyberspace’: censorship and propaganda. China today employs upward of 2m internet censors that monitor the internet, deleting content that does not conform with the government line on a given issue. In terms of propaganda, government agencies in China fabricate and post nearly 450m pro-government social media comments a year, accounting for, according to one study an estimated 99% of the pro-regime messages posted overall.
- Priority 4: Determine Internet Governance. The internet may be American in origin, but it is fast becoming Chinese in practice based on total users, e-commerce volumes and certainly China’s desire to set its own governance rules. While the US has traditionally propagated the ‘open platform’ view of the internet, China wishes countries to exercise a similar level of control over their online spaces as they do over their physical domains. The implementation of this view would effectively atomise the internet into a series of national cyber fiefdoms, with interoperability being subject to bilateral treaties. In the absence of America or international bodies setting universal rules, China would of course be free to act bilaterally as it sees fit.
- Priority 5: Build International Influence. In parallel to securing domestic cyber sovereignty, China is seeking to export its internet to other countries. Officials have stressed the need to build a “digital Silk Road” alongside the One Belt One Road initiative, and Chinese companies have been busy building communications infrastructure - fibre, mobile, satellite, even smart cities - in participating countries, e.g. extending Beidou, China’s version of the (US) Global Positioning System, to 60 plus countries along the Silk Road. Chinese companies are gaining important positions in international communication networks transferring massive amounts of government, business and personal data. This not only gives Chinese companies (and the government) a potential say in rules and governance, albeit initially at the infrastructure level, but is also a first step in enabling technological control over the network.
- Priority 6: Drive Innovation. Chinese policymakers believe that to be truly secure, China must achieve technological self-sufficiency, driving massive top-down, state-led efforts at innovation in AI, quantum computing, semiconductors and robotics. China today spends more money importing integrated circuits than it does importing oil. China’s government is investing US$150bn in domestic semiconductor manufacturing with a target of meeting 70% of China’s chip demand by 2025, up from 10% today. On the AI front, China’s 2017 AI plan calls for homegrown technology to match the West by 2020 and to lead the world by 2030, committing tens of billions of dollars to the effort. China has executed large scale industry transformations before, building the world’s largest high speed rail network within a decade. Whether it can repeat this success in purely intellectual property driven sectors and in innovation remains to be seen, however.
- Priority 7: Acquire Critical Technologies. A critical part of China’s technological independence push is acquiring technology to complement home grown development. For example, Chinese companies between 2013 and 2016 “Only if core technologies are in our own hands can we truly hold the initiative in competition and development…[to] ensure our national economic security, defence security and other aspects of security.”
Chinese President Xi Jinping 10 June 2014attempted to buy U.S. semiconductor companies worth more than $37 billion. However, with many of these bids blocked by the US on national security grounds, China stands accused of resorting to cybertheft and espionage to acquire critical technology and IP. With Chinese IP theft estimated to cost US companies between US$225 and US$600bn, annually, this matter has become one of the central issues of the current US-China trade war.
- Priority 8: Foster Economic Growth. Finally, China’s cyber ambitions are also economic in nature. With GDP growth at its lowest level in a decade, technology and cyber represent significant potential growth drivers for China’s economy. Having built an industrial era powerhouse which is now facing rising costs and slowing growth, China needs to transition from an industrial focus to an information focus, requiring the transformation of many of its most important industries, through the process of ‘informatization’. To this end China’s leadership has stated that “Cybersecurity and informatization are a single body with two wings, the two wheels of a single drive, and require unified planning, unified deployment, unified promotion, and unified implementation.”
Will China succeed? With the world’s largest internet user base (800m), China has an invaluable platform for domestic technology development and deployment, leading the world, for example, in the roll-out of 5G networks. Further, its online population generates massive amounts of data critical for analytics and AI, and loose data privacy laws ensure that this data can be used freely. The close collaboration between government and the private sector is another strength: it is home to four of world top ten internet companies by market cap, and China’s government has designated specific partners to lead the development of key technologies: e.g. supporting Tencent’s development activities in driverless cars and Baidu’s AI efforts. The concentration of funds and resources is allowing China’s companies to quickly close the gaps on US technology leads that have been years in the making. In the meantime, America appears to be inwardly focused on its own divisions.
All these advantages still may not lead to China surpassing the US, of course. However, the threat though is that much like it did with its industrial build out, any shortfall can be overcome with a combination of scale and capital to spur innovation and any gaps can be compensated for with imports, acquisitions and commercial espionage. Over the long term, only China has the potential to be a geostrategic competitor to the United States. Moreover, as China’s capabilities grow, it will increasingly find itself at loggerheads with the US on questions of cyber warfare, cyber espionage, e-commerce, and cyber law, just like it is coming up against America on the equivalent topics in the physical world. However, given the nature of cyber, there will always be less powerful nations with assets and capabilities to at least disrupt the actions and policies of cyber giants like China and the US. Accordingly, the cyberpower paradigm will not be a bipolar or even a multi-polar one but a complex multidimensional one.
Part 3: A Roadmap for US-led 21st Century Cyber Security
While cyber capabilities will be a critical and increasingly important component of what it takes be a superpower in the 21st century, advanced cyber capabilities will not be the exclusive preserve of superpowers, requiring a fundamental rethink of what a future security architecture might look like. Rapid capability proliferation and the diversification of technology will likely make a Cold War-era ‘tit-for-tat’ paradigm of measure-countermeasure development moot. Critically, conventional thinking and strategies are irrelevant to the cyber dimension; America can watch and wait safely until it believes an Iran or North Korea have developed an intercontinental nuclear capability before it feels the security threat, but with cyber the domain is immediately global, and can reach instantaneously into the US heartland.
With cyber attacks potentially crippling national civilian infrastructure such as power, water, and emergency services, or crashing global equity markets and triggering a worldwide recession, or even launching automated nuclear counter-attacks, cyber warfare transcends being a tool for superpowers to leverage in their quest for dominance and becomes an issue for all nations to consider, one that can only be only be satisfactorily managed through the establishment of new rules of engagement. Realistically, there is only one country with the assets and capabilities standing to secure cyberspace globally in the 21st century: the United States. The issue of global cyber security is not just one of rule-making, but also of rule enforcement. Other countries and institutions lack either the credibility to make rules (like China) or the will and capabilities to enforce them by necessary means (like the EU). American diplomacy and power will be fully tested in this endeavor: rule making will require encompassing a rapidly expanding set of countries with independent competitive cyber attack capabilities, while rule enforcement will require building and maintaining both physical and digital retaliation capabilities to respond to cyber attacks.
The summary roadmap of a US-led security environment for 21st cyber space would encompass the following elements, consisting of both international and national developments:
- International Engagement: Reaffirm International Leadership and Principles. America cannot establish rules (or leadership) alone. Repudiating ‘America First’ as the governing principle of policy in favour of ‘America and allies first’ allows the US to (re-)build a scaled coalition that can support its rule-making and enforcement initiatives. Further, cyber rules of conduct will require a platform of values and principles upon which to be based. Globalisation, free trade, and the respect for human rights underpinned an order that witnessed the greatest increase in global prosperity and the greatest decline in violence in history. While these principles may need to be updated (for example for a plural world order or for an environmentally challenged planet), they represent the best option upon which America can establish new rules for the 21st century, and America will need to reaffirm these principles if it is to rally the support it needs.
- International Rules of Engagement: Determine Globally Accepted Set of Cyber Warfare Laws, Treaties, Protocols and Governance. The current rules of war cannot be applied to cover the breadth of cyber attack and defence options so new rules will be required. Based on a set of established principles, these rules will need to accede to the status of international laws to be universally accepted, and not stop short at the level of bilateral treaties that China believes should govern cyber warfare. Rules will need to cover a wide range of issues including an agreed-upon scope (e.g. agreeing what constitutes a cyber attack and how is it delineated from, say, cyber crime or cyber espionage), rules of engagement for cyber attacks and defence (e.g. the hierarchy of acceptable responses, both digital and physical, to attacks and escalation/de-escalation protocols), and the establishment of absolute boundaries outside of which no actions can ever be legitimate (the cyber equivalent of biological or chemical weapons).
- International Agencies: Share Data and Collaborate with Allies. At a minimum, effective cyber defence requires collaborating with other state’s law enforcement agencies to counter attacks from international non-state actors. In practice though, this requires working closely with other nations on threat detection and prevention too. An example of this is Europol’s European Cybercrime Centre, a joint cybercrime task force executing global operations. These types of collaborations will need to be expanded beyond private sector cybercrime to cover cyber warfare and military issues as well, and supercede geography, given the cross-border nature and impacts of cyber threats.
- International Roles: Shared Enforcement Responsibilities. America may need to be the global cyber policeman, but it should be so only as a matter of last resort. Effective global governance regimes confer both benefits and responsibilities on participants and other countries will need to bear their share of the cyber security burden. For example, nations will need to be responsible for enforcing global cyber rules, both physically and digitally, within their own borders. This will require coordinating with international law enforcement and security services to track down and stop non-state actors using their country as a base, with non-cooperation to be potentially considered as a form of tacit support, much like it has in the physical world (for example, where the Taliban’s hosting of Al Qaeda in Afghanistan triggered a war and occupation of the country post 9/11).
- National Security: Strengthen Domestic Infrastructure. All countries need effective cyber defence for their civil-military infrastructure, protecting against attacks by rivals’ powers, rogue states, non-state actors and simple criminal activity. Civil infrastructure is particularly susceptible to cyber attacks as it typically has lower grade cyber protection in place than government or military infrastructure. Guarding against these attacks will require close collaboration between government agencies and the private sector enterprises at risk, with intelligence agencies helping companies to address, rather than exploit network security issues, as they have on numerous occasions in the past.
- National Rules of Engagement: Create Responsible Technology Development. Given the high rate of ongoing technological development the world-over, countries will require permanent and adequately funded cyber development (and defence) programmes. In what promises to be a cyber arms race, countries will need to consider carefully how they develop and deploy their innnovations and deploy effective protections. Leading technologists are becoming increasingly concerned at the potential existential risk posed by AI, fearing that the current rate of development is outpacing our ability to implement safety mechanisms for our protection. While this risk is unlikely to deter countries from the further AI research, guardrails around existing and future development efforts need to be considered. Similarly, social media and other technology platforms need to become accountable for the impact they have on society, which will require them to create and enforce a set of agreed upon principles and rules. The recent experience in the US shows that this is unlikely to happen without at least some government participation, though. Over time, one can expect a massive and powerful cyber security (weapons and defence) industry to develop that sells tools to the world, on par with or exceeding today’s conventional arms industry.
- National Defence and Deterrence: Create and Execute Tailored Deterrence Campaigns. Given the enormous potential destructiveness of cyber attacks and the difficulty of defending against them, cyber defence strategies need to be based on deterrence. The US will need to create bespoke deterrence strategies tailored to specific threats and attackers, planning for massive retaliation on an equal or even greater scale. This requires having a ‘library’ of various attack plans ready for execution against all potential state and non-state cyberthreats. Moreover, for its position as the guarantor of a 21st century cyber security order to be credible the US will likely need to demonstrate its ability and willingness to execute such a plan in responses to a transgressor of rules. Given that the most likely instigators of overt cyber attacks against America and its allies are already states that it considers to be rivals, like China and Russia, and others that it (mostly) considers to be ‘rogue’, like North Korea and Iran, the US will need to calibrate its responses carefully given the wider geopolitical rivalry that exists with these nations in the physical world.
Creating the rules of engagement for the cyber world is unlikely to succeed if the role, legitimacy, integrity and efficacy of the current platform (UN, the World Bank, World Trade Organisation, the International Criminal Court, the EU, NATO in particular) for the physical world is put into doubt. The leaders of almost all these institutions have found that American commitment to their organisations under the Trump Administration has diminished or is in active opposition. Clearly, the administration’s current definition of ‘America First’ may have seen the challenging of these institutions as an essential part of their agenda. However, winning in the short term by undermining the rules of physical engagement has the likely implication of allowing others to legitimately claim there is no agreed basis upon which to build the rules for cyber engagement.
Conclusion: The Case for America to Reaffirm Inclusive Leadership
Cyber arms and defence technologies are the nuclear weapons of the digital age. Their preponderance is occurring as part of a series of fundamental shifts: of human civilisation from the industrial to the information age, the explosion of the world’s population to almost 10 billion people, the shift of energy resources away from carbon, the inevitable decline of America’s global share of industrial output and power, and the continuing integration of peoples across the world in an open information and access society. If America fails to embrace and lead in these changes it will be replaced just as other great powers have been displaced by newer ones throughout history. In the last five years the role of cyber in reshaping the world has advanced at a greater pace than seemed possible. The contours of the new game of power are becoming clearer.
The Shift to the information age sets up a new security paradigm and an acceleration of US-China adversity. The shift underway in the world today, most acutely felt in developed countries for the time being, from the industrial age to the information age is undeniable. Information and computing technology is transforming the structure of politics, societies, economies, industries and individuals’ lives by disrupting existing physical systems. Nearly every pillar of global civilisation – political, economic, social and military – is becoming more and more digital and therefore any conceivable future world order, short of a post-apocalyptic one, will be cyber enabled, cyber enhanced and most importantly cyber dependent, making cyber one of, if not the most critical control point for future superpowers to occupy. The US and China are the only real candidates with sufficient scale today to compete for supremacy.
Industrial age thinking and policies cannot create information age supremacy. However, at this time, industrial age thinking is driving American policy, and America First, popular thought it may be, appears to be seeking to hold on to is leadership position in the physical world using industrial age methods and tools. This effort, while it may bring some benefits in the short term, appears to be doomed to fail in the longer term, even if the US wins in every trade dispute that it launches, including extracting US$200bn from China. Even without the disruption of cyber on the industrial age, America’s relative decline in the physical world – based on GDP, trade, physical resources, and so forth - is inevitable as a simple matter of arithmetic: a country with less than 5% of the global population cannot produce 25% of the world’s GDP or control 40% of its wealth indefinitely. ‘America First’ fails to recognise this reality, attempting to bring back manufacturing jobs to the US that will likely be automated in a few years, or restrict immigration to protect ‘American’ jobs, restricting technology companies’ traditional access to international talent. By looking backward to a fleeting purported ‘Golden Age’ in the past, America risks falling behind in reaching a potential one in the future.
China has fully grasped the importance of cyber in superpower positioning and is investing with the intent to lead. America’s loss is China’s gain. China is showing signs of better grasping that the way to secure its future is to add cyber capabilities across its industrial base and economy. Despite its lower level of industrial development relative to the US, the country’s leaders have recognised that its industrial base, including manufacturing, requires ‘informatisation’ and the integration of digital technologies to generate the productivity required to remain globally competitive over the long term. China already has the world’s largest e-commerce market and is fast becoming a cashless economy through e-finance, with China processing 40x the volume of e-payments as the US. Importantly too, however, China has recognised the importance of cyber for national security and its future power position and is building a scaled cyber warfare capability to augment its growing conventional military capabilities and to counter future cyber threats.
America holds cyber primacy and the most powerful position in rule setting; both are its to lose. Despite America’s recent actions to the contrary, it is still the best placed country to embrace cyber and complete the economic transition to the information age, creating a cyber security architecture for the 21st century and thereby ensuring its superpower position in the next world order. Doing so however requires political commitment and international engagement on levels last demonstrated during the Cold War. America’s technological, economic and (open) societal superiority over China may be diminishing but is still there for America to leverage if it chooses. Moreover, as the architect of the current global rules of engagement, America is best placed to defend what is defendable, reform what needs reforming and replace the obsolete, preferably in partnership with its traditional allies. These revised and updated rules provide the best platform upon which any future cyber security architecture can be built, while the alternatives are recipes for failure.
The current course is alienating allies and creating the conditions under which American cannot lead, or lead only through tyranny. However, the reaffirmation and reform of old principles alongside the formation of new (cyber) ones cannot succeed without America realising that its self-interest is best served by uniting and leading its allies, rather than by extracting short term gains from them. This would accordingly require the current administration to support a united EU rather than supporting Brexit, stop fighting all its allies on trade, taking a more balanced position in the Middle East, and to cease undermining international institutions, in short, the effective abandonment of the current conception of “America First”. The necessity to change course is immediate: America will need to move quickly to (re-establish) leadership and to counter the moves that its potential rivals have been making, not just in cyber warfare but in commerce, finance and other areas, too. In parallel to its own build-out and preparation for a cyber future, America will need to slow down the efforts of countries like Russia and China with a combination of pressure on trade, sanctions on IP theft, restrictions FDI in the US tech sector, and enhanced cyber threat detection, prevention, and if required, retaliation to minimize the impact they can have on the US. While the shape of the coming world order, its organising principles and its beneficiaries and losers might still be uncertain, its contours are becoming clearer. Cyber will play a critical role in this order, and will therefore need to be embedded into the international institutions that set the rules of engagement. What is also clear is that in human societies, order still requires leadership, and history teaches that in the absence of leadership, the transition from one order to another is typically accompanied by extreme violence. The transition of human civilisation to the information age provides America with not just a potential reset of its position in an otherwise inevitable relative decline in its industrial might and therefore overall geopolitical power position, but also with the ability to underpin global security and prosperity for decades to come. With a prize of this size, if America chooses not to act, others surely will.
1. See the July 2013 Sign of the Times: Cyber Attack, Defence and Security in the Making and Preserving of Superpowers
2. International Telecommunications Union
3. Source: McKinsey Global Institute
4. Source: The New York Times, DoJ Special Counsel investigation,
5. Source: Whistleblower disclosure to Channel 4 News
6. The Asia-Pacific region with South Asia
7. Bots are computer algorithms that can continuously perform a specified task, such as sending spam mail to millions of addresses or tweeting and retweeting messages with certain defined parameters on social networks. Trolls are human actors that influence information on the internet, leveraging anonymity to disseminate information and influence
8. Overall, pro-Trump bots generated five times as much activity at key moments of the campaign as pro-Clinton ones. These Twitter bots—which often had zero followers—copied each other’s messages and sent out advertisements alongside political content.
9. Source: According to Politifact, 78% of 158 of Trump’s campaign statement from the first half of 2016 sampled were found to be false or mostly false.
10. Source: CNN
11. Source: “New Generation Artificial Intelligence Development Plan” Jun 20, 2017
12. Clearly in a fragmented digital innovation scenario, the government would back a wide array of established and innovative newcomers
13. Source: Goldman Sachs Economic Research
14. Source: Joint statement by the NSA and the Director of National Intelligence
15. Source: http://www.chinadaily.com.cn/china/2015-05/26/content_20820628.htm
17. Source: Cyberspace Administration of China’s Theoretical Studies Center Group article published in Qiushi, Sept 2017
18. Source: How the Chinese Government Fabricates Social Media; Gary King, Jennifer Pan and Margaret Roberts, Havard University, 2016
19. Importing semiconductors c.US$230bn in 2016
20. Compared with deals worth only $214 million from 2000 to 2013.
21. Source: https://www.cnas.org/publications/reports/strategic-competition-in-an-era-of-artificial-intelligence
23. Source: https://www.newamerica.org/cybersecurity-initiative/blog/chinas-strategic-thinking-building-power-cyberspace/
24. Cf. “The Better Angels of Our Nature: Why Violence as Declined”, Pinker Steven, Viking Books, 2011
25. These differences matter: Under China’s interpretation of cyber sovereignty an action such as posting a New York Times article on Chinese social media could meet the standard of a cyberattack
26. Examples: The Microsoft Windows security backdoor discovered by NSA, the news of which was not disclosed by the NSA but eventually leaked to the press
27. Allianz Global Wealth Report 2015
28. See the March 2017 Sign of the Times, The Shape of the World to Come – Part III: The Path to a New World Order and the May 2016 Sign The Trump Doctrine and the Future of American Power
29. See appendix for definitions and sources
Transforming Education Through Technology is a Key to Underpinning Human Security and Progress