America’s Department of Defense yesterday released its annual report on China’s military capabilities (pdf). The report includes “electronic warfare” and “information dominance” as part of a larger campaign it says is an “essential element, if not a fundamental prerequisite” of China’s defense planning.
The report is good PR for China’s cyberwarriors but there is nothing surprising about the country’s ambitions. America itself is relatively open about its cyberwarfare activities. The US air force recently designated six bits of code as “weapons” so it could squeeze some more funding out of the defense budget. And the most widely known instance of cyberwarfare, Stuxnet, is a computer virus with not one, not two, but five “zero-day exploits,” as attacks on previously undiscovered vulnerabilities are knowns. Stuxnet was hailed as such a success that its authors, America and Israel, gleefully ensured that the whole world knew who was behind it.
Some researchers doubt the effectiveness of Stuxnet. That seems almost immaterial. Where the wide publicity given to Chinese attacks ensures a bogeyman, the success of Stuxnet—and the low cost of developing such weapons—has become a model for other countries to follow.
For example, here is what the British Intelligence and Security Committee’s latest annual report (pdf) had to say about cyberwar: “While attacks in cyberspace represent a significant threat to the UK, and defending against them must be a priority, we believe that there are also significant opportunities for our intelligence and security agencies.”
The committee’s recommended actions included accessing enemy networks to obtain intelligence without detection, destruction of data, and “disruption,” which it describes as accessing the “networks or systems of others to hamper their activities or capabilities without detection (or at least without attribution).” It cited Stuxnet as an example.
France is the latest to hop on to the bandwagon. A white paper submitted to the president by a committee on defence and security last week outlined the need for “la capacité informatique offensive” (pdf in French). There are few national security agencies that haven’t outlined something similar (pdf) to their governments.
A milder form of cyberwar is fighting crime online. But this too requires many of the same techniques and involves the same extra-territorial incursions. The Dutch ministry of security and justice said last week that it is seeking new legislation to allow police to break into computers, which would make it a crime to refuse to share passwords with the law. In this, the Dutch could argue they are merely fulfilling their commitments to the Convention on Cybercrime, which practically requires (pdf) such laws.
While the convention encourages international cooperation and allows unilateral access to data in other countries, negotiators were unable to agree on the extent of that access. Reaching into an American server and destroying or stealing private data without the consent of the owner is frowned upon. Yet that is the right the Dutch are seeking, since many services, such as Gmail, now lie beyond their jurisdiction. Even for those countries that aren’t yet building full-blown cyberwarfare capabilities, there are only couple of steps that lie between snooping and spying, and between spying and sabotage.