There has been a great deal of thinking and writing about why deterrence is difficult in cyberspace. Attacks can be masked, or routed through another country’s networks. Even if you know for sure the attack came from a computer in country X, you cannot be sure the government was behind it. All of this creates the attribution problem: It is hard to deter if you cannot punish, and you cannot punish without knowing who is behind an attack. Moreover, much of the cyber activity is espionage and it is hard to imagine a government threatening military action for the theft of data.
China Defense Daily lays out some of the reasons why Chinese experts think deterrence is hard, or to be more specific, why the U.S. military will have difficulty achieving its deterrence aims. First, though, the article addresses all the “advantages” the United States brings to the table: resources (10 of the world’s 13 root servers are in the United States); technology (operating systems, databases, processors, microchips, network switching, and other core technology are all “in the hands of American companies”); power (there is a large gap between the U.S. and others in the development of weapons, investment, the training of talent, and the scale of armed forces).
Despite these strengths, the article see the U.S. as being unable to secure its networks. The announcement of the Defense Department’s Strategy for Operating in Cyberspace, in the Chinese view, encouraged other countries to develop their own offensive capabilities. Attribution is hard, and providing proof of who is behind an attack that would convince others is still extremely difficult. Detection and monitoring capabilities in cyberspace are underdeveloped so it is a real question whether the U.S. military can detect, provide warning of, and deter an attack before it happens. Finally, if the United States decides to retaliate through offensive cyberattacks, it can have no certainty about the outcomes. The impacts on networks are often limited and can be quickly recovered from.
U.S. intelligence officials are going to AP and The Wall Street Journal and telling them they have identified the specific Chinese groups behind attacks on Google, RSA, and other companies is an attempt to diminish Chinese confidence that they can remain hidden and, thus, strengthen deterrence. Going further down the hall of mirrors, it may be that the purpose of the article in China Defense Daily is to undermine these U.S. efforts. Can Washington believe that it has achieved a credible deterrent if the potential adversary keeps saying it is not possible?
What deterrence is in cyberspace and how it is achieved is exactly the type of discussion the United States needs to be having with China. This article’s use of deterrence (威慑, wei she) is reflective of the Chinese definition, which can be more expansive and normative than the American use, encompassing threat or menace. As far as I can tell, cybersecurity discussions have only (officially) been happening once a year at the U.S.-China Strategic and Economic Dialogue. Cyberspaces is of course a strategic and economic issue, so it makes sense to have a whole of government approach. Still, given the distance between Washington and Beijing, and the speed at which the issue is developing, the Pentagon and the PLA should be speaking as frequently and in as many fora as possible.