CFR Presents

Net Politics

CFR experts investigate the impact of information and communication technologies on security, privacy, and international affairs.

Print Print Cite Cite
Style: MLA APA Chicago Close


An Expansive, and Dangerous, Chinese View on Cyber Deterrence

by Adam Segal
January 25, 2016

cfr cyber china deterrence net politics Children wearing uniforms stand in formation during a military parade game on China's National Day, at Beyou World, a centre where children can experience different kinds of professions, in Beijing last year. (Stringer/Reuters).


In most open source writings, Chinese analysts tend to discount the possibility of deterrence in cyberspace. Attribution, detection, and monitoring are hard. Attacks can come from state and non-state actors. Retaliatory cyber attacks have no certainty of outcome. All of these conditions combine to make it difficult to deter cyber attacks on national networks.

Given this skepticism, it was interesting to find a long, Sun Tzu-quote-filled discussion of cyber deterrence published on a website affiliated with People’s Daily. Like many other open source writers, Yuan Yi, a researcher at the Academy of Military Sciences, takes a very expansive view of deterrence in cyberspace. According to Dean Cheng, China traditionally views deterrence, or weishe (威慑), as both deterrence in the Western sense–threats intended to raise the costs high enough so a potential adversary does not act in the first place–and compellence–displays of military power or threats to use military power in order to compel an opponent to take an action or submit. In the vast majority of cases where Yuan’s article refers to deterrence, it appears to be talking about offensive cyber operations and compellence. So the strengths of cyber deterrence, in Yuan’s view, include the fact that cyberattacks are more humane than nuclear, chemical, or biological attacks; deterrence is cost effective because cyber weapons are cheap; deterrence methods are diverse because cyber weapons can target multiple types of systems; and deterrence uses are repeatable and flexible because, unlike nukes, cyber weapons can be used multiple times. Western analysts tend to associate all of these characteristics with cyber offense not deterrence.

The list of negatives that characterize cyber deterrence also mirrors what Western strategists have traditionally associated with the weaknesses of cyber weapons. Cyber deterrence, for Yuan, lacks credibility because cyber weapons have not yet been used in real warfare; the defense is dynamic and may eliminate vulnerabilities and thus make a weapon useless; the effects of a weapon may spread to connected networks and may even boomerang back to the attackers; states with low levels of connectivity provide few targets and are not easily deterred; and the distributed nature of networks makes the creation of a unified military force difficult.

After laying out these strength and weaknesses, Yuan describes four types of deterrence, three by appearance, the fourth by actual combat. Deterrence by appearance includes technical tests with widespread publicity about the results as well as the displays of cyber equipment. Displays can happen through doctrine, white papers, diplomatic pronouncements, newspapers, or other official channels. It can also occur through social media and may involve misinformation in an attempt to confuse the enemy and create a psychology of fear and restraint. Combat exercises are also a form of deterrence by appearance and may involve real or virtual troops. Yuan mentions Cyber Storm, the biennial exercise run by the Department of Homeland Security, as an example of deterrence by exercise.

Yuan argues that there are two opportunities for deterrence by combat operations. First, when one side believes the other is on the verge of initiating war, it may launch cyberattacks on critical defensive networks, thus conducting “preventive, restraining deterrence.” The second is when the enemy is conducting cyberattacks on your side in a deterrent effort, then you must immediately launch “retaliatory, reprimanding deterrence.” The types of attacks Yuan believes could be launched include disseminating propaganda on cell phones and interrupting television broadcasts as well as damaging telecommunication networks and power grids.

According to Yuan, a successful deterrence strategy requires preparation. Cyber forces must conduct comprehensive network reconnaissance and install backdoors and logic bombs to launch future attacks. Decision makers need to find the right intensity of the fight in cyberspace to achieve combat deterrence. Attacks that are too restrained will do little to dismay the enemy. Attacks that cause too much damage may provoke a conventional military response or bring international criticism. There should be a clear and controlled progression. Warnings should be issued, and attacks should move up a ladder of difficulty and impact, with scheduled breaks and resumptions when necessary. In addition, a clear deterrence strategy demands centralized command and unified planning. All military cyber forces must form a joint force, and Yuan argues that decision makers “must organize and coordinate amateur civilian cyberwar forces, particularly patriotic hackers.”

While Yuan’s call for unified forces, centralized political control, and a clear escalatory ladder could provide for greater predictability in cyberspace, most of the article’s suggestions are highly destabilizing, especially the belief that cyberattacks are relatively low risk and the call for network reconnaissance and prepping the battlefield. The article is almost definitely not an authoritative overview of what the People’s Liberation Army thinks about deterrence but at the same time it is equally unlikely to be completely outside the mainstream. One of the outcomes of the Xi-Obama was supposed to be the creation of a cyber “senior experts group.” It would be good if that group could meet soon, and start the discussion on the meaning of deterrence and other basic concepts.

Post a Comment 2 Comments

  • Posted by AMRutkowski

    Having been significantly engaged in this arena for the past decade, I find this a good comprehensive analysis. China has been involved in multiple global cooperative cyber security technical bodies over many years, deploying substantial resources. The addition of the new senior experts group could be useful in shaping those existing activities. However, the title seems rather at odds with the article.

  • Posted by Richa @ Homesecuritylist

    Now, that’s an interesting article indeed as most of the hackers in China are all government sponsored. This article is indeed an interesting one, especially when it concerns cyber deterrence. I was going through an article in the foreignpolicy magazine which dealt with the US strategy of winning cyberwars of future. Though I’ve to agree that cyberwars are not as lethal as nuclear ones, the former also cost billions of dollars. It’s interesting to note that till today US government believes in the Cold War theory of deterrence – hit back just as hard once a country (esp. China) strikes US, right from lifting of loads of records from Office of Personnel Management to stolen emails and credit card theft. At this juncture, the time has come for all the countries to realize and accept the reality of global approach to cyber deterrence rather than country-specific approach. The cold war era is gone. Until and unless all the leading countries in the world realize how detrimental cyber wars have become and how important it’s to safeguard cyber security, there will hardly be any solution in sight. Hope US, China, and other growing world powers understand this reality.

Post a Comment

CFR seeks to foster civil and informed discussion of foreign policy issues. Opinions expressed on CFR blogs are solely those of the author or commenter, not of CFR, which takes no institutional positions. All comments must abide by CFR's guidelines and will be moderated prior to posting.

* Required