9 August 2016

A Force for Cyber Anarchy or Cyber Order? —PLA Perspectives on ‘Cyber Rules’

July 6, 2016

General Hao Yeli, vice president of the China Institute for Innovation and Development Strategy and formerly deputy director of the Fourth Department (4PLA) of the General Staff Department, argues that “the formulation of rules for cyberspace is actually just a process of great powers playing a chess game of interests”

In early June, the Eighth Round of the U.S.-China Strategic and Economic Dialogue (S&ED) “welcomed” apparent progress on cyber security, an issue that has been among the most contentious aspects of this bilateral relationship in recent years (U.S. Department of State, June 7). As the official press release noted, the U.S.-China High-Level Dialogue on Cybercrime and Related Issues occurred last December and recently reconvened in June, and the inaugural Senior Experts Group on International Norms in Cyberspace and Related Issues took place this May and will meet again this fall. Since the previous U.S.-China cyber security working group had been suspended after the indictment of 3PLA hackers in May 2014, this resumption of substantive bilateral engagement on these issues constitutes at least an initial step toward the search for common ground on cyber security that these dialogues seek to advance. 

This diplomatic progress on cyber issues, which builds upon other recent advances, raises the question of whether shared interests could enable future cooperation between the U.S. and China or strategic competition will persist in this new, anarchic domain. In 2015, Beijing agreed through the UN’s Group of Government Experts consensus report that certain norms and aspects of existing international law, including the UN Charter, do apply in cyberspace. [1] During his September 2015 state visit to the U.S., President Xi apparently agreed to restrain Chinese commercial cyber espionage activities and pledged, along with President Obama, to refrain from cyber attacks against civilian critical infrastructure during peacetime (White House Press Office, September 25, 2015). [2] 

While such outcomes are encouraging, the prospects for future progress on cyber issues must be evaluated in light of the relevant aspects of Chinese, particularly PLA, strategic thinking on cyber/network warfare. [3] Unless diplomatic engagement proves able to impact the PLA’s strategic thinking on and constrain its operational approach to “cyber domain military struggle,” the credibility of Beijing’s rhetorical commitments will remain questionable. Of course, the continuation of efforts to address cyber security in Sino-U.S. relations could be critical to ameliorate mutual misperceptions, establish crisis management mechanisms to lessen the risks of escalation, and perhaps ultimately progress toward the formulation of a consensus on potential ‘rules of the road’ for the cyber domain. However, these efforts should be informed by an understanding of the range of views among the relevant strategists and operators within the PLA, which frequently differ appreciably from China’s articulated diplomatic positions on the topic. This analysis is an initial attempt to outline these perspectives, in an effort to understand the likely constraints upon and potential opportunities for agreement between the U.S. and China regarding a future cyber order. 

Following the Cyber Rules? 

At this point, a number of PLA theorists and strategists, including affiliates of the PLA’s Academy of Military Science (AMS) and National Defense University (NDU), do appear to recognize the importance of formulating basic “cyber rules” (网络规则), as well as some form of “cyber arms control” (网络军备控制). There is evidently a range of views on the topic, including those who argue for highly competitive approaches to cyber norms and those urging greater cooperation. However, existing Western efforts to institutionalize cyber norms and “cyber laws of war” are often viewed with suspicion, even as attempts to secure U.S. “cyber hegemony” (网络霸权). [4] For instance, the Tallinn Manual—a NATO-proposed framework for the application of existing international law, including the laws of war, to cyberspace—has been characterized as an indication of hostile intent. The PLA’s perception that the U.S. seeks to reinforce its strategic advantage, rather than contribute to the stability of this new domain, lessens its willingness to constrain its own capabilities and operations in accordance with future cyber rules. 

Although it will remain difficult to assess the credibility of any peacetime cyber commitments, the PLA’s evolving strategic thinking on the topic could be a critical indicator of how Chinese cyber forces, under the aegis of the PLA’s Strategic Support Force, China’s new “information warfare service,” might operate in an actual conflict scenario (China Brief, February 8). Looking forward, attempts to achieve consensus on these issues must take into account the PLA’s concurrent advancement of strategic and doctrinal approaches to information operations, especially “cyber military struggle” (网络军事斗争), that include the PLA’s conceptual integration of peacetime and wartime (平战结合); anticipated attacks against civilian targets, including critical infrastructure; the intended mobilization of civilian cyber forces, under the aegis of the concept of military-civil fusion (军民融合); and also the potential for a preemptive cyber attack, given the PLA’s consistent “first strike” (先发制人) approach to information and cyber warfare. [5] These established aspects of the PLA’s existing strategic thinking call into question the viability of negotiating norms that would have to supersede theories and practices that might already be incorporated into official strategy and doctrine. Despite such potential obstacles, the PLA’s apparent interest in options for cyber arms control—against the backdrop of an intensified awareness of China’s own vulnerability and superior U.S. offensive cyber capabilities—could nonetheless reinforce the incentives for its acceptance of an eventual agreement for cyber rules of the road. 

A “Chess Game” of Cyber Rules? 

Certain authoritative PLA strategists tend to view the formation of rules for the cyber domain predominantly in terms of great powers’ strategic competition. General Hao Yeli, vice president of the China Institute for Innovation and Development Strategy and formerly deputy director of the Fourth Department (4PLA) of the General Staff Department (总参四部), argues that “the formulation of rules for cyberspace is actually just a process of great powers playing a chess game of interests” (Global Times, December 12, 2015). Similarly, Major General Ye Zheng, an influential Chinese information warfare theorist affiliated with the AMS Operational Theory and Regulations Research Department (作战理论和条令研究部), which is involved in the formulation of official PLA doctrine, has described the development of cyber rules as a “cyberspace strategic game and security struggle,” especially in the case of rules regarding cyberspace management, usage, arms control, and conflict. [6] 

This realpolitik perspective on cyber rules contributes to skepticism of U.S. intentions in efforts to formulate international cyber norms and an argument for advancing instead a distinctly Chinese agenda, centered upon the concept of cyber sovereignty. From Ye Zheng’s perspective, the U.S. “has a double standard” in the development of cyber rules, since it seeks to ‘seeks to impose a norm upon other countries but not upon itself,’ especially with regard to cyber arms control. [7] In particular, Ye Zheng urges opposition to the U.S. agenda for cyber norms and the advancement instead of norms that are favorable to the “fulfillment of national cyber sovereignty.” The PLA’s intensified focus upon the defense of China’s national cyber sovereignty has corresponded with diplomatic efforts, notably by China’s cyber czar, Lu Wei, to advance international acceptance of a more expansive understanding of the concept. Given the high-level focus on cyber sovereignty—including Xi’s frequently quoted remark that “cyber sovereignty is national sovereignty”—this could prove to be a sine qua non for Beijing. Although this outlook could constrain cooperation, even such “cyber realists” seem to recognize the necessity of a more secure cyber order and could be willing to compromise in order to achieve it. [8] For instance, Ye Zheng has suggested, with a cautious optimism, “It is possible that some cyber arms control agreements will be formulated akin to nuclear arms control and that they will lock up the “Pandora’s box” of cyber warfare.” [9] 

Cyber Arms Control? 

Although the PLA literature on the concept of “cyber arms control” remains relatively nascent, the initial analyses of the issue, including in China Military Science (中国军事科学), the AMS’ official journal, suggest that this topic is starting to receive substantive consideration within the PLA. In particular, Lieutenant Colonel Lu Jinghua, a post-doctoral researcher at the PLA’s AMS China-U.S. Defense Relations Research Center, has published several articles on cyber arms control, including an analysis of the divergences and opportunities for cooperation between the U.S. and China in this context. Although these articles represent the views of a relatively junior scholar within AMS, Lu, whose dissertation focused on U.S. strategic thinking on cyber warfare, appears to be one of the PLA’s emerging experts on cyber conflict. [10] 

While this particular perspective is probably not representative of a mainstream view at this point, such early examinations of the prospects for cyber arms control indicate an interest in and potential openness to options for constraining the use of offensive cyber capabilities. For instance, despite recognizing the difficulty of reconciling certain bilateral disagreements, Lu Jinghua evidently sees the need for some form of cyber arms control and is well versed in the relevant U.S. and international efforts. From Lu’s perspective, the differences of opinion between the U.S. and China on this topic include the U.S. preference to apply existing legal and normative frameworks, including the Laws of Armed Conflict, to cyberspace, relative to China’s preference for a new treaty and rules for cyberspace; the U.S. concept of “cyber security” in tension with China’s focus on “information security” (信息安全), the latter of which implies more expansive control over information; and whether to “comprehensively prohibit” cyber weapons, a position for which Beijing has argued (even while likely advancing its own offensive cyber capabilities in practice), or only “partially prohibit” cyber weapons, based on the U.S. preference. Her recommendations for progressing toward cooperation on this issue include the development of a common understanding of basic terms and concepts (e.g., how to define a “cyber weapon”), the establishment of a cooperative mechanism to remove barriers to verification in a potential arms control scenario, and the creation of a norm regarding the usage of cyber weapons, since preventing their ‘proliferation’ is infeasible. In particular, Lu notes that the potential of efforts to build upon a common interest in constraining the use of cyber weapons and the existing initiatives in this area, such as the Tallinn Manual, which, as she notes, includes a form of cyber sovereignty as a basis for the application of existing international law to cyber conflict. She argues that the U.S. and China can use the regulation of cyber military operations as the starting point for more expansive cooperation on cyber arms control. 

The emergence of such a range of views is perhaps an encouraging sign that U.S. discourse and diplomacy regarding cyber norms and the need for rules of the road are starting to have an attentive and, in some cases, reasonably receptive audience within the PLA. For instance, Lu Jinghua seems to be among what has been characterized as a cyber ‘institutionalist’ school of thought within the PLA, relative to the more realist perspectives of Hao Yeli, Ye Zheng, and others. Potentially, continued bilateral engagement on cyber issues, especially if inclusive of relevant stakeholders from the PLA, could be constructive. However, such theoretical arguments for cyber arms control currently come into tension with the PLA’s prevailing strategic and doctrinal approaches to cyber warfare, which could supersede peacetime commitments. 

Complications Based on the PLA’s Strategic Thinking 

Based on authoritative texts, certain aspects of the PLA’s strategic thinking on and articulated operational approach to cyber warfare could complicate and would undermine the credibility of diplomatic commitments to even the most fundamental rules of the road for the cyber domain. Consistently, the PLA’s approach to information warfare, which encompasses cyber warfare, has been characterized by the concept of “the integration of peace and warfare” (平战结合) and a corresponding lack of differentiation between civilian and military targets. According to the 2013 AMS edition of The Science of Military Strategy (SMS), “cyber attack and defense countermeasures are an everyday occurrence,” such that cyber military struggle is underway “at all times,” including anticipated attacks on civilian targets and critical infrastructure, such as power, transportation, and communications systems. [11] Similarly, by Ye Zheng’s assessment, “The strategic game in cyberspace is not limited by space and time, does not differentiate between peacetime and wartime, [and] does not have a front line and home-front…” [12] 

This highly integrated approach extends to the PLA’s conceptualization of the forces that would participate in cyber operations, which would further blur the conventional distinction between military and civilian domains. Beyond the longstanding linkage of information warfare to the traditional concept of people’s warfare, relatively authoritative sources, such as a 2005 AMS study guide on information operations, also allude to the participation of civilians in information warfare, observing that “the boundaries between military personnel and common people and between civilian-use and military-use [technologies] have all become indistinct.” [13] Notably, the 2013 AMS SMS and also the 2015 NDU SMS both allude directly to the participation of civilian cyber forces in a conflict scenario. The AMS SMS argues, since “military and civilian attacks are hard to distinguish,” the PLA should “persist in the integration of peace and war [and] the integration of the military and civilians,” such that “in peacetime, civilians hide the military, [while] in wartime, the military and the people, hands joined, attack together…” [14] This intended participation of civilian forces—including relevant personnel from government ministries, civilian industry, and even “some non-professional hobbyists who possess specialized skills”—is often linked to the expansive concept of military-civil fusion. [15] Such mobilization of civilian forces is unorthodox relative to most Western militaries and could complicate attribution efforts in a crisis through enabling plausible deniability to engage in proscribed cyber activities. 

In practice, those theoretical aspects of the PLA’s approach to cyber warfare could translate into a focus on extensive peacetime “cyber preparation of the battlefield,” which could undermine strategic stability. The PLA appears to take a highly integrated conceptual and likely operational approach to cyber reconnaissance (网络侦察) and cyber attack, unlike the U.S., which is legally required to maintain a distinction between Title 10 and Title 50 authorities in cyber operations. That is, for the PLA peacetime cyber reconnaissance (often characterized as cyber espionage) is considered “generally just the preparation for probable future cyber attack operations,” since “cyber reconnaissance very easily transforms into cyberspace attack,” if one only ‘presses a button.’ [16] For instance, even the code for Chinese “cyber weapons” used in espionage and offensive operations doesn’t differentiate clearly between reconnaissance and offensive functions; rather, those functions often tend to be integrated within a single cyber “tool.” (Belfer Center, February 4). Similarly, the 2015 NDU edition of SMS, presents the concept of “integrated reconnaissance, attack, and defense” (侦攻防一体), implying that the operational activities of Chinese cyber forces would likely take a less differentiated approach to these activities, which are inherently interrelated at the technical level. [17] Such operational integration, even if not directly proscribed by existing and nascent legal and normative frameworks, could raise the risks of misperception or misattribution of intent in a crisis scenario, given the lack of technical differentiation between ordinary cyber espionage and cyber preparation of the battlefield. 

These consistent aspects of the PLA’s strategic and doctrinal approach, which date back to PLA’s early literature on information warfare from the 1990s, could prove challenging to change credibly based on diplomatic commitments that are difficult to verify. Such texts’ advocacy for a lack of differentiation between peacetime and wartime, attacks without discrimination between military and civilian targets, and the mobilization of civilian forces in wartime cyber operations are certainly not amenable to the preferred U.S. normative frameworks. If the potential immutability of these practices is taken into account, ongoing efforts to advance cyber rules and cyber arms control could perhaps focus even more narrowly on cyber rules for which there would be the highest degree of shared interest and mutual vulnerability. 

Conclusion 

Although the terms of a hypothetical cyber consensus might seem suboptimal to the U.S. and China alike, the stakes could be high enough to motivate continued progression toward a common understanding of at least minimal rules of the road for this new domain. For instance, the Xi-Obama joint pledge to refrain from “attacks” against “critical infrastructure” (a concept defined differently by the U.S. and Chinese governments) during “peacetime”—which leaves open the option of peacetime “reconnaissance” to prepare for preemptive attacks—might be reframed as an absolute prohibition against all forms of cyber operations against certain forms of critical infrastructure (e.g., civilian nuclear facilities) at any time, with violations to be investigated and appropriate countermeasures approved by an independent international panel of experts. [18] Future progression toward a more comprehensive framework for a new cyber order might also require that the U.S. eventually recognize, at least in a limited, legalistic sense, the relevance of cyber sovereignty. Ongoing Chinese efforts to advance its own version of “cyber sovereignty,” which evidently includes its implementation of expansive controls over the freedom of expression and information, might make U.S. and Chinese approaches to this issue seem irreconcilable (China Brief, April 16, 2015). However, given that proposed legal frameworks, such as the Tallinn Manual, do recognize that national sovereignty has relevance in cyberspace, it seems that there might be space for a compromise in which the U.S. and China might each acknowledge that certain aspects of the traditional notion of sovereignty do apply, while the U.S. continues to oppose China’s particular interpretation of the concept. [19] 

Looking forward, “cyber anarchy” will continue to be “what states make of it,” and certainly cyberspace has thus far remained a domain in which a high degree of international anarchy has prevailed. [20] While appreciable differences certainly do and will remain between U.S. and Chinese perspectives and preferences, the apparent progression in the views of PLA theorists toward a more widespread recognition that such cyber rules and even cyber arms control could be necessary to reduce the risks of conflict is notable, perhaps even encouraging. If the U.S. can credibly demonstrate that it is not advancing a “double standard” and would adhere to restraints upon certain of its own cyber activities, then it seems plausible that the PLA might eventually reciprocate and perhaps even be equally constrained by a compromise regarding cyber rules that it perceived as fair and balanced. However, unless there were evidence that the PLA’s strategic thinking on cyber warfare were starting to recognize and incorporate such restraints, it will remain difficult to determine the relevance of any future diplomatic commitments. While an eventual U.S.-China agreement on cyber rules might seem infeasible at this point, past examples of China’s “socialization”—including, for instance, into the international arms control regime or based on its engagement in international institutions—do provide precedents for a trajectory that perhaps could ultimately be achieved in this new domain as well. [21] 

Elsa Kania is a recent graduate of Harvard College who is currently working as an analyst at Long Term Strategy Group. 
NATO Cooperative Cyber Defense Center of Excellence, “2015 UN GGE Report: Major Players Recommending Norms of Behaviour, Highlighting Aspects of International Law,” August 31, 2015, https://ccdcoe.org/2015-un-gge-report-major-players-recommending-norms-behaviour-highlighting-aspects-international-l-0.html 
However, the credibility of these commitments has already been questioned, given evidence of continuing, if perhaps somewhat reduced, Chinese commercial cyber espionage activities, as well as potential ongoing cyber preparation of the battlefield. See the recent FireEye report, “Red Line Drawn,” June 20, 2016, for further details on the apparent trends in Chinese commercial cyber espionage. 
Although “network” is the literal and perhaps more appropriate translation of 网络, I choose to use the translation “cyber” for the purposes of this article for clarity. 
Hao Yeli [郝叶力], “Great Powers Cyber Strategic Game and China’s Cyber Strong Country Strategy” [大国网络战略博弈与中国网络强国战略], International Relations Research [国际关系研究], 2015. 
See: Joe McReynolds, “China’s Military Strategy for the Network Domain,” Joe McReynolds (ed.), China’s Evolving Military Strategy, Jamestown Foundation, April 2016, for more extensive discussion of the topic. 
Ye Zheng [叶征 ], “A Discussion of the Innate Characteristics, the Composition of Forces, and the Included Forms” [论网络空间战略博戏的本质特征, 力量构成与内容形势], China Information Security [中国信息安全], August 2014. 
Ibid. 
See: Joe McReynolds, “China’s Military Strategy for the Network Domain” for the initial framing of this cyber/network realist and institutionalist distinction. 
Ye Zheng, “From Cyberwarfare to Cybersecurity in the Asia-Pacific and Beyond,”Lindsay, Jon R., Tai Ming Cheung, and Derek S. Reveron, eds. China and Cybersecurity: Espionage, Strategy, and Politics in the Digital Domain, Oxford University Press, 2015. 
吕 晶华 [Lu Jinghua], 网络军备控制:中美分歧与合作 [Cyber Arms Control: Divergences and Cooperation Between the U.S. and China], China Information Security [中国信息安全], September 2015;吕晶华 [Lu Jinghua],《美国网络空间战思想研究》[Research on U.S. Strategic Thinking on Cyber Warfare], 军事科学出版社 [China Military Science Press], 2014; e.g., 吕晶华 [Lu Jinghua], 《国际网络军控问题研究》 [A Study of International Arms Control in Cyberspace], 中国军事科学 [China Military Science], 2014. 
Academy of Military Science Military Strategy Research Department [军事科学院军事战略研究部], eds., The Science of Military Strategy [战略学]. Military Science Press [军事科学出版社], 2013. 
Ye Zheng [叶征], “A Discussion of the Innate Characteristics, the Composition of Forces, and the Included Forms” [论网络空间战略博戏的本质特征, 力量构成与内容形势]. 
Xu Genchu [徐根初], eds., Study Guide on Theories of Information Operations [信息化作战理论学习指南], Military Science Press [军事科学出版社], 2005. 
Academy of Military Science Military Strategy Research Department [军事科学院军事战略研究部], eds., The Science of Military Strategy [战略学]. 
Xu Genchu [徐根初], eds., Study Guide on Theories of Information Operations [信息化作战理论学习指南], Military Science Press [军事科学出版社], 2005. 
Academy of Military Science Military Strategy Research Department [军事科学院军事战略研究部], eds., The Science of Military Strategy [战略学]. 
Xiao Tianliang [肖天亮], eds., The Science of Military Strategy [战略学]. National Defense University Press [国防大学出版社]. 2015. 
The proscription against the targeting of civilian nuclear assets with offensive cyber capabilities was previously proposed in the report: East West Institute, “A Measure of Restraint in Cyberspace: Reducing Risk to Civilian Nuclear Assets,” January 2014. 
NATO Cooperative Cyber Defense Center of Excellence, “Tallinn Manual on the International Law Applicable to Cyber Warfare,” 2013, https://ccdcoe.org/research.html
Alexander Wendt, “Anarchy is what states make of it: the social construction of power politics,” International Organization, 46, no. 02 (1992): pp. 391–425. 
e.g., Evan S. Medeiros, Reluctant Restraint: The Evolution of China’s Nonproliferation Policies and Practices, 1980–2004. NUS Press, 2009. Alastair Iain Johnston, Social States: China in International Institutions, 1980–2000, Princeton University Press, 2014. 

No comments: