The West Is Already Fighting in a Cyber Conflict
The West’s inability for more than twenty years to impose meaningful penalties only encourages these countries. Playing in an arena with no rules and no risk is the core of the Russian and Chinese advantage.
There is general recognition that the United States’ most active opponents in cyberspace are (in order of proficiency) Russia, China, Iran, and North Korea. The first two are the most skilled and the most dangerous. Cyber operations form a central part of their larger efforts to harm the United States and its allies and, in China’s case, to build its technology base.
The West’s historic weakness in cyber defense encourages opportunism. Russia began computer network espionage in the 1980s, going after defense research and technology. China began cyber espionage in earnest in the early 2000s, when it connected to high-speed global networks. China is omnivorous when it comes to stealing intellectual property (IP) for commercial purposes. While U.S. cyber defenses are now stronger, they are not strong enough to stop these advanced opponents.
Russia has natural advantages. Its cyber efforts build on a decades-long legacy of signals intelligence, espionage, and influence operations. Russia’s universities crank out skilled mathematicians and programmers. Close ties between the Kremlin and the “Vory” (Russian criminal groups that became powerful after the collapse of the Soviet Union) create a culture where crime is deeply interwoven with government. This is blended with (as we have seen in Ukraine) a powerful urge for revanchism and a general disdain for Western democracies that the Biden administration has only just begun to reverse.
China shares Russia’s disdain for democracies. It started out less capable than Russia, but the Chinese government’s massive and continuous cyberespionage efforts have steadily improved its capabilities. Before Xi Jinping took office, Chinese companies routinely hacked each other as well as Western competitors and the PLA freelanced for commercial gain, hacking to steal IP and resell it to Chinese companies. China also has a strong hacker culture connected to its growing technology sector. Xi has sought with considerable success to bring hacking under Chinese Communist Party control and focus it on his strategic goals. Private hackers were told to cooperate or else, People’s Liberation Army hacking was refocused to support national intelligence goals, and China’s foreign intelligence agency, the Ministry of State Security, was allegedly given a larger role in cyber espionage. There has been a marked uptick in cyber espionage since Xi’s arrival.
Russia and China have very strong espionage agencies. Both also have well-developed military institutions comparable to U.S. Cyber Command. Russian military doctrine focuses on creating disruptive political effects and social turmoil to weaken an opponent’s will to resist. In the event of armed conflict, Russia will also attack critical infrastructure. China’s approach is different. In wartime, it will use cyberattacks to degrade the performance of U.S. weapons and disrupt reconnaissance assets and command and control. China’s cyber efforts are linked to its planning for kinetic attacks, blending, for example, simultaneous hypersonic strikes against aircraft carriers with cyber interference to degrade defenses.
Russia, China, and Iran have infiltrated American critical infrastructure networks, conducted reconnaissance, and in some cases may have left behind small pieces of code to guide later access. They have avoided massive cyberattacks to cripple critical infrastructure. They have the ability to launch massive attacks, but have chosen not to do so, avoiding actions that might provoke the United States. So far, they have been careful to ensure that their cyber actions stay below an implicit “use-of-force” threshold, meaning attacks that cause physical damage or casualties.
Neither Russia nor China shares the U.S. obsession with Cold War strategies like deterrence. They see a country that lost two wars and had a mob storm its capital and think it is weak. It will take time to change their perceptions that cyberattacks are risk-free if they avoid casualties or physical destruction. This means Russia may be tempted to act on its threats to retaliate for Ukraine sanctions, perhaps by encouraging cybercriminals to take actions that have some political resonance, like Colonial Pipeline. Using cybercriminals gives the Kremlin some deniability, however implausible. It would be an expression of pique, a gesture of insolence toward the United States, and part of the larger strategic threat posed by Russia. Any incident would be a test to see how the United States reacts, and China is watching with interest.
We are already in a conflict, just not one that fits twentieth-century thinking about warfare. Cyberattack is the new battlespace in this conflict, and while the United States has strengths, so do our opponents. Their success is not dependent solely on technical capabilities. A certain disregard for the laws and conventions that govern international relations gives Russia and China an advantage, particularly against legalistic opponents. Both also benefit from clear goals and, at least in Russia’s case, from having a well-defined offensive cyber doctrine. Finally, the West’s inability for more than twenty years to impose meaningful penalties only encourages these countries. Playing in an arena with no rules and no risk is the core of the Russian and Chinese advantage.
James Lewis writes on technology and public policy at the Center for Strategic and International Studies (CSIS), where he is a senior vice president and directs the Strategic Technologies Program. Before joining CSIS, he was a diplomat and a member of the Senior Executive Service with extensive negotiating, politico-military, and regulatory experience.