Two weeks ago, Admiral Mike Rogers, head of U.S. Cyber Command and the director of the National Security Agency, told a congressional panel that China and “one or two” other countries would be capable of mounting a cyberattack that could shut down the power grid or other critical infrastructure. In addition, over the last two years, there have been a number of public reports that China-based hackers broke into industrial control systems (ICS). UglyGorilla, one of the five People’s Liberation Army hackers indicted by the Department of Justice, reportedly hacked into the computers of a public utility in the northeastern United States, perhaps to map the system in preparation for a future attack.
As with previous U.S. claims, the Chinese have fiercely denied that they hack at all, much less into industrial systems. But in one of the denials, there is an interesting insight into Chinese concerns about U.S. capabilities. This article in Chinese points out that these claims have been made before and are part of the “China threat theory,” efforts by Congress, the Defense Department, and others to paint China as a threat to the international order. The novelty and importance of the claim, the article argues, is that Rogers is its source. The article asserts, in a roundabout way, that this is evidence that the United States is capable of hacking into China’s power grid. No one knows what cyber capabilities China possesses, and so if Rogers is worried about someone hacking into U.S. critical infrastructure it is because he knows that Cyber Command can do it to others.
More concrete evidence of this concern is clear in the announcement this week that China is establishing its first laboratory to work on information security for industrial control systems (the story was also covered with the headline, “China’s Industrial Control System Information Security System is Grim“). According to the announcement, over 80 percent of China’s economy and critical infrastructure involve some type of industrial control system. These systems are vulnerable to attack for at least three reasons: operators have low security awareness and ICS are connected to the Internet; Chinese industry is heavily reliant on foreign suppliers for ICS and these suppliers have access in order to service or update software; and the country lacks a testing range or simulation environment to prepare for and defend against attacks. The laboratory is meant to address all of these weaknesses.
This sense of vulnerability could break in one of two ways for stability in the U.S.-China relationship. On one hand, if vulnerability is high and defense is difficult, there are incentives to use cyber attacks quickly before your adversary does. Offense has the advantage, and crises could quickly escalate through cyberattacks. On the other hand, a mutual sense of vulnerability may help create deterrence. You do not dare launch a cyberattack because you know the same could happen to you.
It would be good to know which the Chinese think is more likely, and to discuss how we might dampen the potential instability in the relationship through greater transparency and discussions of thresholds of attacks. As Rogers told the panel, “We need to define what would be offensive, what’s an act of war.” Unfortunately, the two sides are not talking right now (the Chinese suspended the cyber working group after the Department of Justice indictment), which means, to parrot the Chinese article, the ICS information security situation will continue to be grim.
This piece first appeared on CFR’s blog Net Politics.