US/China Cyber War: Allegations, Denials, and Secrecy

We have just finished David Sanger’s new book on cyber warfare, titled “The Perfect Weapon: War, Sabotage and Fear in the Cyber Age”. Sanger is a national security correspondent for The New York Times and has been with the paper for 36 years. He is well sourced in Washington and, for whatever you may think of the Gray Lady, he clearly talks to the right people. Most of the book is a retelling of past cyber contretemps, from North Korea’s hack of Sony Pictures to the Stuxnet virus attack on Iran’s nuclear program. We’ll have a complete review of the book later this week.

The central lesson from Sanger’s narrative that we want to focus on today is simple: the world’s intelligence agencies (both East and West) will flat out lie about anything related to cyber warfare. There are many valid reasons for this, including:

• The cyber battlefield is very new. The closest analogy is to the earliest days of the airplane, when militaries only considered them useful for observation purposes. It took time for fighters, bombers, and other uses to become obvious and even more time for technology to make them possible. [su_spacer] In the case of cyber warfare, no government anywhere wants to discuss their strategy for developing these tools or putting them to work; the field is so new that the range of what is possible is still expanding rapidly. Nor do they want to reveal what they know about other governments’ initiatives, even inadvertently.

• Cyber war is too new to have a rulebook for what is considered in or out of bounds. Consider the history of nuclear weapons as an instructive case study. The global Treaty on the Non-Proliferation of Nuclear Weapons only came into force in 1970, 25 years after the end of World War II. And long after a dozen-plus counties had nukes. [su_spacer] The limits of cyber warfare are therefore still undefined, and there is little sign that will change any time soon. And as with the prior point, no rules means no incentive for revealing anything related to cyber warfare initiatives.

• Governments do not have an established protocol for slotting a cyber attack into a continuum of traditional military responses. By limiting public knowledge about cyber incursions, governments do not have to explain why they aren’t “doing something” about them.

• Further, it is almost impossible to publicly identify the source of a cyber attack without also tipping off your adversary about your own capabilities. Such disclosure can actually degrade your advantage, something intelligence agencies are typically loath to do.

All this is important context for understanding a recent Bloomberg scoop: Chinese military operatives planted secret microchips on servers that ended up in the data centers of a major bank, US government contractors, Amazon, Apple, and many other western companies. Once the computer was installed and turned on, the chip would alter the operating system, allowing unauthorized users to access stored information and make further code modifications possible. Apple caught on in 2015 and alerted US authorities according to the article.

In the last few days, Apple and Amazon have both denied the allegations presented in the Bloomberg story. You can read a summary of their responses here and in our links section below: https://www.theverge.com/2018/10/4/17936968/apple-amazon-deny-servers-chinese-spy-chips

Who should we believe? Bloomberg’s well-documented story, or the companies’ responses, supported over the weekend by statements from the Department of Homeland Security?

This is where Sanger’s book sheds some needed light, because there is precedent for the US government asking American companies to keep information about cyber warfare out of the public eye. The reasons why all relate to our bullet points above. Cyber warfare has no rules, doesn’t fit neatly into a national security framework, and no country wants to give up any edge it might temporarily enjoy.

And, let’s be honest… it’s not like Silicon Valley and Washington are on the best of terms at the moment. If a government agency asks a private company (even one that has public shareholders) to deny a story on the basis of national security concerns, it would be hard for that business to say no.

If all this is too conspiratorial for you, then just consider this note a mind-expanding “what if” rather than proven fact. The central point is valid regardless: with trade tensions still rising between the US and China, supply chain security is just one more argument for onshoring the production of computers and other tech-enabled devices. Expect to hear more about it, denials notwithstanding, in the coming weeks.