EMC Chair Conference Paper

A Theory of Cyber Espionage for the Intelligence Community

Brandon Valeriano, University of Glasgow
Ryan Maness, University of Illinois at Chicago

The case of Russian cyber operations is indicative of the potential pattern of cyber intelligence operations in the future. At first Russia was an active aggressor, utilizing cyber attacks against Estonia in 2007 and Georgia in 2008. Since then it has remained relatively silent in the course of cyber operations. The answer to why this outcome has presented itself can likely be found through a series of norms and blowback to the original use of cyber-attacks. The matter of how Russia has and will utilize cyber attacks in the future is likely to exhibit the patterns of cyber espionage. Cyber espionage is defined as the use of dangerous and offensive intelligence measures in the cyber sphere of interactions. As Maness and Valeriano (2013) state, Russian actions in the cyber sphere are likely examples of literally the least they can do in the system. Their capabilities far outpace the actual use of the technologies in reality. Russian demonstrations of cyber power have been minimal.

States have utilized cyber espionage operations, but they have done so rarely and their use of these tactics fits in with general theories of rivalry and support for non-state actors. We see this process at work in China. While the Chinese are active in cyberspace and have their own offensive cyber command, the reality of their use of cyber attacks is very minimal and exhibits the typical dynamics of espionage interactions rather than outright cyber warfare. In response to negative articles on the Premier of China, Wen Jiabao, the Chinese launched a series of denial of service attacks and phishing attacks against the New York Times and Washington Post. All of the New York Times’ employees’ computers, passwords, and email accounts were infiltrated.
The media outlet had been the victim of these attacks for at least four months until security experts were able to finally shut these phishing attempts down. More interesting is that in tracing the sources of the attacks from China, it was found that these attacks were the work of a Chinese government operation known as the Chinese People’s Liberation Army, an entity that has been troubling government and private networks in the U.S. for years (Perlroth 2013). While troubling and concerning, these attacks fail to reach the level of hyperbole of most prognosticators. Instead of destroying American media operations, they have only sought to disrupt, punish, and steal information from those they feel are the original aggressors.

The views expressed in this paper are those of the authors and do not reflect the official policy or position of the Department of the Navy, Department of Defense, or the U.S. Government.

A noticeable gap in the literature is the lack of any development of a theory of cyber espionage between states or state based targets. Cyber intelligence operations are proliferating, but at a low level, mainly in the area of espionage. Considering this process, why then would states utilize cyber espionage operations over full scale cyber offensive operations? What sort of defensive intelligence mechanisms does the United States have for thwarting or launching cyber espionage campaigns?

To develop the logic behind this process we must understand the intention of cyber operators in the system. The first relationship between cyber abilities and actions is the observation that states do literally the least they can do in the cyber sphere. The point for a state cyber attack seems to be to demonstrate capabilities rather than destroy systems and operations, extreme attacks such as Stuxnet and Flame excluded. It is as if the attackers only want it made known that they exist and have capabilities.
As with conventional deterrence policies, actions and responses are only effective if they are communicated to the target. China and Russia have achieved this goal in their cyber operations. They have made known their capabilities and reach, and then have chosen to go no further. Why would this be the case?

In terms of rivalry relations, recent observations by Conrad (2011) and Maoz and San-Akca (2012), in relation to a rival state’s support of terrorists or non-state actor groups, argue that the advantage of covert operations and supporting these groups is deniability and the perpetuation of bait and bleed strategies. Through the infliction of wounds, which might be physical, psychological, or economic, the hope is that these problems will multiply and proliferate.

Likewise, cyber espionage could also be part of the usual process of a rivalry where one cuts the nose to spite the face – the tendency to burn a rival (Valeriano 2013). By harassing a rival state, a state provokes a reaction. Sometimes this reaction can be offensive but just as importantly the reaction is defensive. While defensive actions are generally benign, sometimes they go too far. As Mueller (2006) has documented so well in relation to terrorism, the protection industry that sprang up around it has been more devastating than the tactic itself. By seeking secure forms of protection against cyber espionage threats, the target then overreacts, overprotects, and cuts itself off from the systems and opportunities the global information age has done so well to create. Just as business has been harmed by terrorism, business itself has been just as hardened by cyber operations.
Certainly companies can lose millions of dollars in order to clean malware and prevent attacks, but they are just as likely to lose even more money in taking extreme actions to protect themselves in the future. These organizations spend money on software that has little or no probability of stopping what are termed zero-day threats. These threats are termed zero-day because they cannot be anticipated and stopped, only reacted against once they happen. The paradox is the amount organizations spend to protect what they cannot possibly defend against.

The other process in cyber espionage is the tendency to try to balance against a rival. Balancing is neither peaceful nor beneficial (Morgenthau 1952, Bremer 1992); but it does happen and will often be a goal of states engaged in a rivalry. In some ways the idea is to achieve gains through non-conventional means because the rival state cannot hope to catch up to its competition through conventional tactics. This may be the motivation for the numerous cyber espionage campaigns and operations launched by China against the U.S. government and the American private sector. China cannot match the Americans in terms of conventional military means, but it seems to have an edge on the U.S. in cyberspace, and has used these capabilities much to America’s chagrin.

H1: Due to power imbalances, less powerful rival states will use cyber espionage as a tactic to perceptively bridge the power gap with the more powerful state.

Another process in rivalry is what is called the normal relations range (Azar 1972) where rivals try to manage competition and engagement through level operations. In the process of cyber espionage, the tactic is likely utilized to manage low level proxy battles that avoid direct confrontations.
South Korea and Japan seem to exhibit this behavior, as both have much animosity towards each other yet are also close allies with the United States. Cyberspace seems to be the perfect forum to vent their frustrations with each other.

H2: Due to international constraints and norms, rival states will use cyber espionage in order to manage low level competition between two actors but this competition will be minimal and represent the normal relations range of rival interactions.

Finally, cyber espionage operations during a rivalry can be a way to place economic costs on the rival. The goal is to punish through harassment and engagement of the business community of the opposing side of the rivalry. Table 1 below shows that China is particularly active in cyber espionage, causing large-scale economic losses in the U.S. and East Asian region. The goal is to provoke a reaction in the population of a rival state.

The Mandiant report released in February 2013 has provoked a media and public frenzy of fear and uncertainty about China and its status with the United States. This report provides information accusing China of stealing sensitive documents and secrets pertinent to American national security. However, this report releases nothing new and nothing some in Washington did not already know. The Chinese have been infiltrating American networks and stealing information in cyberspace for over a decade now. The question that should be asked is why the Americans have been letting China get away with this for so long. They either need to better their cyber defenses or make clear to China that this sort of activity will not be tolerated. Thus far, they have done neither. Some theories of terrorism suggest that the tactic can be used to impact voting patterns or be a shortcut to a revolution (Conrad 2011); in terms of espionage in cyber, the goal would then be to provoke domestic reactions through the fear of the cyber threat.
H3: Rival states will use cyber espionage to provoke economic costs to their rivals, as these perceived threats will get public attention and create demands for more spending on national security.

Previous research (Valeriano and Maness 2012, Valeriano and Maness 2013) has constructed a working dataset of all cyber incidents and operations from 2001-2011. Table 1 parses out the findings of this data and shows all incidents and operations that can be identified as cyber espionage campaigns, where the initiator’s objective is to steal sensitive information from the target government or private sector essential to national security. On the severity scale, a “1” indicates the least severe cyber incident and a “5” indicates the most severe attack, which results in a catastrophic event in the target state. The highest cyber espionage attack is at “3,” when China infiltrated the Pentagon and India’s military establishment and stole sensitive documents. Another espionage incident at this severity level is the Chinese theft of Lockheed-Martin’s F-35 jet plans. The effects of these infiltrations have yet to be seen, as China has not come out with any American or Indian military technology. China is using its abilities in cyberspace to harass its more powerful competitor in the United States and regional competitor in India. This suggests that neither H1 nor H3 can be falsified. China is using its cyber abilities to counter U.S. power as well as provoke defense spending increases due to perceived American insecurity. China is also perhaps provoking India into more defense spending to keep its closest regional competitor down.
Also indicative of Table 1 is the fact that China is the most involved in the use of cyber espionage as a foreign policy tactic. Many of these cyber espionage operations are used on fellow Asian nations. Perhaps this is to project the regional prowess of a rising China in East Asia to let its rivals, most notably Japan and Taiwan, know that it has arrived as a world power. Another possibility is that this is as far as China can go with these powers as they are closely aligned with China’s global competitor, the United States. There is reason not to falsify H2 when interpreting the results of Table 1.

Table 1: Publicly-known Cyber Espionage Incidents and Operations [1]

This preliminary analysis of a theory of cyber espionage has generated the need to go further in our study of this topic. The cyber-industrial complex has been a prominent force in this process. By operating on an active level in the industry, they make the suggestion that they can protect against these threats, when in all likelihood the error is on the target rather than the attacker. If networks are insecure, if individuals continue to respond to phishing attempts and lack the basic common sense necessary in cyber interactions, they will always fall prey to attacks. The attacks only make the never ending cycle of cyber operations go round.

[1] Attribution is whether or not a government acknowledged involvement in the cyber espionage: 0=no comment, 1=denial, 2=acknowledgement, 3=multiple attribution for operations. Severity is based on an ascending scale, with 1 being benign attacks and 5 being the most severe.
In what is termed cyber espionage, the goal should really be to harden targets, teach good cyber practices so that individuals do not fall prey to attacks, and to think of rational responses to cyber threats, not the irrational and exaggerated responses we have seen quite often in the digital industry and by some governments.

State based cyber espionage is literally the least a state can do. It chooses to take on these operations because they are easy and cost-free in that the aggressor can deny perpetuation of the attacks. They are forms of harassment in a rivalry, but as with most forms of harassment, the tactics used are relatively benign, cumulative, and serve as nuisances rather than patterns.

Cyber espionage is to be expected. The espionage industry is one of the oldest professions in this world and it is not going away. States will use whatever tactics they can to achieve political ends. But throughout the course of history, the impact of espionage has been relatively minor, and major successes can generally be attributed to errors in the target rather than the prowess of the aggressor itself.

References

Azar, Edward E. 1972. “Conflict Escalation and Conflict Reduction in an International Crisis, Suez 1956.” Journal of Conflict Resolution 16 (2): 183-201.

Bremer, Stuart A. 1992. “Dangerous Dyads: Conditions Affecting the Likelihood of Interstate War 1816-1965.” Journal of Conflict Resolution 36 (2): 309-341.

Conrad, Justin. 2011. “Interstate Rivalry and Terrorism: An Unprobed Look.” Journal of Conflict Resolution 55 (4): 529-555.

Maness, Ryan C. and Brandon Valeriano. 2013. The Reemergence of Russia: Rivalry and Foreign Policy in the Near Abroad and Beyond (Lynne Rienner Publishers, editing phase).

Maoz, Z., & San-Akca, B. 2012. “Rivalry and State Support of Non-State Armed Groups (NAGs), 1946–2011.” International Studies Quarterly, 56 (4): 720-734.

Morgenthau, Hans. 1952. “Another ‘Great Debate’: The National Interest of the United States.” The American Political Science Review, 46 (4): 961-988.

Mueller, J. 2006. Overblown: How politicians and the terrorism industry inflate national security threats, and why we believe them. (New York: Free Press).

Perlroth, Nicole. 2013. “Hackers in China Attacked the Times for Last 4 Months.” The New York Times 1/30/2013. Online: http://www.nytimes.com/2013/01/31/technology/chinese-hackers-infiltrate-new-york-times-computers.html?pagewanted=all.

Valeriano, Brandon. 2013. Becoming Rivals: The Process of Interstate Rivalry Development (New York: Routledge).

Valeriano, Brandon and Ryan Maness. 2012. “The Fog of Cyberwar: Why the Threat Doesn’t Live Up to the Hype.” Foreign Affairs. http://www.foreignaffairs.com/articles/138443/brandon-valeriano-and-ryan-maness/the-fog-of-cyberwar?page=show#.

Valeriano, Brandon and Ryan C. Maness. 2013. “Cyberwar among Rivals: The Dynamics of Cyber Conflict between Antagonists, 2001-2011” Under Review.