Grand Strategy

David Sanger has a very interesting article in Saturday’s New York Times, reporting that the United States has decided to retaliate against China for the hacking of the Office of Personnel Management. According to Sanger, how the United States will respond is still a matter of debate. The White House is uncertain whether the response will be symbolic or something more substantial; whether it will be public, known only to the Chinese, or secret; and whether it will happen soon or sometime in the future. Over at Lawfare, Jack Goldsmith argues that the White House’s inability to craft a response highlights the challenges of deterring an adversary through counterstrikes, and that deterrence through resilience and defense may be a better option. I am going to pick up on one of the policy responses mentioned in the article, what Sanger calls "one of the most innovative actions" discussed in the U.S. intelligence agencies: finding a way to breach the Great Firewall so as to demonstrate to the Chinese leadership that the thing they value most—"keeping absolute control over the country’s dialogue"—could be at risk. First, a quibble. I am not sure that the idea of attacking the Great Firewall is innovative. I have heard it raised at conferences and other discussions since at least 2010. It may have also happened before. The drop of the Shanghai stock market by 64.89 points on the 23rd anniversary of the Tiananmen massacre (which occurred on June 4, 1989, or 6/4/89) may have been a weird coincidence, or the type of innovative policy Sanger is describing—an effort to show the Chinese leadership that their control was vulnerable. Even if this is an old idea that is seeing new light, it is hard to see how it would deter future Chinese attacks, if only because Beijing appears to believe that the United States is already using the Internet to undermine domestic stability and regime legitimacy. As an article in PLA Daily put it in May (translation by Rogier Creemers): Cybersovereignty symbolized national sovereignty. The online space is also the security space of a nation. If we do not occupy the online battlefield ourselves, others will occupy it; if we do not defend online territory ourselves, sovereignty will be lost, and it may even become a “bridgehead” for hostile forces to erode and disintegrate us. Sanger’s article does not get into details, but there are at least three types of attacks that could be considered: hacks that expose information embarrassing to the leadership; allow Chinese users access to blocked websites outside of China; and lessen or dismantle controls on information within China. Beijing is likely to believe that Washington is already engaging in the first two types of attacks. A hack that exposes corruption or offshore bank accounts, for example, will not be seen as any less a hostile act than the New York Times’ reporting on the hidden wealth of former prime minister Wen Jiabao’s family or Bloomberg’s on the assets of Xi Jinping’s family. In addition, the State Department has spent over $100 million to help develop anti-censorship technology and train online activists, and some of that funding has gone to groups trying to give Chinese users tools to jump over the Great Firewall. Given this perception, counterattacks may not look like tit-for-tat retaliation for the OPM hack but instead as part of ongoing battle in and over cyberspace. In the best case scenario, the Chinese would simply react with more hacking of U.S. targets. In the worst case scenario, attacks directed at the Great Firewall risk significant escalation. Despite the White House’s framing of Chinese cyberattacks as a threat to the U.S. economy and the bilateral relationship, Beijing has probably discounted the importance of the issue to the United States. China’s leadership probably calculates that Washington does not want to scuttle Beijing’s cooperation on a range of global issues over cybersecurity. They also view the United States as the predominant power in cyberspace, willing to use claims of Chinese hacking as a precursor to and justification for more cyberattacks on others. Beijing would likely view the types of responses being debated by U.S. intelligence agencies as disproportionate to the OPM hack, and deem them new threats to national security that call for a Chinese response. This is not argue that the United States should not retaliate for Chinese state-sponsored cyberattacks. Rather, it suggests trying to keep the responses as proportionate as possible—economic sanctions for the cyber-enabled theft of intellectual property; counterintelligence operations for political and military espionage—and, perhaps most importantly, improving defenses and making it much harder for an attacker to breach U.S. networks.

After yesterday’s meeting between top Communist Party leader Nguyen Phu Trong and President Obama and Vice President Joseph Biden, the United States-Vietnam relationship seems poised to reach a new level. As the Washington Post noted, it is rare for the president to welcome at the White House a foreign leader who is not the head of state or head of government. But an exception was made for the Vietnamese leader, since Hanoi is becoming increasingly important to U.S. strategic interests in Asia, and since Nguyen may well wield as much power as Vietnam’s president or prime minister within Hanoi’s opaque leadership structure. In a speech today at the Center for Strategic and International Studies, Nguyen is expected to call for a series of steps to move the bilateral relationship forward, and he will find his ideas reciprocated in Washington. As I noted in a working paper earlier this year, the U.S. relationship with Vietnam is well on its way toward becoming the United States’ closest strategic partnership in Southeast Asia, other than with Singapore. It is not impossible to imagine, in a decade or so, that Hanoi and Washington would become treaty allies. The joint vision statement issued just after Nguyen’s visit to the White House is but one sign of the new level of U.S.-Vietnam ties. Although Thailand is a U.S. treaty ally, Thailand’s decade-plus domestic turmoil has made it an unsteady, often distracted partner. The United States’ other treaty ally in Southeast Asia, the Philippines, is a vibrant democracy with close economic and cultural ties to the United States, but its regular (not reserve) armed forces are about half the size of Vietnam’s, and it remains tied down by its own ongoing insurgencies. Vietnam, meanwhile, not only has an armed forces employing, overall, over 400,000 people but also an increasingly sophisticated navy. Hanoi also has slowly moved away from the strategy it has pursued since the 1990s of balancing relations between China, the United States, and other regional powers; the May/June 2014 South China Sea standoff between Hanoi and Beijing sped up Vietnam’s shift. As Alexander Vuving notes, “After the [South China Sea] incident, some members of the Vietnamese National Assembly called China an invader and an enemy, breaking a taboo that had been in place for more than two decades since the renormalization of Sino-Vietnamese relations in 1991.” It is possible that, in the next decade, Vietnam will formally abandon the “three nos” of national defense policy---no military alliances, no foreign military bases on Vietnamese soil, and no reliance on external powers for Vietnamese defense---that has underpinned Hanoi’s strategy for decades. Vietnamese leaders have become so worried about China’s growing regional power that they have formed strategic partnerships, in the past five years, with the Philippines, Singapore, and Japan, among others. (The U.S.-Vietnam partnership is formally called a comprehensive partnership.) The partnership with the Philippines, which along with Vietnam is the most aggressive Southeast Asian claimant to the South China Sea, appears to have angered Beijing significantly---in some ways more than Vietnam’s ties with the United States. By the end of President Obama’s second term, the U.S.-Vietnam relationship will likely become stronger in several ways. Vietnam’s willingness to join the TPP, despite being the poorest and, in many ways, most closed economy involved in the TPP, sends an important signal of Hanoi’s commitment to economic reform. Although Vietnam was already an important destination for U.S. investment, joining the TPP is likely to bring a new flow of investment from U.S. and Japanese firms, among others. In addition, U.S. arms sales to Vietnam, allowed last year, are likely to be expanded. Although Vietnam’s human rights climate has not improved in the past five years---Freedom House notes that “in 2014, Vietnam continued to suppress freedom of expression online, in print, and through public demonstrations"---congressional opposition to arming Vietnam has waned, though a group of congresspeople did write the president expressing concern about human rights before Nguyen’s visit. On the eve of Nguyen’s visit, Human Rights Watch urged the United States and other countries to “press the Vietnamese government to end abusive policies and practices,” and used op-eds and other forums to remind Congress and other opinion leaders of Vietnam’s repressive rights record. But the lobbying appeared to have only a limited effect. Obama administration officials specifically told reporters that “there was no promise from Vietnam to release prisoners or amend free speech laws in exchange for [Nguyen’s] meeting with Obama,” according to the Washington Post. Ten years ago, concerns about Vietnam’s rights record might have led Congress to seriously criticize, and try to block, an invite to Washington for the Party chief. But with the Republicans in control of the Senate for now, and Senator John McCain chairing the Armed Services Committee, the most influential congressional advocate of arming Hanoi and building closer ties wields significant power. Obama also probably will visit Vietnam in the fall---he told Nguyen only that he would visit the country soon, but the visit will likely take place during Obama’s already-scheduled autumn trip to Asia. The presidential trip would highlight Hanoi and Washington’s closeness, provide a measure of support to pro-U.S. leaders within Vietnam’s ruling party, and potentially set the stage for the next U.S. president to consider a treaty alliance with the country.

After the Obama administration’s victories in Congress the past two weeks, it appears far more likely that the United States will become part of the Trans-Pacific Partnership. Bilateral negotiations are still taking place between some of the countries negotiating the TPP---the United States and Japan still have major issues to resolve---but the chances of these bilateral hurdles being resolved, and the final agreement being negotiated, have risen substantially now that President Obama has gained fast track authority. As the TPP’s chances rise, more countries in Asia appear ready to join the negotiations, most likely as members of the second round of nations joining the deal. The Philippines’ trade secretary last week indicated that the country wants to join the TPP. “I want to state clearly and irrevocably that we want to join TPP,” Philippine trade secretary Gregory Domingo told a conference at the Center for Strategic and International Studies. But the Aquino administration faces significant hurdles to joining. The Philippines’ state enterprises, while not as much of a challenge to trade talks as the state firms in Malaysia and Vietnam, are still likely to wield their influence in an attempt to prevent the Aquino administration from moving forward with TPP negotiations and possibly being forced to liberalize sectors of the economy dominated by state companies and other monopolies. In addition, the Philippines---unlike Vietnam, Brunei, or Malaysia---is a democracy, and one in which the public generally does not have a favorable view of trade deals. Although President Aquino, like all presidents of the Philippines (the executive only gets one term in office), is a lame duck, he still wants to use his influence to support his party’s preferred successor---which now appears to be Senator Grace Poe---in winning the presidency. Negotiating to join a trade deal likely to be unpopular with the public and with key segments of elite opinion---church leaders, many NGO leaders---is not going to help Aquino pass on whatever popularity he has left. Thailand has repeatedly expressed interest, in theory, in joining the TPP, though the Thai government has been assessing the costs and benefits of the TPP for Bangkok for at least three years. In theory, Thailand is better equipped to join the TPP than the Philippines. The country is likely to remain under authoritarian or pseudo-authoritarian rule for several years, so public sentiment about a trade deal would matter less, and the Thai economy is slightly more open than that of the Philippines. But Thailand’s contentious domestic politics have made it difficult for the Thai government to focus on anything other than drafting the new constitution, suppressing dissent, and ensuring the military’s sustained influence. With Thai politics in such turmoil, it is hard to imagine Bangkok focusing its energies on the TPP. South Korea has repeatedly expressed interest in joining the TPP but has not formally committed to joining negotiations. Although some in Congress are wary of South Korea joining the TPP, because they view the United States-South Korea bilateral deal as having not delivered enough benefits to the United States, South Korea is in a far stronger position to join the TPP than Thailand or the Philippines. A recent survey by the Korea International Trade Association shows that South Korean companies strongly support Seoul joining the TPP. Notably, small and medium-sized Korean firms, as well as large companies, expressed support for entering the TPP. Taiwan also reportedly has expressed interest in joining the TPP, after the current parties to the negotiations agree on terms and launch the free trade area. Taiwan is solidly positioned to join the TPP, though the American Chamber of Commerce in Taipei recently noted that the Taiwan government would have to modify some regulations on sectors including medical devices and some areas of e-commerce to harmonize these regulations with the standards likely to be adopted in the TPP. However, even though Taiwan relies on trade, and President Ma Ying-jeou has called for an “all-out effort” to make the island ready to join the TPP, presidential elections loom early next year. It remains unclear whether the opposition, if it wins the presidency, will be as committed to joining the TPP.

Ashlyn Anderson, Lincoln Davidson, Lauren Dickey, Darcie Draudt, William Piekos, and Ariella Rotenberg look at the top stories in Asia today. 1. Up to 440 presumed dead after Chinese cruise ship capsizes. A Yangtze River cruise ship sank during a torrential rainstorm in Hubei Province Monday evening. While emergency services rushed to respond, four days later only fourteen passengers have been rescued, making this the most deadly peacetime maritime disaster in China’s recent history. Concerned, as usual, about media representations of tragic events, Chinese censors quickly sent out an order to media outlets to stop dispatching reporters to the scene and only run reports from Xinhua and CCTV, and authorities on site began turning away journalists and even some rescue workers. That response may represent a change from a previous strategy of information denial to one more concerned with shaping public perceptions. 2. Secretary Carter travels to Asia to add oomph to the U.S. rebalance. On a ten-day trip across the Asia Pacific, U.S. Secretary of Defense Ashton Carter made stops in Hawaii, Singapore, Vietnam, and India. Carter attended the change-of-command ceremonies for the U.S. Pacific Command and U.S. Pacific Fleet before traveling to partner countries in South and Southeast Asia to shift into the “next phase of the rebalance.” In Singapore, Carter delivered the keynote address at the Shangri-La Dialogue in which he emphasized a shared regional architecture to connect and create opportunities for Asia-Pacific people and nations. The South China Sea featured prominently in his meetings in Vietnam and India. With the Vietnamese defense minister, Carter proposed a complete end to island militarization and reclamation projects. Carter also pledged $18 million to help Vietnam purchase American patrol boats. In India, Carter and his counterpart renewed the defense framework agreement and ramped up defense cooperation under the Defense Technology and Trade Initiative. 3. U.S. government employees’ data breached by Chinese hackers. Four million current and former federal government employees’ personal data was accessed starting late last year by hackers based in China, the Obama administration announced Thursday. The hackers, who the New York Times claims are the same group that hacked health insurance companies Anthem and Primera, obtained personal identifying information for the employees held by the Office of Personnel Management (OPM),  including Social Security numbers. While the attack comes just a week after the Chinese government released a white paper on military strategy advocating a more active approach to cyberspace, it’s unlikely that the attack came from the Chinese government, as the data stolen would be more useful to criminals than intelligence analysts. Chinese authorities agree, calling the Obama administration’s claims “unverified … irresponsible and unscientific.” Prior to the announcement of the OPM breach, the Chinese Ministry of Foreign Affairs spent the week pointing to a report that Chinese government agencies have been the target of a state-backed hacker group for three years as evidence that the PRC is the “biggest victim” of cyberattacks. 4. South Korea reports four deaths in MERS outbreak. The latest death brings the outbreak’s fatality rate in South Korea to 9.8 percent; the worldwide death rate is 27 percent, reports the WHO. Also on Friday, the Ministry of Health and Welfare also announced five new cases of the disease and also identified the hospital in Pyeongtaek, a city about thirty-five miles from Seoul, where the outbreak originated. MERS was also found in an Korean Air Force sergeant stationed at a U.S. base in South Korea; 6 Korean civilians and 164 Korean soldiers were put in quarantine. The total number of people diagnosed with MERS in South Korea is 41. 5. Remembering Tiananmen. This Thursday, June 4, marked the twenty-sixth anniversary of the crackdown on protestors in Beijing’s Tiananmen Square; tens of thousands turned out for the annual candlelight vigils in Hong Kong. However, in the wake of the 2014 Umbrella Movement, this year there were competing rallies and divisions over the purpose of the gatherings, as Hong Kong residents question their identity, Hong Kong’s relationship with mainland China, and the next step for democracy protests. Back on the mainland, though, not much changed from previous years, as censorship was the word of the day. WeChat users were even unable to transfer money in amounts related to the Tiananmen incident—64, for June 4, and 89, for 1989, the year of the protests. Bonus: Indonesia has a new and friendly neighborhood tax collector. From pizza delivery to spider-web weaving, creative uses of drones are rapidly proliferating. Indonesia hopes to use the technology to catch tax evaders across their chain of seventeen islands. Many plantation owners in Indonesia underreport either the size or the extent of their activities, resulting in less revenue the tax drone aims to recover.

Zachary K. Goldman is the Executive Director of the Center on Law and Security at NYU School of Law. He formerly served in the Department of the Treasury’s Office of Terrorism and Financial Intelligence and at the Department of Defense.  With the new cybersecurity sanctions program adopted by the Obama administration last month, the U.S. government is finally beginning to develop the tools to deter financially-motivated cybercrime. With a price tag estimated at $400 billion per year, cyber-enabled theft imposes a substantial tax on American businesses. And while the U.S. government has focused on deterring attacks against critical infrastructureand on the military dimensions of cyber deterrence, financially motivated cyber crime is far more prevalent. In order to stem the kinds of digitally-facilitated crime that saps American competitiveness, the Obama administration should focus on deterring financially-motivated cyber thieves by targeting what they value most: their money. The White House’s new cybersecurity sanctions program provides the perfect framework to do so—if it’s used correctly. Deterrence is fundamentally about manipulating an adversary’s cost/benefit calculations to dissuade him from doing something you want to prevent. Over the last several years, strategists have struggled to adapt venerable Cold War concepts like deterrence to the information age. But deterring financially-motivated cyber criminals—the kinds of people that attacked Target, Anthem Health, and many others—requires an approach tailored to hackers that seek to steal sensitive information that can be monetized quickly. Many companies are also hacked because they hold commercially valuable intellectual property or trade secrets, the theft of which can provide competitive advantages to industry rivals. Indeed, last year the U.S. Department of Justice indicted five members of the Chinese military for stealing this type of information from leading American companies, including Westinghouse and U.S. Steel—data that would be useful to competitors in China, including state-owned enterprises. Law firms, too, have been subject to cyberattack because they hold valuable information about mergers, IPOs, and other corporate activities that can provide an advantage to a competitor (or a company on the other side of the negotiating table). Companies or groups of hackers steal this information for commercial purposes. They do so for profit, and as such, are sensitive to the costs of their activities. Raise the costs high enough and they will move on to other targets or other activities. Criminals involved in cyber theft therefore have different motivations from state-sponsored actors that target the U.S. military or critical infrastructure. The motivations of cyber thieves also differ from those who engage in cyber espionage to steal government secrets, or “hacktivist” groups that commit acts of cyber vandalism to make a political point. This is where the new sanctions program, inaugurated by the Obama Administration in April, comes in. The cybersecurity sanctions program in some respects resembles traditional sanctions programs. It freezes the assets of people designated for harming computer networks and posing a significant threat to U.S. national security, foreign policy, economic health, or financial stability. But the sanctions program also contains an innovative provision that allows the government to impose sanctions on companies that are responsible for cyber crime, or who receive or use the proceeds of cybercrime for commercial advantage or private financial gain. Using this authority, the U.S. government could target, for example, banks in Eastern Europe that function as the back office for cybercrime rings, moving and storing their ill-gotten gains. It could also sanction Chinese companies that receive stolen intellectual property and incorporate it into their products, disadvantaging their American or European competitors. Doing so will freeze targeted companies and individuals out of the international financial system, neutralizing the advantage they thought they procured by using stolen data or intellectual property. In so doing, the program has the potential to dry up the market for information stolen by cyber means. If companies cannot make money by engaging in cyber theft, they are much less likely to do so. They will, in other words, be deterred. There will be challenges to using the new sanctions in this way. For starters, the government must feel confident that it can control the potential for escalation, and mitigate the risk that U.S. companies operating abroad will be targeted in retaliation. It also must feel confident in its ability to attribute attacks, and to identify the beneficiaries of commercially-motivated cyber theft. But the first step is to recognize that deterring financially-motivated cyber crime is different from deterring other kinds of cyberattacks. And with the new cybersecurity sanctions program, the United States is beginning to develop and deploy a set of tools designed for the task.

Last week, a Chinese Ministry of Defense spokesman condemned the Pentagon’s new cybersecurity strategy. Geng Yansheng not only opposed the "groundless accusations" about Chinese cyber espionage contained  in the strategy, but also suggested it "will further escalate tensions and trigger an arms race in cyberspace." Geng called on the United States to promote common security and mutual trust, rather than "seeking absolute security for itself." This week a scholar from the Chinese Academy of Military Science published a short critique of the strategy. Lu Jinghua summarizes the strategy in three words: deterrence, offense, and alliances. As did many U.S.-based analysts, Lu also stresses the importance of the shift to offense in the report. In contrast to analysts outside of China, Lu gives greater weight to the strategy’s emphasis on alliances, highlighting NATO and the Middle East but paying special attention to the revisions of the U.S.-Japan Security Guidelines. Lu argues that while the document is intended to give strategic guidance, questions remain about implementation. First, Lu is skeptical about the DoD’s ability to deter attacks, raising the fact that attacks can come from state or non-state actors and questioning the U.S. ability to ascribe responsibility. This is another example of Chinese analysts doubting the U.S. ability to attribute attacks, despite U.S. insistence that attribution is getting easier. Second, Lu assumes that the offense always has the advantage, and the defense will always fail to keep the attacker out and so the defense will have to retaliate. But when? How closely does the retaliatory strike have to follow the attack to create deterrence? Third, given the lack of consensus on a code of conduct for cyberspace, Lu wonders under what legal basis U.S. offensive operations will be conducted. Finally, Lu notes the damage done to alliance relations by the Snowden revelations, especially the relationship with France and Germany. He wonders if there is enough trust among partners to exchange the sensitive information needed for network operations. In the strategy, the Pentagon seems to acknowledge the possibility that building offensive capabilities could stoke a security dilemma and so "will always be attentive to the potential impact of defense policies on state and non-state actors’ behavior." The official Chinese response has so far played up that angle, warning of an arms race. Lu’s analysis was reprinted online widely, but is only one voice, and we will have to wait to see how else China responds.

In a speech at Arizona State University earlier this week, Secretary of Defense Ashton Carter laid out a kind of relaunch of the Obama administration’s rebalance to Asia---a plan for moving the rebalance forward over the final years of the president’s second term. Carter hit many key points that the administration hopes to emphasize: the importance of passing the Trans-Pacific Partnership both for the region’s economic future and for America’s own strategic interests; the growth in maritime partnerships with longtime allies like Australia and Japan; the increase in training programs for partner militaries in the Asia-Pacific region. But, other than relatively brief references to Malaysia, Vietnam, and Indonesia, the defense secretary largely avoided talking about Southeast Asia, which originally was a focus of the rebalance. He almost completely skipped mainland Southeast Asia, other than Vietnam. He did not mention the budding U.S. strategic and economic relationship with Myanmar, supposedly one of the administration’s great foreign policy triumphs. He also did not mention other authoritarian mainland Southeast Asian nations, like Cambodia, where the White House has pursued a policy of building closer strategic ties. And Carter did not make reference to Thailand, a treaty ally, at all either. If Carter’s speech highlights a shift in the rebalance away from focusing on mainland Southeast Asia---other than Vietnam---it may signal a wise policy change. As I wrote in a recent working paper, pursuing rapprochement with many nations in mainland Southeast Asia, including Cambodia, Myanmar, and even junta-ruled Thailand, has delivered minimal strategic benefit for the United States while exacerbating repressive human rights climates in these countries. Only the relationship with Vietnam has delivered significant strategic benefits to the United States in the past six years---benefits worth the damage to the United States’ image by partnering with the authoritarian government in Hanoi. Although the White House, during Obama’s first term, argued that rapprochement with Southeast Asian nations like Myanmar would foster improvements in democratic governance in the region, there has been little evidence to support this claim. Thailand suffered a military coup in May 2014, and the Thai junta recently suggested that it could stay in power indefinitely, a contrast to previous junta promises that it would hand power to an elected government in early 2016. Myanmar, though headed for elections later this year, has moved backward, according to most rights monitoring organizations, from the reforms of 2011 and 2012. Vietnam’s human rights situation “remained critical” in 2014, according to Human Rights Watch’s most recent annual report on the state of human rights in the world. “The [Vietnamese] security forces increased various forms of harassment and intimidation of critics.” Malaysia has put its opposition leader in jail, filed charges against his daughter, also an MP, for making a speech in Parliament, and reportedly used the Sedition Law to arrest activists and other opposition politicians. Perhaps, at this point, the Obama administration is realizing that the rebalance, or pivot, is not delivering enough strategic gains in mainland Southeast Asia, which is why Carter’s speech ignored Myanmar, Cambodia, and Thailand. If the speech suggests that the White House will focus instead on Indonesia, the Philippines, Vietnam, and Singapore---as well, of course, as focusing on Australia, and partners in South Asia and Northeast Asia---then the revamped rebalance might be more effective in Southeast Asia.

Today, the Biological Weapons Convention (BWC)—the first treaty to ban an entire class of weapons—marks the 40th anniversary of its entry into force. Reflections on this milestone will examine the BWC’s successes and travails, such as its ratification by 173 countries, its lack of a verification mechanism, and what the future holds. Although not prominent in these discussions, the BWC relates to cybersecurity in two ways. First, the BWC is often seen as a model for regulating dual-use cyber technologies because the treaty attempts to advance scientific progress while preventing its exploitation for hostile purposes. Second, the biological sciences’ increasing dependence on information technologies makes cybersecurity a growing risk and, thus, a threat to BWC objectives. The BWC as a Model for Cybersecurity The BWC addresses a dual-use technology with many applications, including the potential to be weaponized. Similarly, cyber technologies have productive uses that could be imperiled with the development of cyber weapons. Those concerned about cyber weapons often turn to the BWC for guidance because of characteristics biology shares with cyber—the thin line between research and weaponization, the global dissemination of technologies and know-how, the tremendous benefits of peaceful research, and the need to adapt to new threats created by scientific and political change. The BWC supports actions to prevent weaponization and foster peaceful exploitation of the biological sciences, including: Prohibitions on weaponization and transferring the means of developing bioweapons; Requirements to implement domestic measures to prevent weaponization; Obligations to cooperate and provide assistance in addressing BWC violations; and Undertakings to facilitate exchange of information, materials, and technologies for peaceful research. However, the BWC maps poorly against cybersecurity problems. Cyber weapons, weaponization, and attacks by states and criminals have become ubiquitous. The BWC required destruction of stockpiles of bioweapons, but many countries accepted this obligation and the weaponization ban because they concluded bioweapons had little national security utility. The same cannot be said for cyber technologies. States find cyber exploits useful for multiple national security tasks, including law enforcement, counter-intelligence, espionage, sabotage, deterrence, and fighting armed conflicts. Tools used to prevent biological weaponization, such as imposing licensing and biosecurity requirements on biological research facilities, make little sense for cyber given the nature of cyber technologies and their global accessibility. Experts have called for a norm requiring countries to assist victims of cyberattacks, which echoes the BWC’s provision on assistance in cases of treaty violations. However, political calculations, not normative considerations, determine whether governments offer assistance to countries hit by cyberattacks—behavior consistent with other contexts where states provide discretionary assistance, such as after natural disasters. Nor have countries embraced export controls on cyber technologies in the manner seen with biological technologies. Countries harmonizing export controls on dual-use technologies through the Wassenaar Arrangement added "intrusion software" to this regime in December 2013. However, this decision reflected human rights concerns about authoritarian governments using such software, a reason having no counterpart in export controls supporting the non-proliferation of bioweapons. Perhaps led by the United States, the Wassenaar Arrangement might create more export controls for cyber technologies, but here the BWC offers a cautionary tale. Developing countries have long considered that export controls on biotechnologies imposed for non-proliferation reasons violate their BWC right to gain access to equipment, materials, and information for peaceful purposes. Whether a similar controversy emerges if Wassennaar participants agree to more export controls on cyber technologies remains to be seen, but this path is not one the BWC suggests would be easy or effective. The Cybersecurity Challenge in the Biological Sciences The more important aspect of the BWC-cyber relationship involves the biological sciences’ increasing exploitation of, and dependence on, information technologies (IT). In describing scientific developments for the BWC review conference in 2011, the BWC Implementation Support Unit noted that "[i]ncreasingly the life sciences are referred to as information sciences. Digital tools and platforms not only enable wetwork but are increasingly able to replace it." Cybersecurity problems increase as dependence on information technologies deepens. Biological research enabled by information technologies is vulnerable to cyber infiltration by foreign governments, criminals, or terrorists and theft of data or manipulation of facilities. The cybersecurity challenge has been recognized in some policies. In the United States, Executive Order 13546 (2010) identified the need for cybersecurity in facilities handling dangerous pathogens, which led to amended regulations. As the biological and information sciences converge, cybersecurity becomes increasingly important for responsible biological research. Despite awareness of this dependence, the BWC process has not focused on cybersecurity. Neither the 2011 review conference nor meetings in 2012-14 identified the security of information and the ubiquity of IT systems as issues arising from developments relevant to the BWC. As planning for the next BWC review conference in 2016 unfolds, cybersecurity should be included to ensure the BWC’s next chapter does not ignore a problem the biological sciences face now and in the future.

Last week, Admiral Mike Rogers, commander of U.S. Cyber Command, testified before the Senate Committee on Armed Services. Most of the media attention (see this, this, and this) has focused on Rogers’ argument that deterrence is not working, and that defense in cyberspace will be "will be both late to need and incredibly resource intensive." As a result, Rogers argued, Cyber Command needs "to think about how can we increase our capacity on the offensive side to get to that point of deterrence." The argument that additional offensive capabilities are critical to deterrence seemed to be widely accepted by the senators’ questioning Rogers. Senator Angus King went further, saying that it was not enough to have the offensive capabilities but that the public has to know about them. Alluding to Dr. Strangelove, the classic movie on the absurdities of the Cold War, King argued “If you build the doomsday machine, you’ve got to tell people you have it. Otherwise the purpose is thwarted." Rogers’ opening comments and written testimony raise at least three follow up questions. First, in regards to the exchange with Senator King, is talking about offensive capabilities enough? For effective deterrence, do you also have to demonstrate that they would work? The United States and the Soviet Union conducted a combined 1745 known underground and atmospheric nuclear tests between 1945 and 1996, along with countless launch exercises from submarines, bombers, and missile silos. The physical effects of a nuclear weapon were well known to both sides. None of this is available in cyberspace. The effects, so far, are invisible and contested, and they may be unpredictable as attacks spill over into connected networks. You can’t march a cyber weapon in a parade and even if the United States, Russia, and China built cyber ranges where they launched practice destructive digital attacks, would the other side necessarily believe that their systems were vulnerable in the same way or could not be quickly reconfigured for defense? Second, do we have any idea of how adversaries might interpret or react to the effort to develop a greater deterrence through offensive cyber capabilities? In his written testimony, Rogers implicitly suggests that U.S. efforts will not be destabilizing by making a comparison to the nuclear age: "Building these nuclear forces and the policy and support structures around them took time and did not cause a nuclear war or make the world less safe." But is this both a rosy remembering of Cold War history and an optimistic hope for future cyber conflict? Given that many defense analysts believe that offense has the advantage over defense in cyberspace, do efforts to develop deterrence through offense create a security dilemma and an arms race? Finally, Rogers says in his written testimony that Cyber Command has gained "priceless experience in cyber operations" and insight into how force "can be employed in cyberspace." He also mentions that Cyber Command has "had the equivalent of a close-in fight with an adversary." Does it matter who that adversary was? Are the lessons learned from an encounter with one adversary applicable to other potential rivals in cyberspace? Is Cyber Command’s knowledge about fighting China’s People’s Liberation Army transferrable to fighting the Iranian Revolutionary Guard Corps? The answer to all these questions is we do not know yet. We can assume, however, that Admiral Rogers knows that cyber deterrence, if it is to work at all, will not operate like nuclear deterrence. Nuclear deterrence was primarily a military strategy designed to prevent one completely unacceptable outcome—nuclear war with the Soviet Union. Cyber deterrence will be the use of political, economic, diplomatic, and military tools not to stop attacks entirely but instead to reduce the volatility and intensity of cyber conflicts. It will require flexibility, adaptability and a lot of thinking about how to tailor policies to specific actors. Offensive capabilities will be important, but they will only be one part of deterrence.

The U.S.-DPRK tit-fo-tat over the Sony hack has continued into the new year, with the Obama administration announcing sanctions on three organizations and ten individuals on January 2 and North Korea responding with indignation two days later. But the media focus on the Sony hack obscures a potentially much more dangerous hacking incident that has also been attributed to North Korea involving release of personal information of over 10,000 employees of the Korea Hydro and Nuclear Power Company (KHNP), which operates twenty-three nuclear reactors in South Korea. This story line includes demands by the hackers that KHNP shut down at least one South Korean reactor by Christmas Day (a threat that was ignored). There are also reports that the origins of the hack may have been traced to Shenyang, a city that houses a known platform for North Korean cyber operations. Specialists on nuclear plant systems assert that the hacking incident posed no real danger to the operation of South Korean plants, but they do highlight the sensitivity—and potential vulnerability—of South Korean nuclear facilities to a potential North Korean attack. This eventuality is potentially as damaging as the threat of North Korean nuclear use that South Korea now faces if indeed North Korea has developed a mid-range payload delivery capability. In addition to the dangers of nuclear terrorism, the KHNP hack underscores a common interest among South Korea, Japan, and northeastern China, which have one of the greatest concentrations of nuclear energy production facilities on the planet. China is the country with the fastest-growing nuclear energy sector, but stands to gain much by raising nuclear standards to avoid possible accidents. Following the Fukushima triple-disaster, Japan has valuable experience in management of damage from a nuclear accident including its potentially debilitating regional effects. South Korea, with its relatively small size, dense population, nascent nuclear reactor export business, and relatively high reliance on nuclear energy to meet its energy needs, has a large stake in taking steps to forestall potential nuclear accidents either on its home soil or in neighboring countries, including North Korea. The KHNP hack underscores South Korea’s vulnerability to both the cyber and nuclear threats. These challenges to both cybersecurity and nuclear safety are shared challenges that governments in Northeast Asia should be prepared to confront together. Yet there is no viable regional organization within Northeast Asia that brings together the countries to cooperate on these shared challenges. The Six Party Talks had envisioned establishment of a multilateral regime for Northeast Asia following the resolution of the North Korean nuclear issue, but they have not met since 2008 and cannot reconvene without North Korea’s commitment to denuclearization. North Korean intransigence on its nuclear program should not be allowed to hold hostage the prospect of Northeast Asian cooperation on other issues. In fact, recent events illustrate that North Korean intransigence provides an even more compelling rationale for its neighbors to redouble their cooperation efforts, starting with functional areas such as nuclear safety and cybersecurity. This is precisely the purpose that South Korea’s recent proposal of a Northeast Asia Peace and Cooperation Initiative (NAPCI) hopes to achieve in this volatile and dynamic region. The United States has in the past welcomed and promoted the establishment of a multilateral regime that would help regulate behavior in Northeast Asia, a historical flashpoint recently renewed, to prevent possible confrontation among major powers. In fact, the United States envisioned the establishment of precisely such a mechanism as a legacy that would remain following the satisfactory resolution of the North Korean nuclear issue. I argue in a CFR Working Paper with the Asan Institute’s Woo Jung-yeop (downloadable here) that North Korea’s non-cooperation should not be allowed to prevent such a mechanism from being established to promote cooperation on these issues; nor should the United States withhold its support for South Korea’s Northeast Asia–focused efforts in favor of region-wide multilateralism through the East Asia Summit (EAS), especially since the main objective of both efforts is to translate existing international norms into the regional context of East Asia. U.S. support for South Korea’s NAPCI initiative can be reciprocated by South Korea through more active participation in region-wide forums such as the EAS. Given the gravity of the challenges facing the region, a two-pronged effort along these lines is worth trying.

The U.S.-South Korea alliance has grown deeper since 2009, when Presidents Obama and Lee Myung-bak announced a U.S.-ROK Joint Vision Statement that expanded the framework for bilateral cooperation beyond the Korean peninsula to regional and global issues. This statement set the stage for both deeper U.S.-ROK security coordination toward North Korea and for South Korean contributions to anti-piracy missions in the Gulf of Aden and South Korean participation in the ISAF mission in Afghanistan. The vision was reaffirmed by Park Geun-hye last year in Washington on the occasion of the 60th anniversary of the founding of the alliance. I argue in my chapter for National Bureau of Asian Research’s most recent volume, Strategic Asia 2014-2015: U.S. Alliances and Partnerships at the Center of Global Power, that further implementation of this broadened vision has created new internal and external challenges. The internal challenge is one that derives from the growth in South Korea’s military capabilities that has accompanied the evolution of the U.S.-ROK security alliance from a patron-client relationship to a strategic partnership. Now that South Korea brings substantial capabilities to the table, it is inevitable that there will be domestic debates over the extent to which South Korea should pursue homegrown capabilities (internal balancing) versus relying on procurement or supply of capabilities through the alliance (external balancing). The challenge is to find a mix that enables development of indigenous capabilities without coming at the expense of the alliance. To illustrate how these tensions have been manifested and managed, I describe the evolution of South Korea’s approach management of operational control arrangements and missile defense. The external challenge to the alliance comes from a China that increasingly seeks to limit U.S.-ROK alliance cooperation to the peninsula and to confine U.S.-ROK alliance aims and rationales  solely to North Korea. As a result, China has objected to South Korean military equipment sales to other U.S. allies such as the Philippines and is currently mounting a vociferous public campaign against the stationing of Theater High Altitude Advanced Defense (THAAD) capabilities on the Korean peninsula. But China’s objection to the placement of THAAD capabilities on the peninsula will ring hollow as long as North Korea continues to test and develop missile capabilities that could overwhelm or compromise South Korea’s existing missile defenses. Instead, China’s objections highlight a gap between China’s characterization of alliances as Cold War relics and the U.S. position that its alliances are vital as both an important contributor to U.S. power and as a logical starting point for the U.S. rebalance. In this respect, the U.S.-ROK alliance will likely face larger challenges in the future to the extent that China contests it. However, China’s objections to the alliance themselves may ultimately serve as a compelling rationale for why broadened alliance cooperation should be sustained.