Among the many things Brits are given to moan about, one oft-heard complaint is defeat in sports “we invented.” They seem to feel that having codified the rules for global sports such as football, rugby, tennis or cricket should somehow confer a continuing advantage in, if not ownership of, the game. Yet this is the price at which worldwide participation in these sports has come. Global success comes at the expense of domestic superiority. To win, even the inventor of the game cannot escape growing competition with ambitious emerging contenders.
A similar thing seems to be true in cyberspace. It is undeniably the case that the United States has enjoyed significant first-mover advantages in the development of Internet and information technologies. However, as successively more detailed stories about the hack in the Office for Personnel Management emerge, long and hard questions should be asked in Washington about how important government data should be secured. At this point in time, the origin of this particular hack is not publicly known. While individual sources have pointed the finger toward China, the U.S. Government has, so far, not made any official statement to that effect. There may be many reasons for this. It is notoriously difficult to attribute cyber attacks. Even if it is possible, revelation of attribution processes might reveal capabilities that intelligence bodies would like to remain classified. Nevertheless, the White House is considering sanctions against the perpetrators. China, for its part, has vehemently denied involvement, with foreign ministry spokesman Hong Lei denouncing the allegations as “irresponsible and unscientific.”
An interesting debate has emerged in the aftermath of these revelations. The United States has sought to separate economic espionage of the type that China is regularly accused of from “bona fide” intelligence concerning government activities, and the announced sanctions are a logical extension of this line. Yet while this particular case concerns the pilfering of useful information, the data at issue is purely governmental, and allegedly includes confidential statements made by applicants for security clearance. Retired general, CIA and NSA director Michael Hayden called the action “honorable espionage work”, stating he would not have hesitated to obtain similar data from China if given the opportunity. Instead, he took the U.S. side to task for failing to adequately protect such sensitive resources.
The attack has thus underlined the glaring weaknesses that existed in data protection within U.S. government authorities, even after repeated warnings. There are two important elements to this: first, despite repeated warnings, nothing was done about demonstrated security flaws. Second, a culture of outsourcing with overly lax oversight has pushed sensitive tasks toward the private sector where both loyalty and scrutiny are less of a priority than in government service. In both the OPM hack and the Snowden affair, the role of contractors has been central. In fact, in the OPM case, some contractors weren't even located in the U.S. while working on the database. One person had root access from China – a country where corporate officers take loaner laptops and smartphones as a matter of routine. Two Chinese citizens headed another team working with these databases.
To come back to my sports metaphor, one of the interesting points about English football (as a European, I refuse to call it “soccer”) is the disparity between the Premier League and the English national team. The former is perhaps the best league in the world, while the latter hasn't made it past the quarterfinals at a world championship in the last quarter century. One reason for this is that top English football clubs, flush with the cash of wealthy owners, compose superstar teams by importing global talent. This works fine for Manchester United, but less so for the national collective.
One can debate the actual damage caused by lapses in cybersecurity. A little while ago, the Sunday Times published claims that Russian and Chinese intelligence services had decrypted a cache of documents purloined by Edward Snowden, forcing the withdrawal of British and American spies from active operations. These claims were immediately countered, amongst others by a former British ambassador. With the OPM hack, however, the sheer bulk of exfiltrated data means not only that China potentially has sensitive and personal information about every U.S. official entering its territory, but also potential targets for blackmail or enlistment. In other words, not only is the functioning of U.S. government officials impaired abroad, extra security measures may be necessary in many domestic departments. In many cases, these may not have considered such threats before. The damage is also not limited to government officials: many professionals and executives in private firms hold security clearances for various reasons.
In many ways, this changes the information security ball game. Cold war espionage had natural limits: while signals intelligence was not unimportant, human operations were indispensable in obtaining the sort of information that the OPM hack involved. This, in turn, required considerable efforts and investment. These limits are now largely gone, and espionage can now be conducted from comfortable armchairs within commuting distance of home. As a result, targets for information gathering have diversified. Apart from predictable, high priority objectives, it seems intelligence services have learnt that much valuable material can be found in many softer environments. The U.S. may be good at such operations. But as it turns out, so is someone else.
What if that someone is Chinese? How would this hack influence the bilateral relationship in the longer run? Are ongoing comparisons with the cold war justified? To a certain degree, I think they are: at the core of the Sino-U.S. tensions we have seen recently lies a fundamental ideological conflict that manifests itself in existential terms on both sides. The Chinese official press is regularly peppered with allegations that “Western hostile powers” seek to “Westernize and divide” China. It sees efforts by liberal actors, including governments and NGOs, to derail China from its development trajectory and trigger regime change. The United States, on the other hand, seems unable to comprehend the continuing robustness of the Chinese regime. It has long been an article of faith in U.S. politics that only the democratic and capitalist values it espouses lead to power, prosperity and global leadership. Evidently, China's very existence challenges this view, and yet, few U.S. voices are willing to publicly assess how to engage with a China that remains illiberal, but grows into a major regional power. And such engagement is inevitable, as in contrast to the cold war, the Chinese and U.S. economies and interests are deeply intertwined. The dissolution of the Soviet Union did not cause any serious impact on the U.S. economy. Conflict with China, however, would sever a considerable proportion of globally integrated value chains and thus cause significant damage to the global economy.
This is going to require a way of dealing with politics and technology that surpasses the somewhat simplistic techno-optimism of the 2000s. While the mantra of disruptive technology might still have strong traction in the Bay Area, hacks such as these provide a strong reason to develop a more clear-eyed view of the harm that can be generated through technology. This is – and has always been – the price of progress. Airplanes have brought the world closer together, but have also provided the stage for some of the most deplorable terrorist attacks. The same is true for the Internet: if it is going to continue being a driver of economic and social development, it must become subject to similar logics of security and politics. If Chinese competition spurs this along, it can only be for the better.