Deterrence, a concept developed primarily in order to deal with the perils presented by the nuclear age, has become central to debates on how to counter cyber-attacks. However, one major challenge of deterrence in cyberspace is the covert nature of cyber opertations: without means to identify the culprit of an attack, accountability becomes a vacuous concept. As such, the question of attribution is becoming increasingly politically sensitive, particularly as part of the growing tensions between the United States and China on cyber affairs.
This report reviews China’s evolving strategic thinking of cyber deterrence and attribution. China’s early practice of cyber deterrence focused on developing asymmetrical offensive capabilities to create a state of ‘mutually assured destruction’ in cyberspace. However, China’s growing digitalisation prompted a pivot to defensive capabilities such as network resilience and more recently cyber attribution capabilities. On cyber attribution, China had previously maintained that technical attribution is near impossible, and that public attribution is counterproductive and hypocritical. Meanwhile, China has most likely heavily invested in cyber forensic technologies. With the recent CVERC attribution, it is logical to assume that China’s official position on attribution has changed. However, it remains to be seen if China will adopt the ‘naming and shaming’ tactics of public attribution.
The perceptions thatChinese authors have of other actors in cyberspace seem to reflect prevelant Chinese geopolitical views in the physical space: while Chinese authors have consistently referred to the US as the ‘cyber hegemon’, China has meticulously studied how the US practises cyber deterrence and attribution and adopted it, when in China’s interest, as far as China’s capabilities allow. In comparision, there is substantially less Chinese literature written on European countries, while their strategies in cyberspace are often described as defensive. Lastly, as most Chinese authors reviewed in this report seem to adopt a state-centric approach, they see organisations such as NATO more as state-actors’ policy tool, instead of an actor with agency of its own.