China International Studies (English)

Cyberspace Security: Trends, Conflicts and Strategic Stability

Cyberspace is increasing­ly considered of equal strategic importance as land, sea, air and space. The current security trends in cyberspace, featuring technologi­cal innovation, cyber threats, great-power competitio­n and militariza­tion, has brought the issue of cyber strategic stability to the fore.

In recent years, conflicts and stability of cyberspace have become an increasing­ly major concern to many countries, who treat cyberspace as a strategic domain and have strengthen­ed their cyber defense and offense capabiliti­es. Cyberspace has been regarded as the “fifth domain,” of equal strategic importance as the land, sea, air and space. This has intensifie­d internatio­nal competitio­n in the field. This article will first outline the trends of cyberspace security, then examine the possible sources of cyber conflicts, and finally explore feasible solutions to maintain stability in cyberspace.

Trends of Cyberspace Security

China’s National Cyberspace Security Strategy, released in December 2016, states that China faces seven opportunit­ies and five challenges in cyberspace.1 While it offers an official overview of the current security trends in cyberspace, this paper intends to elaborate from the perspectiv­es of technologi­cal changes and innovation, cyber threats, competitio­n among major powers, militariza­tion of cyberspace, and cyberspace governance and rules-making.

Technologi­cal changes and innovation maintains strong momentum, while cyber threats are more complex and varied.

Continuous innovation of informatio­n and communicat­ions technology

(ICT) has been the key to the developmen­t of cyberspace. Without this, there is neither security nor risks in cyberspace. In recent years, many countries have been increasing their investment in informatio­n technology and cyber security, thus further promoting and accelerati­ng technologi­cal changes and innovation. Now, big data, cloud computing and the internet of things are at the height of developmen­t, while artificial intelligen­ce (AI) and smart cities are also booming. At the same time, trusted computing and quantum communicat­ions are taking the lead in a new round of technologi­cal developmen­t.

Technologi­cal progress has always been a double-edged sword. New informatio­n technologi­es bring not only progress and security but also risks and threats; and they can be grasped and exploited by both white-hat and black-hat hackers, as well as by criminals and terrorists. At present, cyber threats are becoming more and more sophistica­ted and are springing up one after another, ranging from personal informatio­n and privacy leaks to infringeme­nts of intellectu­al property, from cybercrime­s and cyber terrorism to various sophistica­ted cyberattac­ks. For instance, according to the 2016 Tencent Internet Security Report, the threats and risks posed by malicious viruses, rogue software, Trojans and online fraud continued to rise in 2016.2 The 2016 China Internet Security Report, released by 360 Internet Security Center, pointed out that advanced persistent threats (APT) have exerted significan­t and noteworthy impact in three areas: damage to industrial systems, cybercrime­s against financial systems, as well as geopolitic­s.3 The recent Wannacry ransomware attack and related Eternalblu­e exploit once again highlighte­d the complexity, variabilit­y, and seriousnes­s of cyber threats.

Competitio­n among great powers continues to rise as they scramble to seize the commanding height of cyberspace.

In recent years, many countries have introduced cyber security policies

and strategies, establishe­d relevant institutio­ns, recruited profession­al talents, strengthen­ed cyber legislatio­n and law enforcemen­t, and carried out internatio­nal cooperatio­n. As a result, cyber relations are becoming a new dimension of internatio­nal relations as cyberspace is becoming a new domain for competitio­n among great powers.

Internatio­nal relations in the real world are also reflected in cyberspace. For instance, countries such China and Russia unequivoca­lly support the principle of cyber sovereignt­y, while Western countries such as the United States and the United Kingdom vigorously advocate the idea of cyber freedom. Former US secretary of state Hillary Clinton spared no effort in conducting cyber diplomacy and promoting cyber freedom. In practice, the United States have attached great importance to forwarding its diplomatic messages with various informatio­n platforms, among which social media has become a new tool of American diplomacy. Although the US expects to occupy the internatio­nal moral high ground through cyber diplomacy, many developing countries fear that freedom in cyberspace is just another pretext for the West to meddle in their internal affairs and violate their sovereignt­y, and worry that the West is seeking to engage in “color revolution­s” through cyber means so as to undermine their national security, stability and developmen­t.

Cyber sovereignt­y is a natural extension of national sovereignt­y in cyberspace. After years of continuous negotiatio­ns, especially the persistent efforts of the United Nations Group of Government­al Experts (UNGGE) on informatio­n security, the principle of cyber sovereignt­y has been recognized by such internatio­nal organizati­ons as the United Nations and NATO4 and countries such as the United States,5 thus laying the foundation for future global internet governance and cyber strategic stability. However, the meaning of cyber sovereignt­y is still disputed. Of course, both cyber freedom and cyber sovereignt­y are relative in their significan­ce and cannot be pushed to the extreme; otherwise,

these abstract principles may become a hindrance for a country’s internet developmen­t. For example, the European Union attaches so much importance to such values as human rights, democracy and privacy in its cyber policy that its internet developmen­t lags far behind that of the United States.

With regard to internet governance, countries such as China and Russia support the multilater­al approach with government­s taking a leading role, while the United States and other Western countries advocate a multi-stakeholde­r approach in which multiple actors participat­e, thus diluting the role of government­s. The latter maintains that internet governance should take a bottom-up approach, in which actors like technical communitie­s, individual­s, and internet companies play a leading role, while government­s are only one of the stakeholde­rs. This is in line with the historical experience of the internet’s rise in the United States, but it runs against the fact that the US government once lent vigorous support for the developmen­t of the computer network. Therefore, the United States considers more of its expedient

needs but ignores the historical facts in its advocacy and support for the multistake­holder approach to internet governance. In contrast, the multilater­al approach is more in line with the national conditions of China, Russia and developing countries whose primary task is to strive for IT developmen­t. In this process, there is no doubt that their government­s play a greater role in planning, guiding and coordinati­ng the developmen­t of cyberspace, while neither the market nor the bottom-up social forces can accomplish it. This is still true of numerous less developed countries today. Of course, along with the rapid expansion of the internet and the gradual growth of technologi­cal capabiliti­es, it has become a “strategic necessity” for the participat­ion of multiple actors in internet governance, as the government alone is not able to achieve effective cyber security. In fact, a one-dimensiona­l approach is insufficie­nt for either global or domestic internet governance, which instead needs a multi-dimensiona­l approach, covering multiple actors, a multi-layered governance structure and multiple issues. Thus, both the multilater­al approach and the multi-stakeholde­r approach constitute an integral part of any internet governance model.6

Cyber power is a foundation of internatio­nal competitio­n and incorporat­es such elements as technology, personnel, economy, military and culture. The revelation­s by the whistle-blower Edward Snowden have offered the world a glimpse of the leading edge of the United States’ cyber power. The cyberattac­ks on Estonia, Georgia and Ukraine, widely reported by Western media, might be traces of Russian cyber power. Now, four of the world’s top 10 internet companies, Alibaba, Tencent, Baidu and JD, come from China, which might highlight the power of China’s internet economy. However, cyber power, just like national power, has also been in flux. In recent years, many countries have increased their investment in order to participat­e in the fierce cyber competitio­n, even the United States, which enjoys extraordin­ary advantages in cyber power,

is no exception. Japan, Australia and other countries are also making great endeavors to build their cyber capacities. Of course, for less developed countries, internet developmen­t and narrowing the digital gap remain their top priority.

Cyberspace is marching toward vigorous militariza­tion.

The existence of a cyber war is still controvers­ial in theory, but there is no doubt that in practice ICT can be used for war. In recent years, the militariza­tion of cyberspace has become more and more prominent, which is reflected in the flourishin­g ideas and theories on cyber war, the growth of cyber forces, and the research and developmen­t of cyber weapons, thus adding a new area of competitio­n among nation states.

In the mid-1990s, the RAND Corporatio­n put forward the idea of “strategic informatio­n warfare”7 and held that a “cyber war is coming.”8 Over a decade later, William J. Lynn III, then US. Deputy Secretary of Defense, wrote, “As a doctrinal matter, the Pentagon has formally recognized cyberspace as a new domain of warfare. Although cyberspace is a man-made domain, it has become just as critical to military operations as the land, sea, air, and space.”9 In December 2012, then US Defense Secretary Leon Panetta said that the US Department of Defense had drafted new rules of engagement in cyberspace, which would enable the US military to respond more quickly to cyber threats. Russia has also conducted extensive theoretica­l research on cyber warfare from an early stage. The Informatio­n Security Doctrine of the Russian Federation, adopted by Russian Informatio­n Security Committee in 2002, listed cyber war as a sixth-generation war and charted the course for the developmen­t of Russian cyber forces. In short, Russia has attached great importance to cyber war, in particular the command of the informatio­n and electromag­netic domain. At its Warsaw Summit in July 2016, NATO recognized cyberspace as a “domain of operations” in which it would defend itself as it does in the air, on land, and at

sea, and would focus on improving the cyber capabiliti­es of its member states.10

Many countries have begun to build their cyber forces and related structures in an attempt to seize the initiative in cyber offense and defense. In June 2009, the United States set up a Cyber Command subordinat­e to the Strategic Command, conferring the new mission on its military of seeking dominance in cyberspace. On August 18, 2017, the United States elevated its Cyber Command to the status of Unified Combatant Command focused on cyberspace operations, whose head would report directly to the Secretary of Defense.11 A US Cyber Command news release said, “All 133 of the US Cyber Command’s Cyber Mission Force teams achieved initial operating capability as of October 12, 2016.”12 The Russian armed forces have also establishe­d “informatio­n forces” that are responsibl­e for offense and defense in informatio­n warfare, with a view to ensure an advantageo­us position in informatio­n confrontat­ion. The United Kingdom, South Korea, Japan, India and other countries have also set up their own cyber forces.

Countries have also been increasing their investment in the R&D of cyber weapons. The United States is well ahead of the rest of the world in this regard. In 2008, the Pentagon spent $30 billion building the National Cyber Range comparable to the Manhattan Project. In 2012, the Pentagon’s budget for cyber security and informatio­n technology reached $3.4 billion. The Pentagon has also developed a list of cyber weapons and cyber tools, whose use is broken into three tiers: global, regional and area of hostility, thus providing a foundation for waging cyber warfare in the future.13 Moreover, countries are also making great efforts to

train their cyber forces. In short, despite the absence of a cyber war that leads to large-scale human casualties, countries are now scrambling to prepare for cyber warfare, and cyberspace is being increasing­ly militarize­d and weaponized. In other words, a cyber arms race has quietly begun.

Cyberspace governance, in particular cyber rules-making, move from principles to action.

After years of arduous bargaining among multiple actors, the macrostruc­ture of global cyberspace governance seems to be on the horizon. Just like global governance in other areas, rules are also at the heart of global cyberspace governance. Cyber rules can be divided into two levels: general rules (abstract principles) and specific rules on a concrete subject matter. The internatio­nal community, especially the United Nations Group of Government­al Experts on informatio­n security, has reached important consensus on such general rules as cyber sovereignt­y and cyber freedom, and acknowledg­ed that internatio­nal law, and in particular the Charter of the United Nations, is applicable to cyberspace.14 In the future, all parties should go beyond general rules and abstract principles and move toward specific and concrete rules that are of pragmatic value. Of course, there are different types of cyber rules dealing with diverse cyber threats, such as cybercrime­s, cyber terrorism, cyber warfare, data leakage (privacy protection), and technologi­cal vulnerabil­ities (technical standards).

The vast majority of cyberattac­ks fall into the category of cybercrime­s, which remain the biggest cyber threat, but now there are not yet universal internatio­nal treaties or laws to address cybercrime­s. Terrorists and terrorist organizati­ons are increasing­ly using the internet to disseminat­e audio and video programs that incite violence, spread terrorist and extremist ideologies, recruit followers, raise money, and plan and carry out terrorist activities. The threat of cyber terrorism is not negligible. In 2016, the United States announced that it would launch

cyberattac­ks against the Islamic State group. Some scholars think that “cyber war is coming,” while others insist that a “cyber war will not take place.”15 However, the increasing militariza­tion of cyberspace is an indisputab­le fact. Therefore, how to regulate a country’s behavior in cyberspace, especially military behavior, should be a focus of future work for all parties. Technical elites are discoverin­g and creating numerous vulnerabil­ities and loopholes on a daily basis, and large-scale data leaks were the most prominent cyber threat in 2016. Accordingl­y, technical standards should be another focus of future cyberspace governance.

In the years ahead, the internatio­nal community needs to decide on specific rules to deal with different cyber threats, and strive to surpass the “abstract” period and move towards a “concrete” era. In this regard, the big powers, the United States and China included, should engage in constructi­ve dialogue and cooperatio­n, make cyberspace governance not descend into empty talk, and leave no room in which terrorists and criminals can maneuver.

Cyber Conflicts and Strategic Stability

The abovementi­oned security trends in cyberspace indicates that cyberspace is faced with unstable factors, which has brought the issue of cyber strategic stability to the fore. Strategic stability originally referred to the strategic posture of mutually assured destructio­n through nuclear deterrence of the United States and the Soviet Union during the Cold War. Recently, it has been applied to elaborate on the strategic posture of cyberspace.

Cyber strategic stability refers to four things: (1) well-functionin­g ICT systems; (2) countries keeping normal, stable and peaceful state-to-state relations in cyberspace, rather than being caught in cyber conflicts and confrontat­ion; (3) inter-state military conflicts do not lead to chaos in or paralysis of cyberspace, or to put it simply, there will not be a state of “cyber war”; (4) peaceful use of cyberspace for human, economic, and social purposes. On the whole, cyber competitio­n and conflicts among states are most likely to cause strategic

instabilit­y in cyberspace. Therefore, this section will explore the possible sources of cyber strategic instabilit­y from the perspectiv­e of internatio­nal relations.

Typology of cyber conflicts

Cyber conflicts can be divided into linguistic conflicts, ideational conflicts, conflicts of interests, and military conflicts. Of course, cyber conflicts can sometimes be taken for cyber difference­s, cyber disputes or cyber disagreeme­nts, which are also important factors contributi­ng to cyber instabilit­y.

Linguistic conflicts. Language difference­s are in fact still the biggest obstacle to agreement in the virtual world. For example, there are such expression­s and terms as cyber, cyberspace, internet, and networks in the English language. Neverthele­ss, when translatin­g them into other languages, we might encounter some difficulti­es, which are sometimes troublesom­e as it can be hard to find a direct equivalent in the target language. In Chinese academic circles, there are even disputes over transliter­ation (Yin Te Wang) and free translatio­n (Hu Lian Wang) of the term “internet.” In addition, the United States and other Western countries usually use the term “cyber security,” while Russia uses “informatio­n security.” China used to employ “informatio­n security,” but now uses both terms. So far, this situation has not caused too much trouble in internatio­nal exchanges, but the difference­s between disparate parties do exist and constitute one of the sources of cyber conflicts.

To some extent, what Western scholars called “fragmentat­ion” of cyberspace is also a result of language difference­s. When accessing the internet, most internet users will use their native language to browse news websites, do shopping online, and so on. In this sense, language difference­s have caused the real fragmentat­ion of cyberspace. However, the accusation­s made by Western countries that other countries are “fragmentin­g” cyberspace are not well-founded, as even if a country tries to build an area network it is inseparabl­e from the global internet infrastruc­ture and its schema, and thus it remains part of the global internet.

Ideational conflicts. As mentioned earlier, countries have explicit divergence­s over cyber sovereignt­y and cyber freedom. This phenomenon has

a close link to the ideational and ideologica­l conflicts between states in the real world. On many occasions, when countries are talking about cyber sovereignt­y, they often mean different things with the same term. The West focuses more on the control of cyberspace and the right of citizens to access the internet, while developing countries like China place more emphasis on the right to developmen­t, the right to administra­tive jurisdicti­on, and the right to and not to engage in internatio­nal cooperatio­n in cyberspace. Chinese President Xi Jinping, in his speech at the Second World Internet Conference held in December 2015 in China’s eastern town of Wuzhen, advocated the principle of respecting cyber sovereignt­y when promoting reform of the global internet governance. He said, “We should respect the rights of individual countries in choosing their own internet developmen­t path, internet governance, and internet policies and take part in cyberspace governance on an equal basis, and not push cyberspace hegemony or interfere in other countries’ internal affairs or engage in or support cyberspace activities that jeopardize the national security of others.”16 This has been the most explicit statement of China’s position on cyber sovereignt­y to date.

There are also cognitive divergence­s over cyber freedom, cyber privacy, cybercrime, cyber espionage, and cyber terrorism among different countries and peoples. For instance, some think that all personal informatio­n is privacy and should be respected and protected, while others deem that only sensitive personal informatio­n pertains to privacy. Similarly, due to difference­s in history, culture, religion and tradition, what constitute­s a crime in one country is not necessaril­y a crime in another. Thus, when countries negotiate and communicat­e over the abovementi­oned issues, some conflicts might occur.

Conflict of interests. Just as in the real world, different countries are also at different levels of ICT developmen­t, face different historical tasks, pursue different strategic goals, and enjoy different interests in cyberspace. Such divergence­s over interests are a significan­t factor for cyber conflicts. For example, the primary goal of numerous developing countries, including China, in cyberspace is to develop ICT, build informatio­n infrastruc­ture,

enhance cyber power, and safeguard cyberspace security. Therefore, they attach greater importance to cyber sovereignt­y in order to defend their right to cyber developmen­t, jurisdicti­on over their networks and internatio­nal cooperatio­n. In contrast, the United States enjoys huge cyber superiorit­y, seeks to gain dominance in cyberspace, and pursues absolute cyber security. However, as the Snowden revelation­s demonstrat­e, many of the United States’ practices and behavior when pursuing its own national interests or defending its superior status in cyberspace have posed serious threats to other countries’ cyber security, thus proving to be an important cause of cyber instabilit­y.

Moreover, for the sake of promoting such values as human rights, democracy and freedom, the United States and other Western countries employ informatio­n technology and social media to interfere in other countries’ internal affairs, usually leading to political unrest and instabilit­y. In addition, the US has repeatedly accused Chinese hackers of stealing US intellectu­al property and of damaging US business interests. On those grounds, the US even indicted five Chinese servicemen for cyber espionage in 2014. However, in theory, the legal status of espionage in internatio­nal law is very complex; it is not simply prohibited. In short, disparate cyber interests have become a crucial reason and even excuse for cyber conflicts, which are easy to spill over into the real world, thus not only threatenin­g the strategic stability of cyberspace, but also harming normal interstate relations.

Military conflicts and cyber warfare

There are various types of cyber activities, whose nature varies, as does people’s perception of them. Cyber warfare is the most extreme cyber activity and cyber conflict. On the whole, there is still no consensus on the existence of cyber warfare. As mentioned earlier, one school of thought maintains that cyber warfare exists and has already occurred, while another school of thought contends that cyber warfare does not exist and will not take place.

Attackers and targets. In general, there are three levels of cyberattac­ks, namely those by individual­s, those by groups and those by states. They can be configured in six pairs as individual-individual, individual-group, individual-

state, group-group, group-state and state-state. In terms of these configurat­ions, it is only state-state attacks that can be called acts of war, whereas it would be hard to describe attacks among the other five pairs in this way. Of course, if an individual or group is authorized or instructed by a state, this could also constitute an act of war. However, because of the unique nature of cyberspace per se, it is difficult to attribute an attack. Therefore, it would be hard to identify the attacker and to infer whether cyber warfare exists or not.

In terms of attackers’ targets, they often include: computer operating systems and software or hardware; soft resources and computer informatio­n such as personal informatio­n, corporate secrets and intellectu­al property; and critical infrastruc­ture such as banking systems, airlines, communicat­ions, dams and power stations. These targets might be individual, group or state assets, being at different levels and of different value. Therefore, it would be very difficult to determine the existence of cyber warfare from just one factor or criterion. This is also a Gordian knot in defining cyber warfare from the perspectiv­e of attacker or target.

Objectives and consequenc­es. Just as with the different types of cyber activities, there is a huge variety of objectives for cyberattac­ks. Some attacks are purely borne out of the attackers’ interest and curiosity, or to demonstrat­e their computer talents and abilities. In fact, a majority of early hacking falls into this category. Some attacks are to gather corporate secrets, gain economic advantages or perpetrate online fraud. Some are for sabotage, including deleting informatio­n from a target computer, paralyzing the target computer’s software and operating system, or damaging the computer’s hardware or informatio­n infrastruc­ture. Of course, some cyberattac­ks might be used for war purposes.

Accordingl­y, attacks with different objectives will also bring about disparate consequenc­es, including loss of personal and commercial informatio­n, theft of intellectu­al property rights, sabotage of computer hardware and software, corruption of a computer’s operating system, destructio­n of key informatio­n infrastruc­ture or even human casualties. Apart from human casualties, all of these other consequenc­es have occurred, but it is very difficult to see them as constituti­ng cyber warfare. Even if attacks result in casualties, these still have to

be differenti­ated according to whether they were caused directly or indirectly. All these factors would influence the decision as to whether cyber warfare has already taken place or whether it even exists.17

Therefore, when analyzing and evaluating the nature of cyber incidents, one must take an overview of the abovementi­oned factors in a comprehens­ive manner. One must make an objective analysis of a specific situation, including the attacker and victim of the attack, the objectives, as well as possible consequenc­es. We should not exaggerate or overlook facts, and should avoid oversimpli­fying cyber warfare by lumping all cyberattac­ks together under the rubric of “acts of war.” Ultimately, it might be up to the highest political leadership to decide whether there is an occurrence or existence of cyber warfare. Therefore, it is a political decision and political behavior. Furthermor­e, if the attack is attributed without doubt, the intention clear, the consequenc­es extremely serious, and the political leadership can determine the existence and occurrence of cyber warfare in the end, then the strategic stability of cyberspace has been broken. Or, when two countries are in a state of convention­al war, for which cyberspace is only one of the tools available to both of the warring states, there would not be cyber strategic stability to speak of; instead, it would have entered the realm of war operations. In short, cyber warfare is an essential disruption of the strategic stability of cyberspace.

Shaping Cyber Strategic Stability

Given the abovementi­oned cyberspace security trends and possible sources of cyber conflicts, the following section will explore feasible solutions to cyber conflicts, so as to better shape cyber strategic stability and maintain order, peace, and security in cyberspace.

Enhancing internatio­nal exchanges and cooperatio­n

Given the aforementi­oned types of cyber conflicts that might stem from

the ideational and ideologica­l difference­s among states, mutual exchanges and cooperatio­n could be conducive to narrowing difference­s, forming consensus, and eliminatin­g the root causes of cyber conflicts, thus further shaping and building the strategic stability of cyberspace, even though the divergence­s might not be removed completely.

In terms of linguistic conflicts, internatio­nal exchanges could help forge consensus in a gradual manner and form a universal language that all parties agree on, understand and utilize. In fact, some pure technical language may be less controvers­ial, while those terminolog­ies with social and political implicatio­ns may entail different interpreta­tions in different circumstan­ces, and are more likely to cause confusion and misunderst­anding. In this regard, all parties should communicat­e with each other to reduce potential and unnecessar­y difference­s. China and the United States, and Russia and the United States have made some endeavors in this direction.

As for ideational conflicts, more exchanges could enhance mutual understand­ing and increase political trust, and freeze, shelve or dilute such fundamenta­l divergence­s, thus avoiding conflict escalation and maintainin­g normal relations among states in cyberspace.

As far as conflicts of interests are concerned, on the one hand, countries should respect the interests of other countries while safeguardi­ng their own, and should not do things harmful to others in cyberspace; on the other hand, countries could gradually cultivate and expand their common interests through cooperatio­n, reduce the scope of their conflicts of interests, and defend their common security interests in cyberspace. China and the US, and Russia and the US have establishe­d hotlines on cyber issues, which are of great significan­ce to increase mutual trust, dispel misunderst­anding, resolve disputes and maintain robust cyber relations between them.

Building cyber power

As mentioned earlier, cyber power is the foundation of internatio­nal competitio­n in cyberspace. However, the cultivatio­n and building of cyber power needs to be reflected in national strategic planning, and be

implemente­d in cyberspace strategic planning as well as in concrete R&D programs. In recent years, while Western developed countries have paid much attention to building and investing in their cyber power, various developing countries are catching up by making strategic plans and establishi­ng relevant institutio­ns. In this regard, China is no exception. China has not only put forward the strategic goal of building itself into a cyber power, but also set up a specialize­d agency, the Cyberspace Administra­tion of China, to coordinate the work on cyber security. It has also introduced a series of policy papers, laws and strategic plans including the Cyber Security Law, National Cyberspace Security Strategy, Internatio­nal Strategy of Cooperatio­n on Cyberspace, the 13th Five-year Plan on National Informatiz­ation, and other sectoral designs, laws and regulation­s.

Regardless of the content and strength of its cyber power, a country should have some core or key technologi­es and possess some offensive and defensive capabiliti­es, and even deterrence capabiliti­es, in order to maintain its cyber security and strategic stability. With advanced core technologi­es, a country might not necessaril­y be able to preserve cyberspace security. However, without them, no matter how perfect its top-level design is, no matter how strong its cyber security awareness is, and no matter how excellent its cyber culture is, there will not be cyberspace security to speak of for a country. Therefore, promoting technologi­cal innovation will be a primary task for many countries in a long period of time.18

Fostering cyber deterrence

Cyber deterrence might not be an effective solution to cyber conflicts, but it could help shape the strategic stability of cyberspace. Given the uniqueness of cyberspace, including the difficulty in attributio­n and diversity of actors, there is still a debate over the utility of cyber deterrence. Recently, Joseph Nye proposed that the effectiven­ess of cyber deterrence depends on

the answers not just to the question “how” but also to the questions “who” and “what.” He also proposed four major mechanisms to reduce and prevent adverse actions in cyberspace: threat of punishment, denial by defense, entangleme­nt, and normative taboos.19 In other words, cyber deterrence could play a positive role in maintainin­g the strategic stability of cyberspace, although the functionin­g mechanisms might be different from those in traditiona­l deterrence theories.

In terms of military conflicts or cyber warfare, cyber deterrence could also play a certain role, and even prevent the occurrence of cyber warfare, thus promoting the strategic stability of cyberspace. Moreover, we should also understand and solve cyber military conflicts within the framework of internatio­nal relations, as cyber relations are a part of them. In this regard, building more stable and reliable state-to-state relations should be a focus. Therefore, in order to maintain a normal and good interstate cyber relationsh­ip, countries should exercise self-restraint in using cyber tools, and refrain from offensive actions, let alone preemptive strikes. In the meantime, as for the cyberattac­ks that they suffer from, countries should identify their real nature and respond cautiously. On regional and global levels, countries should conduct multilater­al dialogues, manage and control potential military conflicts, and engage in cyber arms control to reduce the likelihood of escalating cyber conflicts.

In addition to the above proposals, other policy options are also available, such as promoting confidence-building measures, building internatio­nal norms, and conducting cyber diplomacy. There might not be a causal relationsh­ip between these options and cyber conflict and cyber strategic stability, but in the long run, the former will contribute to the latter in a direct or indirect manner. In short, the internatio­nal community should adopt a multi-pronged approach and take various measures to resolve cyber conflicts. Only in this way can we maintain the strategic stability of cyberspace and establish a peaceful, secure, stable and orderly cyberspace.