We’ve already seen examples of how the attribution problem of cyber attacks can lead to misdirection on a state level. In 2009, three waves of DDoS attacks crippled major government websites in both the United States and South Korea. When security experts reviewed the cyber attack, they found Korean language and other indicators that strongly suggested that the network of attacking computers, or botnet, began in North Korea. Officials in Seoul directly pointed their fingers at Pyongyang, the American media ran with the story and a prominent Republican lawmaker demanded that President Obama conduct a “show of force or strength” against North Korea in retaliation.

In fact, no one could prove where the attacks came from. A year later, analysts concluded they had no evidence that North Korea or any other state was involved. One analyst in Vietnam had earlier said that the attacks originated in the United Kingdom, while the South Koreans insisted that North Korea’s telecommunications ministry was behind them. Some people even thought it was all a hoax orchestrated by the South Korean government or activists attempting to incite U.S. action against the North Korean regime.

These attacks were, by most accounts, rather ineffectual and fairly unsophisticated—no data was lost, and the DDoS method is considered a rather blunt instrument—which in part explains why the situation did not escalate. But what happens when more countries can build Stuxnet worms, and even more sophisticated weapons? At what point does a cyber attack become an act of war? And how does a country retaliate when the instigator can almost always cover his tracks? Such questions will have to be answered by policy-makers the world over, and sooner than they expect. Some solutions to these challenges exist, but most options, like international treaties governing cyber attacks, will require substantial investment as well as honest dialogue about what we can and cannot control.

The episodes that prompt these discussions will probably not be state-to-state cyber warfare; a more likely driver will be state-sponsored corporate espionage. States can contain the fallout of attacks on their own governmental networks, but if companies are targeted, the attacks are much more public and can affect more people if user or customer data is involved. Globalization also makes digital corporate espionage a more fruitful endeavor for states. As companies look to expand their reach into new markets, inside information about their operations and future plans can help local entities win contracts and regional favor. To examine why this is true and what it means for the future, we have to look, again, at China.

While China is by no means the only country engaging in cyber attacks on foreign companies, today it is the most sophisticated and prolific. Beijing’s willingness to engage in corporate espionage, as well as to sanction its companies to do the same, results in a heightened vulnerability for foreign corporations, not just those looking to work in China but those everywhere in the world. The previously mentioned Chinese cyber attack against Google and dozens of other companies in 2009 is hardly an isolated case; in only the past few years, the industrial-espionage campaign led by Chinese spy agencies has targeted American companies producing everything from semiconductors and motor vehicles to jet-propulsion technology. (Of course, corporate espionage is not a new phenomenon. In one famous nineteenth-century example, England’s East India Company hired a Scottish botanist to smuggle Chinese plants and secrets from China into India—which he did successfully, dressed as a Chinese merchant—to break the Chinese monopoly on tea.)

What is new about this latest iteration of corporate espionage is that, in the digital era, so much work can be done remotely and near-anonymously. As we’ll see shortly in our discussion of automated warfare, this is a crucial new technological development that will affect many areas in our future world. We live in an age of expansion, and as China and other emerging superpowers seek to expand their economic foothold around the world, digital corporate espionage will greatly enhance their abilities to grow. Whether officially state-sponsored or simply encouraged by the state, hacking into competitors’ e-mails and systems to obtain proprietary information will certainly give players an unfair advantage in the market. Several business leaders of major American corporations have told us in confidence about deals they lost in Africa and other emerging markets because of what they believe to be Chinese spying or theft of sensitive information (which was then used to thwart or commandeer their deals).

Today, the majority of cases of corporate espionage between China and the United States appear to involve opportunists rather than the visible hand of the state. There was the Chinese couple in Michigan who stole trade information related to General Motors’ research into hybrid cars (which the company estimated to be worth $40 million) and tried to sell it to Chery Automobile, a Chinese competitor. There was the Chinese employee of Valspar Corporation, a leading paint and coatings manufacturer, who illegally downloaded confidential formulas valued at $20 million, intending to sell them to China, and the DuPont chemical researcher who stole information on organic light-emitting diodes, which he planned to give to a Chinese university. None of these actors was tied directly to the Chinese government, and in fact they may simply have been private individuals looking to profit from confidential trade secrets. But we also know that in China, where most major companies are state-owned or heavily influenced by the state, the government has conducted or sanctioned numerous intelligence-gathering cyber attacks against American companies. There can be little doubt that the attacks we know about represent a small percentage of those attempted, whether successful or not.

The United States will not take the same path of digital corporate espionage, as its laws are much stricter (and better enforced) and because illicit competition violates the American sense of fair play. This is a difference in values as much as a legal one—as we discussed earlier, China today does not rate intellectual property rights very highly. But the disparity between American and Chinese firms and their tactics will put both the government and the companies of the United States at a distinct disadvantage. American firms will have to fiercely protect their own information and patrol their network’s borders, as well as monitor a range of internal threats (all of the individuals in the above examples legitimately worked for those companies), just to remain competitive.

• • •

The current economic espionage will continue for decades, both between the United States and China and between other nations that gain the required technical capabilities and see the competitive advantages it offers. There will be no dramatic escalation for the same reason that we’ll have an ongoing but relatively stable Code War: the lack of attribution in cyber attacks. The Chinese government is free to support or partake in any number of cyber attacks against foreign companies or human-rights organizations so long as their involvement cannot be definitively proven.7

But there are strategies we can use to mitigate the damage caused by cyber attacks in addition to introducing some vulnerability on the part of the attackers. One idea comes from Microsoft’s Craig Mundie: virtual quarantine. As we’ve described, many cyber attacks today come in the form of DDoS attacks and regular denial-of-service (DoS) attacks, which require the use of one “open” or insecure computer on a network that the attacker can use as a base of operations to build his “zombie army” of compromised devices. (DoS attacks could be generated by a small number of hyperactive attacking machines; DDoS attacks are generated by a large, distributed—hence the extra “D”—network of attacking machines, often comprised of hacked computers owned by everyday users ignorant of the fact that their computers are being manipulated in this way.) One neglected or unprotected device on the network—a never-used laptop in a science lab, or a personal computer an employee brings to work—can become the attacker’s base and then compromise the whole system.8