Options for Countering the Rise of Chinese Private Military Contractors

Anthony Patrick is a graduate of Georgia State University and an Officer in the United States Marine Corps.  Divergent Options’ content does not contain information of an official nature nor does the content represent the official position of any government, any organization, or any group.


National Security Situation:  Future threats to United States (U.S.) interests abroad from Chinese Private Military Contractors.

Date Originally Written:  November, 26, 2018.

Date Originally Published:  December 24, 2018.

Author and / or Article Point of View:  The author is a United States Marine Corps Officer and currently attending The Basic School. 

Background:  Over the last six months, the media has been flooded with stories and articles about the possibility of a trade war between the U.S and the People Republic of China (PRC). These talks have mainly focused around specific trade policies such as intellectual property rights and the trade balance between the two nations. These tensions have risen from the PRC’s growing economic influence around the world. While many problems persist between the U.S and the PRC due to the latter’s rise, one issue that is not frequently discussed is the growing use of Private Military Contractors (PMCs) by the PRC. As Chinese companies have moved operations further abroad, they require protection for those investments. While the current number of Chinese PMCs is not large, it has been growing at a worrying rate, which could challenge U.S interests abroad[1]. 

Significance:  Many countries have utilized PMCs in foreign operations. The most significant international incidents involving PMCs mainly come from those based in the U.S and the Russian Federation. However, many other countries with interests abroad have increasingly started to utilize PMCs. One of the most significant examples has been the growing use of Chinese PMC’s. These PMCs pose a very unique set of threats to U.S national security interest abroad[2]. First, like most PMC’s, Chinese contractors come mainly from the Peoples Liberation Army and policing forces. This means that the PMCs have a significant amount of military training. Secondly, the legal relationship between the PMC’s and the PRC is different than in most other countries. Since the PRC is an authoritarian country, the government can leverage multiple forms of coercion to force PMC’s into a certain course of action, giving the government a somewhat deniable capability to control foreign soil. Lastly, the Chinese can use PMC’s as a means to push their desired political endstate on foreign countries. With the U.S still being ahead of the PRC militarily, and with both states having nuclear capabilities, conventional conflict is highly unlikely. One way for the Chinese to employ forces to counter U.S. interests abroad is through the use of PMC’s, similar to what Russia has done in Syria[3]. With this in mind, the U.S will need a proactive response that will address this problem both in the short and long term.  

Option #1:  Increase the Department of Defense’s (DoD) focus on training to counter irregular/asymmetric warfare to address the threat posed by PRC PMCs. 

Risk:  The new National Defense Strategy (NDS) focuses on many aspects of the future conventional battlefield like increasing the size of the U.S Navy, cyber operations, and cutting edge weapons platforms[4]. By focusing more of the DoD’s resources on training to counter irregular / asymmetric warfare, the military will not be able to accomplish the goals in the NDS. This option could also lead to a new generation of military members who are more adept at skills necessary for smaller operations, and put the U.S at a leadership disadvantage if a war were to break out between the U.S and a near peer competitor. 

Gain:  Another major conventional war is highly unlikely. Most U.S. near peer competitors are weaker militarily or have second strike nuclear capabilities. Future conflicts will most likely require the U.S. to counter irregular / asymmetric warfare methodologies, which PRC PMCs may utilize.  By focusing DoD resources in this area, the U.S would gain the ability to counter these types of warfare, no matter who employs them. In addition to being better able to conduct operations similar to Afghanistan, the U.S. would also have the tools to address threats posed by PRC PMCs.  Emphasizing this type of warfare would also give U.S actions more international legitimacy as it would be employing recognized state assets and not trying to counter a PRC PMC with a U.S. PMC. 

Option #2:  The U.S. pursues an international treaty governing the use of PMC’s worldwide.  

Risk:   Diplomatic efforts take time, and are subject to many forms of bureaucratic blockage depending on what level the negations are occurring. Option #2 would also be challenging to have an all-inclusive treaty that would cover every nation a PMC comes from or every country from which an employee of these firms might hail. Also, by signing a binding treaty, the U.S would limit its options in foreign conflict zones or in areas where Chinese PMC’s are operating or where the U.S. wants to use a PMC instead of the military.

Gain:  A binding international treaty would help solve most of the problems caused by PMC’s globally and set the stage for how PRC PMC’s act as they proliferate globally[5]. By making the first move in treaty negotiations, the U.S can set the agenda for what topics will be covered. The U.S can build off of the framework set by the Montreux document, which sets a non-binding list of good practices for PMCs[6]. By using the offices of the United Nations Working Group on PMCs the U.S would be able to quickly pull together a coalition of like minded countries which could drive the larger negotiation process. Lastly, Option #2 would help solve existing problems with PMC’s operating on behalf of other countries, like the Russian Federation. 

Other Comments:  None.

Recommendation:  None.


Endnotes:

[1] Swaine, M. D., & Arduino, A. (2018, May 08). The Rise of China’s Private Security (Rep.). Retrieved November 26, 2018, from Carnegie Endowment For International Peace website: https://carnegieendowment.org/2018/05/08/rise-of-china-s-private-security-companies-event-6886

[2] Erickson, A., & Collins, G. (2012, February 21). Enter China’s Security Firms. Retrieved November 26, 2018, from https://thediplomat.com/2012/02/enter-chinas-security-firms/3/

[3] United States., Department of Defense, (n.d.). Summary of the 2018 National Defense strategy of the United States of America: Sharpening the American Military’s Competitive Edge (pp. 1-14).

[4] Gibbons-neff, T. (2018, May 24). How a 4-Hour Battle Between Russian Mercenaries and U.S. Commandos Unfolded in Syria. Retrieved November 25, 2018, from https://www.nytimes.com/2018/05/24/world/middleeast/american-commandos-russian-mercenaries-syria.html

[5] Guardians of the Belt and Road. (2018, August 16). Retrieved November 26, 2018, from https://www.merics.org/en/china-monitor/guardians-of-belt-and-road

[6] Switzerland, Federal Department of Foreign Affairs, Directorate of International Law. (2008, September 17). The Montreux Document. Retrieved November 26, 2018, from https://www.icrc.org/en/doc/assets/files/other/icrc_002_0996.pdf

Anthony Patrick Below Established Threshold Activities (BETA) China (People's Republic of China) Irregular Forces Non-Government Entities Option Papers

Options to Deter Cyber-Intrusions into Non-Government Computers

Elizabeth M. Bartels is a doctoral candidate at the Pardee RAND Graduate School and an assistant policy analyst at the nonprofit, nonpartisan RAND Corporation.  She has an M.S. in political science from the Massachusetts Institute of Technology and a B.A. in political science with a minor in Near Eastern languages and civilization from the University of Chicago.  Divergent Options’ content does not contain information of an official nature nor does the content represent the official position of any government, any organization, or any group.


National Security Situation:  Unless deterred, cyber-intrusions into non-government computer systems will continue to lead to the release of government-related information.

Date Originally Written:  March 15, 2017.

Date Originally Published:  May 11, 2017.

Author and / or Article Point of View:  Author is a PhD candidate in policy analysis, whose work focuses on wargaming and defense decision-making.

Background:  Over the years, a great deal of attention has been paid to gaining security in cyberspace to prevent unauthorized access to critical infrastructure like those that control electrical grids and financial systems, and military networks.  In recent years a new category of threat has emerged: the cyber-theft and subsequent public release of large troves of private communications, personal documents and other data.

This category of incident includes the release of government data by inside actors such as Chelsea Manning and Edward Snowden.  However, hacks of the Democratic National Committee and John Podesta, a Democratic party strategist, illustrate that the risk goes beyond the theft of government data to include information that has the potential to harm individuals or threaten the proper functioning of government.  Because the federal government depends on proxies such as contractors, non-profit organizations, and local governments to administer so many public functions, securing information that could harm the government – but is not on government-secured systems – may require a different approach.

Significance:  The growing dependence on government proxies, and the risk such dependence creates, is hardly new[1], and neither is concern over the cyber security implications of systems outside government’s immediate control[2].  However, recent attacks have called the sufficiency of current solutions into question.

Option #1:  Build Better Defenses.  The traditional approach to deterring cyber-exploitation has focused on securing networks, so that the likelihood of failure is high enough to dissuade adversaries from attempting to infiltrate systems.  These programs range from voluntary standards to improve network security[3], to contractual security standards, to counter-intelligence efforts that seek to identify potential insider threats.  These programs could be expanded to more aggressively set standards covering non-governmental systems containing information that could harm the government if released.

Risk:  Because the government does not own these systems, it must motivate proxy organizations to take actions they may not see as in their interest.  While negotiating contracts that align organizational goals with those of the government or providing incentives to organizations that improve their defenses may help, gaps are likely to remain given the limits of governmental authority over non-governmental networks and information[4].

Additionally, defensive efforts are often seen as a nuisance both inside and outside government.  For example, the military culture often prioritizes warfighting equipment over defensive or “office” functions like information technology[5], and counter-intelligence is often seen as a hindrance to intelligence gathering[6].  Other organizations are generally focused on efficiency of day-to-day functions over security[7].  These tendencies create a risk that security efforts will not be taken seriously by line operators, causing defenses to fail.

Gain:  Denying adversaries the opportunity to infiltrate U.S. systems can prevent unauthorized access to sensitive material and deter future attempted incursions.

Option #2:  Hit Back Harder.  Another traditional approach to deterrence is punishment—that is, credibly threatening to impose costs on the adversary if they commit a specific act.  The idea is that adversaries will be deterred if they believe attacks will extract a cost that outweighs any potential benefits.  Under the Obama administration, punishment for cyber attacks focused on the threat of economic sanctions[8] and, in the aftermath of attacks, promises of clandestine actions against adversaries[9].  This policy could be made stronger by a clear statement that the U.S. will take clandestine action not just when its own systems are compromised, but also when its interests are threatened by exploitation of other systems.  Recent work has advocated the use of cyber-tools which are acknowledged only to the victim as a means of punishment in this context[10], however the limited responsiveness of cyber weapons may make this an unattractive option.  Instead, diplomatic, economic, information, and military options in all domains should be considered when developing response options, as has been suggested in recent reports[11]. 

Risk:  Traditionally, there has been skepticism that cyber incursions can be effectively stopped through punishment, as in order to punish, the incursion must be attributed to an adversary.  Attributing cyber incidents is possible based on forensics, but the process often lacks speed and certainty of investigations into traditional attacks.  Adversaries may assume that decision makers will not be willing to retaliate long after the initiating incident and without “firm” proof as justification.  As a result, adversaries might still be willing to attack because they feel the threat of retaliation is not credible.  Response options will also need to deal with how uncertainty may shape U.S. decision maker tolerance for collateral damage and spillover effects beyond primary targets.

Gain:  Counter-attacks can be launched regardless of who owns the system, in contrast to defensive options, which are difficult to implement on systems not controlled by the government.

Option #3:  Status Quo. While rarely discussed, another option is to maintain the status quo and not expand existing programs that seek to protect government networks.

Risk:  By failing to evolve U.S. defenses against cyber-exploitation, adversaries could gain increased advantage as they develop new ways to overcome existing approaches.

Gain:  It is difficult to demonstrate that even the current level of spending on deterring cyber attacks has meaningful impact on adversary behavior.  Limiting the expansion of untested programs would free up resources that could be devoted to examining the effectiveness of current policies, which might generate new insights about what is, and is not, effective.

Other Comments:  None.

Recommendation:  None.


Endnotes:

[1]  John J. Dilulio Jr. [2014], Bring Back the Bureaucrats: Why More Federal Workers Will Lead to Better (and Smaller!) Government, Templeton Press.

[2]  President Barack Obama [2013], Executive Order—Improving Critical Infrastructure Cybersecurity, The White House Office of the Press Secretary.

[3]  National Institute of Standards and Technology (NIST) [2017], Framework for Improving Critical Infrastructure Cybersecurity, Draft Version 1.1.

[4]  Glenn S. Gerstell, NSA General Councel, Confronting the Cybersecurity Challenge, Keynote address at the 2017 Law, Ethics and National Security Conference at Duke Law School, February 25, 2017.

[5]  Allan Friedman and P.W. Singer, “Cult of the Cyber Offensive,” Foreign Policy, January 15, 2014.

[6]  James M. Olson, The Ten Commandments of Counterintelligence, 2007.

[7]  Don Norman, “When Security Gets in the Way,” Interactions, volume 16, issue 6: Norman, D. A. (2010).

[8]  President Barack Obama [2016], Executive Order—Taking Additional Steps to Address the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities.

[9]  Alex Johnson [2016], “US Will ‘Take Action’ on Russian Hacking, Obama Promises,” NBC News.

[10]  Evan Perkoski and Michael Poznansky [2016], “An Eye for an Eye: Deterring Russian Cyber Intrusions,” War on the Rocks.

[11]  Defense Science Board [2017], Task Force of Cyber Deterrence.

Cyberspace Deterrence Elizabeth M. Bartels Non-Government Entities Option Papers