In the long Cold War between NATO and the Warsaw Pact, espionage was rife. Security services placed secret agents in sensitive positions, spy planes photographed strategic locations and information was smuggled through borders.
The reasons were simple: each side believed that they would eventually end up at war with the other - and when conflict began, knowing your enemy's secrets could make a crucial difference to the outcome. There was only one rule: don't get caught. Getting caught could spark an international incident and bring the world one step closer to war.
Is something similar happening online?
Attacks are everywhere
In August, it emerged that a group called APT1 - aka Comment Crew - had infiltrated the control systems for a US city's water supply. The systems were fake, a honeytrap designed to catch hackers, but the infiltration was real. According to security firm Mandiant, "APT1 is likely government-sponsored and one of the most persistent of China's cyber threat actors" and may be Unit 61398 of the Chinese People's Liberation Army.
As MIT Technology Review reports, other hacking groups also target municipal control systems: "Between March and June this year, 12 honeypots deployed across eight different countries attracted 74 intentional attacks, 10 of which were sophisticated enough to wrest complete control of the dummy control system." Around half of the critical attacks originated in China.
Why are they targeting control systems? The answer's simple: by shutting down key infrastructure, you can cause chaos. According to US director of national intelligence James Clapper, cyber attacks and electronic espionage have supplanted terrorism as the most severe security threat to the US.
In May, a report claimed that the US electricity grid is under near constant attack from malware and cyber-criminals - and earlier this month, industry leaders claimed that a massive attack on the US power grid was "inevitable."
In the UK, GCHQ has announced twin schemes to protect against electronic attacks: it is working with the Council of Registered Ethical Security Testers (CREST) to promote "appropriate standards for incident response" across the public and private sectors, and it is working with the Centre for the Protection of National Infrastructure (CPNI) to help organisations under attack "source an appropriate incident response service... and allow GCHQ and CPNI to focus on the most challenging attacks."
It's unclear whether APT1 and similar groups are controlled by the Chinese authorities - security analyst Jeffrey Carr told MIT Technology Review that he doubts that "the Chinese military or their intelligence services would use such obvious methods and be so frequently found out" - but there's no doubt that many electronic attacks and espionage are state sponsored.
China isn't doing this in isolation - Iranian hackers have been targeting US companies, with one attack on oil pipeline systems that went "far enough to worry people" - but it's a little more brazen than others.
In March, General Keith Alexander told the US Congress that he was creating 13 teams to carry out offensive cyber-attacks. "I would like to be clear that this team, this defend-the-nation team, is not a defensive team," he said. "This is an offensive team that the Defense Department would use to defend the nation if it were attacked in cyberspace."
And of course, there's PRISM. According to claims by US whistleblower Edward Snowden, PRISM extends to Hong Kong and China, giving the US "access to the communications of hundreds of thousands of computers without having to hack every single one."
Hacks of war
Is hacking an act of war? That depends on what you hack. The go-to guide on electronic aggression comes from the NATO Co-operative Cyber Defence Center of Excellence, whose Tallinn Manual attempts to explain how international law applies to cyber operations. By the group's legal analysis, an electronic attack isn't an act of war unless it violates sovereignty and is a "use of force" that causes damage. So far, the antics of Chinese (and other) hackers don't meet that definition.