China’s Cyberwarfare Finds New Targets
Is China a leader in cyberwarfare? China answers yes.
With the massive media coverage of Russian cyber interference in recent Western elections, the time is ripe to examine the issue of cyberwarfare in China. China discusses its own emphasis on cyberwar capabilities in several official documents, including the 2015 China’s Military Strategy white paper:
“Cyberspace has become a new pillar of economic and social development, and a new domain of national security. … As cyberspace weighs more in military security, China will expedite the development of a cyber force, and enhance its capabilities of cyberspace situation awareness, cyber defense, support for the country’s endeavors in cyberspace and participation in international cyber cooperation, so as to stem major cyber crises, ensure national network and information security, and maintain national security and social stability.”
Moreover, in the wake of the massive worldwide WannaCry ransomware attack, China was hit hard. The malicious backdoor software that hackers relied on to develop the ransomware attack was created by the US National Security Agency (NSA) and later stolen by a secretive group known as the Shadow Brokers; NSA whistleblower Edward Snowden wrote that the “circumstantial evidence and conventional wisdom” suggested Russia was behind the hack. With the largest online population in the world, surpassing 649 million users, China is more openly declaring its place as a cyber power among the US, Russia, Israel and North Korea — the “cyber five.” The question is whether China will fully assume a leadership role.
The iSight intelligence unit of FireEye — a company that manages large network breaches — conducted a study concluding that Chinese attacks are decreasing in volume and increasing in sophistication. China picks targets more carefully and covers its tracks more expertly. Unit 61398 — the notorious military-run cyber center — appears to be largely out of business, with its hackers dispersed to other military, private and intelligence units. The Chinese cyberattacks have focused on the US, Russia, South Korea and Vietnam and have sometimes aimed at the South China Sea disputes. The report states that the change is part of Chinese President Xi Jinping’s broad effort to bring the Chinese military, which is one of the main sponsors of the attacks, further under his control.
A Revolution in Cyber Affairs
The Chinese approach has clearly shifted in the past three years. For instance, The Science of Military Strategy — a study of the People’s Liberation Army’s (PLA) strategic thinking, published by China’s Academy of Military Sciences — released in 2015, both acknowledges for the first time that China has built up network attack forces and divides them into specialized military network warfare forces, teams of network warfare specialists in government civilian organizations and entities outside of the government that engage in network attack and defense, including its civilian IT industry. Similarly, the 2015 China’s Military Strategy asserts that “China will devote more efforts to science and technology in national defense mobilization, be more readily prepared for the requisition of information resources, and build specialized support forces. China aims to build a national defense mobilization system that can meet the requirements of winning informationized wars and responding to both emergencies and wars.” This new openness about the need for strong cyber forces and the integration of civilian specialties into national defense is a definite shift.
The previous two decades were a steady buildup to this perspective. Beginning as early as 2000, China’s Central Military Commission called for a study of people’s war under conditions of “informationalization.” The Chinese strategy called Integrated Network Electronic Warfare consolidated the offensive mission for both computer network attack and electronic warfare under the PLA’s General Staff Department. The originator of the strategy, now retired Major General Dai Qingmin, a prolific and outspoken supporter of modernizing the PLA’s information warfare capabilities, first described the combined use of network and electronic warfare as early as 1999 in articles and a book entitled An Introduction to Information Warfare, written while on faculty at the military’s Electronic Engineering Academy. General Dai was promoted in 2000 to lead the General Staff’s 4th Department.
China’s National Defense in 2004 white paper stated that “informationalization has become the key factor in enhancing the warfighting capability of the armed forces” and that the military takes informationalization “as its orientation and strategic focus.” Chinese military doctrine advocates a combination of cyber and electronic warfare capabilities in the early stages of conflict. Both the 2004 white paper and the noted expert on the PLA, You Ji, identify the PLA Air Force as responsible for information operations and information countermeasures. Other cyber responsibilities lie with the PLA General Staff’s 4th and 3rd Departments that conduct advanced research on information security. The 4th Department oversees electronic counter-measures and research institutes developing information warfare technologies. The 3rd Department is responsible for signals intelligence and focuses on collection, analysis and exploitation of electronic information. The military also maintains ties with research universities and the public sector.
The Chinese military maintains a network of universities and research institutes that support information warfare-related education either in advanced degree granting programs or specialized courses. Military universities supporting this approach include the National University of Defense Technology, the PLA Science and Engineering University and the PLA Information Engineering University.
China, like many countries, initially turned to its civilian computer programmer subculture and information technology workforce, but this strategy too has been modified as Chinese cyberwarfare strategy matures. In the early days of 1999 to 2004, China’s civilian computer programmer subculture gained notoriety for its willingness to engage in large-scale politically motivated denial of service attacks, data destruction and defacements of foreign networks. While initially encouraged, this sentiment changed and official party media sources published editorials suggesting that civilian computer attack activities would not be tolerated.
Nonetheless, the traditional computer programmer subculture may still offer unique skill sets and may have a niche role for military or state intelligence collection. Some evidence suggests a relationship exists between Chinese malicious civilian computer programmer subculture and Chinese government operators responsible for network intrusions, and there has been limited recruiting from this community, similar to what occurs in the US and Russia.
How is China integrating the military strategy for cyberwarfare into overall planning efforts and implementing it? The FireEye study concluded that as early as 2014, around the time of the indictment of the PLA’s officers and hackers in the US for economic cyber theft, the Chinese government was modifying its approach to cyber operations. Central to this new posture is the previous decade’s scheme of informationization. The guiding doctrine, Local War Under Informationized Conditions, outlines the effort to develop a fully networked architecture capable of coordinating military operations on land, in air, at sea, in space and in cyber realms. The goal is to establish control of a rival’s information flow and maintain dominance in the early stages of a conflict.
Chinese military strategists early on viewed information dominance as a key goal at the strategic and campaign level, according to The Science of Military Strategy in 2005 and The Science of Campaigns in 2006. The strategy relies on applying electronic warfare and computer network operations against an adversary’s command, control, communications, computers, intelligence, surveillance and reconnaissance (C4ISR) networks and other essential information systems. The strategy requires that these cyber tools be widely employed in the earliest phases of a conflict and possibly preemptively against an adversary’s information systems and C4ISR systems. In addition to the core military objective, other goals have emerged.
The primary objective of the strategy is to deny an enemy access to information essential for continued combat operations, ideally before other forces engage in combat. A secondary objective is to attack people’s perception and belief systems through information deception and psychological attack. A third objective is strategic deterrence, which some Chinese military strategists see as comparable to nuclear weapons but possessing greater precision, leaving far fewer casualties and possessing longer range than most other weapons.
Another early objective of cyber strategy in China, a strategy that has been greatly modified since the 2014 shift, was cyberespionage. Most countries engage in some sort of espionage of each other’s governments. However, in the initial stages from 2006 to 2014, China was very active in cyberespionage of commercial interests as opposed to government secrets; some scholars argue that commercial espionage was seen as necessary to build the Chinese economy. A massive commercial cyberespionage campaign was conducted by APT1, a single organization of operators. Since 2006, Mandiant — another FireEye company — observed that APT1 compromised 141 companies spanning 20 major industries, a long-running and extensive cyberespionage campaign made possible, in large part, through direct government support it received from the military’s Unit 61398. As late as 2011, it compromised at least 17 new victims operating in 10 different industries. However, by 2017, Unit 61398 is mostly disbanded, as Chinese cyber strategy completes its shift from volume to sophistication and its shift from commercial to government objectives.
One of the major concerns of cyberespionage, besides loss of government and commercial secrets, is that it can be a forerunner of cyberattacks. According to The New York Times, “What most worries American investigators is that the latest set of attacks believed coming from Unit 61398 focus not just on stealing information, but obtaining the ability to manipulate American critical infrastructure: the power grids and other utilities.”
Then-US President Obama discussed this point in his 2013 State of the Union speech. “We know foreign countries and companies swipe our corporate secrets,” he said. “Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air-traffic control systems. We cannot look back years from now and wonder why we did nothing.” From 2006 to 2014, the theft of intellectual property resulted in the loss of billions of dollars of revenue. But clearly the strategy and objectives have changed.
Another thing that has changed is the belief in the ability to control cyberspace. China argues that states have the right to control their own cyberspace, much like they do any other domain or territory (cyber-sovereignty), while Western countries argue for an “open, interoperable, secure, and reliable information and communications infrastructure.” Chinese leaders believe that cyberspace is largely controllable. Around the time of the Google pullout, China’s State Council Information Office delivered an exultant report on its work to regulate online traffic, according to a crucial Chinese contact cited by the State Department in a cable in early 2010 and later quoted in The New York Times. The source claimed that “in the past, a lot of officials worried that the Web could not be controlled. But through the Google incident and other increased controls and surveillance, like real-name registration, they reached a conclusion: the Web is fundamentally controllable.”
In an attempt to control its own cyberspace, China adopted a cybersecurity law to address growing threats of cyberattacks in addition to the Golden Shield Project, a major part of which is the notorious Great Firewall of China. The new cyber legislation took effect in June 2017 and is labeled an “objective need” of China as a major internet power, a parliament official said. The law might shut foreign technology companies out of various sectors deemed “critical” and include requirements for security reviews and for data to be stored on servers in China. In 2016, Beijing adopted a sweeping national security law that aimed to make all key network infrastructure and information systems secure and controllable. “China’s government has come to recognize that cyberspace immediately and profoundly impacts on many if not all aspects of national security,” said Rogier Creemers, a Sinologist at Leiden University. “It is a national space, it is a space for military action, for important economic action, for criminal action and for espionage.”
So is China a leader in cyberwarfare? China answers yes. Yang Heqing, an official on the National People’s Congress standing committee, said cyber power is deeply linked to China’s national security and development: “China is an internet power, and as one of the countries that faces the greatest internet security risks, urgently needs to establish and perfect network security legal systems.” The Chinese cyber approach has clearly shifted in the past three years with expanding goals and increased sophistication in strategy and targets. It has also shifted from predominantly economic cyber targets to predominantly governmental and infrastructure targets. China has taken a leadership role among the top five cyber powers, now openly declaring its place with the US, Russia, Israel and North Korea.
The views expressed in this article are the author’s own and do not necessarily reflect Fair Observer’s editorial policy.