China is one of the most active nations in cyberspace. It has devoted substantial money, manpower and resources to developing its cyber capabilities. Chinese cyber capabilities include a mix of dedicated personnel, advanced equipment and cyberattack methodologies.
According to the cybersecurity firm Mandiant, since as early as 2006 the People’s Liberation Army (PLA) has been using an elite cyberwarfare unit based in Shanghai to launch hundreds of cyberattacks targeting American interests. Chinese President Xi Jinping has made no secret that a “new model of great power relations” policy means China will not be afraid to challenge the U.S. and the rest of the world in areas it considers a core interest, such as cyberspace (thediplomat.com).
Cybersecurity, and the even greater concern of offensive cyber-driven warfare, have become an ever more essential concern of global interests, particularly between the nation-states of China and the United States. Cyber technology and its use have taken on an ever more essential function across a multitude of landscapes, both geopolitical and economic. Because of this, cyber-espionage and the threat of severely debilitating cyber-based attacks have become a greater concern.
China has developed an elaborate force of agencies and units designed for the express purpose of waging cyber operations throughout the world, including sabotage and espionage. These include several ‘hacker’ units, both within its military and its civilian intelligence apparatuses, with the mission of engaging in cyber warfare and espionage on a large scale. It has directed much of its intelligence-gathering ability towards the West, which it views as a serious threat to its own security (China and Cybersecurity). This is a vastly more complicated situation, and the U.S. is struggling both to understand it and to respond effectively.
China has used cyber espionage to its advantage very effectively. In recent years it has engaged in a campaign against the West primarily aimed at obtaining the intellectual property of U.S. companies. Though it has publicly maintained that it does not engage in any form of cyber espionage or cyber warfare, evidence to the contrary continues to emerge.
In May 2014 an investigation conducted by the U.S. Federal Bureau of Investigation led to the indictment of five people involved in illegal hacking. These individuals were members of the Chinese People’s Liberation Army. The Department of Homeland Security released the IP addresses of several Chinese hacking groups to Internet service providers. In April 2016 Admiral Michael Rogers, head of the U.S. National Security Agency, testified before the Senate Armed Services Committee that penetrations of U.S. companies continue to occur (Knake & Segal, 2016). Despite China’s claims, it has in recent times been actively building its military and intelligence organs in a direction aimed at large-scale cyber conflict. The difficulty is determining its long-term aims.
China’s intelligence apparatus has long been desultory with regard to its role as a global intelligence entity. This reflects constantly changing agendas within its bureaucratic and party organizations, which vacillate over what is perceived as the chief threat to their security, and between the wish to operate more aggressively in the world and the impulse to move more cautiously.
The mid-1960s to 1970s saw a complete stop to all external intelligence operational missions by China, due to the obstructionism driven by the Maoist Cultural Revolution. In the early 1980s China, realizing how far behind it had fallen in technology development, began an aggressive campaign to fill the technological gap. However, by 1983 internal threats, what was dubbed the “three evil forces” of separatism, terrorism and religious extremism, had become the chief concern of Chinese security considerations.
China continues to suffer from the concerns of separatist movements, underground dissident movements, anti-government hackers and civil rights activists who have embraced the computer as a powerful weapon against the state (China and Cybersecurity). This has led the Chinese government to refocus its emphasis on domestic over international threats.
At present China is starting what could be the most ambitious plan in the world to implement digital social control. In 2010 one of the country’s local governments began a program of mass data collection to identify ‘good citizens’. The program awarded and deducted points based on several factors, including negative political behavior.
This pilot program proved disastrous, from questionable data collection to public backlash. However, by 2014 similar social credit programs had been adopted by 30 more local governments, which have begun large-scale data collection on their citizens. The ultimate goal of this program is large-scale social conditioning in which those deemed trustworthy can move freely while those considered discredited are severely restricted. In the greater scope it is intended to keep the government better apprised of the changing views and attitudes of the general populace.
In 2016 the Chinese Communist Party approached Electronics Technology Group, a major Chinese defense contractor, with a request to develop software designed to predict terrorist risks. These risks would be identified on the basis of individual job records, financial backgrounds, consumption habits, hobbies and data from camera surveillance.
Internet use has also become a serious concern in China as its use by citizens has grown. In response, measures have been taken to restrict access to outside information. Comprehensive programs such as the Great Firewall have been initiated; under the Great Firewall system, thousands of websites are blocked from the wider Chinese internet audience.
The government has implemented other such programs as Golden Shield, an extensive online surveillance system, and Great Cannon, a system that attacks hostile websites. Government censorship has also extended to giving censors the ability to suspend internet and social media accounts if sent messages contain sensitive information such as references to Tibetan independence or the Tiananmen Square incident.
Such surveillance requires that the government be able to match individual devices with digital footprints. To allow for this, laws passed in 2012 and more recently in 2016 now require internet customers’ real names and other personal information. Service companies that accumulate vast amounts of data frequently comply with government demands for that data (Economist, 2016). However, it is still a power that carries both international concerns and economic ramifications.
The 21st century has seen China emerge as a world power with a dominating global presence. This has led to the development of larger, more powerful intelligence and warfighting entities aimed at serving China’s new international role. This is seen best in the form of the Fourth Department of the PLA, which was established specifically to wage cyber espionage and sabotage and to direct a campaign of electronic warfare and computer network attacks (China and Cybersecurity).
A unit officially known as Unit 61398 operates under the Second Bureau of the PLA General Staff Department’s (GSD) Third Department, which is focused on cyber surveillance and monitoring of foreign electronic communications. Unit 61398 has a staff numbering in the hundreds if not thousands, trained in advanced network security, digital signal processing and covert communications, who have access to an extensive “infrastructure of computer systems around the world” (thediplomat.com).
In 2013, American private security firm Mandiant published a 60-page report that detailed the notorious Unit 61398, suspected of waging cyber-warfare against American companies, organizations and government agencies from or near a 12-story building on the outskirts of Shanghai. It also targeted a number of government agencies and companies whose databases contain vast and detailed information about critical United States infrastructure, including pipelines, transmission lines and power generation facilities (thehackernews.com).
China has also applied Maoist concepts to its cyber warfare strategy by creating several ‘hacker’ militias designed with the possibility of engaging in a type of insurgent cyber-warfare (China and Cybersecurity). These units work to diversify their network and assets.
In addition to its official cyber-warfare units, China is believed to also have “reached out” to people with the necessary cyber skills in the IT sector and academic community to help fill any gaps in state expertise and personnel when needed. There is also ample evidence that China uses hackers and other cyber criminals to accomplish operations that it is officially unwilling or unable to commit.
To be sure, cyber-crime is often intimately tied to state-sponsored threats to cyber security. The use of affiliated hackers is based on the idea that cyber criminals can be used to escape the attribution that might otherwise provide the legal, military or diplomatic links other countries need to prove China’s official participation in cyber-attacks. For instance, in October 2014 the FBI issued a warning that a Chinese hacking collective known as Axiom had been engaged in a well-resourced, sophisticated campaign to steal valuable data from U.S. government agencies.
In order to achieve its cyber strategic goals and effectively make use of its cyber-warfare units, China has employed a wide range of advanced cyber-attack methodologies. For instance, the PLA’s Unit 61398 is known for its use of zero-day exploits. A zero-day exploit refers to a vulnerability in software that the software maker itself does not know exists.
Discovering zero-day exploits requires broad access to a software developer’s internal routines and procedures. It also requires a better understanding of the software than the developer has. This is often achieved by employing a technique known as an advanced persistent threat (APT). APT refers to a hacking process that involves a long-term campaign to break into a computer network, avoid detection, and harvest valuable information over days, months and even years (thediplomat.com).
The U.S. and, by extension, the western world have responded to these actions. The strategy of the Obama administration has been to take advantage of mutual economic interests and geopolitical stability concerns to entice China to curtail its behavior in cyberspace. In 2015 the administration increased pressure when an executive order was signed that would allow economic sanctions against companies that profited from gains derived from cyber theft. It further deterred executives of these companies from traveling through the United States. The result of this action was an agreement by the Chinese to both investigate and prosecute cyber criminals at the behest of the U.S. government.
It has been difficult to measure the effectiveness of these policies. Since the policy’s inception, reports from various cyber security firms have yielded different conclusions. The cyber security firm iSight Intelligence group reported a sharp decline in cyber-attacks originating from China. The cyber security firm FireEye reported that, while Chinese-based cyber-attacks against the U.S. have not entirely ceased, the Chinese government has been inclined to redirect most of its cyber espionage activities elsewhere so as not to exacerbate problems with bilateral relations with the U.S. (Knake & Segal, 2016).
China, in its own right, often counters U.S. accusations of cyber threats with allegations and concerns of its own regarding U.S. hostility in the cyber world. China frequently argues that U.S. cyber aggression is carried out against it. Its evidence is the U.S.’s own extensive cyber warfare machine in the form of the National Security Agency and the U.S.-based service providers that so much of the world depends on for internet access.
The release of classified documents by Edward Snowden, revealing the massive spying program undertaken by the U.S. government against even allied nations, has given strong credibility to such accusations. Furthermore, China has always been inclined to remind the world that to date the most aggressive and debilitating cyber-attack ever carried out was the U.S./Israeli-orchestrated Stuxnet attack against Iran. This event has often been touted as a show of U.S. aggression in the cyber world (The Hacked World Order).
“Snowden’s exposure has upgraded our understanding of cyberspace, especially cyber-attacks from the US, which is probably a much sharper weapon than its traditional military force. This weapon has demonstrated the US’s hypocrisy and arrogance” -- An editorial published in the Global Times, China’s state-run newspaper May 19, 2014 (fireeye.com).
What is most interesting is the change in recent years in China’s overall approach and strategy with cyber activities. In the past China’s mechanism for waging cyber war, or even defending against it, existed in the form of a virtual labyrinth of police, intelligence and military bureaucracies with confusing and often overlapping jurisdictions and responsibilities. This was further complicated by the conflicts between organs that functioned for the state and organs that functioned for the Chinese Communist Party (China and Cybersecurity). This vast and complicated network ensured a certain limitation on effective operations and strategy.
However, China has undergone significant changes, including a massive centralization of presidential power, reforms restructuring the country’s military capabilities, and growing regional security concerns. Currently China’s executive branch wields unrivaled authority, which has allowed a large-scale reorganization of the People’s Liberation Army (PLA) to advance. The reforms aim to improve China’s ability to conduct joint operations and win “informationized” wars, deemphasizing the army in favor of a stronger focus on cyber and maritime capabilities and space assets (fireeye.com).
In addition, China has also become more forthright with the world about its actions. As recently as 2013, official People's Liberation Army publications issued blanket denials such as ‘The Chinese military has never supported any hacker attack or hacking activities.’
In the 2015 updated edition of a PLA publication called The Science of Military Strategy, China finally broke its silence and openly talked about its digital spying and network attack capabilities, clearly stating that it has specialized units devoted to waging war on computer networks (thehackernews.com).
The North Atlantic Treaty Organization (NATO) now recognizes cyber threats as a true operational threat. On a strategic level it now factors them into future military planning, training exercises and NATO-level crisis response. More importantly, the Wales Summit concluded that cyber defense was part of NATO’s core tasking. As such, it now falls into the traditional domains, being considered alongside the physical domains of land, sea and air. This means that a cyber-attack now has the potential to trigger a response under Article 5 (of the Washington Treaty), which implies that cyber threats can be met with cyber, political, economic or even military or other measures, if deemed necessary (Ducaru, 2016). Though many presume that actions taken by the U.S. government and NATO have proven fruitful in curtailing Chinese cyber threats, other considerations may conclude otherwise.
Article 5 (NATO Agreement)
The Parties agree that an armed attack against one or more of them in Europe or North America shall be considered an attack against them all and consequently they agree that, if such an armed attack occurs, each of them, in exercise of the right of individual or collective self-defence recognised by Article 51 of the Charter of the United Nations, will assist the Party or Parties so attacked by taking forthwith, individually and in concert with the other Parties, such action as it deems necessary, including the use of armed force, to restore and maintain the security of the North Atlantic area. Any such armed attack and all measures taken as a result thereof shall immediately be reported to the Security Council. Such measures shall be terminated when the Security Council has taken the measures necessary to restore and maintain international peace and security (nato.int).
It is difficult to measure defensive or offensive capabilities in today’s world of cyber battlefields. Unlike in the days of conventional wars, when a weapon’s formidability could be shown with a demonstration (dropping a hydrogen bomb on a deserted island to show the weapon’s intensity while limiting damage to the intended target), cyber weapons come with several unique complications. There is no cyber version of a test target. An action taken is taken with real-life consequences and harm to someone (Clark, 2016). Furthermore, the ability to measure the effectiveness of the policies and strategies currently implemented is still complicated by several unaccounted-for factors.
Evidence compiled by various cyber security firms suggests a change of strategy rather than deterrence; the previous strategy used by China amounted to a digital smash and grab. Attacks today are proving to be more selective and stealthier. The ability to assess the situation is further complicated by the fact that U.S. and western-based companies are often fearful of coming forward and reporting Chinese-directed cyber-attacks.
During the Obama administration, the only companies that publicly admitted penetrations were companies directly named in federal indictments against Chinese PLA hackers. China has its own powerful economic weapon in the threat of denying western companies access to Chinese markets as reprisal against any company that reports it. This is a strong incentive to keep companies quiet.
Internally it becomes difficult to truly measure the effects of the Obama strategy (Knake & Segal, 2016). Between September 2015 and June 2016, 13 active China-based groups were observed conducting multiple instances of network compromise against corporations in the U.S., Europe and Japan. During this same timeframe, other China-based groups targeted organizations in Russia and the Asia Pacific region (fireeye.com).
The other problem is that cyber warfare is still a new and difficult concept for nation-state leaders, and particularly U.S. policy makers, to fully comprehend.
The concern with engaging in cyber warfare is that it is impossible to conduct it in any limited scope. Ultimately any action taken incurs the grave possibility of unintended and unforeseeable consequences (Clark, 2016). As previously mentioned, the Stuxnet virus launched against Iran by the U.S. and Israel was a complex and highly volatile weapon that caused immense damage to the Iranian nuclear program. Such a weapon was the first demonstration of the degree of sophistication cyber weapons can achieve. Since then, weapons development in the cyber world has become much more of a priority for nation-states around the globe.
As of the date of this paper, intelligence agencies are hard pressed to deliver an accurate picture of the cyber weapon capabilities that adversary nation-states have developed. At the fast pace of cyber development, it is even more difficult to assess how quickly a weapon goes from being state-of-the-art to completely obsolete before ever being used.
An even greater problem with cyber weapons is that they can, in all reality, only be used once. Once used, adversaries will see in full what was used and can immediately begin creating effective countermeasures. And even if it is not necessarily rendered obsolete, the program and software are now out for the enemy to examine and replicate for their own use.
The Stuxnet virus has now been obtained by hackers who offer it for download. Malware known as BlackEnergy was designed by the Russian underworld and was made available for download on the black market. Used initially to hack bank sites, a team of Russian hackers developed it for espionage purposes to penetrate various organizations and governments including NATO, the European Union and the governments of Ukraine and Poland (Hacked World).
Even China’s ambitious new program to digitally monitor its citizens has many concerned. Government data could be questionable and misleading, making it easy for government mistakes and miscalculations to occur. Many observers worry about whether the vast government data stores can be properly secured, since a breach would give criminals the means to more easily steal or change information (Economist, 2016). This concern has also arisen as other governments have attempted to implement similar projects on their own populace.
Great Britain is now passing laws to intensify its surveillance of its citizens. As part of this measure it passed a bill demanding that companies that produce software, including Apple, create automatic backdoors that governments can access if they need to snoop on potential suspects. This has become a serious issue of contention, as critics of this measure point out how easily such backdoors can produce a dangerous counter-response: government-only cyber backdoors are a fantasy, because if a built-in exploitable entrance exists it can be accessed by anyone with hacking capabilities. More concerning is that Britain would have the potential to expand this program beyond its borders to spy on foreign nationals as well (Reason, March 2017).
An important question of cyberwar is how much control nation-state governments are able to retain over their cyber weapons systems. This presents yet another issue for concern.
Already cyber terrorism has emerged as an instrument capable of destruction. In April 2013, a group calling itself the Syrian Electronic Army (SEA) took over the Twitter account of the Associated Press. After hijacking the account it sent a fake message about a bomb attack on President Obama. Though only a false news message, the result was that the Dow Jones Industrial Average plunged 146 points, erasing $136 billion in market value.
The SEA continued its campaign against western media by carrying out similar attacks against such major organizations as CBS, NPR, the BBC, The Washington Post and The New York Times. The overall damage was only minor, but the act did demonstrate the ability of non-state forces to operate as a threat (The Hacked World Order). Occasionally, aligned interests between two types of groups may drive activity that blurs the lines between direct government sponsorship and independent action.
For example, during territorial disputes, patriotic hackers may conduct targeting activity that is indistinguishable from that of government forces. As a result, it is often difficult to determine the extent to which activity is directed by the Chinese Government (fireeye.com). The other concern is the role of the private sector. The fluidity of cyber information has eroded the monopoly of nation-state dominance in the world. The question then becomes how nation-states will respond to this.
Already governments are taking measures to address the modern age of cyber threats. As early as 2001, the Budapest Convention on Cybercrime demonstrated an understanding of the potential dangers posed by the growing significance of cyber technology in the world and the growing influence of the emerging internet. It resolved the need for nation-states to adopt criminal offence measures within their individual legal code and recognize that now, through computers, crimes can be committed in one country by a person operating from another (europarl.europa.eu).
More recently, the results of the Wales Summit expanded the role of NATO’s mission. Through this new revision the modern role of NATO not only calls for establishing means for rapid response to emergency threats, it outlines the essential need that the Alliance possess the necessary tools and procedures required to deter and respond effectively to hybrid warfare threats, and the capabilities to reinforce national forces. That rapid response military action must include response to such hybrid forms of threat (europarl.europa.eu).
This in turn means that foreign cyber threats can be confronted with a more collective approach by several nation-states, as opposed to individual action.
Also, the concept of cyber threat must not be misunderstood. Cyber threats happen and appear from a multitude of different origins. NATO, on a daily basis, detects an average of 240 million suspicious actions, of which fewer than 4,000 per year require attention from experts. Even the concern of cyber espionage is not as pressing. Foreign hackers who successfully infiltrate the networks of companies and foreign governments are often confronted with digital junkyards full of discarded plans and proposals that proved useless; old memos that obscure which projects are active and which are dead add to this complication. This means that while a hacker might obtain a large quantity of information during an infiltration, they are still unable to determine how much of it is of any value (Ducaru, 2016). So the threat against major network systems is not nearly as ominous as generally reported.
China will continue to engage in cyber operations, and they will be directed on a greater global scale. The question, however, is to achieve what goal? Understanding the difference between cyber war and cyber espionage, China still operates from the strategy of the 1980s, calling for aggressive pursuit of knowledge that will eventually allow it to meet or surpass the world in technological and economic advancement.
That said, cyber espionage, along with all other methods of intelligence collection, will continue to be employed as a means to accomplishing this goal. Altogether this initiates an entirely new era of conflict that has yet to even begin to be managed. An understanding of it still wavers between what is a practical and realistic concept and a concern that is still only theoretical.
For China, the notion of cyber conflict, particularly with the U.S., is still hampered by current complications. The Chinese still vacillate between focusing more on threats posed on a global scale and threats within their own borders, creating a directionless policy through which their military and intelligence networks must constantly navigate and function.
From another perspective, between the execution of the Stuxnet virus and the information elicited about the U.S. cyber program from the Snowden files, China can only surmise that whatever they have as a weapon, the U.S. could possibly have something even more dangerous ready with which to retaliate. China’s own economic interests are closely aligned with the U.S. and any serious attack that could prove detrimental to the U.S. economy would have severe rippling effects back on China.
The most likely consideration is that China and the U.S., along with the other advancing cyber powers in the world, are going to reach some kind of mutual detente in which the world settles into a cyber version of the old nuclear Cold War. In this world governments, through various means, continue the practice of espionage on each other. However, any threats will be at best controlled and most likely initiated through proxy organizations that give distance to any government involvement.
Another consideration is that, as the danger of non-state actors able to unleash far more damaging terror attacks becomes a potential reality, with more sophisticated technology becoming available to the general public and beyond the control of any government authority, the need for mutual cooperation to better respond to and police the cyber world will take precedence over any nation-state concerns.
As previously mentioned, the direction adopted at the Wales Summit of 2014 is probably the best approach. It begins by working from a pre-existing alliance for mutual security and expands its role to be responsive to the threats of nation-states that may choose to pursue cyber warfare as a means to threaten. By building on agreements such as these, the parameters can eventually be expanded to ensure a more unified front against international cyber threats.
The other course is not to exaggerate the threat. How debilitating cyber threats are or can be is still too complex to calculate. As fast as technology is developing, a state-of-the-art cyber virus could remain threatening for years or be rendered obsolete within a few months of its inception. It must also be understood that true cyber threats are still in question between what is plausible and what is purely theoretical.
Ultimately cyber technology is going to redefine the balance of power in the world, not only between nation-states but also in the role of private companies that will be driving much of the development and breakthroughs. It will also redefine the balance of power amongst nation-states based upon whose borders enjoy the best and brightest in these fields. The surest way to respond is to understand the new battlefield both militarily and politically. This is a new era, and one that requires a completely new set of rules in which to operate.
Creating a digital totalitarian state, The Economist, 17-13 December 2016, pp. 20-22.
Knake, Rob & Segal, Adam, How the next U.S. President can contain China in Cyberspace, Journal of International Affairs, Vol. 70, No. 1, Winter 2016, pp. 21-27.
Interview with Richard A. Clark: Risk of cyber war and cyber terrorism, Journal of International Affairs, Vol. 70, No. 1, Winter 2016, pp. 179-181.
Interview with Sorin Ducaru: Is cyber defense possible, Journal of International Affairs, Vol. 70, No. 1, Winter 2016, pp. 182-189.
Segal, Adam, The Hacked World Order: How nations fight, trade, maneuver and manipulate in the digital age, Public Affairs, New York, 2016.
Lindsay, Jon, Cheung, Tai Ming & Reveron, Derek S., China and cybersecurity: espionage, strategy and politics in the digital domain, Oxford University Press, Oxford, 2015.
Shackford, Scott, Big Brother in the U.K., Reason Magazine, March 2017, p. 9.