A Chinese proverb warns that “there are always ears on the other side of the wall.” A modern adaption might warn that the Chinese are on the other end of your Internet connection. There is increasing reason to heed that warning. In March 2009, for example, GhostNet, an electronic spy network based mainly in China, reportedly infiltrated 1,300 government computers in 103 countries, according to a Department of Defense (DOD) report. More recently, for 18 minutes in April 2010, 15 percent of the Internet’s routes were hijacked when “the state-controlled telecommunications company China Telecom Corp., redirected some of the world’s Internet traffic, including data from U.S. military, civilian organizations and those of other U.S. allies.”1
While the United States, Russia, and Israel are considered to possess significant and sophisticated cyber capabilities, China distinguishes itself for having the fastest-growing and most active cyber-attack program of all nations. China’s motivation is twofold. On the offensive, Chinese military documents state that “seizing control of an adversary’s information flow [is] a prerequisite to air and naval superiority.” Defensively, China’s growing network-security concerns and cyber capabilities are driven by how the “the development of the Internet in China created ‘unprecedented challenges’ in ‘social control and stability maintenance.’”2
Beyond that dedicated strategy, China’s integration of cyber into a wide range of actions projecting Chinese power forces the United States to prepare for a wider array of multifaceted threats. Ironically, China remains just as vulnerable to cyber attacks as any other nation and worries about becoming a victim of its own capabilities. Those challenges, however, do not deter China from trying to become a cyber superpower—thus a growing U.S. national security concern.
Raising a Cyber Army
China is engaged in “the single largest, most intensive foreign intelligence-gathering effort since the Cold War” against the United States, SecurityWeek’s Michael Stevens reported in July 2010. The People’s Liberation Army (PLA) also views intelligence-gathering, in addition to traditional military and espionage activities, as part of its core mission. While most nations engage in cyber espionage activities and develop cyber warfare capabilities, none seem to do it with the large-scale focus and commitment of the Chinese.
The Chinese government was a relative latecomer to the Internet, but was not long in realizing its potential. The evolution of China’s cyber activities began in the 1990s when the Ministry of Public Security partnered with foreign network-systems firms (many from the United States) to monitor information on the Internet. Although China had fewer than 1 million Internet users in 1997, the government was eager to control public access to it. By 1998, the Chinese had a sophisticated system that effectively monitored all domestic Internet and wireless traffic. Police and state security services had become, according to a Heritage Foundation report by John Tkacik Jr., “well trained and equipped in using the Internet and cell phone networks to monitor, identify, locate, and censor cyber dissidents.”
Over the next three years, China’s online population mushroomed to more than 22 million users. While the government continued to control and monitor Internet usage, it realized that a cyber-savvy public could also be used to its advantage. When a Chinese pilot was killed in an encounter with a U.S. reconnaissance aircraft in 2001, for example, Chinese hackers defaced several U.S. government Web sites. Although the United States issued a formal apology, intelligence reports said the hacks “had the ‘tacit blessing’ of the Chinese government and perhaps even official help,” SecurityWeek noted in a July 2010 article.
During that time the PLA also began developing its cyber-warfare capabilities. A Federal Times report said those early days consisted of “examining and replicating U.S. computer network operations in the two wars in Iraq and operations in the Balkans.” By 2003, the PLA had organized its first cyber-warfare unit, which reached operational capability the following year. According to a 2006 Chinese defense white paper, as reported by The Washington Post in December of that year, the PLA established a “strategic goal of building informationized armed forces and being capable of winning informationized wars by the mid-21st century.” To achieve that goal, the PLA reduced its force by 200,000 troops and invested somewhere between $50 billion to $100 billion annually in developing new capabilities and establishing new cyber-militia units.3 One significant investment is reported to be a 1,100-person cyber operation at Hainan Island (complete with a James Bond-style submarine cave), which also is home to some key Chinese military units. Canadian researchers have found that a number of cyber attacks originated there; U.S. Navy ships near the island have been harassed.4
Also significant is the blurred relationship between Chinese hackers, the military, and government organizations. Former National Counterintelligence Executive Joel Brenner noted that “The Chinese operate both through government agencies, as we do, but they also operate through sponsoring other organizations that are engaging in this kind of international hacking, whether or not under specific direction. It’s a kind of cyber militia. . . . It’s coming in volumes that are just staggering.”5
China’s hacker community evolved organically as the country’s population became increasingly wired, nationalistic, and (relatively) prosperous. While the government employs its own hackers, it rarely discourages the activities of “patriot” or “red” hackers because they share the same interests and causes. For example, hackers retaliated for the 1999 NATO bombing of the Chinese Embassy in Belgrade by plastering the Web site of the U.S. Embassy in Beijing with the phrase “Down with the Barbarians!” That attack is credited as driving the development of hacker culture in China. More recently, in 2008 “red” hackers attacked the e-mail accounts of the Save Darfur Coalition because of that organization’s opposition to Chinese involvement in Sudan.6
The Role of Cyber Companies
Chinese companies also should be considered an unofficial, loosely integrated part of China’s cyber strategy. Huawei Shenzhen Technology Company, for example, is the world’s second largest infrastructure vendor and China’s top networking company—and possibly also one of its most suspect. It was founded in 1988 by a former PLA director who had been responsible for military telecommunications research. A 2006 study from RAND Corporation reported that “Huawei maintains deep ties with the Chinese military, which serves a multifaceted role as an important customer, as well as Huawei’s political patron and research and development partner.”7
In 2003, Huawei voluntarily withdrew from the U.S. market, facing a possible ban arising from a Cisco Systems lawsuit alleging corporate espionage and software piracy. That did not discourage American digital electronics manufacturer 3Com, however, from forging a joint venture with Huawei that same year. Although 3Com was the controlling partner on paper, the venture was a Chinese entity staffed entirely by Huawei employees. In 2006 when 3Com bought out Huawei, 3Com retained Huawei’s staff and organizational structure—information that Huawei likely retained, Heritage’s Tkacik observed. (3Com was acquired by Hewlett-Packard in 2010).
Huawei’s business practices and activities have been scrutinized and investigated worldwide. Security concerns continue to obstruct the company in the United States and India—two target markets. In 2010, several U.S. senators asked the White House to review any contracts awarded to Huawei, saying that the manipulation of the company’s products in American telecommunications could pose a threat to national security. India lifted its ban on Chinese telecom equipment, but also is hesitant to expose its strategic networks to the Chinese.8 Despite becoming a Fortune 500 company in 2010, Huawei still has unbreakable ties to the Chinese government—even if there is no governmental control of the company as Huawei maintains.9
Realities of a Virtual Threat
It is an understatement to say that the Chinese have made good on their cyber intentions. Admiral Robert Willard, Commander, U.S. Pacific Command, told the House Armed Services Committee in March 2010 that American military and government networks and systems continue to be the target of Chinese intrusions. According to Willard, China’s cyber threats “challenge our ability to operate freely in the cyber commons, which in turn challenges our ability to conduct operations during peacetime and in times of crisis.”
In 2003, the Pentagon began monitoring PLA cyber operations and found the Chinese had already identified network vulnerabilities in critical Pentagon systems nationwide. By 2006, the Chinese had instigated attacks on the State and Commerce departments, the office of Congressman Frank Wolf, and the Naval War College.10 From June through October in 2006, up to 150 computers at the Department of Homeland Security were quietly penetrated; the data was sent to a Chinese-language Web site. That summer Chinese military hackers attacked systems at the Defense and State departments. The 2008 presidential campaigns of Barack Obama and John McCain also suffered hits, forcing all senior campaign staff to replace their BlackBerries and laptops. China also is believed to be behind the 2009 data theft from Lockheed Martin’s F-35 fighter program. A May 2010 Defense News article noted comments by Vice Chairman of the Joint Chiefs of Staff Marine Corps General James Cartwright that some penetrations of Pentagon systems were efforts to map out U.S. government networks and learn how to cripple America’s command-and-control systems as part of a future attack.
That is a mere sampling. In the first six months of 2009, the Department of Defense recorded nearly 44,000 incidents of malicious cyber activity from sources ranging from criminal hackers to foreign governments. While the cost in terms of lost data is unknown, remediation for those attacks exceeded $100 million the Federal Times reported. Cyber espionage alone is estimated to cost the United States up to $200 billion a year.11 It’s reasonable to assume that China’s share of those costs is greater than that of any other foreign government.
American businesses also are prime targets for China. Northrop Grumman, for example, has experienced electronic intrusions and disruptions from sites inside China since 1999.12 American companies in China have been harassed by intrusive government practices: Tkacik noted that Microsoft had to provide source codes for its “Office” software to the Chinese government in order to do business there. Most notable were attacks on Google and its Chinese users. China had never been comfortable with Google to begin with, considering it to be a U.S. government propaganda and surveillance tool. China also believed Google did not do enough to remove material that the government considered offensive, critical, or taboo, such as human-rights issues and criticism of Chinese leaders. Although traced to provincial universities, the attacks on Google allegedly were coordinated at the highest levels of government by two senior officials after they discovered that Chinese-language searches could be conducted on Google’s main international Web site. When one official, a member of China’s top ruling body, Googled his name and turned up results that were critical of him, he stepped up pressure on the company.13
In addition to businesses such as Huawei, that are inextricably linked to the government, other Chinese companies increasingly are manufacturing commercial, off-the-shelf microchips and semiconductors, making it challenging for the United States to meet secure and classified chip needs.
Chinese hackers, independently and in conjunction with their government, often are credited with infiltrating American corporate and government systems. The fruits of their labor include proprietary information stolen from American companies conducting business in China, and access to computer systems controlling American infrastructure. Chinese cyber spies are known to have penetrated the U.S. power networks to leave potentially disruptive software programs or simply to gain tactical information. “The Chinese have attempted to map our infrastructure, such as the electrical grid.”14 In either case, the risk to national security is real.
A Cyber Arsenal . . . and Achilles’ Heel
Its focus on developing offensive capabilities may have been to China’s own detriment. “It has realized that a weapon it once wielded so deftly against foreign powers and business entities can now be used against Beijing.”15
China’s growing cyber-security concerns were raised in government publications throughout 2010. The PLA, in particular, called for new strategies to combat the unprecedented growth of Internet threats. The PLA, responsible for Internet security, has two substantial network-security units. On the offense, the Military Intelligence Department (MID) manages research institutes that develop hacking capabilities—some of the best in the world—as well as new hardware and software. On the defense, the PLA Third Department, which monitors diplomatic, military and international communications, is the third largest signals-intelligence-monitoring organization in the world.16
The government, however, has struggled to develop effective cyber-security policies and systems. “Spam and malware are pervasive. Meanwhile, Web site integrity—including for government sites—is poor, and the distribution and usage of personal information goes almost totally unregulated. China’s Internet policy has been marked by repeated deviations and U-turns, and even the Great Fire Wall of China can be circumvented with remarkable ease.”17
Ironically, China fears many of the cyber capabilities it has embraced. “Recent arrests of Chinese hackers and [PLA] pronouncements suggest that China fears that its own computer experts, nationalist hackers and social media could turn against the government.”18 There are worries that patriotic hackers could turn against the government at any given time or for any given cause. China’s Ministry of Public Security (MPS) reported an 80 percent rise in cyber crime during 2010, which it indirectly attributed to hackers. In that year alone, the MPS arrested 460 hacking suspects and closed more than 100 Web sites for hacker training and programs. The overwhelming amount of illegal software in China—which is infamous for software piracy—has also made most government and private computer systems vulnerable to malware.19
Social media is a particularly sore spot for China. With more than 400 million Internet users today, including 160 million using social networking, the government fears it no longer will be able to control what the public reads, sees, and posts. That is a significant threat for a propaganda-oriented government, which limits or bans access to many Internet sites while paying individuals for posts that cast the government in a favorable light. Of particular concern is “disharmonious” material, such as the announcement of imprisoned dissident Liu Xiaobo’s Nobel Peace Prize award in 2010. The Chinese also worry about opposition and minority ethnic groups dispersed across the country uniting online.20
China is quickly learning a lesson that the United States and other nations already have realized—that the Internet is a double-edged sword. Nonetheless, China’s determination and commitment to building its cyber power is unwavering.
America’s Cyber-threat Level: Red
What does China’s cyber campaign mean for the United States? Its interests in the Pacific Rim range from the political to the technological, making it a prime target for China. Chinese cyber-attack efforts threaten to impede the flow of forces and supplies to crisis areas, and, as the Federal Times put it, “boost the ability to attack an adversary’s satellite communications and sensor systems, critical transportation and energy infrastructure, ports of embarkation, and command systems.” Addressing the threats posed by China’s cyber forces is clearly a national security priority.
What can the United States do to bolster its cyber security against the Chinese and other adversaries? In general, it must first look inward. General Keith Alexander, director of U.S. Cyber Command, believes that “a network sectioned off from the rest of the Internet is probably inevitable for systems crucial to national security.”21 Setting up such a secure network would be technically straightforward, but politically and organizationally complicated. Creating the “Secure Zone” would require cooperation among the Pentagon, Department of Homeland Security, the FBI, and the private sector—which owns 85 percent of the critical U.S. infrastructure. Laws covering additional powers during cyber attacks are not in place; questions about who should regulate civilian cyber security remain unanswered. For example, the government has yet to define what constitutes a cyber attack or how to characterize specific activities—are they espionage or war? Additionally, there is “no formal policy for dealing with foreign government-led threats against U.S. interests in cyberspace.”22
Looking to the East, the U.S. must continue to emphasize matching China’s efforts to control cyber information, particularly in national security. The U.S. Pacific Command already is working with the U.S. Cyber Command and other agencies on real-time solutions for detecting and responding to network attacks. In addition to developing technical countercapabilities, the United States needs to ensure that the components for information technology systems come from trustworthy sources. Chinese commercial investments in cyber-related enterprises require ongoing examination.
Interestingly, the United States and China share many of the same cyber-security challenges. Recent cyber-related events made both Washington and Beijing realize how much networks and computer systems still are at risk. WikiLeaks proved how easily sensitive government information could be spread globally through the Internet, while the Stuxnet worm highlighted the vulnerability of important national infrastructure. For both countries, the next generation of cyber challenges only amplifies ongoing cyber security problems—the ubiquity of the Internet, the anonymity of users, and the unpredictability of attacks.
That China will remain a national security challenge is a given. However, accurately assessing its national security capabilities often proves difficult. On one hand its national defense industries are known to be unable to meet the military’s needs. China buys fighter-jet engines from Russia, for example, because Chinese engineers cannot make a reliable engine for military planes.23 Yet, China already is testing a stealth-type fighter prototype and is inching closer to deploying an antiship ballistic missile capable of threatening U.S. aircraft carriers in the Pacific.24 Meanwhile, China holds a short leash on its cyber capabilities. In July 2010, for example, a presentation on China’s military cyber-attack capabilities was cut from the Black Hat security conference after pressure from Taiwanese and Chinese agencies.25 Considering the cyber damage China already has shown it is capable of doing, the United States needs to prepare for the worst.
The sixth century B.C. Chinese general Sun Tzu wrote in his classic The Art of War, “In all fighting, the direct method may be used for joining battle, but indirect methods will be needed in order to secure victory.” The domination of cyberspace perfectly embodies that philosophy in today’s asymmetric threat environment. Joint Chiefs of Staff Chairman Admiral Mike Mullen told 2010 graduates of the U.S. Air Force Academy, “In the next 20 years, cyberspace will change how we fight.” According to Mullen, the fact that the United States does not have an unmatched advantage in such a ubiquitous and unaccountable space is “pretty scary stuff and it needs to continue to be addressed very, very rapidly.”26 Who will push the United States to seize the cyber lead? The urgency to address the challenge might best be described as “Made in China.”
1. Stew Magnuson, “Cyber Attacks Reaching New Heights of Sophistication,” National Defense, January 2011. (http://www.nationaldefensemagazine.org/archive/2011/January/Pages/CyberattacksReachingNewHeightsofSophistication.aspx)
2. Sean Noonan, “China and Its Double-edged Cyber-sword,” Stratfor Global Intelligence, 9 December 2010, (http://www.stratfor.com/weekly/20101208-china-and-its-double-edged-cyber-sword?utm_source=SWeekly&utm_medium=email&utm_campaign=101209&utm_content=readmore&elq=d2842de7d4a24e538d1dd421c8771735#ixzz17cxN2GSK).
3. Richard Parker, “It’s Not Just the Russians Who Are Spying on the U.S.,” Canada.com, 2 July 2010. (http://www.canada.com/technology/just+Russians+spying/3228905/story.html)
4. Medius Research, “China, Cyber Espionage and U.S. National Security,” 5 July 2010. (http://www.scribd.com/full/33788819?access_key=key-1lcdjsqzz3z5v5apqrfu)
5. Shane Harris, “China’s Cyber-Militia,” National Journal, 31 May 2008. (http://www.nationaljournal.com/njmagazine/cs_20080531_6948.php)
6. Mara Hvistendahl, “China’s Hacker Army,” Foreign Affairs, 3 March 2010. (http://www.foreignpolicy.com/articles/2010/03/03/china_s_hacker_army?page=0,1.)
7. Evan S. Medeiros, Roger Cliff, Keith Crane, and James C. Mulvenon, A New Direction for China’s Defense Industry. (www.rand.org/pubs/monographs/2005/RAND_MG334.pdf)
8. Robert Olson, “Names You Need to Know: Huawei,” Forbes, 21 December 2010. (http://blogs.forbes.com/robertolsen/2010/12/21/names-you-need-to-know-huawei/?boxes=financechannelforbes)
9. Jeffrey Carr, “Huawei: Cybersecurity Threat Or Cybersecurity Provider?” Forbes.com, 6 December 2010. (http://blogs.forbes.com/firewall/2010/12/06/huawei-cybersecurity-threat-or-cybersecurity-provider/?boxes=Homepagechannels)
10. Josh Rogin, “The Top 10 Chinese Cyber Attacks (that we know of),” Foreign Policy, 22 January 2010. (http://thecable.foreignpolicy.com/posts/2010/01/22/the_top_10_chinese_cyber_attacks_that_we_know_of.)
11. Parker, op.cit.
12. James Fallows, “Cyber Warriors,” The Atlantic, March 2010. (http://www.theatlantic.com/magazine/archive/2010/03/cyber-warriors/7917/)
13. James Glanz and John Markoff, “Vast Hacking by a China Fearful of the Web,” The New York Times, 5 December 2010. (http://www.nytimes.com/2010/12/05/world/asia/05wikileaks-china.html?pagewanted=2&_r=1)
14. Siobhan Gorman, “Electricity Grid in U.S. Penetrated by Spies,” The New York Times, 8 April 2009. (http://online.wsj.com/article/SB123914805204099085.html#ixzz1A5quCRxZ)
15. Noonan, op. cit.
16. “Special Report: Espionage with Chinese Characteristics,” Stratfor Global Intelligence, 24 March 2010. (http://web.stratfor.com/images/writers/INTEL_SERVICES_CHINA.pdf)
17. Iain Mills, “China’s Faltering Cyber-Security Efforts Offer Chance for Engagement,” World Politics Review, 9 December 2010. (http://www.worldpoliticsreview.com/articles/7274/chinas-faltering-cyber-security-efforts-offer-chance-for-engagement)
18. Noonan, op.cit.
21. Gautham Nagesh, “NSA chief envisions ‘secure zone’ on Internet to guard against attacks,” The Hill, 23 September 2010. (http://thehill.com/blogs/hillicon-valley/technology/120565-alexander-wants-a-secure-network-for-businesses)
22. Jaikumar Vijayan, “Alleged China Attacks Could Test U.S. Cybersecurity Policy,” Computerworld, 14 January 2010. (http://www.computerworld.com/s/article/9144440/Alleged_China_attacks_could_test_U.S._cybersecurity_policy)
23. John Pomfret, “Military Strength is Eluding China,” The Washington Post, 25 December 2010. (http://www.washingtonpost.com/wp-dyn/content/article/2010/12/24/AR2010122403009.html)
24. Kathrin Hills, “Chinese Missile tilts Power in the Pacific,” Financial Times, 29 December 2010. (http://www.ft.com/cms/s/0/3e69c85a-1264-11e0-b4c8-00144feabdc0.html#axzz19cKfBfgK)
25. Robert McMillan, “Talk on China Cyber Army Pulled After Pressure,” NetworkWorld, 15 July 2010. (http://www.networkworld.com/news/2010/071510-talk-on-china-cyber-army.html)
26. Camille Tuutti, “Leaders of All Levels, Areas Must Understand the Cyber Threat, Says Mullen,” ExecutiveGov.com, 28 May 2010. (http://www.executivegov.com/2010/05/leaders-of-all-levels-areas-must-understand-the-cyber-threat-says-mullen/)