For example, at the end of 2014 private corporate data was extracted from Sony Corporation as a result of cyber activity—presumably by North Korea. International cyber experts are closely studying Russia’s use of cyberspace in Eastern Europe. And the media has concentrated their spotlight on China’s cyber activities. Although Chinese leaders systematically denounce media accounts as attacks on the reputation of the Chinese people, in official pronouncements and open literature Chinese leaders have been quite transparent about intentions to conduct military operations in the cyber domain.
In 2003 at the 10th National People’s Congress, leaders announced the establishment of People’s Liberation Army (PLA) information-warfare units. Since the dawn of its revolution in military affairs in the early 1990s, PLA biannual defense white papers have openly included the country’s pursuit of information-warfare capabilities. Today, Chinese writings throughout technical and policy literature affirm that Chinese thinkers pay close attention to trends in the use of cyberspace as a domain of warfare.
Domain of Opportunity
Beijing is taking measures to establish cyber fortifications and thwart intrusions into its networks. Concurrently, it perceives the cyber domain as a vast theater of war in which to gain advantage over its perceived enemies. Security firms have attributed a number of cyber incidents to PLA information-warfare units since they were first established. In 2013, the American security firm Mandiant released one of the most notable such reports, which focused on a group referred to as “APT1.” A stinging account of the activities of one Chinese information-warfare unit, the Mandiant report detailed thousands of attribution indicators, strongly linking a set of cyber intrusions back to China’s 2nd Bureau of the PLA General Staff Department’s 3rd Department.
The report was not only unique in its multidimensional approach of determining the source of the intrusions, but it was also incredibly precise, claiming to have ascertained the military unit number and even the physical address in Shanghai from which these activities were carried out. The Xinhua News Agency, China’s state media organization, hastily issued a response to the report that cited, among other things, a technique known as IP spoofing to account for the American security firm’s findings.
Xinhua aimed to deflect the accusations, claiming that the real actors behind the APT1 activity had merely used the Shanghai IP address to carry out the intrusions. IP spoofing, forging the source address on network traffic so that it appears to originate elsewhere, provides plausible deniability for any activity in cyberspace because it takes advantage of the high level of trust built into the Internet’s architecture, which does not verify where a packet truly came from. It is this incidental attribute of cyberspace’s architecture that is behind the difficulty in identifying the source of the recent attacks on Sony Corporation and why disagreement continues about whether North Korea was behind them. This characteristic is also why state and non-state actors alike have found the cyber domain an ideal place for malicious conduct they would rather keep anonymous.
Examining Foreign Cyber Programs
The report also cites external evidence that corroborates IP address data and increases the likelihood that Mandiant researchers were correct in their assessment. For example, data recovered by Mandiant indicated that the intruders were using operating systems with simplified Chinese language sets—a unique character set used almost exclusively within the PRC. (Traditional characters are used in Taiwan, Hong Kong, and Macau, while simplified characters are used along with traditional characters in Singapore and Malaysia, such that operating systems have different settings for Chinese used in Singapore.) Regardless of whether the Mandiant report correctly identified the Chinese military unit behind APT1, it is clear that PLA military cyber units are preparing for conflict.
The Chinese academic literature is rich with thoughtful discussions of foreign cyber programs, policies, and mechanisms, most notably those of the United States. Recent open Chinese cyber literature reveals that a component of the PLA’s preparation involves the careful study of U.S. Defense Department cyber policy, programs, and capabilities.
In a lengthy examination of future international legal frameworks with the potential to regulate cyber attacks, Chinese law professor Wang Kongxiang, from Nanjing’s Southeastern University, describes the capabilities of programs being developed by the U.S. Defense Advanced Research Projects Agency (DARPA). Wang draws from public White House reports, Congressional testimonies of U.S. Defense Department and Justice Department officials, as well as Government Accountability Office reports. In his assessment of the need for an international legal cyber regime, Wang explains in detail the capabilities of U.S. programs, including one known as the U.S. National Cyber Range, the recently established U.S. Cyber Command, and the U.S. International Strategy for Cyberspace.1 It is noted in Wang’s writings, and throughout those of many other Chinese scholars, that current American policy clearly states, “network attack is war.” While this quote is attributed to the White House’s International Strategy for Cyberspace, it is not declared as plainly in the White House policy document. However, other statements by U.S. Defense Department officials regarding the White House policy have made this claim, an assertion that is noticed and repeated by Chinese and Western scholars.2
Additionally, an article evaluating the operational effectiveness of cyberspace operations written by three researchers from China’s National Defense Information Operations Command details a number of programs from leading U.S. institutions including DARPA; the National Cyber Range program; the Minnesota Army High Performance Computer Research Center’s MINDS intrusion detection program; and the Cyber Warfare, Exploitation and Information Dominance (CWEID) Laboratory’s Structured Holistic Attack Research Computer Network (SHARCNet), among others.3
Chinese Air Force officer Liu Jinxing details how cyberspace operations act as force multipliers in armed conflict and liberally cites U.S. doctrine.4 The article is an interesting analysis of how cyberspace has been leveraged in recent conflicts, but the source material on which the article is based is perhaps just as interesting. U.S. publications account for 11 of the 23 sources, 8 of which are from the DOD, and only 4 are from Chinese authors. This heavy reliance on foreign publications, especially from the U.S. Defense Department, is a conventional practice throughout the Chinese cyber literature. As such, U.S. defense publications heavily influence the Chinese perception of the role cyberspace is expected to play in warfare.
Chinese thinkers, like many of their Western counterparts, largely acknowledge that cyberspace and physical space have many touch points, and therefore attacks conducted in cyberspace have the potential for kinetic effects. An example customarily cited by Chinese thinkers is the release of the STUXNET worm, which the Chinese literature often attributes to the United States and Israel. According to Wang, this cyber attack—assumed to be directed at Iranian nuclear facilities—resulted in the Iranian government being forced to unload nuclear fuel. He broadened his analysis to describe the cyber-physical crossover:
The Iranian government was forced to unload nuclear fuel; approximately 30,000 Iranian Internet terminals and PCs were infected. This event indicates that a cyber attack can produce a very real physical result. It illustrates the transition of network attacks from the cyber domain to the physical world.5
Wang’s analysis of the use of cyber weapons is not restricted to the United States. He also cites the 2008 conflict between Russia and Georgia as an example of cyber attacks used synchronously with conventional military assaults, essentially a joint operation. Additionally, he analyzes Russian capabilities, including advanced botnets, which are networks of hijacked devices, typically used to conduct distributed denial of service (DDoS) attacks. Denial of service attacks are designed to prevent access to network systems by overwhelming them with a barrage of artificial traffic, thereby preventing legitimate communications from getting through. The strength of DDoS attacks is that the traffic is coming from a wide array of locations, which makes identifying and blocking illegitimate traffic very difficult. IP spoofing, discussed earlier, can be used in conjunction with DDoS attacks to increase the number of locations from which the traffic appears to be originating. According to Wang, the Russian military is also focusing on Trojans, sensor viruses, and long-range virus weapons, capable of being delivered through Wi-Fi radio or laser signals.6
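To make concrete why the spread of sources that IP spoofing adds to a DDoS defeats per-source blocking, here is an added Python example (not part of the original article, and not based on any of the Chinese sources cited) run over constructed flow records: a naive per-source packet budget sees nothing, while an aggregate per-destination check and a bogon-source check (what BCP 38 ingress filtering enforces at the network edge) both flag the flood. All addresses, thresholds and records are constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Source ranges that should never appear as the source of traffic arriving from
# the public Internet; BCP 38 ingress filtering drops such packets at the edge.
BOGONS = [ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

TARGET = "198.51.100.10"  # constructed victim address (RFC 5737 documentation range)


def build_flows():
    """Constructed flow records: (second, src_ip, dst_ip, packets)."""
    flows = [(t, "203.0.113.5", TARGET, 4) for t in range(10)]     # one real client
    flows += [(5, f"192.0.2.{i}", TARGET, 3) for i in range(200)]   # 200 flood sources
    flows += [(5, f"10.0.0.{j}", TARGET, 3) for j in range(1, 6)]   # spoofed bogon sources
    flows.append((5, "127.0.0.1", TARGET, 3))                       # another spoofed source
    return flows


def per_source_blocklist(flows, max_packets_per_source=50):
    """Naive defence: block any single source that exceeds a packet budget.
    Against a flood spread across many (possibly spoofed) sources, every
    source stays under the budget and nothing is blocked."""
    totals = defaultdict(int)
    for _, src, _, pkts in flows:
        totals[src] += pkts
    return {src for src, n in totals.items() if n > max_packets_per_source}


def per_destination_alert(flows, max_pps=100, max_sources=50):
    """Aggregate defence: flag a destination whose traffic in any one-second
    bucket has both too many packets and too many distinct sources."""
    buckets = defaultdict(lambda: [0, set()])
    for t, src, dst, pkts in flows:
        bucket = buckets[(dst, t)]
        bucket[0] += pkts
        bucket[1].add(src)
    return {dst for (dst, _), (n, srcs) in buckets.items()
            if n > max_pps and len(srcs) > max_sources}


def spoofed_sources(flows):
    """Sources that cannot legitimately originate on the Internet: a direct
    sign that source addresses were forged."""
    return {src for _, src, _, _ in flows
            if any(ip_address(src) in net for net in BOGONS)}
```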
‘Zero-Day’ Vulnerabilities
A repeated theme in Chinese cyber literature is that nation states are uniquely capable of designing and deploying the most advanced cyber weapons. Among these are cyber payloads—known as advanced persistent threats (APT)—that can lie dormant covertly for years and be triggered in milliseconds. This is where APT1, the subject of the well-known Mandiant report, gets its designation. The most complex APT payloads are customized to exploit a unique flaw in the target system, remaining unaffected by operating system updates and security patches. The missions of these complex payloads can be changed after receiving new instructions, or when pre-programmed events are triggered, such as a date or the execution of a software function. Their goal is to fly under the cyber-security radar until the time of the intended attack and remain unnoticed, which they achieve by blending into everyday routines and exploiting unknown security vulnerabilities.
Cyber-security experts refer to an incident in which an attacker exploits a previously unknown vulnerability as a “zero-day” attack, because the vendor has had zero days to learn of the flaw and there was no patch available to prevent exploitation. Locating zero-day vulnerabilities takes a great deal of research, which leads Chinese thinkers to conclude that nation states are most likely behind malware that contains zero-day exploits, particularly malware that contains multiple ones, like STUXNET. Zero-day vulnerabilities combined with carefully crafted, sometimes custom-designed, exploits can create a potent set of effects in the non-cyber world as well, the scope of which usually goes beyond the interests of non-state actors.
Chinese cyber experts do not restrict their sources to official public reports. Many articles make references to supposed classified foreign cyber programs. The Chinese diplomatic journal International Politics features information it claims relates to sensitive U.S. programs. In a discussion of the realities of global reliance on the current international cyber establishment, author Yang Jin reveals the diplomatic implications of former U.S. National Security Agency contractor Edward Snowden’s 2013 release of classified documents. This is another context in which Chinese cyber experts attempt to examine U.S. cyber programs and capabilities.7
Countermeasures, Stability, and Code of Conduct
The Chinese literature features three prominently recurring themes: a call for developing some form of countermeasures to U.S. cyber capabilities, the observation that maintaining stability in cyberspace is a goal of mutual interest, and an appeal to the development of a cyberspace code of conduct. The first recurring theme of the need for countermeasures against U.S. cyber capabilities is discussed in various forms. Some Chinese authors suggest technical defeaters to U.S. capabilities. Others suggest using legal and diplomatic frameworks to constrain U.S. activities in cyberspace, both potential future U.S. activities as well as those that Chinese researchers perceive to be employed currently. Some writings call for a blend of countermeasures working in parallel.
The second theme is the importance of stability in U.S.-China cyber relations. The Chinese cyber community widely agrees that although the most lethal and stealthy cyber weapons can be developed only by nation states, the nature of the cyber domain is such that developing cyber capabilities is a low cost-of-entry proposition even for small actors. This characteristic, coupled with an increased awareness of the profitability of cyber crime, has led to an increase of international crime in the cyber domain. Regardless of its criticisms of U.S. policies, Chinese literature recognizes that international cyber crime is a problem too complex for any one nation to address alone. Calls for cooperation between China and the United States on this front are often a part of recommendations for action or predictions of the future of cyberspace. In fact, Xu Longdi, a researcher at the China Institute for International Studies, lists cooperation with the United States to safeguard cyberspace from cyber crime as one of four countermeasures against U.S. preemptive cyber strikes.8
The third theme is the importance of developing a global framework or international information security code of conduct, but one that preserves the sovereignty of governments to control content and information flow. This position has been noted by U.S. defense analysts as well.9
Legal Frameworks and U.S. Hegemony
Chinese analysts also call attention to the views held by scholars who study legal issues involving cyber attacks and warfare, which can be summarized in three schools of thought. The first considers current laws to be largely adequate to address all scenarios involving military actions—cyber and kinetic. The second school argues for complete abandonment of existing cyber regulations. This group believes that the Internet can be free of hostilities as a self-governing system. The third school holds that existing laws governing warfare are helpful but not completely adequate for addressing cyber-specific dynamics, leading this group to call for a special class of laws specifically addressing cyber scenarios.10
It appears that ideologically Chinese scholars largely fall into the third school of thought. Even though they vary regarding the best approach to develop new international legal regimes, a consistent theme in the literature is that the current legal regulations are inadequate to address the unique features of cyber warfare, which is partly due to the perceived power imbalance in cyberspace. The Chinese literature is consistent in presenting the PRC as an underdog in every respect in cyberspace, particularly vis-à-vis the United States:
American hegemony exists throughout cyberspace in every area, in every corner of the Internet the U.S. has hegemony—hegemony in technology, hegemony in resources, hegemony in information and hegemony in the legal context—the U.S. has absolute advantage in at least these four areas.11
Chinese cyber security experts Zheng Zhilong and Yu Li, from Zhengzhou University in central China, are funded by the Chinese National Social Science Fund to conduct research exploring the diplomatic and strategic implications of cyber power under a grant titled “The Internet and Our Country’s Countermeasures through Our Role in International Politics.” While the authors bemoan U.S. hegemony, they also predict a future shift in power from the United States to more populous and rapidly modernizing countries such as India and the PRC. Yu and Zheng conclude that the cyber realm is not a neutral space for state actors. The power of cyberspace is such that hegemonic states can advance a global political agenda and their comprehensive national strength by maintaining a lead in information technology. At the same time, the authors view cyberspace as a domain holding promise for a progressive transfer of power from hegemons to emerging nations that invest in information technology and technical education.12
To understand the way the PRC intends to achieve dominance in cyberspace it is necessary to look deeper than the cyber infrastructure, programs, and official pronouncements—areas easier to quantify—and peer into Chinese cultural and philosophical underpinnings. Some of the literature surveyed provides such a glimpse, but a deeper historical study would be necessary to capture these factors sufficiently. In particular, writings from legal publications such as The Journal of Xian Politics Institute, which debate not only strategic issues but also ethical ones, are exceptionally insightful. This segment of the literature provides an invaluable glimpse into the internal philosophical debates among Chinese academics and influential decision makers. It is research into this layer of the Chinese cyber community that is most needed, especially as the United States seeks new ways of understanding Chinese decision makers and steering them toward peaceful and mutually beneficial resolutions in the early stages of conflict.
For the moment, the United States maintains a healthy advantage in the crucial and increasingly pivotal domain of cyberspace. Continued prioritization of cyber research and development funding, a sustained effort on safeguarding sensitive cyber technologies, and a fresh grasp of Chinese views on cyberspace are critical to maintaining this advantage in an uncertain future.