Thoughts on China Cyberattacks

Yesterday, the U.S.-China Economic and Security Review Commission released the second report prepared for it by Northrop Grumman on Chinese cyber capabilities. As numerous press reports noted, Occupying the Information High Ground argues that China’s improving cyber capabilities pose a threat to the United States military, that China could target U.S. logistic and transport networks in the case of a regional conflict, and that Chinese IT companies ZTE, Datang, and Huawei all have close collaborative ties with the People’s Liberation Army (PLA).

The report does a good job of bringing a great deal of Chinese-language and open-source information together, and is especially useful in laying out how information security research is funded in and conducted by military and civilian universities. Much of the discussion, however, about how China thinks about computer network operations, the growing links between defense and civilian industries, and the threats to the supply chain has been done before (James Mulvenon is particularly good on Chinese thinking about seizing the information advantage and the “digital triangle”; Tai Ming Cheung’s Fortifying China is an exhaustive study of China’s efforts to build a dual-use industrial base; and CFR held a workshop on some of the vulnerabilities that stem from sourcing hardware and software from all over the world in January 2011).

The specific findings of the report are useful and important, but we should remind ourselves of four things. First, it’s easy to forget that much in the report is about aspirations, what the PLA hopes to accomplish, and that we are less certain about how capable it truly is. The report doesn’t shy away from this point, quoting senior PLA officials who provide “blunt assessments of the shortcomings still being experienced” and who suggest there are “contradictions” between the Chinese and Western media portrayal of PLA operational success in training with “a different reality on the ground.” The gap between aspirations and capability is often lost in the report through a stream of descriptions of what PLA writings say the Chinese military could or might want to do to U.S. networks. By contrast, Desmond Ball of Australian National University argues that “China’s cyber-warfare authorities must despair at the breadth and depth of modern digital information and communications systems and technical expertise available to their adversaries.”

Second, and again the authors make this point, Occupying the Information High Ground isn’t a net assessment. It makes no effort to “detail possible countermeasures and network defense capabilities that the U.S. military and government may employ that could successfully detect or repel the types of operations described.” Or as one senior Defense Department official told Reuters, “We’re cognizant of those capabilities, of course, and are working on ways to add to the tools we already have to respond to them if necessary.” We should remember that the United States isn’t standing still – as Deputy Secretary of Defense Ashton Carter said at the RSA conference last week, “No moment in all those [budget] deliberations was it even considered to make cuts in our cyber expenditures…ships, planes, ground forces, lots of other things on the cutting room floor; not cyber.”

Third, as most of the writings cited in the report demonstrate, we know a lot more about Chinese thinking at the tactical level and much less about how the central leadership understands the political or strategic implications of a cyber-attack on U.S. interests, especially one on critical infrastructure. The report notes that “the decision to move beyond strictly military targets for network attack operations would likely be made at the highest levels of China’s military and political leadership because of the recognized dangers of escalation that such a move presents.” How certain can leaders on either side of the Pacific be that it’s possible to limit network attacks to “strictly military targets”? If the strategic is always a possibility in the tactical, then we need better insight into what central leaders in Zhongnanhai understand about and expect from cyber operations.

Finally, shadowing the report is the question of what the U.S. policy response should be. The report doesn’t spend much time discussing cyber espionage threats (which was covered more expansively in the previous report, Capability of the People’s Republic of China to Conduct Cyber Warfare and Computer Network Exploitation), but it does suggest that continuous exfiltration of data from U.S. government networks exacerbates military instability:

“To the extent that the PLA and civilian intelligence organizations have been carrying out long term CNE [computer network exploitation] against U.S. networks without retribution or hard evidence of public attribution, Chinese leadership may be emboldened toward greater risk-taking for preemptive network-based attacks or penetrations, potentially increasing the dangers of miscalculation and unintended second and third order effects that lead the United States to escalate the crisis or respond in ways that PLA leaders may not have anticipated.”

As I argue in my recent Foreign Affairs article, Chinese Computer Games, raising the costs and calling the perpetrators out is part of a strategy that will include bilateral and multilateral discussions on rules of the road for cyber, capacity-building, deterrence through denial, and possibly trade or other sanctions. Even using all these policy tools, it’s going to take a long time; Chinese-based cyberattacks won’t disappear anytime soon.

Adam Segal is the Ira A. Lipman Senior Fellow for Counterterrorism and National Security Studies at the Council on Foreign Relations. He blogs at Asia Unbound, where this piece originally appeared. Follow him on Twitter @adschina.

March 11, 2012 at 22:08

I’m just not rolling with this PLA cyber attack thing.

For sure they can probably dredge out volumes of info through access points… and maybe attack a few systems and knock them out temporarily.

However, I very much doubt they have the ability to do huge damage – I think the PLA/Red Hacker cyber threat is overrated – just like Y2K.

Engineers did their jobs and made Y2K a non-event – I think the PLA/Red Hacker phenomenon will be the same.

Take Free Tibet for instance.

A quick search on Google on 10th March – A key date in Tibet independence brings up

The list just goes on and on… Every one of these sites is fully working – on a huge significant day for Free Tibet – all of them showing messages that are an anathema to the CCP. If the PLA or Red China hacker movement can’t even take down the Free Tibet movement – why are we thinking they can take down the US military?

For sure – Free Tibet spends a lot of money on internet security and is regularly compromised, but mostly by phishing members.

I don’t disagree that the countries should prepare well for a cyber war…. but my bet is that when push comes to shove the dreaded cyber attack from China fizzles out into a non-story. Red Hackers will be trying their best to bombard and bring down critical systems with only limited results.

When I see the Free Tibet movement unable to get a presence on the internet then I’ll start believing that the Red hackers are starting to gain control and can truly do what they dream about.

March 11, 2012 at 01:02

Most US/European Telecoms & IT companies have been infested with CCP/PLA moles. Any countries using telecoms/datacoms gear from Huawei, ZTE, Datang, etc. probably know this. Nortel went down partly because of the financial issues, but partly because their networks have been hacked by the MSS from CCP/PLA.

CCP/PLA members have been embedded in all Chinese Education/Business/Political organizations and from there, they are spanned out into all other US/EU organizations as sleeper cells for data collections.

“Primary Party organizations are formed in China’s mainland enterprises, rural areas, government departments, schools, scientific research institutes, communities, mass organizations, intermediaries, companies of the People’s Liberation Army and other basic units, where there are at least three full Party members.”
