Dean Cheng is senior research fellow at the Asian Studies Center at The Heritage Foundation, a Washington, D.C.-based think tank, where he writes extensively about China’s military and foreign policy. He previously worked for the Science Applications International Corp (SAIC), the Center for Naval Analyses, the Office of Technology Assessment, and the International Security and Space Program.
He recently spoke with The Diplomat’s associate editor Prashanth Parameswaran about China’s cyber capabilities and the threat they pose to the United States. An edited version of that interview follows.
When we talk about China’s approach to cyber security, which organizations are involved and how unified are their approaches and goals in practice?
Typically, we think of the Chinese armed forces (which includes both the People’s Liberation Army and the People’s Armed Police), the Ministry of Public Security, and the Ministry of State Security as key players in China’s approach to cyber security. However, as noted in the 2013 edition of The Science of Military Strategy, there are also “external entities” that can be called upon to engage in cyber warfare (including cyber security) activities. While not specified, this term almost certainly embodies “patriotic hacker” groups, other civilian entities (e.g., academics specializing in cyber security research) and also, potentially, hardware manufacturers and software firms.
The recent Chinese national security law specifies, under Article 49: “All levels and department of state organs shall promptly report up information relevant to national security that they acquire in the course of performing their duties.” Since intelligence gathering is an essential part of cyber security, this would imply that various other organs and entities have some role to play in Chinese cyber security.
Similarly, the new cyber-security law suggests a growing role for the China Cybersecurity Administration. And it suggests that hardware vendors are seen as part of the cyber security architecture.
In theory, Chinese policies generally reflect a unified, coordinated approach to policy formulation and implementation. But in practice, there seem to have been shortcomings. It is thought that this new cyber security law (which is still in draft form) may be part of the effort to improve Chinese practice in this regard. Similarly, the creation of the Central Internet Security and Informationization Leading Small Group, headed by Xi Jinping and incorporating several members of the Politburo Standing Committee indicates high level concern and interest in improving coordination of cybersecurity measures.
What are some of the recent trends we have seen with respect to Chinese cyber espionage and hacking?
This is always hard to say, not only because attribution is difficult, but because revelations do not necessarily correspond to initiations. That is, when a security breach is publicly reported, it may be about a recent breach, or it may be the recent discovery of a longstanding penetration, or it may be the announcement of a long-known effort.
This is exacerbated by the coyness with which various governments, including the U.S., then treat the attacks. Thus, just this week, reports indicate that the Administration is going to refrain from publicly accusing China of responsibility for the OPM (Office of Personnel Management) hacks. The various hacks involved a cumulative total of some 30 million records, and apparently include information about security clearances as well as personal information. The Director of National Intelligence (DNI) James Clapper has indicated previously that China is “the leading suspect.” But without official statements, we are left with no official position on who mounted this extensive, pervasive attack.
Nonetheless, what does appear to be the case is that there has been an extensive, persistent attempt by the People’s Republic of China to engage in computer network exploitation, seeking to obtain information about a wide range of targets, including foreign nations (e.g., the United States); foreign leaders (e.g., German Chancellor Merkel, the Dalai Lama); foreign scientific research establishments (e.g., the Canadian National Research Council), and foreign corporations.
This latter aspect distinguishes Chinese cyber espionage from other states’. There is no real precedent for the scale of state-sponsored/state-supported corporate espionage that we are seeing. This is partly a result of the Internet, but also partially the product of China’s hybrid economy, which retains extensive state-ownership in key areas, making the dissemination of the fruits of espionage (cyber or otherwise) easier.
China has just released a draft of a new cybersecurity law. Based on what we know thus far, what might this mean for foreign companies operating in the country?
Foreign companies are clearly going to have to store data about their Chinese customers in China.
Between the national security law (formally passed in the last month) and the draft cyber security law, it would appear that the Chinese are also intent upon having foreign hardware manufacturers provide extensive details and information about their products, if they wish to have a chance of participating in the Chinese market.
Furthermore, Chinese officials have indicated that they expect cooperation from foreign companies on cyber security and data holdings in the course of investigating terrorist or other internal security affairs. This will include the requirement (in Article 20) that: “Network operators handling network access and domain registration services for users, handling stationary or mobile phone network access, or providing users with information publication services, shall require users to provide real identity information when signing agreements with users or confirming provision of services.” In short, there can be no anonymity on the Chinese web. The problem, of course, is that entities that China defines as terrorists or threats – such as Falun Gong, or Tibetan nationalists – may not be seen as such elsewhere.
How would you assess the Obama administration’s response thus far to China’s cyber challenge?
Given some of the difficulties in assessing trends in China’s cyber espionage efforts, as well as fundamental problems of Internet security that have nothing to do with the Obama administration, the White House faces an unenviable task. This has been further complicated by the Edward Snowden revelations. Snowden’s claims about American cyber espionage undercut – in the public perception – the idea that China’s actions are atypical. They may well have also served to heighten Chinese cyber espionage efforts (both offensive and defensive). They certainly have been used by the Chinese to shrug off criticism of their activities.
That being said, the Administration has rightly tried to highlight the difference between traditional espionage (state efforts to gain information about foreign military plans, equipment, etc.), and China’s state-supported corporate espionage. Unfortunately, the Administration’s actual track record is limited and arguably inadequate. Not one diplomatic representative has been recalled for consultations, not one meeting has been downgraded, not one exchange has been cancelled. Indeed, the decisions to continue to hold summits and plead for dialogue almost certainly misleads the PRC into thinking that the United States cannot afford (or lacks the will) to respond more assertively.
Similarly, given that the most often cited problem has been the economic aspect of Chinese cyber-espionage activities, one might have expected economic steps in response. Companies that exploit information derived from stolen data could be investigated, and if sufficient evidence is found, prohibited from listing in American stock exchanges or using the American banking system, with their corporate officers placed under indictment. The point would be to alter the cost-benefit equation for extensive economic cyber-espionage. Thus far, there has been little cost imposed on major benefits. Instead, at the most rent Strategic & Economic Dialogue, public information suggests that more time was spent discussing global warming than cyber security concerns.
Chinese President Xi Jinping is expected to visit the United States in September. How do you expect cyber to feature in U.S.-China discussions? What would you advise the Obama White House to do in the lead-up to the visit and for the rest of its second term?
Given the extremely poor outcome from the Sunnylands summit, when the Chinese refused to even stay at the Annenberg estate on the grounds of the threat from American “electronic espionage,” as well as the Chinese refusal to reinitiate the cyber-working group discussions, suspended after several PLA officers were indicted by the United States for cyber-espionage, one should have limited expectations about any movement in U.S.-Chinese discussions on this subject.
It is certainly possible that Beijing may offer to restart the cyber-security working group as a public display of conciliation. That does not mean, however, that we should expect any significant change in Chinese behavior. Such a move would more likely be part of a “public opinion warfare” campaign than a substantive shift in policy. While there would be little reason not to take up any such Chinese move, the United States does itself no favors by mischaracterizing any such movement as somehow constituting a new stage in relations.
Instead, the Administration would be best served by taking a clear-eyed view of the overall U.S.-China relationship, including but not limited to the cyber realm. The United States and China have massive mutual economic interests – a point of leverage that works both ways. At the same time, there is a growing array of security concerns, whether it is Chinese island building in the South China Sea, Chinese development of a growing portfolio of counter-space capabilities (including demonstrated cyber intrusions into satellite networks), or the Sino-Japanese tensions over the Senkakus. American policy towards China needs to be coordinated and consistent. Whipsawing Beijing (e.g., criticizing them for island building while inviting them to Rim of the Pacific Exercises (RIMAC), and lauding them for sending a spy-ship) with inconsistent messages can only undermine not only U.S. ability to influence Beijing, but also American credibility with our allies in the region.
Similarly, if the Administration remains committed to the “Asia pivot,” it would help to demonstrate this by actually according both more resources and more high level attention to the region.
The Administration should be under no illusion that it can somehow “shame” the PRC into behaving in the cyber arena according to American rules – at least, not without demonstrating that its current actions will incur a substantial cost. Nor should it expect that China will somehow simply evolve towards the American perspective on cyber espionage. Leaving aside the reality that China is not the United States, China’s actions demonstrate that it has a fundamentally different perspective – and one that has, thus far, been lucrative and worthwhile. Why would it change?