14 June 2015

China: Active Defense in the Cyber Domain

By Elsa Kania
The Chinese Ministry of National Defense recently released its first-ever white paper on military strategy. “China’s Military Strategy” (CMS) outlines a strategy of “active defense” and emphasizes China’s commitment to “winning informationized local wars” and becoming a maritime power. Although the white paper contained no surprises for longtime China watchers and analysts, CMS also contains the first official acknowledgement of China’s commitment to building a cyber force with the capability to engage in offensive cyber operations. Evaluated in the context of concurrent domestic developments and recent incidents, this new strategy offers hints at what to expect as China seeks to advance and defend its “cyber sovereignty” from perceived threats at home and abroad.

‘Commanding Heights’

Although the explicit discussion of China’s cyber strategy in CMS is limited, what is stated is nonetheless significant. CMS characterizes outer space and cyberspace as the “new commanding heights in strategic competition,” and notes that, as war evolves towards “informatization” (xinxihua), China faces serious new security challenges. Therefore, a key strategic task of China’s armed forces is safeguarding China’s security interests in these new domains.

Notably, CMS emphasizes that China must “expedite the development of a cyber force,” and enhance its capabilities in “cyberspace situation awareness” and cyber defense. This perceived imperative of building a cyber force and advancing Chinese cyber capabilities is justified in defensive terms, with the familiar refrains that China itself is a consistent victim of intrusions. The aims articulated do not directly reference offensive measures, but rather take a subtler note: The stated objective is “to stem major cyber crises, ensure national network and information security, and maintain national security and social stability” [emphasis added]. Presumably, offensive cyber operations are an acceptable tool to achieve these objectives.

The white paper thus characterizes the threats associated with the cyber domain as potentially jeopardizing not only national security but also social stability. The need to “maintain social stability” (mentioned six times) is presented as a primary mission of China’s armed forces, which are also directed “to remain a staunch force for upholding the [Communist Party of China] CPC’s ruling position.” By extension, the mission of this new cyber force would therefore be not only to safeguard China’s sovereignty in cyberspace but also to defend CPC rule against any threats emanating from this new domain. The perceived imperative of controlling content considered a threat to the CPC’s authority is implicit in the concept of information security (xinxi anquan), which is broader than cyber security or “network security” (wangluo anquan), the standard terminology used in Chinese, as Amy Chang noted in her recent report, “Warring State: China’s Cybersecurity Strategy.”

Active Defense: Justifying Offense

Our understanding of China’s military strategy for the cyber domain should be contextualized by the white paper’s overall focus on “active defense.” Although Beijing does not explicitly discuss offensive cyber operations in this white paper, that possibility is inherent in the concept of “active defense,” described as:

“adherence to the unity of strategic defense and operational and tactical offense; adherence to the principles of defense, self-defense and post-emptive strike; and adherence to the stance that ‘We will not attack unless we are attacked, but we will surely counterattack if attacked.’”

If applied to the cyber domain, the implications of this concept could be that offense at the tactical and operational levels is consistent with an overall defensive orientation at the strategic level. By this logic, cyber “attacks” could be considered integral elements of the Chinese military’s efforts to “resolutely safeguard China’s sovereignty, security and development interests” in cyberspace. The question then becomes what China perceives to be an attack, a question complicated by the ambiguities of intent and challenges of attribution inherent in the cyber domain.

Indeed, it seems that, in the cyber and maritime domains alike, Beijing consistently rationalizes seemingly assertive activities as justified responses to prior provocations. For instance, China has developed and recently deployed a unique, sophisticated cyber tool that is collocated with, but distinct from, the Great Firewall, as Citizen Lab’s analysis has shown. The use of the “Great Cannon” in Distributed Denial of Service (DDoS) attacks against GreatFire.org and two GitHub pages run by GreatFire.org could be seen as an attempt to deter such efforts to circumvent the Great Firewall and provide censored content to Chinese users. Notably, this attack utilized the servers of Baidu, known as China’s Google. Future aggressive cyber activity could also seek to weaponize, and some might even deliberately target, civilian cyber infrastructure in order to defend China’s “cyber sovereignty” and prevent such perceived efforts to threaten social stability.

Transparency Overture?

The new defense white paper is hardly surprising or unexpected, and it provides confirmation of trends long observed by analysts. However, as an official document intended for an international readership, CMS could be characterized as a small but significant step towards transparency regarding Chinese strategic thinking and intentions. Previously, Beijing had consistently denied that China engages in any hacking or offensive cyber operations, frequently claiming to be the world’s biggest victim of hacking and cyber attacks. CMS seems to be the continuation of a trend towards acknowledging that the Chinese military is actively expanding its capabilities in the cyber domain and contemplating the offensive applications of cyber power.

The relatively anodyne language in the white paper reflects what the Chinese government is willing to acknowledge to an international audience. This is in contrast to the more detailed, open discussions of China’s cyber strategy and cyber force that can be found within certain credible, quasi-official sources. Although these views and publications cannot be characterized as entirely authoritative, some likely reflect the direction of Chinese strategic thinking on cyber security and cyber warfare more candidly and accurately.

Signaling and Deterrence 

Interpreting and predicting a country’s intentions and activities in cyberspace requires synthesizing a range of sources. For instance, the PLA’s influential Academy of Military Sciences publishes a new edition of The Science of Military Strategy (SMS) once every fifteen years. This comprehensive, authoritative study reflects the PLA’s evolving strategic thought and impacts the formation of official strategy. The latest edition, released in December 2013, includes an extensive discussion of the network domain and network warfare, including an explicit categorization of the three types of Chinese network attack forces: the PLA’s “specialized military network warfare forces”; “PLA-authorized forces” in civilian organizations, such as the Ministry of State Security and the Ministry of Public Security; and “non-governmental forces.”

Although Beijing is not yet willing to admit or officially discuss certain military elements of China’s cyber strategy, this important document hints at the increasingly offensive orientation of China’s cyber strategy. Since Beijing would certainly be aware that SMS is carefully reviewed in Western analytical circles, its release could be interpreted as a deliberate signaling of underlying elements of China’s cyber strategy that are advocated by certain, more hawkish voices. SMS also discusses the integral role of peacetime “network reconnaissance” as a way to prepare the battlefield for wartime network operations, as Joe McReynolds observed in a recent article. Troublingly, the authors of this book seem to believe that foreign countries’ civilian cyber infrastructure could be a legitimate target for future network attacks. This selective disclosure of actual or aspirational Chinese cyber capabilities and intentions could be intended as a means of deterrence. 

Cyber Sovereignty and China’s Cyber Future

The characterization of China’s cyber strategy in the CMS and related sources must be understood in the context of Beijing’s vigorous advocacy of the concept of network sovereignty (wangluo zhuquan) or Internet sovereignty (hulianwang zhuquan), often translated as cyber sovereignty. For some time, Beijing has actively sought to advance this concept, including at the United Nations and in international conferences, through new rules and restrictions on foreign technology companies doing business in China, and through draft national security and counterterrorism laws. China’s cyber czar, Lu Wei, has argued, “cyberspace cannot live without sovereignty” and called for cyber sovereignty to “rule the global Internet.”

This strategic thinking on cyber sovereignty and active defense will likely guide China’s activities in the cyber domain in the years to come. China will react strongly, and perhaps offensively, to attempts to circumvent the “cyber borders” of its Great Firewall and to all perceived threats to its cyber sovereignty, including from activists, dissidents, and foreign tech companies. Domestically, the Chinese government will continue to step up Internet censorship and crack down on the use of VPNs and even access to Gmail, despite the potential economic consequences. As China extensively engages in and perhaps escalates offensive activities in cyberspace, the CPC will probably continue to characterize such behavior as inherently defensive, in response to perceived threats against China’s cyber sovereignty, security, and stability. Perhaps, the five-year cyber security plan that China is currently preparing will ultimately take a further step towards transparency on these issues.

Elsa Kania is a rising senior at Harvard College and was a 2014-2015 Boren Scholar in Beijing. She is currently an intern on the threat intelligence team at FireEye. The views expressed in this article are the author’s own and do not necessarily represent those of FireEye, Inc.
