China Reveals Its Cyberwar Secrets
In an extraordinary official document, Beijing admits it has special units to wage cyberwar—and a lot of them. Is anybody safe?
A high-level Chinese military organization has for the first time formally acknowledged that the country’s military and its intelligence community have specialized units for waging war on computer networks.
China’s hacking exploits, particularly those aimed at stealing trade secrets from U.S. companies, have been well known for years, and a source of constant tension between Washington and Beijing. But Chinese officials have routinely dismissed allegations that they spy on American corporations or have the ability to damage critical infrastructure, such as electrical power grids and gas pipelines, via cyber attacks.
Now it appears that China has dropped the charade. “This is the first time we’ve seen an explicit acknowledgement of the existence of China’s secretive cyber-warfare forces from the Chinese side,” says Joe McReynolds, who researches the country’s network warfare strategy, doctrine, and capabilities at the Center for Intelligence Research and Analysis.
McReynolds told The Daily Beast the acknowledgement of China’s cyber operations is contained in the latest edition of an influential publication, The Science of Military Strategy, which is put out by the top research institute of the People’s Liberation Army and is closely read by Western analysts and the U.S. intelligence community. The document is produced “once in a generation,” McReynolds said, and is widely seen as one of the best windows into Chinese strategy. The Pentagon cited the previous edition (PDF), published in 1999, for its authoritative description of China’s “comprehensive view of warfare,” which includes operations in cyberspace.
“This study is a big deal when it’s released,” McReynolds said, and the current edition marks “the first time they’ve come out and said, ‘Yes, we do in fact have network attack forces, and we have teams on both the military and civilian-government sides,’” including inside China’s equivalents of the CIA and the FBI.
The acknowledgment could have political and diplomatic implications for China’s relationship with the United States and other Western powers.
“It means that the Chinese have discarded their fig leaf of quasi-plausible deniability,” McReynolds said. “As recently as 2013, official PLA [People’s Liberation Army] publications have issued blanket denials such as, ‘The Chinese military has never supported any hacker attack or hacking activities.’ They can’t make that claim anymore.”
U.S. officials have spent years marshaling evidence of China’s cyber capabilities and have been escalating efforts to stop cyber spying. Last year, the Justice Department took the unprecedented step of indicting five Chinese military officials for hacking into U.S. companies and stealing their proprietary information to give Chinese firms a leg up on the global market.
That indictment was met with more denials, which have continued even past the publication of the latest Science of Military Strategy, which has taken months to translate, McReynolds said, and has not been publicized outside the ranks of China analysts.
“When asked, the Chinese as recently as a month ago denied they had a cyber command,” James Lewis, a senior fellow at the Center for Strategic Studies and a leading expert on China’s cyber capabilities, told The Daily Beast. Lewis said that the new revelations won’t come as “earth-shattering” to analysts and experts who closely follow statements by Chinese officials, because “we all assumed they were lying.”
“But it’s interesting, and people outside the community won’t know it,” Lewis said. He compared the revelation to China’s testing, in 2007, of an anti-satellite missile, “which came after they had for years stoutly denied that they were building space weapons.”
China has divided its cyber warfare forces into three types, said McReynolds, whose analysis is included in his forthcoming book, China’s Evolving Military Strategy, which will be published in October.
First, there are what the Chinese call “specialized military network warfare forces” consisting of operational military units “employed for carrying out network attack and defense,” McReynolds said.
Second, China has teams of specialists in civilian organizations that “have been authorized by the military to carry out network warfare operations.” Those civilian organizations include the Ministry of State Security, or MSS, which is essentially China’s version of the CIA, and the Ministry of Public Security (its FBI).
Finally, there are “external entities” outside the government “that can be organized and mobilized for network warfare operations,” McReynolds said.
As to which of those groups is responsible for targeting American companies to steal their secrets, the short answer, says McReynolds: “They all do it.” Espionage by the PLA has been extensively documented, McReynolds said. And a Chinese hacking unit dubbed Axiom that has been linked to intrusions against Fortune 500 companies, journalists, and pro-democracy groups is reportedly an MSS actor. He noted that there are also many ways that Chinese civilians have been seen assisting in industrial espionage, including through “hack-for-cash” operations.
Based on other PLA writings, it appears that the military would most likely handle any targeting of critical infrastructure, McReynolds said.
Now that China is coming clean about its cyber warfare forces, other countries may question whether they can safely cooperate with the government on combating cybercrime. The Ministry of Public Security (MPS), for instance, has assisted more than 50 countries with investigations of more than a thousand cases of cybercrime over the past decade, and China has set up bilateral law enforcement cooperation with more than 30 countries, including the United States, the United Kingdom, Germany, and Russia, McReynolds said.
“With the Chinese now explicitly acknowledging that the [ministry] has network warfare forces stationed within it, the United States and other targets of Chinese state-sponsored hacking will have to weigh carefully whether cooperation with the MPS on cybercrime is worth the risks,” he said.
McReynolds also saw signs of a potential power struggle between the People’s Liberation Army and civilian government agencies like the Ministry of Public Security over who really runs cyber operations within the Chinese system. Those civilian cyber forces operated under the PLA’s “authorization,” according to the Chinese document.
“As unprecedented as it is to have the Chinese military acknowledge the existence of its network attack forces, having the PLA announce the existence of such secretive forces inside the civilian government is particularly unusual, and strikes me as an attempt to ‘plant the flag’ for the PLA,” McReynolds says.
The new analysis of China’s cyber operations has taken a long time to produce, in part because the latest edition of The Science of Military Strategy wasn’t released until December 2013, McReynolds said. “It takes a while for this sort of information to filter out into the Western PLA-watcher community, especially since there’s no English translation available yet. It was only last summer that the first of us in the community started to obtain copies of the new SMS and go through its contents; it’s hundreds of pages long.”
McReynolds, who said he reads Chinese, also ran his translations by analysts fluent in the language to ensure the accuracy of his work, he said.
China isn’t the only major U.S. adversary with advanced military cyber operations. Russia is a “near peer” to the United States, former National Security Agency Director and Cyber Command chief General Keith Alexander said in 2010. The country’s use of cyber offensive operations has been documented both in Georgia in 2008 and more recently with Russia’s invasion of Crimea in 2014. Those operations, conducted in tandem with traditional combat operations, have been aimed at disrupting adversaries’ communications systems, including public websites.
Experts generally agree that Russia, China, and the United States have the most advanced and sophisticated cyber warfare forces. But Iran has been quickly gaining new capabilities and demonstrated a willingness to use them, as with a massive attack on U.S. bank websites in 2012. North Korea has also ramped up its cyber operations, most notably with the hacking of Sony Pictures Entertainment last year, which prompted the Obama administration to impose new economic sanctions on the hermit kingdom.
Eric Rosenbach, an assistant secretary of defense in charge of homeland defense and global security issues, has said that some five dozen countries are building a military-cyber operation, equivalent to the United States’ Cyber Command.