Chinese Cyber Warfare Capabilities


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

1. It is quite difficult to know China’s official cyber warfare strategy with certainty from open sources. Open source documents do not give all the relevant information required to make such a finding. However, by piecing together the available information, bringing out the linkages between the pieces, and analyzing the data, it is possible to come up with a likely strategy that is as close to reality as possible. It is a well-known fact that strategies develop out of necessity and have a distinct or underlying purpose. The People’s Liberation Army (PLA) has been sensitive to continuous changes in the geo-political and geo-strategic scenario, as well as the changing nature of warfare. It has tailored its responses by evolving appropriate military doctrines and strategies to meet the threats and challenges of the future. It is likely that the Gulf War had the greatest impact on devising a cyber warfare strategy with Chinese characteristics. Of all the lessons learned from the Gulf War, the Chinese realised the usefulness of the U.S. armed forces’ reliance on technology but, more importantly, of their ability to manage information with that technology. The use of satellites and other forms of digital C4ISR systems provided a significant advantage over an adversary. With this realization, the PLA began a revolution of the military with the directive to prepare for local wars under high-technology conditions. [1]

2. The Chinese are actively developing a capability for information warfare (IW). The Chinese have adopted a formal IW strategy called "Integrated Network Electronic Warfare" (INEW) that consolidates the offensive mission for both Computer Network Attack (CNA) and Electronic Warfare (EW). [2] The PLA is also developing computer network operations (CNO) and is creating the strategic guidance, tools and trained personnel necessary to employ it in support of traditional war fighting disciplines. Nonetheless, the PLA has not openly published a CNO strategy with the formal vetting of the Central Military Commission (CMC), China’s top military decision-making body, or the Academy of Military Sciences (AMS). The PLA has, however, developed a strategy called "Integrated Network Electronic Warfare" that is guiding the employment of CNO and related information warfare tools. The concept allows the PLA to network its existing force structure without radically revising current acquisition strategies. China’s November 2004 White Paper on National Defence outlines the acceleration of a Revolution in Military Affairs (RMA) with Chinese characteristics by building an ‘informationalised’ force. ‘Limited war under high tech conditions’, which remained in force for over 10 years, has been replaced by ‘local war under informationalised conditions’ after studying the lessons of the Second Gulf War, ‘Operation Enduring Freedom’ in Afghanistan and ‘Operation Allied Force’ in Kosovo.

3. The PLA Science and Engineering University serves as a centre for defence related scientific, technological, and military equipment research. The university also provides advanced information warfare and networking training. [3] The Information Warfare (IW) faculty has recently focused its research on rootkit design and detection. The PLA Information Engineering University provides PLA personnel advanced technical degrees and training in all aspects of information systems, including information security and information warfare. [4] The IW strategy of the PLA is geared towards the combined employment of network warfare tools and electronic warfare weapons against an adversary’s information systems in the early phases of a conflict. China’s military has shifted its focus from its reliance on the massed armies of the Maoist era People’s War Doctrine and is becoming a fully mechanised force linked by advanced, fully integrated and networked technologies. Informationisation is essentially a hybrid development process, continuing the trend of mechanisation and retaining much of the current force structure, while overlaying it with advanced information systems to create a fully networked Command and Control (C2) infrastructure. The concept allows the PLA to network its existing force structure without radically revising current acquisition strategies or order of battle. [5] The originator of the INEW strategy, Major General Dai Qingmin, a prolific and outspoken supporter of modernizing the PLA’s IW capabilities, first described the combined use of network and electronic warfare to seize control of the electromagnetic spectrum as early as 1999 in articles and a book entitled An Introduction to Information Warfare, written while on faculty at the PLA’s Electronic Engineering Academy. [6] Dai advocated the combination of electronic warfare with computer network operations against enemy C4ISR systems as a means to disrupt information collection during combat operations. [7] Dai was promoted to head the communication department and eventually to lead the 4th department of the Chinese General Staff. [8]

4. Having seen the broad overview of the Chinese thought process and policy on cyber warfare, it is imperative to understand the key entities, or enablers, of its computer network operations to gain an insight into Chinese cyber warfare capabilities.

(a) General Staff Department (Figure 1). The General Staff Department (GSD) of the PLA has divided computer network operations between the 3rd and the 4th departments. The 3rd Department, which heads the signals intelligence collection effort, has the responsibility for overseeing computer network defense and computer network exploitation. [9] The 4th Department is responsible for computer network attack. Offensive EW is the GSD 4th department’s traditional role. [10] According to open source reporting, the department is now responsible for implementing INEW, for offensive IW in the PLA. The 4th department, also referred to as the Electronic Countermeasures Department (ECMD), oversees both the operational ECM units and the R&D institutes conducting research on a variety of offensive IW technologies. The 4th department’s oversight of IW dates back to at least 1999 and probably earlier. The GSD’s decision in 2000 to promote Dai Qingmin to head the 4th Department suggests that the GSD probably approved his vision of adopting INEW as the PLA’s IW strategy. [11]

Figure 1. General Staff Department of the People’s Liberation Army [12]

[Organisation chart. Units shown under the General Staff Department: Political Department; 1st Department (Operations Department); 2nd Department (Military Intelligence Department); 3rd Department (Signals Intelligence Department); 4th Department (Electronic Countermeasures & Radar Operations Department); Communications Department; Science & Technology Committee; General Office; Meteorological Bureau; Survey & Cartography Bureau; Confidential Bureau; Military Affair Department; Army Aviation Bureau; Military Training Department; Mobilisation Department; Service Arm Department; Retired Officers Office; Guards Bureau; Legal Advisory Office; Management Bureau.]

(b) IW Militia. Starting in the late 1990s and early 2000s, the PLA began the process of creating IW militia units comprised of academics, commercial information technology experts, and possibly former computer hackers. Integrated into commercial information technology firms, these units have direct access to technical expertise, the latest hardware and infrastructure, and sophisticated software design. [13] Qiao Liang and Wang Xiangsui note in Unrestricted Warfare that "a pasty-faced scholar wearing thick eyeglasses is better suited to be a modern soldier", and while this is clearly a stereotype, it does reflect the idea that cyber warfare requires more brains than brawn. By 2003, the Chinese Academy of Military Science published writings establishing four IW militia units as a proof of concept. [14] These IW militia units are centered in China’s Guangdong province, which is home to commercial information technology companies in China. The militia units recruited personnel with computer network expertise, advanced degrees, and educational experience outside of China. [15] These units focus their research on "launching hacker attacks, proliferating viruses, jamming information channels, and disrupting nodes of adversary networks". [16] In 2006, the Academy of Military Science explicitly directed the PLA to establish IW militia units. [17] The exact number of IW units and the level of their capabilities are currently unknown. In March 2008, the newest IW unit was organized in the Ningxia Province. Reporting of the event on the county website revealed the mission of the unit, its size, and its organization. The website stated that the unit is comprised of 80 personnel and organized into three detachments which are specialized in the full range of computer network operations. [18] The new unit would undertake the following operations [19]:

(i) In peacetime, extensively collect information from adversary networks and establish databases of adversary network data.

(ii) In wartime, attack adversary network systems, and resist enemy network attacks.

(c) Cyber-Espionage. Computer hackers are another capability available to China. The Chinese academic community and hacker groups around the world are heavily focused on researching new ‘zero-day’ vulnerabilities. Some reports suggest that Chinese researchers are also willing to purchase zero day attack tools from third parties, though this has not been independently corroborated. White hat information security researchers (those pursuing overt legal research in the field) are developing extensive government customer bases for hardware and possibly software support. Many of the most prominent earlier groups and their leaders have either disbanded or transformed themselves into seemingly legitimate security firms. Large groups like X focus and Black Eagle Base have reinvented themselves as commercial operations, in line with state security and information security objectives. NSFocus, which is a prominent commercial information security firm, evolved out of the Green Army Alliance, an early and prominent hacker group active from 1997 through 2000. The NSFocus website still retains the logo of the Green Army Alliance and the list of its founding members features some of the most prominent hackers in China. [20] 

(d) Task Oriented Structure. Some operations involve multiple individuals who are responsible for specific tasks such as gaining and establishing network access, surveying portions of the targeted network to identify information of value, and organising data exfiltration. There is an entry or breach team tasked only with gaining entry and maintaining a flexible, redundant presence in the target network. Their job is essentially picking the lock and ensuring not only that the door stays open, but that there are multiple doors available if the one being used is closed. Once the breach team has successfully established access to the network, a possible second team or individual conducts the data reconnaissance and ultimately locates and exfiltrates targeted data. Additional individuals or teams, probably tasked with the collection of the actual targeted information, have greater skill and highly detailed knowledge of the targeted networks. Their efforts to locate and move data off the network often involve techniques that place a premium on redundancy, stealth, comprehensiveness of preparation and attention to detail. Using network intelligence gathered during earlier reconnaissance efforts, the collection teams have in some cases copied the data from the servers and workstations to a second server that acts as a staging point, where they compress, encrypt, segment and replicate it before distributing it through encrypted channels out of the targeted organisation to multiple external servers that act as drop points. These drop points may also play an obfuscating role, ensuring that investigators are unable to identify the data’s final destination. [21]

5. In addition to the IW militia units formed by the PLA, there are six technical reconnaissance bureaus (TRB) formed throughout the country. The full purpose of these TRBs remains unknown but, along with conventional signals intelligence collection, it is apparent that computer network exploitation is one of their tasks. The Chinese Communist Party (CCP) media outlet accepted that the first TRB received commendations for considerable achievements in informatization building. [22] In 2002, a similar report noted that the third TRB received its fifth consecutive award for outstanding research in IW theories. [23] This implies that the TRB existed as early as 1997 and would have developed in a big way by now.

6. Computer hackers are another capability available to China. In 2007, Time reported on a computer hacker, Tan Dailin, also known by the screen name of Withered Rose. Tan, who was a student at Sichuan University of Science and Engineering, is the leader of the Network Crack Program Hacker group. Founded in 2004, the Network Crack Program Hacker group earned its reputation by hacking into other hacker group websites and by July 2005 drew the attention of the Sichuan Military Command Communication Department. The department invited Tan’s group to participate in a computer hacker competition sponsored by the Chengdu Military Command. Tan’s group won the competition and then had a month of intense training organized by the provincial military command, simulating attacks, designing hacking tools, and drafting network-infiltration strategies. China vehemently denies any connection between hackers and the PRC. China’s State Council Information Office said that accusations that the hackers are targeting overseas entities are groundless, irresponsible and also have ulterior motives. [24]

7. Network Crack Program Hacker is one of the many hacker groups in China. Honker Union, Red Hacker Alliance, Titan Rain, GhostNet, and Student Hacker Union are other prominent groups, with membership ranging in size from several members to tens of thousands. [25] Tim Stevens, with Jane’s Intelligence Review, reports that the presence of thousands of hacker groups pursuing nationalistic goals makes it difficult to determine the lines between civilian and military computer network operations. [26] It is likely that hacker groups continually reinvent themselves as they "founded, grow, evolve, and then shift to new names or groupings given their apparently illegal nature." [27] Chinese law prohibits hacking and the government has periodically taken legal action against such groups, presumably in an attempt to demonstrate Beijing’s resolution to prevent such activities. [28]

8. China continues to develop and improve its capability in conducting computer network operations. The Office of the Secretary of Defense outlined in its 2010 report to the US Congress on security developments involving the PRC that the PRC utilizes a large, well-organized network of enterprises, defense factories and affiliated research institutes and computer network operations to facilitate the collection of sensitive information and export-controlled technology. [29] In a discussion of China’s modernization program, the report continues that "foreign investments, commercial joint ventures, academic exchanges, repatriated PRC students and researchers, and state sponsored industrial/technical espionage" are identified means used to improve military research, development, and acquisition. [30] The Chinese have made a substantial investment in cyber warfare and they have a very large organization devoted to it and they are getting pretty aggressive. [31]

9. Concerns about China’s net force were heightened after the attacks on US computer systems and after the Chinese militia carried out IW exercises, which included India, the US, Taiwan and Japan as target countries. The aim of such training was to disrupt critical infrastructure like banking, power supply and telecommunication networks in the target country as part of China’s asymmetric approach to warfare. In the cyber domain, the Chinese have adopted three methods for targeting such networks. These include:

(a) The use of e-mails for planting virus.

(b) Phishing.

(c) The introduction of ‘intelligent Trojans’ and ‘vacuum Trojans’.

10. Hackers’ tools are becoming more robotic and simple; for instance, a vacuum Trojan will extract information from a pen drive automatically when it is connected to a USB port. It is also believed that the next step could be planting the targeted sites with fake or partially fake data, which is more difficult to detect. In Nanjing, the PLA has developed more than 250 Trojans and similar tools. Here, it needs to be remembered that foreign companies like Network Solutions were made to hand over 300 computer viruses by the Ministry of Public Security’s lab in an effort to speed up the certification of antivirus products. Further, the Chinese Academy of Sciences, which provides suggestions about national information security policy and law, has established the State Lab for Information Security. The lab has the ‘National Attack Project’ as one of its research programmes. Also, select professionals have been inducted into militia organisations to boost combat capabilities in future wars. It is therefore safe to believe that the Chinese have the capabilities to conduct cyber warfare directly with the help of IW militia and technical reconnaissance bureaus and indirectly wage it with hacker groups.


