Careful what you wish for—change and continuity in China’s cyber threats (part 1)
5 Apr 2018

Although there’s been a discernible reduction in the magnitude of Chinese cyber intrusions in the past few years, the threat has been transformed, not diminished. While US diplomacy has helped reshape Chinese cyber activities during this period, the reorganisation and professionalisation of Chinese cyber forces constitute a greater long-term challenge.

In September 2015, then-US President Barack Obama and Chinese Communist Party (CCP) General Secretary Xi Jinping announced:

[N]either country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.

This agreement was initially hailed as a ‘significant step’ despite strong scepticism about its prospects for success. At first, reports and assessments pointed to a distinct decrease in the operations of Chinese advanced persistent threat (APT) groups, although a range of factors other than US pressure likely accounted for the change.

In October 2017, the first US–China Law Enforcement and Cybersecurity Dialogue reaffirmed that, ‘Both sides will continue their implementation of [that] consensus’. Since then, however, debates about the agreement’s efficacy have continued, and the US later warned its Chinese counterparts about apparent backsliding.

As of March 2018, the US government’s Section 301 investigation into China’s ‘acts, policies, and practices related to technology transfer, intellectual property, and innovation’—which serves as the basis for the tariffs imposed against China by the Trump administration—has found:

China continues its policy and practice, spanning more than a decade, of using cyber intrusions to target US firms to access their sensitive commercial information and trade secrets.

So, there’s indeed a degree of continuity in Chinese cyber-espionage activities. Despite this, notable changes have occurred, particularly since late 2015. Since then, there appears to be clearer prioritisation and greater sophistication in targeting, which has increasingly been undertaken, often with some plausible deniability, by China’s Ministry of State Security.

US pressure and diplomacy evidently have affected Beijing’s calculus. To be sure, debate continues regarding how CCP and military leaders responded to the high-profile exposure of the activities of ‘APT1’, Unit 61398 of the Chinese People’s Liberation Army (PLA) in 2013, and then the US Department of Justice’s 2014 indictment of five officers from that same unit. The initial decrease in Chinese cyber-espionage operations is often dated to mid-2014.

Such ‘naming and shaming’ could be dismissed as being utterly ineffectual against the shameless. Or it could be seen as having a major effect by revealing that such detailed attribution is feasible, while exposing the full extent of the group’s activities.

China’s pursuit of industrial espionage has evidently been undertaken in accordance with national objectives for economic development and military modernisation. The scope and scale of these operations—including the risk of detection—however, may not have been clearly known to high-level leadership. And certain activities may have reflected ‘moonlighting’ or corruption by PLA units, both of which Xi’s anti-corruption campaign has since targeted.

Although the sincerity of Beijing’s commitment should certainly be questioned, the evidence that the Section 301 findings provide for ‘cyber-enabled theft of intellectual property’ since 2015 is rather limited (which I’ll look at in my next post). Most incidents of IP theft detailed in the report, including the targeting of SolarWorld and Westinghouse, were undertaken prior to 2015 by the Third Department of the former PLA General Staff Department (3PLA).

The 3PLA was once regularly used to advance economic interests, including on behalf of Chinese state-owned enterprises. Such activities were consistent with China’s concept of national or state security (国家安全), which explicitly includes a focus on economic security. For instance, as the Section 301 findings reveal, in 2012 China National Offshore Oil Corporation (CNOOC) requested that Chinese military intelligence provide information on US oil and gas companies to strengthen CNOOC’s position in negotiations.

Since 2015, as the PLA has concentrated on building up its military cyber capabilities, 3PLA has likely redirected its activities away from hacking for commercial purposes. Notably, in December 2015, the PLA embarked on a major reform and reorganisation that included the creation of the Strategic Support Force (战略支援部队, SSF).

The SSF has consolidated most of the PLA’s military cyber forces into its Network Systems Department (网络系统部) to build up a new ‘Cyber Corps’ (网军). It includes elements of the former 3PLA, as well as the 4PLA, which was responsible for electronic warfare and offensive cyber operations.

The SSF integrates the PLA’s space, cyber, electronic and psychological warfare capabilities into a single force that’s designed to achieve dominance in critical ‘strategic frontiers’ (战略边疆) that are seen as the ‘commanding heights’ of warfare.

The PLA’s apparent concern about the disparity between its cyber capabilities and those of the US was a major impetus for the SSF’s establishment. Since the SSF is directly under the command of the PLA’s Central Military Commission, its creation has consolidated and centralised control over China’s military cyber forces.

Although 3PLA units may have gained valuable operational experience in their commercial espionage activities, PLA leaders may prefer that they concentrate on building up actual combat power.

For instance, writing in early 2016, Major General Hao Yeli (郝叶力), former deputy head of 4PLA, highlighted the importance of improving cyber-operations capabilities. She alluded to the importance of establishing a more ‘positive image’ and countering the ‘guilty presumption’ that China’s Cyber Corps primarily engage in IP theft.

Since the establishment of the Strategic Support Force, China’s military cyber forces appear to have refocused their efforts on becoming a ‘sword for deterrence and shield for defence’ in this domain.

In the meantime, the Ministry of State Security appears to have taken up cyber espionage to advance state interests, often exploiting ambiguities in the Xi–Obama agreement. While that framework contributed to changes in Chinese cyber-threat activities, China has since made progress in its ambitions to emerge as a ‘cyber superpower’ (网络强国).