Scope Note
The present study is intended to be a detailed follow-up to, and expansion of, a 2009 assessment prepared for the U.S.-China Economic and Security Review Commission of China’s evolving computer network operations capabilities and network intrusion incidents attributed to China. Concern in the United States over alleged Chinese penetrations of both commercial and government networks has only intensified in the past two years as successive incidents have come to light in the media and more organizations have voluntarily come forward. The Commission requested a study that both reviewed developments since the 2009 study was completed and examined new issues related to cybersecurity, China, and potential risks to U.S. interests. Specifically, Northrop Grumman information security analysts were tasked by the Commission to address:
1. The state of development in Chinese cyber-warfare strategy including the major military institutions and authors prominent in developing employment concepts and strategic guidance for the People’s Liberation Army (PLA);
2. New developments in Chinese practices and capabilities for computer network exploitation to support intelligence penetration and collection against U.S. networks;
3. The potential implications for U.S. military forces in the western Pacific Ocean region, as well as in the continental United States (CONUS) if China staged a network based attack on U.S. systems and infrastructure;
4. The major actors within China (both state-affiliated and state-sponsored) who appear to be engaged in the development of computer network operations (CNO) and computer network exploitation (CNE) capabilities, and any identifiable institutional linkages among these groups and the government patron organizations supporting them;
5. The activities and research interests of China’s most prominent or influential telecommunications research institutes, companies and consortiums and an assessment of any substantive linkages to the PLA, People’s Republic of China (PRC) or PRC ministries with security or information technology portfolios;
6. A comparative assessment of the tools and techniques associated with contemporary cyber criminals and with state-sponsored operations originating in China to assess the distinctions that can be drawn in the operations and tools common to cyber criminals and cyber espionage activity;
7. An examination and assessment of the potential network security vulnerabilities, if any, that might be posed by the collaboration between Chinese and U.S. cybersecurity firms.
The Chinese source material for this study came from authoritative PLA publications or authors, PRC government ministries responsible for science and technology policy, Chinese defense industries, China’s information technology sector, relevant industry websites and publications, and PRC information technology (IT) industry media and event reporting; additional material related to the role of academia and industry in the development of China’s information warfare (IW) programs was obtained from technical journals, research summaries and academic writings sponsored by Chinese universities and PLA and civilian research institutes doing work in IW relevant fields.
Analysis of recent intrusions attributed to China and of telecommunications supply chain vulnerabilities is based on non-proprietary, publicly available information. The present analysis of these potential areas of vulnerability is meant to serve as a reference point for continued and more detailed analysis of how U.S. telecommunications supply chains may be better protected in the future.
The result is a comprehensive review of current Chinese efforts to integrate computer network operations into a broader military and intelligence context, together with a snapshot of current research and development (R&D) priorities in areas related to CNO. It will hopefully serve as a useful reference for policymakers, China specialists, and information operations professionals in both industry and government.
Executive Summary
The PLA’s sustained modernization effort over the past two decades has driven remarkable transformation within the force and put the creation of a modern command, control, communications, computers, intelligence, surveillance, and reconnaissance (C4ISR) infrastructure at the heart of the PLA’s strategic guidelines for long term development. This priority on C4ISR systems modernization has in turn been a catalyst for the development of an integrated information warfare (IW) capability, one intended to defend military and civilian networks while seizing control of an adversary’s information systems during a conflict.
Information Warfare Strategy
PLA leaders have embraced the idea that successful warfighting is predicated on the ability to exert control over an adversary’s information and information systems, often preemptively. This goal has effectively created a new strategic and tactical high ground, occupying which has become just as important for controlling the battlespace as its geographic equivalent in the physical domain.
The PLA has not publicly disclosed the existence of a computer network operations strategy distinct from the other components of IW, such as electronic warfare, psychological operations, kinetic strike, and deception, but rather appears to be working toward the integration of CNO with these components in a unified framework broadly known as “information confrontation.” This concept, as discussed by the PLA, seeks to integrate all elements of information warfare, electronic and non-electronic, offensive and defensive, under a single command authority.
Earlier in the past decade, the PLA adopted a multi-layered approach to offensive information warfare that it calls Integrated Network Electronic Warfare (INEW). Now the PLA is moving toward information confrontation as a broader conceptualization that seeks to unite the various components of IW under a single warfare commander. The need to coordinate offensive and defensive missions more closely and to ensure that these missions are mutually supporting is driven by the recognition that IW must be closely integrated with PLA campaign objectives. The creation of what is probably an information assurance command within the General Staff Department bureaucracy suggests that the PLA may be building a more centralized command authority for IW, one possibly responsible for coordinating at least network defense throughout the PLA.
As Chinese capabilities in joint operations and IW strengthen, China will be able to employ them either as deterrence tools or as true offensive weapons capable of degrading the military capabilities of technologically advanced nations, or of holding those nations’ critical infrastructure at risk, in ways heretofore not possible for China. This will present U.S. leaders and the leaders of allied nations with a more complex risk calculus when evaluating decisions to intervene in Chinese-initiated conflicts, such as aggression against Taiwan or other nations in the Western Pacific region.
Chinese Use of Network Warfare Against the United States
Chinese capabilities in computer network operations have advanced sufficiently to pose genuine risk to U.S. military operations in the event of a conflict. A defense of Taiwan against mainland aggression is the one contingency in the western Pacific Ocean in which success for the United States hinges upon the speed of its response and the ability of the military to arrive on station with sufficient force to defend Taiwan adequately. PLA analysts consistently identify logistics and C4ISR infrastructure as U.S. strategic centers of gravity, suggesting that PLA commanders will almost certainly attempt to target these systems with both electronic countermeasures weapons and network attack and exploitation tools, likely in advance of actual combat, to delay U.S. entry or degrade U.S. capabilities in a conflict.
The effects of preemptive penetrations may not be readily observable or detected until after combat has begun or after Chinese computer network attack (CNA) teams have executed their tools against targeted networks. Even if circumstantial evidence points to China as the culprit, no policy currently exists to easily determine appropriate response options to a large scale attack on U.S. military or civilian networks in which definitive attribution is lacking. Beijing, understanding this, may seek to exploit this gray area in U.S. policymaking and legal frameworks to create delays in U.S. command decision making.
Key Entities and Institutions Supporting Chinese Computer Network Operations
The decision to employ computer network operations and INEW capabilities rests with the senior political and military leadership and would be part of the larger decision to employ force during a crisis. Once that decision is made, however, operational control of the military use of CNO rests with the PLA’s Third and Fourth Departments of the General Staff Department (GSD). The Third Department (3PLA), China’s primary signals intelligence collector, is likely tasked with the network defense and possibly the exploitation missions. The Fourth Department (4PLA), the traditional electronic warfare arm of the PLA, likely has responsibility for conducting network attack missions.
The PRC government actively funds grant programs to support CNO-related research, both offensive and defensive in orientation, at commercial IT companies and at civilian and military universities. A review of PRC university technical programs, curricula, research foci, and funding for research and development in areas contributing to information warfare capabilities illustrates the breadth and complexity of the relationships between the universities, government and military organizations, and commercial high-tech industries countrywide. In the civilian academic environment, the PRC government (in concert with the PLA in some cases) uses at least five established national grant programs to fund research related to information warfare and to fund the PLA’s informationization programs. At least 50 civilian universities conducting information security research nationwide benefit from one or more of roughly five main national-level high technology grant programs, reflecting what appears to be a broad technology development plan consistent with published national priorities.
The PLA is heavily reliant upon China’s commercial information technology (IT) sector to aid research and development of dual-use and military-grade microelectronics and telecommunications. Rather than isolate certain state-owned IT firms as exclusively “defense” in orientation, the PLA, often operating through its extensive base of R&D institutes, alternately collaborates with China’s civilian IT companies and universities and benefits as a customer of nominally civilian products and R&D. The military benefits because it receives access to cutting-edge research. This work is often carried out by Chinese commercial firms with legitimate foreign partners supplying critical technology and often sharing the cost of the R&D.
A secondary benefit to the PLA of this strategy is the ready access to the latest commercial off-the-shelf (COTS) telecommunications technology brought in by China's access to the foreign joint ventures and international commercial markets.
This close relationship between the PLA and some of China’s (and the world’s) largest telecommunications hardware manufacturers creates a potential vector for state-sponsored or state-directed penetration of the supply chains for microelectronics supporting U.S. military, civilian government, and high value civilian industry such as defense and telecommunications, though no evidence for such a connection is publicly available.
Potential Risks to the U.S. Telecommunications Supply Chain
The pervasiveness of globally distributed supply chain networks means that virtually every sector of private industry has the potential to be impacted by a compromise. The vectors into the telecommunications and integrated circuit (IC) supply chain specifically can come from either upstream (manufacturing channels) or downstream (distribution channels). Each vector presents distinctive opportunities, and also distinctive operational costs, to potential attackers.
The geographically distributed nature of IC production means that a single chip may incorporate circuits designed in multiple locations around the globe. This model reduces the cost of new product development, but it also creates additional security and integrity risks. Without strict control of this complex upstream channel, a manufacturer of routers, switches, or other basic telecommunications hardware is exposed to innumerable points of possible tampering and must rely on rigorous and often expensive testing to ensure that the semiconductors being delivered are trustworthy and will perform only as specified, with no additional unauthorized capabilities hidden from view.
Deliberate modification of semiconductors upstream of final product assembly and delivery could have subtle or catastrophic effects. An adversary able to gain covert access to and monitor sensitive systems could degrade a system’s mission effectiveness, insert false information or instructions to cause premature failure, or take complete remote control of, or destroy, the targeted system. Although the potential for damage is extreme, the complexity of the technical challenge (altering a design, ensuring the compromise is actually fabricated into the delivered part, and ensuring the hardware reaches its intended target) limits the roster of candidates with the skills and resources necessary to accomplish an upstream supply chain penetration.
A more feasible vector is the downstream distribution channels supplying the targeted organizations, where the engineering and logistical challenges are less complex. By providing counterfeit hardware whose firmware or software already contains the Trojanized access, a foreign intelligence service or similarly sophisticated attacker has a greater chance of successfully penetrating these downstream supply chains.
The technical and logistical challenges associated with hardware supply chain compromises render these types of attacks generally feasible for only extremely well-resourced organizations, such as nation-state intelligence organizations that have the access to necessary technical personnel to engineer the firmware compromise and the depth of operational expertise to ensure the counterfeit hardware enters the supply chain and reaches its intended target.
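The report identifies counterfeit hardware carrying Trojanized firmware as the more practical downstream vector. The one control a receiving organization can apply at that point is to verify every delivered firmware component against a manifest the vendor authenticated before shipment, and to treat any altered, missing, or unlisted component as grounds to reject the unit. The following is an added illustration of that check and is not code from the report or from any vendor; the manifest format, component names, key, and bundle contents are all constructed for the example, and the out-of-band HMAC key stands in for the detached vendor signature a real deployment would verify with the vendor’s public key.

```python
"""Integrity check for a delivered firmware bundle.

Added example, not from the report: a check an integrator can run on hardware
arriving through a downstream distribution channel. It compares every
component of the delivered bundle against a vendor manifest and rejects the
bundle if the manifest does not authenticate, if any component hash differs,
if a listed component is missing, or if the bundle carries a component the
vendor never listed (the footprint an added Trojanized module leaves).
The manifest format, component names, key and bundle contents are constructed.
"""
import hashlib
import hmac

# Hypothetical key obtained out of band from the vendor. It stands in for the
# vendor's detached manifest signature, which in practice is verified with the
# vendor's public key; the rest of the logic is unchanged.
VENDOR_KEY = b"example-vendor-manifest-key"


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(components: dict, key: bytes) -> str:
    """Vendor side: one 'name sha256' line per component, then a 'mac' line."""
    body = "\n".join(f"{name} {_sha256(data)}" for name, data in sorted(components.items()))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}\nmac {tag}"


def parse_manifest(text: str, key: bytes):
    """Return {name: sha256} if the manifest authenticates, else None."""
    lines = text.strip().split("\n")
    if not lines or not lines[-1].startswith("mac "):
        return None
    body = "\n".join(lines[:-1])
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, lines[-1][4:]):
        return None
    entries = {}
    for line in lines[:-1]:
        name, digest = line.split(" ", 1)
        entries[name] = digest
    return entries


def verify_bundle(manifest_text: str, bundle: dict, key: bytes) -> dict:
    """Receiving side: compare a delivered bundle {name: bytes} to the manifest."""
    expected = parse_manifest(manifest_text, key)
    if expected is None:
        return {"ok": False, "reason": "manifest failed authentication"}
    modified = sorted(n for n in expected if n in bundle and _sha256(bundle[n]) != expected[n])
    missing = sorted(n for n in expected if n not in bundle)
    unexpected = sorted(n for n in bundle if n not in expected)
    ok = not (modified or missing or unexpected)
    return {"ok": ok, "modified": modified, "missing": missing, "unexpected": unexpected}


# Constructed sample data: what the vendor built, and what arrived.
GENUINE = {
    "bootloader.bin": b"\x7fELF genuine bootloader v2.1",
    "kernel.img": b"genuine kernel image 4.19",
    "mgmt-agent.bin": b"genuine management agent",
}
MANIFEST = build_manifest(GENUINE, VENDOR_KEY)

# A counterfeit unit: management agent patched, plus a module the vendor never shipped.
COUNTERFEIT = dict(GENUINE)
COUNTERFEIT["mgmt-agent.bin"] = b"genuine management agent" + b"\x90\x90 reverse-shell stub"
COUNTERFEIT["diag-helper.bin"] = b"undocumented module"


if __name__ == "__main__":
    print(verify_bundle(MANIFEST, GENUINE, VENDOR_KEY))
    print(verify_bundle(MANIFEST, COUNTERFEIT, VENDOR_KEY))
    # A manifest rewritten in transit to match the counterfeit fails authentication.
    forged = build_manifest(COUNTERFEIT, b"wrong-key")
    print(verify_bundle(forged, COUNTERFEIT, VENDOR_KEY))
```

The check is deliberately strict in both directions: a component hash that differs and a component that is absent from the manifest are each sufficient to reject the unit, because a counterfeit device is as likely to add a module as to patch one. It does nothing against an upstream compromise fabricated into the silicon itself, which is exactly the distinction the report draws between the two vectors.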
Regardless of the sophistication of the attackers, a successful penetration of a telecommunications supply chain has the potential to cause a catastrophic failure of select systems and networks supporting critical infrastructure for national security or public safety. Although the complexity of these types of attacks may limit the number who can succeed, it does not lessen the impact if they do.
A Comparative Analysis of Criminal vs. State Sponsored Network Exploitation
Organized cyber criminals and state-sponsored intelligence professionals conducting computer network exploitation often operate in the same environment and sometimes against similar categories of targets. This overlap poses attribution challenges for information security professionals, policymakers, business leaders, and members of the law enforcement and intelligence communities, all of whom have uniquely different responses to these two groups of actors. Distinguishing among them is not merely an academic or theoretical debate. The actions of each group, if left unchecked, have the potential to inflict serious damage to U.S. national security at multiple levels. Professional state sponsored intelligence collection not only targets a nation’s sensitive national security and policymaking information, it increasingly is being used to collect economic and competitive data to aid foreign businesses competing for market share with their U.S. peers.
Media and industry reports portray some of the incidents attributed to China as advanced, but the reality is that many successful penetrations are “advanced” only because the targeted organization was unable to stop them or to detect the presence of the operators on its networks. Many victim organizations simply lack the resources to maintain a large or highly skilled information security organization capable of adequately defending against these adversaries.
Criminal operations typically do not place value on compromising and maintaining access to a single server or individual user machine. They require instead a high degree of flexibility and agility to move among many targets within an organization’s network.
Activities attributed to state sponsored operators often appear to target data that is not easily monetized in underground criminal online auctions or markets but highly valuable to foreign governments. Highly technical defense engineering information, operational military data, or government policy analysis documents rarely if ever appear to be a priority for cybercriminal groups.
Cyber intelligence analysis must begin considering questions about the likely identity of the end user of stolen information in addition to the identity and affiliation of the attackers to develop insights into what information is likely to be targeted in their organizations. More holistic models that blend counterintelligence analysis and methods with traditional information security engineering are more descriptive and provide greater depth of understanding of the threat in support of information security planning.
Collaboration of U.S. and Chinese Information Security Firms: Risks and Reality
Collaboration between U.S. and Chinese information security firms, while not common to date, has raised concerns over the potential for illicit access to sensitive network vulnerability data at a time when the volume of reporting about Chinese computer network exploitation activities directed against U.S. commercial and government entities remains steady.
To date, the former joint venture between Huawei Shenzhen Technology Company Ltd and Symantec, Inc. is the only major partnering between a Western information security firm and a Chinese high technology company. In November 2011, the partnership announced that after four years of operations, Huawei would buy out Symantec’s portion, giving Huawei full ownership of the company. At present, no other information security firms have publicly announced plans for similar deals in China.
The risks arising from future partnerships between U.S. or other Western information security firms and Chinese IT firms are primarily related to the loss of intellectual property and the erosion of long term competitiveness, the same threats faced by many U.S. companies in other sectors entering partnerships in China. Intellectual property theft is a concern for virtually all U.S. businesses operating in China, according to a 2011 survey conducted by the US-China Business Council.
Partnering with an American or other Western anti-virus vendor does not necessarily allow the Chinese partner to obtain signature data earlier than legitimate participation in industry consortia such as the Microsoft Virus Information Alliance, but it may provide the Chinese partner with deeper access to U.S. markets over the long term.
The risks associated with these types of partnerships are not limited to Chinese business partners or to the security industry: these same threats of intellectual property theft exist in numerous industries and countries in which U.S. businesses operate.
Collectively, recent developments in Chinese computer network operations reflect a nation fully engaged in leveraging all available resources to create a diverse, technically advanced ability to operate in cyberspace. Computer network operations have assumed a strategic significance for the Chinese leadership that moves beyond solely military applications and is being broadly applied to assist with long term strategies for China’s national development.