US-China Economic and Security Review Commission, "Capability of the People’s Republic of China to Conduct Cyber Warfare and Computer Network Exploitation," October 9, 2009

Report prepared by Northrop Grumman's Bryan Krekel, George Bakos, and Christopher Barnett.
October 9, 2009

Scope Note

This paper presents a comprehensive open source assessment of China’s capability to conduct computer network operations (CNO) both during peacetime and periods of conflict. The result will hopefully serve as a useful reference to policymakers, China specialists, and information operations professionals. The research for this project encompassed five broad categories to show how the People’s Republic of China (PRC) is pursuing computer network operations (CNO) and the extent to which it is being implemented, by examining:

a) The PLA’s strategy for computer network operations at the campaign and strategic level to understand how China is integrating this capability into overall planning efforts and operationalizing it among its field units;

b) Who are the principal institutional and individual “actors” in Chinese CNO and what linkages may exist between the civilian and military operators;

c) Possible targets of Chinese CNO against the US during a conflict to understand how the PLA might attempt to seize information control over the US or similar technologically advanced military during a conflict;

d) The characteristics of ongoing network exploitation activities targeting the US Government and private sector that are frequently attributed to China;

e) A timeline of alleged Chinese intrusions into US government and industry networks to provide broader context for these activities.

The basis for this work was a close review of authoritative open source PLA writings, interviews with Western PLA and information warfare analysts, reviews of Western scholarship on these subjects, and forensic analysis of intrusions into US networks assessed to have Chinese origins. The research draws heavily from journals and articles published by the Chinese National Defense University and the Academy of Military Sciences, the military’s highest authority for issues of doctrine, strategy, and force modernization. Many of these publications offer substantive insights into current thinking on strategy and doctrinal issues related to information warfare and CNO. Additional insights into the role of information warfare in broader campaign doctrine and strategy came from The Science of Military Strategy and The Science of Campaigns, two of the most authoritative sources on the subject available in the open press. The military’s official newspaper, The PLA Daily, and a range of Chinese military journals, official media, provincial and local media, as well as non-PRC regional media, all provided data on information warfare (IW) training events.

Technical assessments of operational tradecraft observed in intrusions attributed to China are the result of extensive forensic analysis and discussions with information security professionals who follow these issues closely. A review of Chinese technical journal articles on computer network attack and exploitation techniques also aided this study. This research was obtained from online Chinese databases accessible in the US.

A regular review of the contents and discussions posted on Chinese hacker Websites contributed to the analysis of these groups’ activities and capabilities. The focus of this effort was to identify possible interactions between members of these groups and the government. Conversations with Western information security analysts who closely follow these groups and actors contributed immensely to focusing the research and greatly aided our understanding of China’s hacker communities.

This study was not scoped to include research in China; consequently, the authors focused on the materials and insights presently available outside of China. Additional in-country research on this subject is an avenue of future effort that can, and should, supplement the work presented here.

Executive Summary

The government of the People’s Republic of China (PRC) is a decade into a sweeping military modernization program that has fundamentally transformed its ability to fight high tech wars. The Chinese military, using increasingly networked forces capable of communicating across service arms and among all echelons of command, is pushing beyond its traditional missions focused on Taiwan and toward a more regional defense posture. This modernization effort, known as informationization, is guided by the doctrine of fighting “Local War Under Informationized Conditions,” which refers to the PLA’s ongoing effort to develop a fully networked architecture capable of coordinating military operations on land, in air, at sea, in space and across the electromagnetic spectrum.

This doctrinal focus is providing the impetus for the development of an advanced IW capability, the stated goal of which is to establish control of an adversary’s information flow and maintain dominance in the battlespace. Increasingly, Chinese military strategists have come to view information dominance as the precursor for overall success in a conflict. The growing importance of IW to China’s People’s Liberation Army (PLA) is also driving it to develop more comprehensive computer network exploitation (CNE) techniques to support strategic intelligence collection objectives and to lay the foundation for success in potential future conflicts.

One of the chief strategies driving the process of informationization in the PLA is the coordinated use of CNO, electronic warfare (EW), and kinetic strikes designed to strike an enemy’s networked information systems, creating “blind spots” that various PLA forces could exploit at predetermined times or as the tactical situation warranted. Attacks on vital targets such as an adversary’s intelligence, surveillance, and reconnaissance (ISR) systems will be largely the responsibility of EW and counterspace forces with an array of increasingly sophisticated jamming systems and anti-satellite (ASAT) weapons. Attacks on an adversary’s data and networks will likely be the responsibility of dedicated computer network attack and exploitation units.

The Chinese have adopted a formal IW strategy called “Integrated Network Electronic Warfare” (INEW) that consolidates the offensive mission for both computer network attack (CNA) and EW under the PLA General Staff Department’s (GSD) 4th Department (Electronic Countermeasures), while the computer network defense (CND) and intelligence gathering responsibilities likely belong to the GSD 3rd Department (Signals Intelligence), and possibly a variety of the PLA’s specialized IW militia units.

This strategy, which relies on a simultaneous application of electronic warfare and computer network operations against an adversary’s command, control, communications, computers, intelligence, surveillance, and reconnaissance (C4ISR) networks and other essential information systems, appears to be the foundation for Chinese offensive IW. Analysis of this strategy suggests that CNO tools will be widely employed in the earliest phases of a conflict, and possibly preemptively against an enemy’s information systems and C4ISR systems.

The PLA is training and equipping its force to use a variety of IW tools for intelligence gathering and to establish information dominance over its adversaries during a conflict. PLA campaign doctrine identifies the early establishment of information dominance over an enemy as one of the highest operational priorities in a conflict; INEW appears designed to support this objective.

The PLA is reaching out across a wide swath of the Chinese civilian sector to meet the intensive personnel requirements necessary to support its burgeoning IW capabilities, incorporating people with specialized skills from commercial industry, academia, and possibly select elements of China’s hacker community. Little evidence exists in open sources to establish firm ties between the PLA and China’s hacker community; however, research did uncover limited cases of apparent collaboration between more elite individual hackers and the PRC’s civilian security services. The caveat to this is that amplifying details are extremely limited and these relationships are difficult to corroborate.

China is likely using its maturing computer network exploitation capability to support intelligence collection against the US Government and industry by conducting a long term, sophisticated, computer network exploitation campaign. The problem is characterized by disciplined, standardized operations, sophisticated techniques, access to high-end software development resources, a deep knowledge of the targeted networks, and an ability to sustain activities inside targeted networks, sometimes over a period of months.

Analysis of these intrusions is yielding increasing evidence that the intruders are turning to Chinese “black hat” programmers (i.e. individuals who support illegal hacking activities) for customized tools that exploit vulnerabilities in software that vendors have not yet discovered. This type of attack is known as a “zero day exploit” (or “0-day”) because the defenders have not yet started counting the days since the release of vulnerability information. Although these relationships do not prove any government affiliation, they suggest that the individuals participating in ongoing penetrations of US networks have Chinese language skills and well-established ties with the Chinese underground hacker community. Alternately, they may imply that the individuals targeting US networks have access to a well-resourced infrastructure that is able to broker these relationships with the Chinese black hat hacker community and provide tool development support, often while an operation is underway.

The depth of resources necessary to sustain the scope of computer network exploitation targeting the US and many countries around the world coupled with the extremely focused targeting of defense engineering data, US military operational information, and China-related policy information is beyond the capabilities or profile of virtually all organized cybercriminal enterprises and is difficult at best without some type of state-sponsorship.

The type of information often targeted for exfiltration, unlike credit card numbers or bank account information, has no inherent monetary value to cybercriminals. If the stolen information is being brokered to interested countries by a third party, the activity can still technically be considered “state-sponsored,” regardless of the affiliation of the actual operators at the keyboard.

The US information targeted to date could potentially benefit a nation-state defense industry, space program, selected civilian high technology industries, foreign policymakers interested in US leadership thinking on key China issues, and foreign military planners building an intelligence picture of US defense networks, logistics, and related military capabilities that could be exploited during a crisis. The breadth of targets and range of potential “customers” of this data suggests the existence of a collection management infrastructure or other oversight to effectively control the range of activities underway, sometimes nearly simultaneously.

In a conflict with the US, China will likely use its CNO capabilities to attack select nodes on the military’s Non-classified Internet Protocol Router Network (NIPRNET) and unclassified DoD and civilian contractor logistics networks in the continental US (CONUS) and allied countries in the Asia-Pacific region. The stated goal in targeting these systems is to delay US deployments and impact combat effectiveness of troops already in theater.

No authoritative PLA open source document identifies the specific criteria for employing computer network attack against an adversary or what types of CNO actions PRC leaders believe constitute an act of war.

Ultimately, the only distinction between computer network exploitation and attack is the intent of the operator at the keyboard: The skill sets needed to penetrate a network for intelligence gathering purposes in peacetime are the same skills necessary to penetrate that network for offensive action during wartime. The difference is what the operator at that keyboard does with (or to) the information once inside the targeted network. If Chinese operators are, indeed, responsible for even some of the current exploitation efforts targeting US Government and commercial networks, then they may have already demonstrated that they possess a mature and operationally proficient CNO capability.