China and Cyberspace

The People’s Republic of China (PRC) maintains a robust capacity to conduct cyber operations through the combined use of network and psychological operations, media propagation, and electronic warfare capabilities. China’s People’s Liberation Army (PLA), views these four forms of operations as occurring within one collective “information domain,” control over which is critical for future great-power conflicts.¹ The Chinese notion of “information domain” encompasses cyberspace, but also includes other areas where information is present. In this section, we focus primarily on Chinese information capability in cyberspace.

The Chinese Communist Party (CCP) has taken extensive steps to control internal and external information flow both at home and abroad.² To this end, the PRC has undertaken an extensive reorganization of its military and increased its efforts to expand its influence abroad. Collectively, these policies have been implemented with the dual purposes of advancing the PRC’s diplomatic and economic interests on the world stage and bolstering China’s military position in the event of a large-scale conflict.³

To fully understand how China conducts cyber operations, one must first understand the doctrinal basis for the PLA’s approach to cyber warfare. Just as Russia draws much of its cyber conflict doctrine from the former Soviet Union, China also draws on the legacy of the CCP’s Leninist organizational principles.⁴ Indeed, CCP strategic planners dating back to Mao heavily emphasized the importance of the control of information and its role in subduing technologically and materially superior opponents. Hence, China’s use of cyber capabilities should be viewed as an outgrowth of older doctrines, updated to meet new strategic and technological realities.

China’s strategy of “informationization” (信息化) has its roots in a series of reforms made to the PLA in the wake of the Gulf War. Having witnessed the dismal performance of the Iraqi military during Operation Desert Storm, PLA military observers concluded that Coalition dominance of the C4ISR⁵ sphere was the key factor in their subsequent dismantlement of the Iraqi military.⁶ As a result, PLA observers concluded that control over the information space would be the decisive factor in future conflicts. Throughout the 1990s China’s government embarked upon a project of extensive military modernization, with the goal of creating a fully “informationized” fighting force.⁷ The importance of informationization has also been heavily emphasized in Chinese strategic planning since the early 2000s, through internal PLA publications and strategic planning documents released by China’s National Defense University (中国人民解放军国防大学). Most recently, China’s 2015 Defense White Paper outlined the need to have the capability to fight and win wars under “informationized conditions.”⁸ Taken collectively, it is clear that China’s leadership regards control of the information domain—and thus cyberspace—as an operational lynchpin in future conflicts.

As part of this focus on the importance of information, the PLA differs significantly from its Western counterparts in its approach to cyber and network operations. Rather than seeing cyber power as a distinct capability (in the same vein as air, land, sea, and space), China’s military planners view cyber and network operations as occurring in an “information domain.”⁹ This domain encompasses network, psychological, and media operations, as well as electronic warfare.¹⁰ To achieve control over the information domain, these parts must act in concert in peacetime and wartime. This view on how the information domain should be approached is reflected in the way the Chinese state organizes its military intelligence-gathering organs. Under current PLA doctrine, the ability to conduct informationized warfare requires extensive knowledge of a potential adversary’s systems and capabilities. This necessitates constant operational preparation of the environment (OPE) which blurs the lines between peacetime and wartime operations.¹¹ Moreover, network operations are not undertaken with the sole purpose of preparing for military conflict. China also routinely uses network operations to advance other aspects of its national power.¹²

China’s cyber capability is comprised of many military and non-military actors spanning the public and private sector. Given the CCP’s somewhat byzantine bureaucratic structure, as well as the considerable overlap of Chinese public and private entities, it is somewhat difficult to assess how China’s cyber and network capabilities are organized. However, some clues can be gained from doctrinal publications released by the PRC. According to the Science of Military Strategy (战略学), Chinese network forces are broken down into three categories:¹³

• Specialized network warfare forces (军队专业网络战力量): These forces comprise primarily PLA Units that are trained to conduct offensive and defensive network operations. It is likely that most, if not all, of these units are assigned a military unit cover designator (MUCD/部队代号).
• Authorized nonmilitary forces (授权力量): These comprise non-uniformed operators, such as the Ministry of State Security (MSS) and the Minister of Public Security (MPS).
• Civilian forces (民间力量): These can include cyber militia/auxiliary forces, which are embedded within civilian institutions such as universities and telecommunications companies.

Prior to China’s 2015 military reorganization, it was understood that the PLA General Staff Department (GSD) Third Department, also referred to as 3PLA, was tasked with managing and coordinating lines of effort across all three of the aforementioned types of forces.¹⁴ This responsibility appears to have passed to the PLA Strategic Support Force following the 2015 military reorganization.¹⁵ The main actors within these three branches are as follows.

As indicated earlier, the PLA appears to be the primary coordinating vehicle through which China conducts operations. Prior to 2015, China’s capabilities were managed by the General Staff Department (中国人民解放军总参谋部), which was subordinated to China’s Central Military Commission (中国共产党中央军事委员会). The General Staff Department, in turn, oversaw the Third Department of the People's Liberation Army's General Staff Department (3PLA) and the Fourth Department of the People's Liberation Army's General Staff Department (4PLA), which supervised signals intelligence gathering and electronic warfare, respectively. Starting in late 2015, China’s military underwent a major reorganization, creating the PLA Strategic Support Force (中国人民解放军战略支援部队). The Strategic Support Force comprises elements of the former General Staff Department and General Armaments Department. According to testimony given to the U.S.-China Economic and Security Review Commission, the Network Systems Department (网络系统部) of the Strategic Support Force has inherited 3PLA’s mission set, headquarters location, and much of its organizational structure.¹⁶ Consequently, the former 3PLA SIGINT bureaus appear to be organized primarily according geographical location, with the lion’s share of departments focused on targets in East Asia, Europe, and the United States. Their roles and organizational structures are as follows:

• First Bureau: Performs a supporting role to the rest of the department. The bureau appears to be tasked with maintaining information security within the former 3PLA, as well as handling cryptography.¹⁷
• Second Bureau (Formerly known as Unit 61389): ¹⁸ Also known as APT-1, this unit primarily conducts operations in the United States and Canada. It appears to collect data on military targets, as well as engaging in industrial espionage activity.¹⁹ The bureau gained notoriety in 2013 after the cybersecurity firm Mandiant published a profile of its ongoing operations against the United States.²⁰ Tools that this group uses include WEBC2, BISCUIT, and COOKIEBAG.²¹
• Third Bureau: Appears to primarily collect radio communications from areas in China’s periphery, including North and South Korea, Taiwan, and Central Asia.²²
• Fourth Bureau: Collects signals intelligence on Korean and Japanese targets.²³
• Fifth Bureau: Collects signals intelligence on Russian targets.²⁴
• Sixth Bureau: Primarily tasked with surveillance targets in South and Southeast Asia.²⁵
• Seventh Bureau: The exact nature of the Seventh Bureau’s mission is unclear, though it appears to provide a supporting role to the rest of the former 3PLA. It maintains extensive network attack and defense capabilities, as well as other means for network-centric warfare.²⁶
• Eighth Bureau: According to analysis from the Project 2049 Institute, it is possible that this bureau is focused on targets in Europe, as well as other parts of the world. Hence, it is possible that this bureau is primarily tasked with targeting Latin America.²⁷
• Ninth Bureau: Focuses on absorption and analysis of strategic intelligence.²⁸
• Tenth Bureau: Appears to be concentrated on surveillance of Russian-based missile sites.²⁹
• Eleventh Bureau aka the 2020 Unit: The exact nature of this bureau’s mission is unclear, though circumstantial evidence suggests that it focuses on Russian targets.³⁰
• Twelfth Bureau aka “Putter Panda”: Targets space-based sensing and satellite capabilities, as well as tracking information from European aerospace and telecommunications agencies.³¹

Ministry of State Security (MSS)

The Ministry of State Security (中华人民共和国国家安全部), or MSS, is China’s primary civilian intelligence organization, with a mission that is roughly analogous to that of both the FBI and CIA.³² The MSS appears to be tasked with counterintelligence and elimination of dissent within China, as well as collecting on intelligence targets abroad.³³ This entails traditional intelligence gathering missions, as well as industrial espionage activity on the part of the PRC.³⁴ Substantial evidence has emerged indicating that the MSS supports and directs China’s cyber operations, such as APT3, also known as Gothic Panda.³⁵ Additionally, the MSS directly oversees the China National Vulnerability Database (国家信息安全漏洞库), or CNNVD, which catalogues known security vulnerabilities in the Chinese network space.³⁶ According to the threat intelligence research firm Recorded Future, the CNNVD routinely withholds or delays the release of vulnerabilities, with the intention of stockpiling them for exploitation.³⁷

Ministry of Public Security (MPS)

The Ministry of Public Security (中华人民共和国公安部) is China’s main internal security force. The MPS’s responsibilities primarily cover domestic policing, counterterrorism operations, and domestic information control within the PRC, as well as managing the People’s Armed Police (中国人民武装警察部队), the main gendarmerie force within China.³⁸ Consequently, the MPS has a substantial role in overseeing network governance within China and plays a key part in maintaining network security. As a result, the MPS has assisted in drafting the PRC’s cybersecurity Multi-Level Protection Scheme (MLPS), which dictates security protocols for network operators within China.³⁹ The MPS acts in close conjunction with the Ministry of Science and Technology (中华人民共和国科学技术部), which oversees the creation and implementation of tech standards within China.⁴⁰ Many of these tech standards are written in a way that disadvantages foreign firms seeking to operate within China, and are commonly seen as a vector for technology transfer.

Cyber Militias

The PLA has partnered with numerous institutions within China’s civilian sector to create a number of “cyber militias” that are called upon to perform network operations. These institutions range from telecommunications companies to academic institutions and municipal governments within China. The exact means by which these cyber militias are incorporated into the PLA’s order of battle is not entirely clear. However, from the limited information that is available, it seems that they serve as nodes for civil-military integration between the PLA and China’s civilian economy, as well as being a source of technical expertise that China’s military can draw upon.⁴¹ It does not appear that China’s cyber militias are currently tasked with conducting offensive CNO or other sensitive tasks such as industrial espionage.

China’s Internet Service Providers and Telecommunications Firms

Although they are not assigned a formal intelligence gathering or military role, China’s telecommunications firms play a key supporting role in bolstering the PRC’s strategic position within the network domain.

China’s telecommunications firms are not technically part of the PRC governmental apparatus, nor are they officially classified as State-Owned Enterprises. However, there are indications that major Chinese telecommunications firms such as Huawei may act as de facto proxies of the PRC.⁴² These firms enjoy extensive financial backing from the Chinese state, and play a supporting role in advancing China’s strategic interests abroad. For example, Chinese telecom firms have taken an extremely proactive role in attempting to influence international standards, such as those governing 5G networks.⁴³ This drive to sway standards directly impacts China’s efforts to improve its position within the network domain. The dual nature of standards writing is aptly summarized by one commentator who noted that authorship of telecom standards is a “commercial advantage which parlays itself into a security advantage…Whoever controls the technology knows, intimately, how it was built and where all the doors and buttons are.”⁴⁴ Critically, Chinese telecom firms that operate abroad are still subject to PRC law.⁴⁵ Hence, these firms would be required to divulge information that passes through their networks to PRC military and intelligence authorities.

Another risk is posed by the prospect of Chinese firms acquiring and compromising elements of foreign supply chains. For example, in 2005 the Chinese firm Lenovo acquired IBM’s PC manufacturing division.⁴⁶ Lenovo has strong ties to institutions such as the China Academy of Sciences (中国科学院), which in turn has a close working relationship with both the Chinese government and the PLA’s information warfare organs.⁴⁷ It has also been implicated in past cyber-espionage activity conducted by the PRC.⁴⁸

China’s cyber capabilities render it a tier-1 cyber operator, whose competencies are comparable to that of Russia and other large nation states. Officially, China spends $154.3 billion annually on its military, although that number is probably closer to $190 billion when the “unofficial” is factored in.⁴⁹ The exact breakdown of China’s defense budget is classified, and so it is difficult to estimate the total spent on cyber capabilities. Given that cyber capabilities are identified as one of four critical domains in China’s 2015 Defense White Paper, it is likely that a considerable amount of money is devoted to developing network capabilities.⁵⁰

Moreover, China is in the process of aggressively expanding its high-tech manufacturing sector through state-directed initiatives such as the “Made In China 2025” (中国制造2025) program, as well as long-term planning initiatives, including the Medium- And Long- Term Plan for Development of Science and Technology (国家中长期科学和技术发展规划纲要).⁵¹ It is clear that China seeks to direct the necessary funds to achieve self-sufficiency in critical sectors such as information technology, which could lead to the erosion of the U.S.’s advantage in this area.⁵² The PRC has also invested considerable sums of money in critical dual-use technologies such as artificial intelligence and quantum computing, both of which have a variety of potential military applications, such as machine learning systems and cryptography.⁵³

In both peacetime and wartime, China employs its cyber warfare abilities to enhance its overall strategic position. Critically, these network capabilities are not employed in a vacuum but work as part of a cross-domain effort to incorporate elements across the DIME⁵⁴ spectrum. Put another way, China’s network capabilities support “cyber-enabled operations” across lines that can be grouped into several broad categories:

Advancing Diplomatic Claims

China has routinely employed cyber operations as a means of exerting influence over adversaries and potential partners. For example, its routine penetration of Taiwanese networks is part of a more extensive effort to exert economic and military pressure on the island to reduce its autonomy.⁵⁵ China has also used network operations to support diplomatic and trade efforts, even in cases where the PRC does not necessarily have an actively antagonistic relationship with the target entity. In late 2018, for instance, substantial evidence emerged indicating that network operators supported by the PRC had targeted the Alaska State Government in the midst of ongoing trade negotiations between China and the state government.⁵⁶ Interestingly, a large number of the network operations undertaken by the PRC target sub-state actors, many of which are associated with the so-called “Five Poisons” (五毒): Tibetan separatism, Uigher separatism, Falungong activity, Taiwanese independence, and pro-democracy activism.⁵⁷

There have been numerous documented cases of groups tied to the Chinese government employing network operations to harass activist groups abroad, especially those tied to minority ethnicities within China.⁵⁸ For example, the Red Alpha and Ghostnet campaigns featured highly sophisticated attacks targeting Tibetan advocacy groups.⁵⁹ These phishing and watering hole attacks, along with software exploits and malware, were designed to work across multiple platforms (e.g. Windows, MacOS, Android, etc.).⁶⁰ In the aggregate, the large number of sophisticated operations against dissident groups suggests that the CCP considers their suppression to be a high priority, and worth the risk of international backlash in order to silence groups it perceives as threats to the PRC’s internal stability.

While China routinely employs cyber operations to support its diplomatic efforts, these campaigns do not appear to share a uniform modus operandi. Moreover, the exact identities of the actors undertaking these operations is difficult to ascertain, since actors associated with the PRC government take steps to obfuscate their role. For example, in the case of operations undertaken against the government of Alaska, the attackers employed an IP address associated with Tsinghua University to conduct their network reconnaissance.⁶¹

Improving International Perceptions of China

Unlike the Russian Federation, China does not appear to employ large-scale “troll farms” tasked with shaping the public perception of the PRC abroad. Instead, China seems to shape its perception abroad using groups like the United Front, which seeks to shape discourse among foreign policymaking and business spheres.⁶² China also routinely utilizes other soft power instruments, such as the work of Confucius Institute and Chinese-backed think tanks, to mold foreign perception within academia.⁶³ There have been a few operations undertaken by Chinese “patriotic hacking” groups. For example, the “Honkers Union/Red Guest (红客) group targeted U.S. websites in the wake of the 2001 Hainan Island Incident involving the collision of U.S. and Chinese military aircraft and has remained semi-active since. However, these incidents almost never escalate beyond the level of petty site vandalism and do not appear to be closely coordinated by the Chinese government.⁶⁴

Bolstering China’s Military Capabilities

As discussed earlier, the PRC considers “network warfare” to be one of the four key components of the information domain, which it views as being of paramount importance in future conflicts. In a wartime situation, it is likely that China would employ network operations to disrupt the U.S. military’s supply chain and C4ISR capabilities, thus dramatically reducing its combat effectiveness.⁶⁵ Additionally, the PLA augments its capabilities with large segments of the civilian cyber economy, which could support network operations in the event of a conflict.⁶⁶

Advancing China’s Economic Interests

Perhaps the most consequential component of Chinese cyber activity is their use of network capabilities to conduct industrial espionage against foreign targets. These operations have been undertaken by organs of the Chinese military (such as the former 3PLA Second Bureau), as well as groups such as APT 12/Gothic Panda, whose affiliations are less clear-cut but are still clearly backed by the PRC government.⁶⁷ Network-based industrial espionage is a favored strategy of the PRC in part because it enables China to intake vast amounts of proprietary information at comparatively little cost, and also because the difficulty of attribution grants them a veneer of plausible deniability.⁶⁸ It has been noted that many of China’s cyber operators that conduct industrial espionage use relatively unsophisticated methods with comparatively poor tradecraft practices, perhaps suggesting a preference for bulk collection over plausible deniability.⁶⁹ Regardless, when left unchallenged, it is clear that PRC-backed cyber operators have a record of accomplishment, being extremely adept at using network operations to obtain key intellectual property, thereby enabling China to leapfrog its technological and economic competitors.