The Cyber Dragon

An excerpt of this article was published in the July issue of Proceedings. The full article is provided here for further context and explanation. This article does not reflect the views of the Department of Defense, Department of the Navy or U.S. Cyber Command.

China and the United States appear to be engaged in a long-term competition, and one area of particular concern is cyberspace. What used to be considered a significant, overwhelming advantage of U.S. military capabilities relative to the rest of the world, including China, has recently been called into question. Recent Chinese military writings confirm the centrality of cyberspace operations to the People’s Liberation Army (PLA) concepts of “informationized warfare.” This paper examines Chinese writing on these concepts. It proposes that China has been actively seeking to position its sources of information power to enable it to ideally “win without fighting” or if necessary, win a short, overwhelming victory for Chinese forces. It concludes with some recommendations for how the U.S. might counter China’s informationized war strategy.

Chinese Strategic Thinking and “Informationized War”

There’s a war out there, old friend. A world war. And it’s not about who’s got the most bullets. It’s about who controls the information. What we see and hear, how we work, what we think… it’s all about the information!

-Cosmo, from the movie “Sneakers”, 1992

You may not be interested in war, but war is interested in you.

-Leon Trotsky (1879-1940)

Chinese military and strategic thought is markedly different from Western tradition. Fundamentally, China views the natural state of the world as one of “conflict and competition” rather peace and cooperation. The goal of Chinese strategy is to “impose order through hierarchy.”[1] The natural conclusion is that due to this state, the world needs global powers, perhaps even a super power, to manage the conflict and competition and bring harmony. Timothy Thomas has identified several components to Chinese military thinking, to include: [2]

1. A more broad and analytic framework that holistically incorporates information-age strategy;
2. While remaining prominently Marxist, it “examines the strategic environment through the lens of objective reality and applies subjective judgment to manipulate that environment to one’s advantage”;
3. The use of stratagems integrated with technological innovation, creating a hybrid combination targeting the adversary’s decision-making process to induce the enemy to make decisions China wants;
4. The constant search for shi, or strategic advantage. Shi is thought to be everywhere, “whether it be with the use of forces, electrons, or some other aspect of the strategic environment”; and
5. The object of “deceptively making someone do something ostensibly for himself, when he is actually doing it for you.”

Shi is the “concept born of disposition … of a process that can evolve to our advantage if we make opportune use of its propensity.” Chinese military thought seems to differ from Clausewitz, becoming focused on shi where Clausewitz finds “ends” and “means” as the most important. Shi aims to use “every possible means to influence the potential inherent in the forces at play” to its own advantage, before any engagement or battle takes place. Therefore, the engagement never actually constitutes the decisive battle that Clausewitz envisions, because it has already been won.[3]

Chinese military writing contemplates war transitioning to an “informationized” state “in which informationized operations is the main operation form and information is the leading factor in gaining victory.” Information is a resource to be harvested and exploited, as well as denied to the enemy or manipulated for advantage. Nations and militaries “can be wealthy or poor in this resource. Overall wealth in information is what will ultimately matter most in peacetime competitions, crises or military conflicts.” [4]

China considers herself at an information disadvantage, so her use of information harvesting and exploitation in cyberspace align with her strategic intention. Thomas likens it to three faces of a “cyber dragon”: peace activist, spook and attacker. The peace activist is the face of the dragon concerned with internal and external soft power (improving China’s image, respect and perhaps fear or awe of China abroad, while remaining on guard internally against a Chinese version of an “Arab Spring” or “Orange Revolution”). The spook is the uses of cyber techniques to not only acquire information but also to reconnoiter adversary information systems, perhaps laying the groundwork for future attack or deterrence capabilities. The attacker face uses offensive capabilities and concepts to deter, or if necessary, paralyze the information capabilities of the adversary. The goal is that these three faces “work in harmony to achieve dominance over any potential adversary.”[5]

People’s Liberation Army (PLA) books such as the Academy of Military Sciences’ Science of Military Strategy and Ye Zheng’s Lecture on the Science of Information Operations “reflect a consensus among Chinese strategists that modern war cannot be won without first controlling the network domain.” This tracks with current U.S. doctrine that emphasizes dominance in the network domain as “central to deterring Chinese forces and protecting U.S. interests in the event of crisis or conflict.”[6]

Importantly, PLA writers emphasize first strike and first mover advantage in the network domain to “degrade or destroy the adversary’s information support infrastructure and lessen their ability to retaliate.” This creates strong incentive to strike in the network domain just prior to the formal onset of hostilities.[7] China’s lines of effort in support of this strategy include:

1. Gaining information through reconnaissance of cyber systems, and manipulating or influencing Western or American perception and technology to establish strategic advantage;
2. Using that reconnaissance information to position its forces, to locate vulnerabilities, and be in a position to conduct system sabotage;
3. In a crisis, using system sabotage to either render information technology systems impotent, or expose strategic cyber geography to establish offensive cyber deterrence.[8]

Chinese writers publicly state that China lacks the ability to successfully launch a first strike at the present time. This is because they believe that Chinese networks are constantly penetrated by adversaries, and because of U.S./western control of most of the Internet’s core architecture. PLA writers do recognize the vulnerabilities of relying on Western technology supply chains for hardware and software operating systems.[9]

Chinese writings suggest information is the bonding agent for strategic action from which China will be able to amass enough power that it will be unnecessary for her to use military force to accomplish her objectives. If force is necessary, China will be in such an advantageous position that the military conflict will be a forgone conclusion. Consider the game of chess. Andrew Marshall, former Director of the Office of Net Assessment, noted that “most of the game is not directly aimed at checkmating the opponent’s king. Instead, the early and middle parts of the contest are about building a more advantageous position from which checkmating the opponent almost plays itself out.”[10] Indeed this is why most competitive games of chess end not in checkmate, but rather concession or a draw. The player on the losing end knows that he or she will lose, perhaps in a finite number of moves.

Recently, the Chinese political and military leadership established a new unit within the PLA to enhance its cyber operations capabilities, space operations and cyber espionage. This new unit, called the “Strategic Support Force,” is part of a larger military reorganization program. In some ways, it might be seen as a counter to the establishment in the United States of U.S. Cyber Command. Along with hoped for improvements to China’s already formidable cyber offensive and defensive capabilities, the unit will also focus on space assets and global positioning services, as well as interference with RADAR and communications.[11] This is a clear sign of the importance that the leadership places on fighting and winning in the information domain.

Beyond its military activities, China’s information control system remains critical to ensuring regime survival. However, understanding this system is made more difficult by the fact that the PRC goes to great lengths to “deliberately and systematically attempt to control how China is understood by both foreigners and Chinese alike,” according to Christopher Ford.[12] He goes on to note:

The modern Chinese information space remains a controlled one, subject to pervasive government monitoring and censorship, widespread and increasingly sophisticated methods of media-savvy opinion management, and the ever-present possibility that the citizenry will face penalties for venturing too far beyond the bounds of the CCP’s official line.[13]

Diplomatic and international policies are also built around giving China maneuvering room to interpret norms, rules and standards to serve domestic needs, principally through the primacy of state sovereignty. China must constantly seek to balance economic growth with maintaining the Party’s grip on power. Not only is Internet usage controlled and censored, but it is also a tool for state propaganda.[14] Chinese “journalists” are, to a large degree, arms of the Chinese propaganda system, transmitting the official “party line” to the population, while at the same time providing feedback “to the leaders on the public’s feelings and behavior.”[15]

Chinese authorities use a number of techniques to control the flow of information. All Internet traffic from the outside world must pass through one of three large computer centers in Beijing, Shanghai and Guangzhou – the so-called “Great Firewall of China.” Inbound traffic can be intercepted and compared to a regularly updated list of forbidden keywords and websites and the data blocked.[16]

Within China, the government heavily regulates and monitors Internet service providers, cafes and university bulletin board systems. It requires registration of websites and blogs, and has conducted a number of high profile arrests and crackdowns on both dissidents and Internet service providers. This “selective targeting” has created an “undercurrent of fear and promoted self-censorship.” The government employs thousands of people who monitor and censor Internet activity as well as promote CCP propaganda.[17]

While the CCP retains the ability to shut down entire parts of the information system, to include Internet, cell phone, text messaging and long-distance communication, it truly prefers to “prevent such incidents from occurring in the first place. And here lies the real strength of the system.”[18] The “self-censorship that the government promotes among individuals and domestic Internet providers is now the primary regulating and control method over cyberspace and has experienced great success.”[19]

China has long been rightfully accused of being a state sponsor of cybercrime and intellectual property theft . This has led to a high level of domestic cybercrime “due in large part to rampant use and distribution of pirated technology,” which creates vulnerabilities. It is estimated that 54.9 percent of computers in China are infected with viruses, and that 1,367 out of 2,714 government portals examined in 2013 “reported security loopholes.”^[20] Chinese networks themselves, by virtue of their size and scope, may represent a gaping vulnerability.

Options for the U.S.

Both the 2015 National Security Strategy and 2015 DoD Cyber Strategy state that the U.S. desires to “deter” or “prevent” China from using cyberspace to conduct malicious activity. To do so, the United States may want to consider strategies which have the following desired outcomes:

1. Build up Chinese confidence that they are achieving their goals and devote resources to attacking networks where the United States wants them to be;
2. Increase ambiguity in China’s understanding of the information they are able to acquire;
3. Introduce doubt in China believing it has the ability to disrupt American information networks; and
4. Force China to expend more resources focused inward to controlling information within China that threatens Communist Party control.

Unlike the other domains, cyberspace is entirely man-made and the physical properties which characterize it can be altered, almost at will and instantaneously. Traditional geographic constraints do not apply, and we can alter the cyber strategic geography to reinforce American competitive advantages that can aid in achieving some of the goals mentioned above.

For example, many American networks that interest Chinese cyber forces reside on public and commercial Internet service provider (ISP) backbones, such as those owned by Verizon and AT&T, and use commercially available equipment, like Cisco routers. We like to think of “cyberspace” or “the Internet” as being a “global commons,” (see the 2015 NSS), but in reality, nearly all the physical infrastructure and equipment is privately owned and subject to manipulation. The information itself travels on electrons, which can also be manipulated.

The U.S. might develop alternative information pathways and networks, perhaps solely owned and operated by the government or military and not connected to the public ISP backbone. By keeping the existence of a separate network a secret, China may continue to devote resources to attacking and exploiting existing government networks residing on public ISP’s. Alternatively, the U.S. could permit China to acquire access to this surreptitious network in order to feed it deceptive information. In either case, the Chinese regime’s confidence in its ability to disrupt or deceive U.S. information networks could be placed in doubt at a time of our choosing.

Existing information networks could be made more resilient. Peter Singer recommends that we think about resilience in terms of both systems and organizations. He identifies three elements underpinning resiliency: the capacity to work under degraded conditions, the ability to recover quickly if disrupted, and the ability to “learn lessons to better deal with future threats.”[21]

The DoD can also play a role by establishing more consistent network security standards. Cleared defense contractors (CDC), such as Lockheed Martin, Northrup Grumman and Boeing for example, are priority targets for espionage. The DoD can leverage its buying power to mandate accountability, not only for the products developed by the contractors, but also for the security of the information networks they use. It can work to bring “transparency and accountability to the supply chain” to include using agreed-upon standards, independent evaluation, and accreditation and certification of trusted delivery systems. It should address supply chain risk mitigation best practices to all contracting companies and the Department.[22] Resiliency, risk mitigation and security can reduce China’s confidence that it can successfully execute system sabotage or offensive deterrence.

Another strategy might be to develop capabilities that permit the U.S. to execute cyber blockades or create cyber exclusion zones. A cyber blockade is a “situation rendered by an attack on cyber infrastructure or systems that prevents a state from accessing cyberspace, thus preventing the transmission (ingress/egress) of data beyond a geographical boundary.” Alison Lawlor Russell has researched the potential of blockades, carefully examining case studies of Russian attacks on Georgia in 2008 and Estonia in 2012, and comparing them to more traditional maritime blockades and “no fly zones.” She notes that it is a “legitimate tool of international statecraft … consistent with other types of blockades” and can be, though not always, considered an act of war.”[23] Cyber exclusion zones seek to deny a specific area of cyberspace to the adversary, sometimes as a form of self-defense.[24]

As previously stated, China’s information strategy is designed foremost to ensure regime survival. It has erected a massive information control system for the purpose of monitoring, filtering and controlling information within China and between China and the world. The Chinese Communist Party spends more money and resources on domestic security and surveillance than the PLA.[25] Clearly, in the minds of the Chinese Communist Party, information control is a critical vulnerability. Therefore strategies which seek to keep China focused inward may be advantageous. The U.S. might invest in technologies which can be easily inserted into the Chinese market that encrypt communication or permit Chinese users to bypass government monitors. Targeting China’s information control regime should align with current and historic cultural proclivities. For example, environmental degradation, corruption and an urban-rural divide are areas of concern for the Chinese people. Sophisticated highlighting of these issues put pressure on the Communist Party.

The U.S. will not be as successful if does not address the modern, “informationized” concept of war. This should not be taken as a call to change our understanding of war or its nature. War remains violent and brutal, and should be avoided when possible. But the use of information to exploit the adversary and achieve strategic advantage is not being addressed by strategic and military planners as well as it might. Information capabilities in the electromagnetic spectrum, cyberspace, and elsewhere remain stove-piped and walled off from planners. The Department of Defense (and the U.S. government) continues to treat information as a separate compartmented capability rather than treat it holistically – a resource that supports our national security.

The 2015 DoD Cyber Strategy does make mention of force planning, to include the training and equipping of cyber forces. However, cyberspace is just one part of the information domain. We need to better integrate the growth in advanced technology into planning, not just acquisition. We need to consider the impact of dual use technology and its proliferation worldwide, not just to China. We must consider the implications of Chinese information technology companies providing goods and services in the U.S. – especially to the U.S. government. The DoD should develop human capital investment strategies that leverage America’s strengths, and consider new ways to recruit, train and keep the best and brightest in the military, intelligence and national security communities. Just as the “space race” of the Cold War ushered in the modern “Information Age,” .

Conclusion

China’s use of cyberspace operations to support her strategic goals is like the canary in the coal mine. While the U.S. maintains several competitive advantages, it is clear that China is investing large amounts of time, energy, people and resources to achieve her strategic desires, probably within our lifetime. Yet there is reason for the U.S. to be hopeful. It engaged in a long-term competition with the Soviet Union, and was ultimately victorious. This competition was not so long ago, and America has a wealth of talented veterans in the military, civilian and academic worlds who know what it takes to engage in a long-term competition with a rival while trying to avoid a shooting war.

[1] Jacqueline N. Deal, “Chinese Concepts of Deterrence and Their Practical Implications for the United States,” (Washington, DC: Long Term Strategy Group, 2014).

[2] Timothy L. Thomas, “China’s Concept of Military Strategy,” Parameters 44, no. 4 (2014-15).

[3] Francois Jullien, The Propensity of Things: Toward a History of Efficacy in China (New York: Zone Books, 1999). p. 34-38.

[4] Barry D. Watts, “Countering Enemy Informationized Operations in Peace and War,” (Washington, DC: Center for Strategic and Budgetary Assessments, 2014).

[5] Timothy L. Thomas, Three Faces of the Cyber Dragon: Cyber Peace Activist, Spook, Attacker (Ft. Leavenworth: Foreign Military Studies Office, 2012).

[6] Joe McReynolds et al., “Termite Electron: Chinese Military Computer Network Warfare Theory and Practice,” (Vienna, VA: Center for Intelligence Research and Analysis, 2015).

[7] Ibid.

[8] Timothy L. Thomas. China’s Cyber Incursions. Fort Leavenworth: Foreign Military Studies Office, 2013.

[9] Ibid.

[10] Watts, “Countering Enemy Informationized Operations in Peace and War.”

[11] (Rajagopalan 2016)

[12] Christopher A. Ford, China Looks at the West: Identity, Global Ambitions, and the Future of Sino-American Relations (Lexington: University of Kentucky Press, 2015). p. 13-14

[13] Ibid.

[14] Rebecca MacKinnon,. “Flatter World and Thicker Walls? Blogs, Censorship and Civic Discourse in China.” Public Choice 134 (2008): 31-46.

[15] Ford, p. 19-21.

[16] Michael Wines, Sharon LaFraniere, and Jonathan Ansfield. “China’s Censors Tackle and Trip Over the Internet.” The New York Times. April 7, 2010.

[17] Thomas Lum, , Patricia Moloney Figliona, and Matthew C. Weed. China, Internet Freedom, and U.S. Policy. Report for Congress, Washington, D.C.: Congressional Research Service, 2013.

[18] Ford, p. 32.

[19] Ibid. P. 38

[20] Amy Chang. Warring State: China’s Cybersecurity Strategy. Washington, D.C.: Center for a New American Security, 2014.

[21] P.W. Singer and Allan Friedman, Cybersecurity and Cyberwar: What Everyone Needs to Know (New York: Oxford University Press, 2014). p. 170-171

[22] Ibid., p. 202-205.

[23] Alison Lawlor Russell, Cyber Blockades (Washington DC: Georgetown University Press, 2014). p. 144-145.

[24] Ibid., p. 146-147.

[25] Chang.