22 January 2017

Evaluating the US-China Cybersecurity Agreement, Part 2: China’s Take on Cyberspace and Cybersecurity

By Gary Brown and Christopher D. Yung

Part one of this three-part series showed how differing approaches to their respective national interests drove China and the United States to contrasting views on the implementation of cyber policies and explored the U.S. position as well as the 2015 agreement between the two states. This article, part two, details China’s approach to cyberspace and cybersecurity. Part three will conclude by reviewing reactions to the agreement, and assessing its success to date and its longer-term prospects.

China’s Approach to Cyberspace

China takes a different tack than the United States when it comes to cyberspace. Privacy and communication rights have not played a dominant role in the development of China’s cyber policy. Rather, Beijing emphasizes the importance of cyber sovereignty. At the World Internet Conference in December 2015, President Xi Jinping called for states to be allowed to set their own rules for cyberspace in their own countries. In other words, Xi appeared to be advocating for China’s continued ability to limit its citizens’ access to the Internet, and for a greatly reduced U.S. role in Internet operations and rule setting. Xi has always promoted China’s notion of “internet sovereignty.” He also called for transforming the current global internet governance system to make it more “multilateral, democratic, and transparent,” surely a criticism of the dominant position of the U.S. in Internet governance.


The Chinese have also advanced the argument that the United States is attempting to “militarize” cyberspace. Professors Wen Bohua and Xu Weidi, writing in a report titled The International Strategic Situation and China’s National Security (2012-3), published by the Military Science Publishing House, are illustrative of this perspective. That is, while everyone agrees that cybersecurity is important to national security, the Chinese emphasize the threats coming from non-state actors and the difficulty in attribution – tying events with some level of certainty to particular hackers. The United States, on the other hand, “believes that the main threat of cybersecurity comes from cyber powers, particularly China and Russia, and thus sets them as its targets of cyber militarization.” Thus, the Chinese argue that while the U.S. preaches cybersecurity cooperation, at the same time “it develops various cyber proxy technologies to infiltrate into China and Russia and spread false information, with an aim at sabotaging the political stability in China and Russia.” Hence China’s emphasis on “cyber sovereignty.”

China has long been known for its prolific cyber espionage activities. Over the years, Chinese intrusions into U.S. military systems became so prevalent that they merited a category name: Advanced Persistent Threats (APT). The term has come to mean the category of cyber threat presented by a capable adversary that focuses on stealthily exfiltrating information, and maintaining access to systems so they can be exploited indefinitely. APTs often use remote access tools (RATs), and a 2011 report on Chinese activities was titled Operation Shady RAT. In Shady RAT, Beijing targeted around 72 private and public organizations. In the operation, individuals within an organization received emails that infected their systems with a Trojan virus. The malware would then communicate with a designated server, alerting the hackers of a path into the computer. The hackers could access the infected machine, exfiltrating key data while escalating privileges to establish additional backdoors, creating a foothold to further control the machine.

Despite convincing evidence tying them to cyber misbehavior, Chinese officials have reacted strongly to U.S. accusations of cyber misconduct. Beijing has issued many statements asserting that China opposes any form of hacking activities, and noted that “China forbids any actions that may sabotage cyber security, including hacking, and deals with such crime severely.” Although China has generally denied involvement, the United States is convinced Beijing is responsible for, or at least aware of, much of the economic espionage originating from its territory.

Beyond denying culpability for activities aimed at the U.S., China notes that its own computer networks are frequently under attack, and that a large portion of these attacks originate in the United States. China claims to have been the target of tens of thousands of cyber attacks every month originating from the United States. The significance of this number is relative; DoD has reported upwards of 10 million attacks per year and the number is increasing. Every nation falls prey to cyber attacks, so this argument is of limited use to Beijing. More specifically, China has accused the NSA of targeting economic concerns such as telecommunications equipment manufacturer Huawei, blurring the very line between economic and security matters the United States has advocated for reinforcing.

Although China has denied accusations that its military has carried out large numbers of cyber economic espionage events, significant evidence indicates otherwise. In 2013, cybersecurity companies like Mandiant started to publish evidence concerning People’s Liberation Army (PLA) Unit 61398. Unit 61398 – formerly a part of the Second Bureau of the General Staff Department – consists of thousands of military cyber members, and is believed to specialize in computer network operations, compromising information systems across a number of strategic and economically important industries. Mandiant found that a majority of computer security breaches in the hundreds of organizations they monitored could be traced back to China, and that Beijing is aware of them. A DoD report echoed Mandiant’s findings, stating that the cyber attacks “appear to be directly attributable” to China’s government.

Mandiant’s 2013 threat report analyzed enough data for it to assert that the APT group conducting these activities was located in China and is at least affiliated with Unit 61398. Mandiant observed a relationship between PRC strategic priorities, the operations of PRC SOEs, and data stolen through cyber intrusions, mainly from a group dubbed APT1. They found that in over 97 percent of 1,905 cases, APT1 intruders were observed connecting to their attack infrastructure with IP addresses registered in Shanghai and systems using simplified Chinese characters. Even if APT1 is not a government entity, Beijing certainly knows of its operations, and is to some extent at least morally accountable for their actions.

China is also thought to have hacked into the communications of corporations and organizations worldwide in an attempt to, among other things, gather information about political activists inside China. In particular, Operation Aurora, a Chinese breach of at least 34 major U.S. companies, significantly increased tension between the two States.

Internal Controls

Internally, Beijing has attempted to maintain control over its citizens’ cyber communications by employing a force of overseers at least 100,000 strong who are in charge of monitoring blogs and social media sites. The Chinese government also uses sophisticated technical means such as the so-called Great Firewall. The Great Firewall is a government censorship and surveillance tool that uses keyword filtering, blocks potentially unfavorable sites, and limits data from foreign countries. The Great Firewall was established in 2003 after Beijing recognized the impracticability of mass human monitoring of the Internet. The Great Firewall employs automated technologies to conduct wide-scale filtering and blocking of all Internet addresses, Internet hosts, and data to prevent citizens from accessing certain types of content.

The United States has criticized China’s Great Firewall, and Chinese citizens have enjoyed some success at circumventing it, reportedly facilitated to some extent by the U.S. government. In response, the Chinese government developed an additional tool to control the communications of its citizenry — the Great Cannon.

The Great Cannon strengthens Beijing’s ability to control the Internet inside China. The Great Firewall is only able to monitor traffic and interrupt content and connections; it is purely a censorship tool. By contrast, the Great Cannon can attack certain IP addresses and not only shut down the connection, but hijack traffic to these addresses and replace benign unencrypted web content with malicious content.

The first known use of the Great Cannon against a U.S. site was on March 26, 2015 against two GitHub pages run by China censorship monitor GreatFire.org. The coding site was flooded with traffic, making it intermittently unresponsive for a couple of weeks. GitHub appeared to be chosen as the target not only because it hosts GreatFire.org and the New York Times Chinese edition, but also because Beijing is generally unhappy with GitHub for helping users circumvent the Great Firewall. A major question that arises from this attack is why China decided to showcase it in such an open manner, as the same outcome could have been achieved through more covert means. It may be that China has begun to feel more confident in its standing in the international community and as a consequence is more willing to act assertively to support its expansive notion of cyber sovereignty.

In addition to technical means, China has used its legal system to control information flow. Beijing passed a new cybersecurity law that will take effect in 2017. Among other things, the law requires users to register for social media platforms using their real names and bans broadly-defined categories of speech, such as speech that “endangers national unity.”

Human rights groups have condemned China’s proposed new cybersecurity law because it further threatens free speech. Sophie Richardson, China Director at Human Rights Watch said, “While the Chinese government has genuine security needs, these new laws … generally treat peaceful critical speech and activism as national security concerns.”

International Cyber Governance

China’s push to increase national regulation of the Internet may be intended partly to weaken the preeminent role of the United States in cyber governance, instead emphasizing national sovereignty and control. This model would weaken openness and freedom of expression. The Chinese have framed the argument along the lines of “hegemony versus fairness” within the cyberspace domain. According to Professors Wen Bohua and Xu Weidi, writing in the aforementioned report:

“The United States has invented the network-based virtual space and thus made tremendous contribution to the human society. Cyberspace which is merging with the real world at an accelerated pace has become a common asset of mankind. Does this cyberspace belong to the whole world or the United States alone? Although often claiming cyberspace to be a ‘global commons’ on its lips, deep inside the United States still takes cyberspace as its own ‘property’ and believes that what it says counts here in this domain.” 

China and a few other Asian nations who would like to increase governmental oversight have advocated for an international code of conduct for information security. The states in favor of the code of conduct seek to set international norms and rules guiding behavior in cyberspace. They claim the transnational and autonomous nature of cyberspace poses a challenge to international security as well as social and economic development. To address this, they propose international norms and rules that would stress cooperation, security, and transparency. As further evidence of this “hegemonic mindset” the Chinese offer the example of the conference of the International Telecommunications Union in Dubai in 2012. There, according to Wen and Xu,

“developing countries had a fierce struggle with Western countries on issues of cyber control and enhancement of national sovereignty over the Internet. At last, although the developing countries made the maximum concession to the United States over cyber control, the latter still refused to sign the revised draft International Telecommunication Regulations. Behind this lay the hegemonic mindset of the United States — it was unwilling to set such a precedent to let the international community make collective decision on international rules over cyberspace.”

Gary Brown is Professor of Cyber Security at Marine Corps University. Christopher D. Yung, Ph.D., is Donald Bren Chair of Non-Western Strategic Thought at Marine Corps University. The views expressed here are personal and do not represent the views of Marine Corps University or the U.S. military.
