
15 April 2021

Cyber World War: The People’s Republic Of China, Anti-American Espionage, And The Global Cyber Arms Race

By Joshua E. Duke

“O divine art of subtlety and secrecy! Through you, we learn to be invisible, through you inaudible; and hence we can hold the enemy’s fate in our hands.”

– Sun Tzu, c.500 BC

The flood gates of the information age have been blasted open for good. Short of global electrical failure, robots taking over the world, or mankind’s evacuation of the planet, global connectivity, instant communications, and massive information accessibility are here to stay, along with the dangers and benefits that come with them. The internet and network connectivity have become too integrated into the basic daily functions of societies and nations for information services to be heavily regulated or censored, and as the world grows ever more dependent on networks to function, more technologically adept generations grow up with the entire history of human knowledge at their fingertips. The cyber warfare enterprise of Computer Network Attack (CNA) and Computer Network Defense (CND) is blossoming alongside telecommunications and other vital industries, which means more and more people will be trained in these areas in addition to information technology and computer science. As people are trained to operate in a network-centric world, more of the world will be under perpetual threat from cyberattacks, and more people will be employed to defend it.

The global cyber arms race is in full swing, and American leadership is necessary to ensure the future of freedom of thought and individuality in cyberspace. The alternative is a sharp contrast, centered around the People’s Republic of China’s (PRC) communist censorship and propaganda machine, combined with their allies around the world, intent on securing ultimate power and crushing the United States in the process. This article examines the physical and cyberspace dangers posed by the PRC and its allies, detailing a long-term strategic trend of anti-American actions taken in recent history that have not been adequately addressed or publicized. This article begins with an examination of a variety of actions the PRC has taken against America over multiple decades and the extent of their success. An interconnected multinational web of espionage, cyber warfare, and targeted actions designed to collapse the United States is then exposed, highlighting the need for renewed American leadership in cyberspace and on the world stage. Any action taken against any entity with the purpose of degrading their capabilities, manipulating them, or spying on them, using the realm of cyberspace as the primary conduit, is cyber warfare. A short explanation of cyber warfare basics is provided at the end of this article, with examples of what the cyber battlespace consists of.

The People’s Republic of China (PRC) and the Titan Rain Hackers

The PRC is the largest cyber threat on Earth, with the most extensively trained cyber espionage personnel and the longest history of practical hacking expertise. The United States government did not prioritize cyber capabilities until faced with the threat of other states, China in particular, developing attack techniques in cyberspace that the United States had no defense against. This left the U.S. behind in the cyber arms race and allowed the PRC to take, and keep, the lead in cyber development. Unless the U.S. catches up with and surpasses the PRC, Americans and American organizations will continue to be targeted, manipulated and exploited by PRC cyber espionage, unable to defend themselves, unable to distinguish what is real from what is fake online, and unable to establish effective cybersecurity. The PRC’s success against the United States also exposes national security vulnerabilities in U.S. cyber infrastructure that others can exploit, showing the world how easy a target the U.S. is and will remain until that infrastructure is hardened and until cyber actors are publicly attributed and punished. The People’s Liberation Army (PLA), the armed wing of the Chinese Communist Party, controls PRC military cyber operations; its best-documented cyber unit is Unit 61398.1 The PLA has also extended its Signals Intelligence (SIGINT) capabilities into cyberspace, using networks themselves as a collection channel.

Advances that put microphones and cameras into networked devices such as cell phones and laptops have further increased the damage cyber actors can do, improving the collection capabilities of intelligence organizations around the world as each new class of device arrives. With these combinations, any device that has a network interface, or that is connected in any way to a device with a network interface, and that is also used for communication, can be compromised through cyberspace. The PRC has taken advantage of this by refocusing the signals intelligence collection element of the PLA’s military-technical reconnaissance bureau on cyber espionage.2 The PRC’s focus continues to shift toward cyber elements for offensive, defensive, and espionage operations as the digitization of information becomes widespread and inevitable in the information age. Global digitization is simultaneously beneficial and dangerous: it creates a wealth of information more readily available to the public than ever before, and a multitude of separate caches of information available to competent hackers who know how to infiltrate databases for cyber espionage.

The People’s Republic of China is a particularly effective threat because it has adapted its extensive intelligence collection techniques to cyber espionage. The PRC has engaged in large-scale, continuous espionage against American corporations and United States government organizations for decades to accelerate its own economic and military development.3 These efforts have been extremely successful, yielding top-level nuclear weapon designs, satellite and rocket technical information, and a wide range of government and corporate trade secrets.4 As technologies have advanced and the world has become networked, PRC espionage has shifted into cyberspace, giving it more effective plausible deniability, greater access to sensitive information, and a larger field of targets to penetrate and steal from. While the PRC denies direct involvement, the Titan Rain espionage activities of the first years of the twenty-first century are widely believed to be the work of the PLA.5 The actors behind Titan Rain successfully penetrated some of the most sensitive organizations in the United States.6

Tracked and documented by Shawn Carpenter for a year and a half, the Titan Rain cyber thieves penetrated a large number of secure networks, including the “systems of the U.S. Army Information Engineering Command, Defense Information Systems Agency, U.S. Army Space and Strategic Command, Army Aviation and Missile Command, Department of Energy, Homeland Security, State Department, and Naval War College,” extracting 10-20 terabytes of sensitive Department of Defense information.7 In addition to stealing more data than is contained in the entire Library of Congress,8 Titan Rain hackers also targeted the World Bank, and the National Aeronautics and Space Administration (NASA).9 The Titan Rain attackers, operating out of the Guangdong province of China, used Trojan horses to infiltrate systems, hijacked portions of hard drives in target systems to use for file encryption, erased their electronic fingerprints when finished, and left a reentry beacon to facilitate easy access at a later time.10

The PRC has long had a foreign espionage goal of advancing its economic and military status, and cyberspace has provided the opportunity for them to realize their vision of total “control of the world economic sector”,11 which they’ve sought for some time. Chinese strategies for cyber warfare suggest the PRC believes that nothing is off-limits that does not create physical damage, that war is already happening in cyberspace on multiple levels and with multiple nations, and that “information systems are weapons” to be used to fight this ongoing war.12 The extensive PRC space program and aspirations for developments in space technologies, in addition to the notable targets of NASA and the U.S. Army Space Command, suggest that the PRC is also engaging in cyber espionage to advance its space capabilities. Space-related targets likely include satellite developments, Anti-Satellite weapon technologies, dual-use space launch, and ballistic missile capabilities, space transportation developments, and technologies required to finish bringing the Chinese nuclear triad online with long-range strategic bombers. Titan Rain should be viewed as a major success for the Chinese hackers involved as well as the PRC government, who not only directly benefited the most from the stolen data but were able to maintain plausible deniability throughout years of operations, avoiding any kind of retribution.

The attackers were extremely effective at erasing evidence of their presence after completing operations. Shawn Carpenter’s rogue counter-hacking, which led him on a chase around the world, is possibly the only reason Titan Rain was ever traced back to Guangdong province and the PLA.13 Titan Rain’s exposure illuminates the recurring cycle of Chinese espionage against the United States, coming only a few years after the 1999 Congressional ‘Cox Committee’ investigation revealed earlier Chinese espionage campaigns. The ‘Cox Committee’ documented the theft of various types of information and classified data, including highly sensitive thermonuclear weapons data siphoned out of multiple national weapons laboratories by PRC operatives. That espionage catapulted the PRC’s nuclear arsenal into a new and far more threatening era of strategic and miniaturized nuclear weaponry, through the acquisition of technical data and the theft of “classified information” on “every currently deployed thermonuclear warhead” the United States had at that time.14

PRC operations have been uncovered at nearly every level of American society, from satellite corporations to national weapons laboratories dealing with nuclear data and advanced technologies. PRC espionage campaigns have led to the theft of advanced nuclear weapon design information from the U.S. on several known occasions, and probably on many unknown ones, because the PRC’s methods are so effective.15 By stealing information instead of producing it themselves, the PRC capitalizes on American results that took “hundreds of millions of dollars” and a multitude of tests to achieve.16 A frightening picture emerges when one realizes that PRC collection activity in the U.S. is incalculable, because PRC collection doctrine treats every American citizen of Chinese descent, every PRC immigrant, and every foreign national from the PRC as a potential collection agent.17 By adapting these techniques to cyber espionage, the PRC minimizes its chance of failure, essentially sending armies of hackers to target small amounts of information each, echoing the ‘Cox Committee’ finding that many hundreds of Chinese spies each targeted small pieces of information across the United States.

This method is highly effective in the cyber arena. Using more hackers means more machines at work and more targets worked at once, which ultimately makes every target easier to infiltrate and exploit. The PRC’s cyberspace strategy would fail without its international calling card of denying everything, which follows ancestral doctrines of Chinese strategy, most notably Sun Tzu’s declarations that “all warfare is based on deception,” and that the best way to defeat an enemy is to defeat them without a fight.18 PRC leadership, including President Xi Jinping when he met President Obama in 2013, consistently denies any involvement in hostile cyber activity traced back to China,19 the Titan Rain hackers included. In response to Titan Rain and a large number of other incidents involving the PRC, the United States and the world have raised cybersecurity and cyber warfare to one of the most important topics facing the world, with legislation, policies, and cybersecurity initiatives to match.

While a direct response to Titan Rain was not possible for lack of positive attribution, several measures have been taken in response to the escalation of cyber threats, in large part because of Titan Rain’s extensive success and the PRC’s official stance on cyber espionage. Since Titan Rain’s exposure, the United States has launched its Comprehensive National Cybersecurity Initiative, which focuses on cooperation, intrusion detection, cyber counterintelligence, and research and development of new cybersecurity tools and tracking technologies that will let the U.S. intelligence community attribute cyber incidents more effectively and enhance national and economic security.20 U.S. focus has also shifted significantly toward defending private-sector economic partners that directly affect the U.S. government and Americans, in response to massive PRC targeting of the American corporate sector for economic gain.21 Unfortunately, the PRC does not act alone against the United States; the 2018 Department of Defense Cyber Strategy names it alongside Russia, Iran, and North Korea as a “strategic threat” to the “prosperity and security” of the United States.22

The Cyber Threat Alliance: Is the friend of my enemy my enemy—or my friend?

China’s neighbor and nominal ally, North Korea, has also expanded its presence in cyberspace. North Korea has built a domestic cell phone network and has been “implicated in malicious cyber activity … since 2009,” including being credited with erasing “critical data” from government, media, and banking networks in South Korea in 2013.23 With cell phones and network access combined, North Korea can conduct cyber operations, including espionage. Its reliance on the PRC for connectivity has also integrated it into Chinese cyber infrastructure, allowing it to operate worldwide. Developing cyber warfare capabilities is inevitable and highly desirable for North Korea. Its national intranet is substantial progress in this area, and because it exists alongside both a “national fiber-optic network” and the national cell phone network, North Korea has everything needed to conduct cyber warfare operations.24 It demonstrated this with a “hard drive erasing malware” attack on Sony Pictures Entertainment in November 2014.25 After the Sony hack, multiple targets were hit in South Korea, including a “power and nuclear operator”,26 a concerning shift from entertainment to critical infrastructure. If this shift in North Korea’s choice of international cyber targets continues, North Korea will become a substantial threat to U.S. national security through cyberspace.

The North Korean Reconnaissance General Bureau’s Unit 121 is “strongly suspected of having a presence in China,” and takes an active part in North Korea’s cyber activities.27 North Korea also places cyber operatives in other countries to use those nations’ networks, making it very difficult to trace and attribute cyber acts to the North Korean government. Basing Unit 121 largely in China gives North Korea use of Chinese cyber infrastructure while minimizing the international repercussions for North Korea if it is caught conducting cyber warfare. At the same time, Chinese cyber operators can use the North Korean bureau as cover for PRC operations, gaining plausible deniability if caught and avoiding repercussions that would fall far harder on the PRC than on North Korea. North Korean state-sponsored cybercrime has grown quickly, with financial institutions targeted around the world, including the “successful cyber heist” of “an estimated $81 million” from Bangladesh Bank’s account at the Federal Reserve Bank of New York.28

Across the water in America’s backyard, the PRC has another substantial cyber ally: Cuba. For decades the Castro regime pursued a strategic course aimed at the long-term internal collapse of the United States, together with allies that have participated on a global scale, including Iran, the Russian Federation (RF), and the PRC, which has helped Cuba upgrade its outdated SIGINT technology. Cuba is “perfectly located” to intercept “all U.S. communications,” in “the only place outside of Fort Meade in the Western Hemisphere” that allows “large-scale interception of [U.S.] communications.”29 Combined with the communist government’s endless need for money to keep operating, the “trafficking of U.S. secrets” to the rest of the international community provides an enticing and lucrative business for the nation.30

Cuba is a significant cyber force, partially because of its location, and partially because of their associations and allies. One major threat factor from Cuba is their deeply rooted cooperation with Iranian intelligence operatives pervading Latin America, including active involvement with established Quds Force “operations units in Venezuela”,31 where “Cuban intelligence involvement … is deep and wide.”32 Another threat factor is Cuban cooperation with the strategic goals of Russian and Chinese subversion operations within the United States and around the world. When these nations’ forces are combined and viewed as a single cooperating threat, the following disturbing threat landscapes become clearly intertwined:
The Cuban Military Intelligence Directorate’s premium communications interception capabilities;
Iranian Quds Force operatives’ ability to freely multiply across America’s southern border, after being trained by Cuban intelligence to act, speak and present themselves as Hispanic in order to hide their Middle Eastern origins;
Combined Cuban and Iranian interests in supporting Hezbollah and other terrorist organizations;33
Massive offensive Chinese and Russian cyber operations targeting the American economic, political, election and technological infrastructures;34
Russian espionage training and nuclear technology expertise exported to America’s enemies around the world.

When these forces are viewed as a whole, the market for intelligence trading of United States-based information is a very black market indeed.

For instance, Russia trained the Cuban intelligence service. Cuba supports Hezbollah in Venezuela, with Iran, who is on the verge of becoming a nuclear power due to Russia and China. North Korea’s governance is in flux due to COVID-19, with power changes potentially shifting the nation away from peace. Russia continuously takes action to facilitate, and advocates for, America leaving the Middle East, with Iran’s help, including targeting American proxy forces around the world while incentivizing agitators where American forces operate, most notably in Iraq and Afghanistan. Iran partially controls Iraq, Cuba and Iran control Venezuela, and China has become the single most dominant force in cyberspace, working with Russia and other actors to subvert American stability. The global melting pot is about to start boiling, and if the United States does not re-establish itself as the global leader in cyberspace, technological advancements, and network security, the world of tomorrow could turn into a very unpleasant place. Active cyber engagements against the United States are not unique to the PRC and Russia, and another underappreciated cyber player needs to be addressed – Iran.

The Islamic Republic of Iran maintains a high degree of control over its society, including its business world, which gives the Iranian government and its cyber organization, the Iranian Cyber Army (ICA), cyber assets working both inside and outside the government.35 In March 2016 the U.S. Department of Justice unsealed an indictment of seven Iranians working for two Iranian companies, ITSecTeam and Mersad Company, charging them with cyber operations against the United States on behalf of the Iranian government.36 The hackers and the companies have known ties to the Iranian government, which gives them access to state cyber infrastructure in addition to the business infrastructure their organizations use day to day. The Iranian government has used a combination of government and state-sponsored hackers for a variety of cyber activities since 2009, including against targets in the United States. Among the acts charged in the indictment was a successful intrusion into the Supervisory Control and Data Acquisition (SCADA) system of the Bowman Avenue Dam in Rye Brook, New York. The access gained would have allowed the hackers, and through them the Iranian government, to operate the dam’s sluice gate, had the gate not been disconnected for maintenance at the time.37

The ICA, acting as an arm of the Islamic Revolutionary Guard Corps (IRGC), has also targeted online financial assets such as bank websites. According to the indictment, the targets were hit repeatedly over a long period with Distributed Denial of Service (DDoS) attacks that cost American financial institutions “tens of millions of dollars” to remediate.38 Victims included 46 major American financial institutions and “hundreds of thousands” of American customers.39 The ICA also redirected Twitter’s traffic to a defacement page in 2009, defaced the Chinese search engine Baidu in 2010, provoking a tit-for-tat exchange with Chinese hackers, and has defaced anti-Iranian-government and anti-Islamic websites in Europe and around the world.40 In 2016, Iranian hackers also used the messaging program Telegram to identify “15 million Iranian users” and to compromise the accounts of anti-government activists, using tactics similar to those of the IRGC.41 The Iranian government declined to comment.

Iran’s connections with various terrorist organizations around the world, including funding and material support to them,42 also suggest that cyber capabilities, cyber training, or cyber tools may be shared between the ICA and cyber terrorists. The world’s leading state sponsor of transnational radical Islamic terrorism gaining cyber capabilities that allow them to successfully penetrate the command and control systems of infrastructure networks and facilities within the United States is a scary concept and should be a top concern for the intelligence community and policymakers in America. Adversarial nations, including Russia, Iran, China, North Korea, and Cuba, have formed a massive global alliance to take advantage of perceived vulnerabilities in U.S. national security, and have the potential to establish themselves as the leading force in the world if left unchecked in cyberspace. These authoritarian cyber-threat nations do not care about individual liberties, viewing freedoms as a threat to their continued existence. It is therefore in their interest to eliminate freedom and liberty wherever they can, and many of them have attempted to do so in the U.S. through election interference down to the city level, infiltration of campaigns, and influence operations designed to subvert one of the most important tenets of American independence – the right to vote.

In the relatively near future, governments, corporations, and individuals may lose the ability to keep their secrets and personal information safe, to ensure secure and accurate democratic elections, and to control or monitor the massive quantities of information constantly flowing through cyberspace. Cryptography is not a settled advantage for the defender: algorithms and key lengths that are secure today are retired as computing power and cryptanalytic techniques improve, a sufficiently large quantum computer would break the public-key algorithms in common use, and in practice most protected data is exposed not by breaking the mathematics but through flawed implementations, poor key management, and compromised endpoints. Whichever side first understands and closes those weaknesses, or first exploits them, holds the advantage, and a CND posture that lags the CNA capabilities of attackers leaves every system exposed. If America does not lead in cryptographic research and in deploying stronger algorithms before adversaries can break the current ones, U.S. leadership in the world will suffer and individual liberties will be put at great risk. Individual citizens of the United States and the rest of the free world have a responsibility that has been widely neglected as the world moves into the information age: to protect themselves against authoritarian subversion of their freedoms.

Cyberspace is not inherently safe; it is inherently unsafe, and careless use of electronic devices serves authoritarian goals of eliminating liberty from the world. Americans must gain a better understanding of network security, learning the vulnerabilities inherent in electronic devices, in order to secure their freedoms in cyberspace and maintain democracy in the world. Without fair and secure elections, liberty will die. America must re-establish itself as a global leader militarily, in cyberspace, and in human advancement and expansion into space, in order to maintain and advance the principles of individual freedom and humanitarianism in the international community. Internationally, one response to these growing cyber threats is the Tallinn Manual, a non-binding study by an independent group of legal experts convened at the invitation of NATO’s Cooperative Cyber Defence Centre of Excellence, which maps existing international law onto cyberspace activities in an attempt to apply the laws of war to cyber espionage and cyberattacks.43 By clarifying how law applies in cyberspace, it helps law enforcement organizations and national governments prepare to address future cyber activity targeting their nations or their people. The Tallinn Manual is a good first step, but the staircase keeps climbing, and it is up to the people to move forward, step by step, into the future.

Defining the Cyber Battlespace: Cyber Warfare, Networks and Threats

Cyber warfare divides into offensive and defensive activities. Offensive cyber warfare is the developing field of CNA operations, whose purpose is to cause physical or operational damage to an adversary, either with cyber capabilities alone or in conjunction with other forms of warfare.44 CND operations are the defensive side, including cyber counterintelligence initiatives designed to detect, prevent, and counter CNA directed at the defender. Cyber defenses include protective software and hardware, white-hat hackers who search for weaknesses in order to close them, and other measures against unauthorized network access or malicious activity. Computer Network Exploitation (CNE), or cyber espionage, is however the most prominent form of cyber warfare today. CNE is conducted regularly by every nation with a cyber capability, and by many non-state actors that use nation-state infrastructure to carry out operations. Stealing information has not traditionally been treated as a use of force that justifies conventional war, which makes CNE a relatively low-risk activity with potentially high payoffs, depending on the situation. That dynamic makes CNE enticing, widespread, and lucrative for nations and individuals alike.

Networks are one of the primary avenues of entry for CNE operations, and access to them must be protected to ensure information security. A network is essentially a set of devices linked together so they can exchange data. Networks can be closed or open. A closed network has no path to any outside network: for example, an internal business network that users can reach only from a computer physically connected to it. An open network accepts connections from outside, so anyone who can reach it and obtain credentials, or who controls an authorized device, can get in. The internet is an open network, and as such provides a conduit to every other network connected to it. SIPRNet, the Secret-level classified network used by the U.S. military, spans many sites as the internet does, but it is a closed network: it is not connected to the internet and cannot be reached by devices not accredited for it. Networks can be reached through other networks, through software, through hardware, or through direct physical interface, which means every network can be compromised by a variety of paths, all of which must be protected and monitored.

Networks can be compromised through inadequate software security, compromised hardware components, through the internet or another device on the same network, or directly by physical access. Attackers can manipulate a target’s software supply chain so that code delivered to a closed network carries a back door into the system. Compromising hardware components grants access in much the same way. When supply chains for electronics are outsourced to foreign countries, end users of American electronics are exposed to compromise by whichever nation manufactures the components. A closed network still consists of multiple devices connected to one another, so once one device on it is compromised, the entire network can be. All of these paths must be constantly secured and monitored in order to detect and prevent threats to the network’s integrity. A threat can come from essentially anyone with a computer and an internet connection, against any network connected to the internet, or connected directly or indirectly to any device that is in turn connected to the internet or capable of joining it over WiFi.45
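As an added example that is not part of the original article, the following Python script shows the two checks that the networks discussion above and the Titan Rain account (with its re-entry beacon) imply for a defender: that a supposedly closed segment never talks to an outside address, and that a compromised host calling home on a fixed schedule stands out in connection logs by the regularity of its timing, where a human-driven session does not. The log format, the 10.50.0.0/16 isolated segment, every host and destination address, and the thresholds are constructed assumptions for illustration only.

```python
"""Egress-violation and beacon detection over a constructed connection log.

Added example, not code from the original article. The log lines, address
ranges and thresholds are invented for illustration.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumed: 10.50.0.0/16 is the "closed" segment that must never reach outside.
ISOLATED_SEGMENT = ip_network("10.50.0.0/16")
# Assumed: anything in these ranges counts as inside the organisation.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
            ip_network("192.168.0.0/16")]

# Constructed firewall/connection log: "timestamp src dst dport bytes".
# 10.20.1.7 calls the same host every 60 s (a beacon); 10.20.1.9 is an
# irregular user session; 10.50.3.4 sits on the isolated segment and leaks out.
SAMPLE_LOG = """\
2021-04-15T00:00:00 10.20.1.7 93.184.216.34 443 1200
2021-04-15T00:01:00 10.20.1.7 93.184.216.34 443 1180
2021-04-15T00:02:00 10.20.1.7 93.184.216.34 443 1210
2021-04-15T00:03:00 10.20.1.7 93.184.216.34 443 1195
2021-04-15T00:04:00 10.20.1.7 93.184.216.34 443 1205
2021-04-15T00:05:00 10.20.1.7 93.184.216.34 443 1190
2021-04-15T00:00:13 10.20.1.9 198.51.100.10 443 58000
2021-04-15T00:00:47 10.20.1.9 198.51.100.10 443 610
2021-04-15T00:09:02 10.20.1.9 198.51.100.10 443 23000
2021-04-15T00:21:40 10.20.1.9 198.51.100.10 443 4400
2021-04-15T00:37:15 10.20.1.9 198.51.100.10 443 910
2021-04-15T00:02:30 10.50.3.4 10.50.3.1 445 9000
2021-04-15T00:02:31 10.50.3.4 203.0.113.5 8080 300
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        events.append({"ts": datetime.fromisoformat(ts),
                       "src": ip_address(src), "dst": ip_address(dst),
                       "dport": int(dport), "bytes": int(nbytes)})
    return events


def is_internal(ip):
    return any(ip in net for net in INTERNAL)


def find_egress_violations(events):
    """Any connection from the isolated segment to a non-internal address
    breaks the 'closed network' property; return (src, dst, dport) tuples."""
    return [(str(e["src"]), str(e["dst"]), e["dport"]) for e in events
            if e["src"] in ISOLATED_SEGMENT and not is_internal(e["dst"])]


def find_beacons(events, min_count=5, max_jitter=0.1):
    """Flag flows whose inter-arrival times are nearly constant.

    jitter = population stdev / mean of the gaps between connections.
    A scheduled call-home has jitter near 0; an interactive session does not.
    """
    flows = defaultdict(list)
    for e in events:
        flows[(str(e["src"]), str(e["dst"]), e["dport"])].append(e["ts"])
    findings = []
    for flow, times in flows.items():
        if len(times) < min_count:
            continue
        times.sort()  # logs are not guaranteed to arrive in time order
        deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(deltas)
        if period <= 0:  # duplicate timestamps; nothing to measure
            continue
        jitter = pstdev(deltas) / period
        if jitter <= max_jitter:
            findings.append({"flow": flow, "count": len(times),
                             "period_seconds": period, "jitter": jitter})
    return findings


def analyze(text):
    events = parse_log(text)
    return {"egress_violations": find_egress_violations(events),
            "beacons": find_beacons(events)}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for src, dst, port in report["egress_violations"]:
        print(f"EGRESS from isolated segment: {src} -> {dst}:{port}")
    for b in report["beacons"]:
        print(f"BEACON {b['flow']} every {b['period_seconds']:.0f}s "
              f"(n={b['count']}, jitter={b['jitter']:.2f})")
```

Run against the constructed log, the script reports one egress violation (10.50.3.4 reaching 203.0.113.5) and one beacon (10.20.1.7 every 60 seconds), while the bursty session from 10.20.1.9 is left alone. On real data the jitter threshold and minimum count need tuning, and legitimate periodic traffic (update checks, monitoring agents) must be allow-listed; the value of the check is that it does not depend on knowing the attacker's tooling, only on the behaviour a persistent foothold has to exhibit.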
