China syndrome

China bolsters its information warfare capabilities

Published 24 October 2009

One of the chief strategies driving the process of modernization (known in China as “informatization”) in the PLA is the coordinated use of CNO, electronic warfare (EW), and kinetic strikes designed to strike an enemy’s networked information systems, creating “blind spots” that PLA forces could exploit at predetermined times or as the tactical situation warranted.

The U.S.-China Economic and Security Review Commission has just released a new report, titled “Capability of the People’s Republic of China to Conduct Cyber Warfare and Computer Network Exploitation.” The report details how China is integrating computer network operations (CNO) into its military doctrine and operations. Of special interest to us is the way China is using its computer network exploitation (CNE) capabilities for spying on Western governments and industry. Here is the relevant section from the report’s executive summary:

China is likely using its maturing computer network exploitation capability to support intelligence collection against the U.S. Government and industry by conducting a long-term, sophisticated, computer network exploitation campaign. The problem is characterized by disciplined, standardized operations, sophisticated techniques, access to high-end software development resources, a deep knowledge of the targeted networks, and an ability to sustain activities inside targeted networks, sometimes over a period of months.

Analysis of these intrusions is yielding increasing evidence that the intruders are turning to Chinese “black hat” programmers (i.e., individuals who support illegal hacking activities) for customized tools that exploit vulnerabilities in software that vendors have not yet discovered. This type of attack is known as a “zero-day exploit” (or “0-day”), as the defenders haven’t yet started counting the days since the release of vulnerability information. Although these relationships do not prove any government affiliation, they suggest that the individuals participating in ongoing penetrations of U.S. networks have Chinese language skills and have well-established ties with the Chinese underground hacker community. Alternatively, it may imply that the individuals targeting U.S. networks have access to a well-resourced infrastructure that is able to broker these relationships with the Chinese black hat hacker community and provide tool development support, often while an operation is underway.

The depth of resources necessary to sustain the scope of computer network exploitation targeting the U.S. and many countries around the world, coupled with the extremely focused targeting of defense engineering data, U.S. military operational information, and China-related policy information, is beyond the capabilities or profile of virtually all organized cybercriminal enterprises and is difficult at best without some type of state sponsorship.

The type of information often targeted for exfiltration has no inherent monetary value to cybercriminals, unlike credit card numbers or bank account information. If the stolen information is being brokered to interested countries by a third party, the activity can still technically be considered “state-sponsored,” regardless of the affiliation of the actual operators at the keyboard.

The U.S. information targeted to date could potentially benefit a nation-state defense industry, space program, selected civilian high technology industries, foreign policymakers interested in U.S. leadership thinking on key China issues, and foreign military planners building an intelligence picture of U.S. defense networks, logistics, and related military capabilities that could be exploited during a crisis. The breadth of targets and range of potential “customers” of this data suggests the existence of a collection management infrastructure or other oversight to effectively control the range of activities underway, sometimes nearly simultaneously.

In a conflict with the U.S., China will likely use its CNO capabilities to attack select nodes on the military’s Non-classified Internet Protocol Router Network (NIPRNET) and unclassified DoD and civilian contractor logistics networks in the continental U.S. (CONUS) and allied countries in the Asia-Pacific region. The stated goal in targeting these systems is to delay U.S. deployments and impact the combat effectiveness of troops already in theater.

No authoritative PLA open source document identifies the specific criteria for employing computer network attack against an adversary or what types of CNO actions PRC leaders believe constitute an act of war.

Ultimately, the only distinction between computer network exploitation and attack is the intent of the operator at the keyboard: The skill sets needed to penetrate a network for intelligence gathering purposes in peacetime are the same skills necessary to penetrate that network for offensive action during wartime. The difference is what the operator at that keyboard does with (or to) the information once inside the targeted network. If Chinese operators are, indeed, responsible for even some of the current exploitation efforts targeting U.S. Government and commercial networks, then they may have already demonstrated that they possess a mature and operationally proficient CNO capability.