The US and China have significant differences on the legitimate uses and preferred shape of cyberspace. The 2011 White House International Strategy for Cyberspace, for example, states that the US will work toward an “open, interoperable, secure, and reliable information and communications infrastructure.”
In contrast, Beijing has argued for a norm of cybersovereignty, the idea that states have the right to control their own cyberspace much like they do any other domain or territory.
While China has become increasingly more vocal and assertive about how cyberspace should be governed, it has yet to offer any justifications on how and why a state may conduct computer network attacks or espionage. Still, even in the absence of any official Chinese policies, it is possible to identify the motivations of state-backed hackers. Chinese leaders view cyberspace as essential to fostering economic growth, protecting and preserving the rule of the Chinese Communist Party, and maintaining domestic stability and national security.
Given these overarching interests, computer network operations are conducted to achieve three goals: To strengthen the competitiveness of the Chinese economy by acquiring foreign technology by cyber espionage; weaken opponents of the regime and resist international pressures and foreign ideologies; and offset US dominance in conventional military capabilities.
Confronted by China-based hacking, the US has had some success in shaping Chinese cyber economic espionage, and in identifying a few norms that may limit cyberconflict. These agreements have emerged in part because the US has been able both to threaten and appeal to Chinese interests. Washington, however, is much less likely to get Beijing to exercise restraint in espionage directed at political and military targets because they remain tied to regime survival and national security.
Cyber espionage as technology policy
Chinese cyberoperations are scattered across services and ministries. The People’s Liberation Army (PLA) General Staff Department Third Department is responsible for many cyberespionage operations and manages at least 12 operational bureaus and three research institutes. Joe McReynolds argues that there are two other types of forces: PLA-authorized forces which are teams of specialists in the Ministry of State Security and the Ministry of Public Security authorized to carry out network warfare operations; and nongovernmental forces that spontaneously engage in network attack and defense, but can be organized and mobilized for network warfare operations by the PLA if necessary.
In addition, some attacks seem to occur without the government’s knowledge or direction, undertaken by criminals and freelance actors. Criminals and state-backed hackers often “operate in the same environment and sometimes against similar categories of targets,” and PLA hackers may conduct attacks for personal gain on their own time.
The vast bulk of computer attacks originating from China have targeted private sector companies in an effort to steal intellectual property, trade secrets, and other information that could help China become economically more competitive. Chinese policymakers do not want the country to be the “factory to the world” forever, and worry that the economy is too dependent on labor-intensive, low-end manufacturing and too reliant on foreign technology. As President Xi Jinping told a gathering of the country’s top scientists and engineers in June 2014, “Only if core technologies are in our own hands can we truly hold the initiative in competition and development. Only then can we fundamentally ensure our national economic security, defense security and other aspects of security.”
To become more innovative, China has significantly ramped up spending on research and development, expanded enrollment in science, technology, engineering, and mathematic disciplines at universities, and promoted research megaprojects in areas such as extra-large scale integrated circuit manufacturing, manned aerospace and moon exploration, nanotechnology, protein science, and quantum research. The stated goal is for China to become a 'world leading' science and technology power by 2049, the centenary anniversary of the founding of the People's Republic of China.
The country has also, however, relied on industrial espionage directed at high technology and advanced manufacturing companies. Hackers have also reportedly targeted the negotiation strategies and financial information of energy, banking, law, pharmaceuticals, and other companies. In 2013, the Commission on the Theft of American Intellectual Property, chaired by former Director of National Intelligence Admiral Dennis Blair and former US Ambassador to China Jon Huntsman, estimated that the theft of intellectual property totaled $300 billion annually, with 50 to 80 percent of that being from China.
CrowdStrike, FireEye, ThreatConnect, Defense Group, and other cybersecurity firms have used IP addresses, domain names, malware, shared techniques, and other technical measures to identify Chinese hacking groups tied to the PLA as being behind the economic espionage. The Department of Justice released similar evidence when it indicted five PLA hackers for stealing the business plans, internal deliberations, and other intellectual property of Westinghouse Electric, United States Steel Corporation, and other companies. The attacks are not solely on US companies. Security firms have identified victims in Germany, Australia, Japan, India, and the United Kingdom.
Domestic stability, information control, and intelligence collection
State-supported hackers also use cyberattacks to gather information on agencies, institutions, and individuals who might influence international debates on topics of importance to Beijing or threaten domestic stability. The embassies, foreign ministries, and other government offices of Germany, India, Indonesia, Romania, South Korea, Taiwan, and others have been targeted. China-based actors allegedly hacked the computers of the 2008 Barack Obama and John McCain presidential campaigns, State Department, White House; the UK Foreign Office, House of Commons, and Ministry of Defense; and the computers of former Australian Prime Minister Julia Gillard and ten federal ministers, including the foreign minister and defense minister.
There are also a set of targets connected to domestic stability and regime legitimacy. Tibetan and Uighur activists have been targeted and think-tanks and other nongovernmental organizations and academic institutions who deal with China have also had their networks penetrated. Journalists have had their Gmail accounts compromised, and hackers attacked The New York Times after it published a story on the wealth of the family of Wen Jiabao, China’s former prime minister. The Wall Street Journal, Washington Post, and Bloomberg, which published a series on the business empires of the families of other Chinese leaders, including President Xi Jinping, were all also attacked.
One of the most high-profile attacks in the Sino-US relationship has been tied to intelligence and counter intelligence operations. In June 2015, US media reported that Chinese hackers had gained access to the servers of the Office of Personnel Management (OPM), allowing them to steal 22 million records, including security background checks and data on intelligence and military personnel. These records included the Standard Form-86, which contains information perfect for blackmail – records of financial trouble, drug use, alcohol abuse, and adulterous affairs. The records might also allow Chinese counterintelligence agencies to identify spies working undercover at US embassies around the world. China’s Ministry of State Security reportedly combined medical data stolen from Anthem insurance – which included Social Security Numbers and other personal data of 80 million current and former members and employees – and OPM security files together to create a more complete picture of US officials. “This is part of their strategic goal — to increase their intelligence collection via big-data theft and big-data aggregation,” a US government official told The Washington Post.
Preparing for informationized wars
The 2015 Chinese Military Strategy White Paper states that the PLA must prepare for “informationized local wars” against technologically advanced adversaries. As a result, Chinese hackers breach Defense Department networks in order to better understand US military capabilities, accelerate the modernization of the People’s Liberation Army, and prepare of military conflict and the disruption of US forces.
Two PLA groups, Units 61938 and 61486, have reportedly stolen information from over two dozen Defense Department weapons programs, including the Patriot missile system and the US Navy’s new littoral combat ship. The most high-profile case has been the hacking of defense contractors involved in the F-35, which have forced the redesign of specialized communications and antenna arrays for the stealth aircraft. Department of Defense officials say that the most sensitive flight control data were not taken because they were stored offline, but the fuselage of China’s second stealth fighter jet, the J-31, is very similar to that of the F-35. In response to a question about attacks on defense contractors, Lieutenant General Vincent Stewart, director of the Defense Intelligence Agency, told a congressional hearing, “I do not believe we are at this point losing our technological edge, but it is at risk based on some of their cyberactivities,” referring to China.
Chinese hackers also break into US networks in preparation for a potential military conflict. Chinese military analysts often write of the PLA’s need to seize information dominance at the beginning stages of a conflict with a technologically advanced adversary through cyber attacks against command and control computers as well as satellite and communication networks. The PLA would also attempt to disrupt US forces in the Western Pacific through attacks on transportation and logistics systems. Preparing for these attacks requires cyber espionage.
Chinese military writings also suggest that cyberattacks can have a deterrent effect, given American dependence on banking, telecommunication, and other critical networks. A highly disruptive or destructive attack on these networks might reduce the chances that the United States might get involved in a regional conflict. Some Chinese intrusions into critical infrastructure may intentionally leave evidence behind to act as a warning that the US homeland may not be immune to attack in the case of a conflict over Taiwan or the South China Sea.
The US response and the future of Chinese hacking
In addition to improving government and private sector network defenses through efforts such as information sharing and President Obama’s Cybersecurity National Action Plan, the US has responded to state-sponsored Chinese cyberattacks in two ways.
First, Washington has tried to create a distinction between legitimate espionage for political and military interests and the cyber enabled theft of intellectual property. As President Obama framed it, “Every country in the world, large and small, engages in intelligence gathering. There is a big difference between China wanting to figure out how can they find out what my talking points are when I’m meeting with the Japanese which is standard and a hacker directly connected with the Chinese government or the Chinese military breaking into Apple’s software systems to see if they can obtain the designs for the latest Apple product. That’s theft. And we can’t tolerate that.”
Beginning in April 2013, US officials adopted a strategy of naming and shaming, publicly calling out China for economic espionage. This provoked denials and counterclaims from Beijing, especially after disclosures from the National Security Agency contractor Edward Snowden that the US was engaged in surveillance and cyber espionage. After the US indicted five PLA hackers in May 2014, the Chinese government suspended a bilateral working group on cybersecurity established the previous July.
What finally seems to have gotten Beijing’s attention was the threat of sanctions and the possible disruption of the planned September 2015 summit meeting between presidents Xi and Obama. In the weeks before the meeting, officials suggested that the US would sanction Chinese individuals or entities that benefited from cybertheft. Beijing dispatched Meng Jianzhu, a member of the politburo responsible for state security, to negotiate, and during the summit the US and China announced an accord in which “neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.” Washington and Beijing also agreed to identify and endorse norms of behavior in cyberspace and establish two high-level working groups and a hotline between the two sides.
China and Britain reached a similar agreement a month later, and in November 2015, China, Brazil, Russia, the US, and other members of the Group of Twenty accepted the norm against conducting or supporting the cyber-enabled theft of intellectual property. The cybersecurity firm FireEye has reported a decline in the number, a trend confirmed by Assistant Attorney General John Carlin. In fact, FireEye argues the decline may predate the agreement, motivated by China’s desire to modernize the PLA and bring cyber operations under more centralized control as well as a side effect of Xi Jinping’s anti-corruption campaign and efforts to clamp down on criminal use of state resources. The decline in number of attacks may be accompanied, however, by a rise in the sophistication of attacks.
As a complement to the effort to create a prohibition against economic espionage, Washington has engaged Beijing in discussion about some of the norms of behavior for cyberconflict. Chinese hackers have reportedly broken into industrial control systems, and Adm. Mike Rogers, head of US Cyber Command and the director of the National Security Agency, told a congressional panel that China and “one or two” other countries would be capable of mounting a cyberattack that could shut down the power grid or other critical infrastructure. It must be assumed that the US conducts similar spying against Chinese networks, and the two sides have a shared interest in preventing escalatory cyber operations — attacks that one side sees as legitimate espionage but the other views as prepping the battlefield — that could lead to kinetic assaults.
In 2015, a group of government experts at the United Nations that included representatives from China, the US, Russia, and other countries, published a report arguing for a number of peacetime norms, including that states should not conduct activity that intentionally damages critical infrastructure or interferes with another country’s cyber emergency responders. China and the US reaffirmed their commitment to these norm in the September 2015 accords, and at the June 2016 Strategic and Economic Dialogue.
While China may in the future exercise restraint in the areas of economic espionage and attacks designed to prepare for conflict, there is no reason to expect similar limitations with cyberespionage on foreign political and military targets. These attacks will continue not only because they are tightly tied to domestic stability and national security, but also because no state has publicly repudiated espionage as a legitimate tool of statecraft, including the US.
The challenge for Beijing and Washington is to insulate the areas of shared interests from the political swings in the relationship that are bound to occur when intelligence gathering operations like the OPM hack or attacks on the Pentagon are discovered and revealed.
Adam Segal is the Ira A. Lipman chair in emerging technologies and national security and director of the Digital and Cyberspace Policy Program at the Council on Foreign Relations.