China emerges as leader in cyberwarfare

In recent weeks, China has been accused of hacking the Pentagon as well as British and German government offices.

September 14, 2007

When suspected Chinese hackers penetrated the Pentagon this summer, reports downplayed the cyberattack. The hackers hit a secure Pentagon system known as NIPRNet – but it only carries unclassified information and general e-mail, Department of Defense officials said.

Yet a central aim of the Chinese hackers may not have been top secrets, but a probe of the Pentagon network structure itself, some analysts argue. The NIPRNet (Non-classified Internet Protocol Router Network) is crucial in the quick deployment of US forces should China attack Taiwan. By crippling a Pentagon Net used to call US forces, China gains crucial hours and minutes in a lightning attack designed to force a Taiwan surrender, experts say.

China's presumed infiltration underscores an ever bolder and more advanced capability by its cybershock troops. Today, of an estimated 120 countries working on cyberwarfare, China, seeking great power status, has emerged as a leader.

"The Chinese are the first to use cyberattacks for political and military goals," says James Mulvenon, an expert on China's military and director of the Center for Intelligence and Research in Washington. "Whether it is battlefield preparation or hacking networks connected to the German chancellor, they are the first state actor to jump feet first into 21st-century cyberwarfare technology. This is clearly becoming a more serious and open problem."

China is hardly the only state conducting cyberespionage. "Everybody is hacking everybody," says Johannes Ullrich, an expert with the SANS Technology Institute, pointing to Israeli hacks against the US, and French hacks against European Union partners. But aspects of the Chinese approach worry him. "The part I am most afraid of is … staging probes inside key industries. It's almost like sleeper cells, having ways to [disrupt] systems when you need to if it ever came to war."

In recent weeks, China stands accused not only of the Pentagon attack, but also of daily striking German federal ministries and British government offices, including Parliament. After an investigation in May, officials at Germany's Office for the Protection of the Constitution told Der Spiegel that 60 percent of all cyberattacks on German systems come from China. Most originate in the cities of Lanzhou and Beijing, and in Guangdong Province, centers of high-tech military operations.

German Chancellor Angela Merkel publicly raised the issue with Chinese Premier Wen Jiabao in Beijing last month. Mr. Wen did not deny China's activity, but said it should stop. President George Bush, prior to his meeting with Chinese President Hu Jintao in Sydney, Australia, at the APEC summit last week, stated that respect of computer "systems" is "what we expect from people with whom we trade."

The accusations, hard to prove conclusively, still illumine an emerging theater of low-level attacks among nations. This spring, presumed Russian hackers made headlines with a one-off cyberblitz of Estonia, shutting down one of the most wired countries in Europe for a week – blunt payback for removal of a Soviet war memorial.

But China's cyberstrategy is deemed murkier and more widespread. The tenaciousness of Chinese hackers, whose skills were once derided by US cyberexperts, has begun to sink in among Western states and their intelligence services.

Probes of the Pentagon system that would bring US intervention should China attack Taiwan are part of a program dating to the 1990s that links cyberwarfare to real-world military action by China's People's Liberation Army. The very probe shows success in China's long-term program, experts say.

"The Chinese want to disrupt that unofficial network in a crucial time-frame inside a Taiwan scenario," says Mr. Mulvenon. "It is something they've written about. When you read what Chinese strategists say, it is the unclassified network they will go after … to delay deployment. China is developing tremendous capability."

Much of the hacking prowess in China is attributed to "gray hat" hackers – techie mercenaries, often younger males, geeks proud of the title – who can be mobilized to attack systems if needed, experts say.

In cyberparlance, black hats are hackers whose professional life is spent trying to attack other systems. White hats are those who defend against attacks. But China is regarded as having a substantial number of hackers in the gray middle – cutting-edge technopatriots loosely affiliated with the Chinese government, but who are not formal agents of the state.

This allows many Chinese hackers to exist in a zone of deniability. To be sure, provability and deniability are central in cyberwarfare. The most difficult problem is how to prove who hacks a system.

In recent weeks, Beijing has officially expressed shock, pain, and denial at news reports like those in Der Spiegel fingering China, and at a host of official and semi-official accusations. But China's ardent denials, in the face of its own professed desire to be a cyberattack specialist, are not entirely persuasive, analysts say.

"Sometimes [Chinese] will brag about their exploits, and other times they'll disclaim them entirely, blaming unknown rogue individuals," says Bill Woodcock, research director at Packet Clearing House, a nonprofit research institute that focuses on Internet security and stability.

The new focus by other governments on China's capabilities is part of getting to know a country long criticized for a lack of transparency. "China's ambitions are quite extensive. It is a great power that is rising, and so other people want to scrutinize you. That's part of being a great society," says a veteran European China-watcher in Beijing. "When you hack into the private files of other governments, people want to know what you are doing. If you talk about a harmonious world, and a harmonious society, and then you do things that aren't harmonious – you get called out."

Of particular alarm for Washington and other world capitals are so-called "zero-day attacks" – cyberpenetrations that look for software flaws to exploit. This is not an uncommon pastime for hackers. But in China's case, suspicion falls on professional hackers, says Sami Saydjari, a Defense Department computer-security veteran who now heads a firm called Cyber Defense Agency in Wisconsin.

"The Chinese ... [put] very strong controls over … their Internet, and it's highly unlikely there are hacker groups that have any substantial level of capability they don't control," says Mr. Saydjari.

Analysts say China constantly probes US military networks. But attributing this conclusively to the People's Liberation Army, fingered by German officials in Der Spiegel, is almost impossible. Tracing attacks to their source requires the help of those who control each link, or router, along the path.

Proving cyberattacks involves what Mulvenon calls the "Tarzana, California, problem." How does one know an attack "isn't coming from a kid in Tarzana who is bouncing off a Chinese server?" Mulvenon asks. "You don't. You can't predicate a response based on perfect knowledge of the attacker. But we think that correlation is causation. That is, 'Who benefits?' The best-case analysis is to correlate attacks with what Chinese have always said and written their goals are, which makes them by far the most likely suspect."

Cyberpenetration runs the gamut, from simple to sophisticated. There's a simple "Trojan horse attack," for example, said to be used against the German chancellery. Hackers send what appears to be a legitimate e-mail. When opened, it installs malicious software that allows hackers to open files in a private network, or disrupt it. A Trojan horse is not surprising in an unclassified system, says Saydjari. "But some of the attacks attributed to China have been quite sophisticated."

Beijing's control showed in September 2003, when the company that administers .com and .net domain names made unilateral changes to the Internet's functioning. System administrators around the world scrambled to make piecemeal fixes.

"The domain-name system was broken for more than two weeks for the rest of the world, but after a brief interruption, it got mysteriously … unbroken inside China after eight days," says Mr. Woodcock.

PLA doctrine explicitly states that information-technology disruption is part of "asymmetric" warfare. The US is more vulnerable than China to a cyberattack, says Saydjari, because of its greater reliance on high-tech, networked systems.

The PLA's "People's War" doctrine argues that all able-minded People's Republic computer users have a responsibility to fight for China with their laptops, says Woodcock. He argues that Beijing might call on ethnic Chinese hackers in any part of the world, hoping they might help. Even nonhackers might be asked to participate in "denial of service" (DoS) attacks – a weapon to shut down enemy websites that requires massive numbers of computers to accomplish. "The power of numbers is on their side," Woodcock says. China has the largest DoS capability in the world, he says, a concern to private-sector companies as well.

So far, China doesn't seem to be organizing DoS attacks, says Mr. Ullrich. During the EP-3 spy plane spat between the US and China in early 2001, some Chinese youths launched DoS attacks. But the government curtailed the attacks.

For several years, China has focused most of its military research and production on a high-tech air and missile-attack force – to overwhelm Taiwan. Hence, China's probe of the Pentagon NIPRNet. "They want to be able to attack the Net. They don't need a supersexy penetration program," Mulvenon argues. "They just bomb the Net itself. They disrupt the deployment of our military, simultaneously saturate Taiwan, delay the US arrival, and Taiwan capitulates. It's what they talk about."