The Department of Defense (DOD), in an unclassified summary of its 2023 Cyber Strategy, identifies China as the most flagrant threat to the United States in the realm of cybersecurity.
A classified version of the report, presented to Congress four months ago, serves as the blueprint for communicating defense priorities for the Pentagon’s 2022 National Security Strategy, 2022 National Defense Strategy, and the 2023 National Cybersecurity Strategy.
“This strategy draws on lessons learned from years of conducting cyber operations and our close observation of how cyber has been used in the Russia-Ukraine war,” according to Assistant Secretary of Defense for Space Policy John Plumb. “It has driven home the need to work closely with our allies, partners, and industry to make sure we have the right cyber capabilities, cyber security, and cyber resilience to help deter conflict and to fight and win if deterrence fails.”
While much attention has been focused on Russia’s extensive cyber operations in recent years, especially ransomware and the disruption of critical infrastructure in the wake of Moscow’s full-scale incursion into Ukraine last year, many experts now assert that Beijing poses the more significant long-term threat to U.S. national security.
“China poses the most severe cyber threat to the United States by far. China persistently uses cyber espionage as an intelligence and economic tool, and it is better positioned than any other state to launch destructive cyber-attacks on the U.S. if it chooses,” Mike Sexton, Senior Policy Advisor for Cyber and AI at Third Way’s National Security Program, told The Cipher Brief. “That said, preventing US-China tensions from escalating to that point is one of the highest priorities of the Biden administration, so hopefully, the full extent of the threat will never manifest.”
According to data from cybersecurity technology firm CrowdStrike, China is estimated to have been behind 67 percent of state-sponsored cyber-attacks from mid-2020 to 2021, while the Russian government accounted for only one percent.
In July, U.S. officials and Microsoft disclosed that the U.S. State Department had unearthed a widespread Chinese hacking offensive that targeted senior officials, including U.S. Commerce Secretary Gina Raimondo, and said the group had breached the email accounts of close to 25 organizations.
It was revealed earlier in the summer that suspected Beijing-backed hackers exploited a security vulnerability in Barracuda email security appliances to access the networks of hundreds of public and private organizations – one-third of them government agencies. The Google-owned cybersecurity firm Mandiant called the breach the “broadest cyber espionage campaign known to be conducted by a China-nexus threat actor since the mass exploitation of Microsoft Exchange in early 2021”. It conveyed “high confidence” that the “espionage activity,” which likely started as early as last October, was done “in support of the People’s Republic of China.”
Microsoft’s threat intelligence team also asserted earlier this year that Chinese government-backed hacking groups have been surreptitiously targeting U.S. critical infrastructure, potentially laying the groundwork to disrupt the information, commerce and transport links between Washington and its Asian partners in a time of crisis. In particular, Microsoft pointed to the state-sponsored group Volt Typhoon as having operated through compromised network devices, sensors and routers since mid-2021, targeting sectors ranging from communications, manufacturing and utilities to maritime, government, construction and education.
In 2020, the Department of Justice indicted four members of the Chinese military for electronic penetrations that collected mass amounts of raw intelligence from OPM, Anthem, Equifax and Marriott.
Analysts say that while Russian cyber incursions are typically associated with sowing chaos, Beijing’s approach hinges on remaining as clandestine and quiet as possible: some of its operations seek to destroy, while others endeavor to collect intelligence.
“China has historically been an extremely rational actor in its use of cyber. North Korea, Iran, and Russia have all leveraged their cyber power vindictively in the past, where it does not materially advance the national interest; China does not do this, although independent patriotic hackers may,” Sexton noted. “The Obama administration was briefly able to negotiate an agreement with China to cease economic espionage, but it did not last. This is an intractable asymmetric threat, as the U.S. government would never conduct cyber espionage to enrich its private sector, whereas this is routine in China.”
Sexton says Russia’s strategy is “slapdash and chaotic, largely because it outsources much of the state’s cyber work to cybercrime syndicates that operate with impunity in their territory under the tacit condition that they do not target Russia or its sphere of influence,” while the Chinese technique is “utilitarian, disciplined, and systematic,” conducted with “zealous aggression” but rarely resulting in material damage.
Steven Stanford, a Threat, Risk and Vulnerability Expert and retired U.S. Secret Service agent, pointed out that unlike the Russians and other Eastern European (former Soviet Bloc) hackers, the Chinese conduct their cyber-attacks based on geopolitical positioning or for business (private sector) intelligence purposes.
“The Chinese cyberattack operations pose the biggest threat to military operations and U.S. critical infrastructure, which most if not all are private sector businesses,” he explained. “Whereas the Russians and their former Soviet Bloc partners conduct cyber operations primarily to make/steal/extort money, the Chinese are in it to steal trade/technical secrets and disrupt government operations.”
So, what does China want?
Experts say the Chinese Communist Party (CCP) is primarily focused on stealing intellectual property from various industries, ranging from telecommunications and pharmaceuticals to aviation and manufacturing. Three years ago, Washington accused Beijing of trying to plunder sensitive information from leading COVID-19 vaccine developer Moderna.
The House China Select Committee this year expressed concern over the vulnerability of U.S. ports, contending that the CCP could be snooping via the ship-to-shore (STS) cranes Americans buy from Chinese-owned conglomerate ZPMC. These cranes are vital to America’s global trade, loading and unloading cargo from container ships.
FBI Director Christopher Wray said in January that the Bureau had two thousand open probes into purported theft of technology and information by the CCP, and that the Bureau was effectively opening a new case every twelve hours. He called the Chinese cyber threat “unparalleled”.
Although the United States is perceived as one of the most technologically advanced countries in the cyber-sphere, officials caution that Chinese capabilities are rapidly improving. Once characterized as relatively unrefined in its cyber pursuits, Beijing has seemingly matured its hacking enterprise to bolster a stealthy stream of aggressions against the U.S. and its global interests – aggressions that can circumvent prevalent security mechanisms and go undiscovered for extensive periods of time.
“China’s cyber threat is rising along with the country’s technological development and geopolitical ambitions. Chinese cyber threat actors have executed increasingly sophisticated campaigns and developed a structured modus operandi, including an enhanced capabilities-sharing system,” warns Eugenio Benincasa, a Senior Cyber Defense Researcher at the Cyber Defense Project for the Center for Security Studies (CSS). “Simultaneously, they appear to be cultivating a higher tolerance for risk and adopting bolder tactics, showing reduced deterrence from public exposures and indictments.”
Benincasa said China’s cyber offensive capabilities have gradually evolved over the past two decades, with a distinct shift in approach that became evident following the transfer of power in 2013 from former President Hu Jintao to President Xi Jinping.
“In the early phase of Chinese operations, China’s People’s Liberation Army (PLA) assumed a leading role in conducting cyber activities. During this period, PLA operations frequently employed crude and disruptive ‘smash-and-grab’ tactics that mostly ignored operational stealth, leaving little room for plausible deniability,” he continued. “This was apparent as the perpetrators left behind multiple forensic clues that could assist defenders in identifying them. Beijing later shifted a significant portion of cyber operations control from the PLA to the Ministry of State Security (MSS), China’s premier intelligence agency.”
In contrast to the PLA’s earlier “smash-and-grab” approach in the first decade of the 2000s, Benincasa noted that the MSS adopted a more covert strategy, including “employing intermediaries, front companies, and contractors.”
“The MSS aimed to uphold plausible deniability and establish networks of recruited individuals and organizations that could shoulder blame if exposed. This strategy sometimes extended to the extent of outsourcing to criminal elements,” he explained. “Chinese threat actors deploy diverse tactics for initial access, encompassing social engineering, strategic web compromise, and SQL injection. Recent analyses have unveiled that state-linked Chinese groups have exploited more zero-day vulnerabilities than any other nation. The restructuring of China’s offensive ecosystem has significantly emphasized exerting control over discovering and disclosing new vulnerabilities. With regard to skills and capabilities, China’s cyber threat actors’ sophistication will likely continue to evolve.”
Washington has also blamed Chinese universities for playing a vital part in hacking operations, from recruiting students to using front companies to infiltrate pivotal sectors.
“China’s higher education system plays a major role in its cyber and AI strategies,” said Sexton. “Universities and other institutions offer many ‘cyber ranges,’ which allow cybersecurity experts and students to test offensive and defense cyber capabilities.”
So, what is Washington doing about the burgeoning security risk of Chinese cyberattacks?
“In response to the Chinese, as well as other state-sponsored cyber attackers, the U.S. has created multiple entities to help educate, deter and investigate cyber-attacks,” said Stanford. “A few are NSA, CISA, FBI Cyber, U.S. Cyber Command and the Secret Service Cyber. In addition, the Five Eyes and their cyber security, NSA-type agencies are all working together to combat Chinese cyberattacks.”
In March, the White House unveiled its digital defense plan, pledging to utilize “all instruments of national power” to disrupt and disassemble malicious cyber actors.
“Since 2013, the U.S. has been openly confronting China regarding its cyberespionage activities, presenting distinct demands,” said Benincasa. “This could be considered tricky since there is no general prohibition against espionage in international law, and Beijing’s operations fall within a gray zone that remains below the threshold of coercion. Washington’s demands were never met, and for years, the US has been the main actor publicly denouncing China for its cyber espionage activities, releasing multiple attribution statements and indictments of individual intelligence operatives involved in such operations.”
In his view, discerning the intent of operations that go beyond espionage is difficult, leaving the U.S. with limited options beyond fortifying its cyber defenses to detect and terminate espionage campaigns.
“At the same time, (the U.S.) should actively raise awareness of potential threats and promote information sharing with its allies both privately as well as publicly by means of attribution statements and indictments to rally support from countries with less advanced technical capabilities for detecting similar threats,” said Benincasa. “Additionally, it should openly condemn other concerning practices by China in cyberspace. This is particularly true concerning China’s introduction of regulatory requirements related to vulnerability discovery and disclosure processes. These allow for intrusive access to domestic network systems and foreign technology firms by China’s government agencies and establish channels for redirecting vulnerability research findings into state-sponsored cyber espionage operations.”
Alongside the recently released unclassified summary, the DOD said the strategy emphasizes continued collaboration “with domestic partners across the federal government to share best practice and expertise.”
“We will deepen our relationship with private industry through voluntary and timely information sharing,” Deputy Assistant Secretary of Defense for Cyber Policy Mieke Eoyang told reporters this month.
Unlike with other cyber-capable players such as Iran and Russia, experts warn that the full breadth of Chinese capabilities has yet to be seen.