Cyber War: The Next Threat to National Security and What to Do About It (8 page)

As Desert Storm unfolded, Americans sat glued to their TVs, watching those grainy videos of bombs being dropped down smokestacks. They cheered the renewed prowess of the once-again formidable American military. Saddam Hussein’s army was the fourth-largest in the world. His weapons, largely of Soviet make and design, the same as China’s arsenal, were mostly destroyed from the air before they could ever be used. The U.S. ground war lasted one hundred hours, following thirty-eight days of air strikes. Among those watching on television were the leaders of the Chinese military. The former Director of National Intelligence, Admiral Mike McConnell, believes that “the Chinese received a big shock when watching the action of Desert Storm.” Later they probably read
The First Information War
and other accounts and realized how far behind they really were. They soon began referring to the Gulf War as
zhongda biange
, “the great transformation.”

For a period of several years in the mid-1990s the Chinese talked very openly, for a Communist police state, about what they had learned from the Gulf War. They noted that their strategy had been to defeat the U.S. by overwhelming numbers if a war ever happened. Now they concluded that that strategy would not work. They began to downsize their military and invest in new technologies. One of those technologies was
wangluohua
, “networkization,” to deal with the “new battlefield of computers.” What they talked about publicly then sounds strikingly similar to what the U.S. Air Force generals were saying. Writing in his military’s daily paper, one Chinese expert explained that “the enemy country can receive a paralyzing blow through the Internet.” A senior colonel, perhaps thinking of the U.S. and China, wrote that “a superior force that loses information dominance will be beaten, while an inferior one that seizes
information dominance will be able to win.” Major General Wang Pufeng, head of strategy at the military academy, wrote openly of the goal of
zhixinxiquan
, “information dominance.” Major General Dai Qingmin of the General Staff stated that such dominance could only be achieved by preemptive cyber attack. These strategists created “Integrated Network Electronic Warfare,” something similar to the Netcentric Warfare fad that was sweeping the Pentagon.

By the end of the 1990s, China’s strategists had converged on the idea that cyber warfare could be used by China to make up for its qualitative military deficiencies when compared to the United States. Admiral McConnell believes that “the Chinese concluded from the Desert Storm experience that their counter approach had to be to challenge America’s control of the battlespace by building capabilities to knock out our satellites and invade our cyber networks. In the name of the defense of China in this new world, the Chinese feel they have to remove that advantage of the U.S. in the event of a war.”

A recurring word in these Chinese statements was “asymmetry” likewise, the phrase “asymmetric warfare.” Much of what we know about China’s asymmetric warfare doctrine is contained in a slim volume translated as
Unrestricted Warfare
. The book, written by two high-ranking Chinese army colonels, was first published in 1999. It provides a blueprint for how weaker countries can outmaneuver status quo powers using weapons and tactics that fall outside the traditional military spectrum. The publishers of the most widely available English translation view the book as “China’s master plan to destroy America,” a subtitle the Americans added to the front cover of the U.S. edition. And in case the reader misses the point, the cover shows the World Trade Center engulfed in flames. A quote on the back, from a right-wing lunatic, claims that the book “is evidence linking China to 9-11.” Despite the right-wing rhetoric surrounding the U.S. edition, the book is one of the best windows
through which we can understand Chinese military thinking on cyber war.

The book advocates tactics that have become known as
shashoujian
, the “assassin’s mace,” meant to take advantage of weaknesses created by an adversary’s seemingly superior conventional capabilities. The goal of the strategy is “fighting the fight that fits one’s weapons” and “making the weapons to fit the fight.” It proposes a strategy of ignoring the traditional rules of conflict, including, at its extreme, the prohibition on targeting civilians. It also advocates manipulating foreign media, flooding enemy countries with drugs, controlling the markets for natural resources, and joining international legal bodies in order to bend them to one’s will. For a book written a decade ago, it also places a heavy emphasis on cyber war.

This possible use of cyber war against a superior force does not mean that China is in fact intent on fighting the U.S., just that its military planners recognize that war with the U.S. is a contingency for which they must plan. The Chinese government has adopted the phrase “peacefully rising” to describe the country’s projected emergence as a (if not
the
) global superpower in the twenty-first century. Yet Admiral Mike McConnell believes that “the Chinese are exploiting our systems for information advantage, looking for the characteristics of a weapons system or academic research on plasma physics.” China’s rapid economic growth and dependence upon global resources, as well as its disputes with its neighbors (Taiwan, Vietnam), probably suggest to its military, however, that they have to be ready for possible conflict someday. And they are getting ready.

To the head of the U.S. military, Admiral Mike Mullen (Chairman of the Joint Chiefs of Staff), it all looks like it is aimed squarely at the United States. “[China is] developing capabilities that are very maritime focused, maritime and air focused, and in many ways, very much focused on us,” he said in a speech at the Navy League in May of 2009. “They seem very focused on the United States Navy
and our bases that are in that part of the world,” he continued. The 2009 update of the annual report from the Office of the Secretary of Defense on the “Military Power of the People’s Republic of China” supports these claims. The Chinese have developed long-range radar that can see past our air base on Guam. They have developed antiship missiles that close so fast that none of our defense systems could intercept them. China has purchased one Russian Kuznetsov-class aircraft carrier and is currently in the process of refurbishing it at Dalian shipyard. They will soon have the capability to start constructing new carriers and have put in place a training program so that pilots will be qualified for carrier operations. They have strung over 2,000 missiles along the coast facing Taiwan and are adding more at the rate of 100 per year. They are close to deploying a missile with a 5,000-mile range that could give them a sea-based nuclear strike capability.

It all sounds a bit scary, but look closer and you will see evidence that the modernization alone is insufficient to counter U.S. conventional force superiority. China’s military budget is just a fraction of America’s. Allegedly only $70 billion, it is less than one-eighth of the Pentagon’s budget before adding in the costs of the wars in Afghanistan and Iraq. A U.S. carrier strike group is one of the most powerful conventional forces ever assembled. Consisting of up to a dozen ships, including guided-missile cruisers, destroyers, frigates, submarines, and supply ships, a carrier strike group can cover over 700 nautical miles in a single day, which allows it to go anywhere there is ocean within two weeks. The U.S. Navy boasts eleven carrier battle groups. To keep that force modern, the Navy is in the process of constructing three next-generation Ford-class carriers, with the first carrier set to be launched in 2015.

The Pentagon’s annual assessment,
Military Power of the People’s Republic of China
, for 2009 estimates that the former Russian aircraft carrier will not be operational before 2015. The consensus view
in the U.S. intelligence community is that China is at least a decade away from being able to marshal a modern fighting force that is capable of convincingly defeating even a moderate-sized enemy like Vietnam. Not until 2015 will China be able to project significant power off of its shores, and only then in limited cases against an opponent less capable than the U.S. is now. Unless.

Unless
…they can even things up by using cyber war against such things as U.S. carriers. The Chinese were always impressed by U.S. carriers, but their attention was heightened in 1996, when President Bill Clinton sent two U.S. carrier battle groups to protect Taiwan during one particularly nasty exchange of tough rhetoric between Beijing and Taipei. So the Chinese military followed its new strategy and developed a “virtual roadmap” for how to take down an aircraft carrier battle group in a paper titled “Tactical Data Links in Information Warfare.” This unclassified paper, written by two Chinese Air Force officers, relies on open source material, most of which can be pulled off the web, to illustrate how the information systems that the U.S. military relies on can be jammed or disrupted using relatively low-tech means.

These are the kinds of tactics that
Unrestricted Warfare
’s strategy articulates. The book recommends a program to steal a potential enemy’s technology, find flaws in it to exploit, and develop one’s own version as part of a program to create a modernized and smaller force. Not lost on Chinese military strategists, however, is the abililty of cyber weapons to skip the battlefield altogether. China has prepared in the event of war to inflict damage on the enemy’s home front, not with conventional weapons, but asymmetrically, through cyber attack. The two paths of improvement only make sense together. Even with the significant modernization of equipment, China will not be the equal of the U.S. military for many decades. However, if China can use asymmetrical tactics like cyber war, it believes the new, modern Chinese forces would be sufficiently advanced to take
on U.S. forces that will have been crippled by Chinese cyber attack. Recently, Pentagon planners have had a scare put into them by an article in
Orbis
titled “How the United States Lost the Naval War of 2015.” In it, James Kraska paints a vivid picture of how in the near future China could take on the United States Navy and win.

THE EAST IS GEEK

From what we know of China’s cyber warfare capabilities and the espionage campaigns the Chinese have carried out, that two-pronged approach is exactly what the Chinese have undertaken. Since the late 1990s, China has systematically done all the things a nation would do if it contemplated having an offensive cyber war capability and also thought that it might itself be targeted by cyber war; it has

• created citizen hacker groups,
  
• engaged in extensive cyber espionage, including of U.S. computer software and hardware,
  
• taken several steps to defend its own cyberspace,
  
• established cyber war military units, and
  
• laced U.S. infrastructure with logic bombs.
  

While developing cyber strategy, China also made use of private hackers closely aligned with the state’s interests. The U.S.-China Economic and Security Review Commission estimates that there are up to 250 groups of hackers in China that are sophisticated enough to pose a threat to U.S. interests in cyberspace. We saw something of their early capabilities in 1999, when the United States led a NATO air campaign to stop the slaughter in Kosovo by Serbian forces. The U.S. had all but perfected its smart weapons and used them to eliminate the Serbians’ Soviet-era military apparatus without losing a
single American life (one U.S. warplane went down due to mechanical failure). Unfortunately, smart weapons can’t make up for bad intelligence. Six bombs dropped from U.S. aircraft hit the precise coordinates provided to the mission planners by the CIA. The target was supposed to be the Yugoslav Federal Directorate for Supply and Procurement, a planning agency of the Serbian military. The coordinates, however, were about 900 feet off from the Directorate and exactly on top of the Chinese embassy.

The Chinese held protests outside U.S. embassies and consulates, issued condemnatory statements within the UN and other bodies, and demanded compensation for the victims and their families. After the embassy bombing, U.S. and NATO websites were targeted with denial of service attacks. Government agencies had their in-boxes stuffed with spam messages protesting the bombing. Some NATO webpages were forced down, while others were defaced. The attacks did little damage to U.S. military or government operations. The effort amounted to little more than what we call “hacktivism” today, a fairly mild form of online protest. It was, however, a first use of cyberspace by China to protest. Chinese hacktivists did it again in 2001, when a U.S. “spy plane” allegedly entered Chinese airspace and was forced by Chinese fighter jets to land in China. However, while these Chinese citizen hackers were launching their primitive denial of service and spam attacks, China’s intelligence-industry partnership was also busy.

The Chinese government went after two underpinnings of the U.S. computer industry’s dominance of networking technology, Microsoft and Cisco. By threatening to ban Chinese government procurement from Microsoft, Beijing persuaded Bill Gates to provide China with a copy of its secret operating system code. Microsoft had refused to show that same code to its largest U.S. commercial customers. Then China copied the Cisco network router found on almost all U.S. networks and at most Internet service providers.
Cisco had a manufacturing plant for the routers in China. Chinese companies then sold counterfeit Cisco routers at cut-rate discounts around the world. The buyers allegedly included the Pentagon and other federal government entities. Counterfeit routers started showing up on the market in 2004. Three years later, the FBI and the Justice Department indicted two brothers who owned a company called Syren Technology for selling the counterfeit routers to a customer list that included the Marine Corps, the Air Force, and multiple defense contractors. A fifty-page report authored by the FBI and circulated within the technology industry concluded that the routers could be used by foreign intelligence agencies to take down networks and “weaken cryptographic systems.” Meanwhile, another Chinese company, Huawei, was selling similar routers throughout Europe and Asia. The major difference was that, unlike the counterfeits, these routers did not say Cisco on the front. Their label said Huawei.