Cybersecurity and Cyberwar

Authors: Peter W. Singer, Allan Friedman

Perhaps the biggest issue cyber experts raise about US strategy, though, is whether it places too much emphasis on the offense. Indeed, budget plans in 2014 show the US Air Force spending 2.4 times as much on cyber offense research as on cyber defense. The concern goes beyond the traditional view that offense is the more destabilizing side (the worry that it encourages an attack mentality) and that defense is typically stabilizing (good defenses reduce the likely gains of any attack, discouraging offensive attacks in general). Rather, experts worry about the inherently seductive nature of cyber offense and the impact it might have on the military. As one report put it, offensive concepts like “cyber war, software exploit, digital catastrophe and shadowy cyber warriors” are much more glamorous than the defensive, like “security engineering, proper coding, protecting supply chains.” Yet defense is where the United States should be putting more of its efforts, not just because of how it aids stability and deterrence, but as a senior US military official said bluntly, “We're already very good at offense, but we're just as bad at defense.”

Regardless of where CYBERCOM and the broader US military come down on these issues in the years ahead, it's critical that the civilian side of the national security apparatus and civilian government leaders start to understand and contribute to them. Important plans and strategies for a powerful new technology are being made, but the broader civilian political system and populace have largely remained apart from the discussion. For example, the United States' strategic policy laying out its budding offensive cyber posture is designed to “offer unique and unconventional capabilities to advance US national objectives around the world with little or no warning to the adversary or target and with potential effects ranging from subtle to severely damaging.” But it only emerged in public discourse via leaks to newspapers, months after it had been decided.

It would be a mistake to draw a historic parallel between the destructive power of cyber weapons and nuclear bombs, as some civilian leaders have recently done (the head of the US Senate Armed Services Committee amusingly described a cyber weapon as just “like a WMD”). Yet there is a worrisome parallel in how civilian leaders nowadays, as in the past, might be caught off guard by how operational plans actually make use of these new weapons. For instance, when General Curtis LeMay headed the new Strategic Air Command in the 1950s, he surprised civilian leaders when they finally got around to asking what he planned for American nuclear bomber forces, if there ever were a crisis with the Soviets. LeMay explained that he was not too concerned, because he'd just order a preemptive nuclear attack. “I'm going to knock the s**t out of them before they take off the ground.” It's a good thing they asked and shut down such plans before the Cuban Missile Crisis just a few years later. Today's leaders might want to ask if there are any cyber equivalents.

Focus: What Is the Chinese Approach to Cyberwar?

“The most threatening actor in cyberspace.”

So who won this not-so-prized description? Not al-Qaeda. Not the US military's Cyber Command. Not Facebook's privacy policy. Not even “RickRolling,” the Internet meme wherein victims are tricked into watching a horribly addictive music video by 1980s singer Rick Astley. Rather, this is how the US Congress described China in a major report.

Time and again, China has been described as the bane of the cybersecurity world, whether in government reports like those issued by Congress (another one by the US executive branch specifically named China as the “most active and persistent” perpetrator of cyber intrusions in the United States) or Western media articles (a typical headline: “China: No. 1 Cyber Threat”). Behind these pointed fingers are real concerns. While it did not specify an individual nation, the Pentagon's 2011 Strategy for Operating in Cyberspace, designed to guide Cyber Command, clearly placed China among the most important threats in this realm. Indeed, many are now framing the US-Chinese relationship in cyberspace as a digital echo of that between the United States and USSR during the Cold War. Former presidential national security adviser Brent Scowcroft, for instance, describes the situation as “eerily similar,” while journalist David Ignatius summed up his meetings with top Pentagon officials in an article titled “Cold War Feeling on Cybersecurity.”

Unsurprisingly, Chinese writers and officials have reacted angrily to direct and veiled accusations, describing them as “groundless and reflecting Cold War mentality.” Moreover, they assert that it's China that is the aggrieved party and the one more frequently under attack. And in one way they're right. By the raw numbers, China suffers the largest number of cyberattacks in the world. The Chinese Ministry of Public Security has reported that the number of cyberattacks on Chinese computers and websites has soared by more than 80 percent annually, while some 10 to 19 million or more Chinese computers are estimated to be part of botnets controlled by foreign computer hackers.

But the story isn't that simple. The reason for China's heavy malware infection rate is that as much as 95 percent of the software that Chinese computers use is pirated, meaning that it doesn't get the same security upgrades and patches that legal license holders do, leaving them vulnerable to basic threats. As computer security expert James Mulvenon explains, “Therefore, China is right when it says that it is a victim of hacking, but the main culprit is its own disregard for intellectual property, not state-sponsored espionage.”

Regardless of the structural causes, Chinese analysts are quick to push back against the country's reputation as an abusive cyber power. “China is accused time and again for launching cyberattacks abroad but there is never any solid proof. Actually, China has become a victim of such repeated claims,” summarizes Su Hao, an expert on international security at the China Foreign Affairs University. Moreover, Chinese officials and writers assert that most of the increasing attacks on Chinese computers originate in the United States. Government officials claimed in 2011 that China was the target of some 34,000 cyberattacks from the United States, while in 2012 the numbers escalated to the point that Chinese military sites alone were targeted by American sources almost 90,000 times.

While the numbers are arguable (they turn on the same varied meaning of “attack” that we saw US officials abuse as well), it is undeniable that a large amount of malicious Internet activity emanates from or at least moves through the United States. For example, security researchers at HostExploit have found that twenty of the top fifty crime-spewing ISPs in the world are American. Moreover, US government agencies like the NSA and Cyber Command are clearly active and expert in cyber operations. When documents leaked by Edward Snowden in 2013 showed that the NSA had hacked the prestigious Tsinghua University in Beijing—home to one of six “network backbones” that route all of mainland China's Internet traffic—as well as the Hong Kong headquarters of Pacnet, which operates one of the Asia-Pacific region's largest fiber-optic networks, Chinese state media had a field day. “The United States, which has long been trying to play innocent as a victim of cyber attacks, has turned out to be the biggest villain in our age.”

Finally, Chinese cyber experts often express frustration at being painted as the main villain in a world they had little hand in creating. Many feel that the United States enjoys too highly privileged a position in the global cyber community, a legacy of its role in developing the Internet. They note, for example, that of the thirteen root servers that are essential to the functioning of the entire Internet, ten were originally located in the United States (and include US government operators like the US Army Research Lab and NASA), and the other three are in US allies (Japan, the Netherlands, and Sweden). Similarly, ICANN, which manages the protocol addresses essential to preserving the stability and smooth operation of the global Internet, started as a US government entity.

The result is that, far from taking the blame for cyber insecurity, China has increasingly taken the position that it must also equip itself for future cyberthreats and conflicts. As we read earlier, in 2011, the Communist Party–controlled China Youth Daily newspaper published an article by two scholars at the Chinese Academy of Military Sciences. In direct terms it described how the Chinese military establishment viewed developments in cyberspace, from the creation of the US military's Cyber Command to the revelation of Stuxnet. “Of late, an Internet tornado has swept across the world … massively impacting and shocking the globe. Behind all this lies the shadow of America. Faced with this warm-up for an Internet war, every nation and military can't be passive but is making preparations to fight the Internet war.”

In real terms, this has translated into a buildup of the People's Liberation Army's (PLA) cyber capabilities at just as rapid a pace as the building out of Cyber Command and the NSA over the same period. According to government sources, Chinese spending on cyber warfare became a “top funding priority,” and a host of new units were created with the responsibility of “preparing attacks on enemy computer networks.”

While the Chinese military organization responsible for cyber operations is not as open about its structure as the United States military's (no online password-guessing games like at Cyber Command), many think it falls under the PLA General Staff Department's Third Department. This entity, based in Beijing, is very similar to the NSA, with a focus on signals intelligence and code-breaking, making it a natural fit for cyber activities. The department has some 130,000 personnel reportedly assigned to it. A key part is the Beijing North Computer Center (also known as the General Staff Department 418th Research Institute or the PLA's 61539 Unit), which some believe to be the Chinese equivalent of Cyber Command. It has at least ten subdivisions involved in “the design and development of computer network defense, attack, and exploitation systems.” There are at least twelve additional training facilities located around the country. Of special note is a unit located in Zhurihe that is permanently designated to serve as an “informationized Blue Team.” That is, the unit simulates how the US military and its allies use cyberspace and provides targets for Chinese units to hone their skills on in war games.

A particular hub that has drawn unwanted attention is the Second Bureau of the Third Army, Unit 61398, also known in cybersecurity circles as the “Comment Crew” or “Shanghai Group.” This is a key unit tasked with gathering political, economic, and military-related intelligence on the United States through cyber means. In 2013, it was caught stealing employee passwords to break into the New York Times' computer networks. Proving that the old saying “Never argue with a man who buys his ink by the barrel” still holds true in the cyber age, the Times then got its revenge by publishing a series of embarrassing exposés. The paper revealed that the once-secret Chinese unit was behind some 141 APT attacks across 20 different industries and governments, targeting everyone from Coca-Cola to the Pentagon and the United Nations. It even suffered the indignity of having a picture of its no-longer-secret headquarters, located on Datong Road in Shanghai, splashed across the newspaper's front page.

The 61398 unit is far from alone; some estimates point to as many as 40 other APT operations of a similar scale. While its 12-story office building is next door to a massage parlor and wine importer, a number of the other PLA cyber programs are colocated with engineering schools and technology firms. For instance, the 61539 center is next to Beijing University and the Central Communist Party School in the city's northwestern Jiaoziying suburbs.

Just as many US military cyber facilities are colocated with the NSA and civilian research programs, the PLA also draws from the wider cyber expertise resident in its eight-million-strong people's militia, supplementing official forces with a “patriotic hacker” program. These universities also make prime recruiting grounds, although sometimes in ways that later hinder attempts to keep the units secret. When Unit 61398 started to garner attention, researchers found that its digital tracks hadn't been cleaned up. The Zhejiang University website even had a public notice that “Unit 61398 of China's People's Liberation Army (located in Pudong District, Shanghai) seeks to recruit 2003-class computer science graduate students.”

Guiding this buildup is the concept of “informatization,” a hallmark in the Chinese military's approach to cyber operations. As one key Chinese military report put it, modern forces, and especially the American military, are so highly reliant on information that whoever dominates the battle of cyberwar will occupy the “new strategic high ground.” Gaining the “upper hand of the enemy” will be determined by “whether or not we are capable of using various means to obtain information and of ensuring the effective circulation of information; whether or not we are capable of making full use of the permeability, sharable property, and connection of information to realize the organic merging of materials, energy, and information to form a combined fighting strength; [and] whether or not we are capable of applying effective means to weaken the enemy side's information superiority and lower the operational efficiency of enemy information equipment.”

In execution, the Chinese plan for informationized war would most likely focus on defending PLA networks and, in turn, targeting the adversary's key nodes of communication, command, and coordination. The idea is to degrade an enemy's decision-making, slow down its operations, and even weaken its morale. Most importantly, they believe that the side that controls the flow of information can create “blind spots” that can be exploited, windows of opportunity to attack undetected or with a reduced risk of counterattack.
