3rd Party Risk Management , Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime
Experts Outline Chinese Cyberwarfare Tactics, MotivationsU.S.-China Commission Explores Cyber Threat Posed by Xi Jinping's Government
The U.S.-China Economic and Security Review Commission on Thursday held a daylong hearing on cybersecurity threats posed by Xi Jinping-led China, including the nation's expansive cyberespionage and disinformation capabilities, along with its technical prowess in cyberwarfare.
See Also: Live Webinar | Education Cybersecurity Best Practices: Devices, Ransomware, Budgets and Resources
The first part of the hearing, a two-hour session entitled "China’s Perspective on and Capabilities for Cyberwarfare," featured witnesses who outlined doctrinal shifts within China that have perpetuated more aggression in the IT realm, along with motivations, capabilities and technical components of Xi's People's Liberation Army, including its new Strategic Support Force, or SSF, which conducts space, cyber and electronic warfare operations.
Witnesses included Winnona DeSombre, a nonresident fellow at the international affairs think tank The Atlantic Council and a fellow at the Belfer Center at Harvard University; Dean Cheng, a senior research fellow in Asian studies for the public policy think tank the Heritage Foundation; and John Chen, lead analyst at the Center for Intelligence and Research Analysis at SOS International, or SOSi.
The U.S.-China Commission is an independent agency, established in 2000, that provides recommendations on bilateral trade, national security and other China-related risks to the U.S. Congress and the president.
Its three-part hearing outlined China's growing adversarial approach to cyber, which aids what Chen called a highly "statist" economy.
Beginning the session, commission co-Chair Carolyn Bartholomew, former chief of staff, legislative director and foreign policy adviser to House Speaker Nancy Pelosi, said: "There has been an alarming rise in the frequency and the sophistication of China's state-sponsored and state-affiliated cyberespionage activity, as well as its targeting. China's cyber actors have deliberately and aggressively pursued targets across a spectrum of industries, including technology, defense, energy, healthcare, education and other key sectors, in pursuit of trade secrets and sensitive information."
Bartholomew called these activities "not only a U.S. challenge, but also a global one," which she said underscores the need for "collective action and security cooperation." She touted a July 2021 announcement from the Biden administration that the U.S. had been working with an "unprecedented group of allies and partners" to address "China's irresponsible and destabilizing behavior in cyberspace."
Global Information Dominance
DeSombre, in her testimony, told the USCC that "China is a major peer adversary in cyberspace" with offensive capabilities rivaling or exceeding those of the U.S.
She said China can launch cyberattacks that, at a minimum, cause localized, temporary disruptions to critical infrastructure, and China's defenses can "detect some U.S. operations and in some cases, turn our own tools against us."
DeSombre testified that China has bolstered its tactics by building "asymmetric capabilities" that the U.S. is constrained from developing due to international or domestic law.
"The U.S. prioritizes operational tradecraft in cyberspace and does not conduct economic espionage," she said. "The Chinese government, on the other hand, develops cyber programs that steal American intellectual property, alongside more traditional operations, and does not care whether they're caught. This apathy enables the regime to conduct far more frequent operations."
DeSombre said that Xi has "dramatically escalated" Chinese rhetoric and capabilities in cyber power and has modernized his military for technological "power projection," shifting propaganda priorities to pursue "global information dominance."
She also testified that Xi is "fundamentally changing the nature of cyberspace" by pursuing dominance with the Chinese private sector and weaning off Western technology.
DeSombre said China's "multi-stakeholder approach" to personnel development and its relationships with corporate and academic institutions through military-civil fusion allow it to pursue more aggressive ends in cyberspace.
Her recommendations for Congress included appropriating funds to secure the supply chain, diversifying the cybersecurity jobs pipeline and working with allies to support U.S. values across the information domain.
DeSombre called for mandatory federal breach notification laws, threat information sharing for critical infrastructure, expanded patching requirements for federal contractors and funding for research into federal SBOMs, which catalog software components.
She also urged executive branch agencies to add culpable Chinese institutions to their entity and sanctions lists.
Cheng, of the Heritage Foundation, delved into doctrinal changes within China that have redoubled the country's cyberspace efforts.
Cheng said the PLA "is in the midst of a doctrinal revision," including an organizational shift, circa 2015, that dictates how it's managed and organized. One of the results has been the creation of the SSF.
Cheng said the SSF's methods "involve attacking the adversary's broader systems, including military and civilian information networks, [and this occurs] in wartime but also in times of crisis and peacetime."
He stated: "PLA writings indicate that key targets for network and electronic warfare, as well as psychological warfare, include national and military decision makers, strategic early-warning systems, military information networks, energy, financial and transportation networks."
Cheng warned that Congress should not initiate a direct military response to China, calling it an "overreach extending into micromanagement," but said Congress should "strike at China through financial and other aspects that would signal … that their actions in the cyber realm have consequences."
Highly Centralized Structure
SOSi's Chen expanded on China's capabilities, discussing broader bureaucracy and cyber-operation overlap between the SSF and the country's ministries of Public Security and State Security.
"All of these actors nominally report to a group of centralized Chinese Communist Party bureaucracies, all headed by Xi Jinping," he said.
Chen said the SSF is distinct, however, in that it "alone has an acknowledged mandate to prosecute cyber warfare."
The SSF's missions, Chen testified, aim to "generate political outcomes favorable to the CCP." Most operations, he said, are conducted under a "high degree of centralized control."
He said China's "capable organizations" - commonly attributed as advanced persistent threats - are centrally commanded and organized at bases and bureaus directly reporting to SSF high command and China's Central Military Commission, its highest national defense organization.
"This combination of network and psychological warfare units is not a coincidence," Chen said. "It offers Xi Jinping a potent combined or boosted cyberwarfare capability in the SSF."
When combined, he said, the capabilities "can trigger a chain reaction of political and social effects resulting from human reactions to fear or uncertainty."
The analyst called for the creation of a "color-coded early-warning system" to "sensitize the public to forthcoming boosted attacks," increased civil defense outlays to prepare emergency services and the general population for response to critical infrastructure attacks, and funding for public affairs and transparency efforts to "help blunt the impact" of disinformation.
The policy experts confirmed that the Chinese can, and likely will, target civilian networks as part of their broader operations.
"This achieves the ultimate goal - which is victory," Cheng told the USCC. "The Chinese, I suspect, doctrinally are far more prepared to win ugly than to lose immaculately in this regard, which pertains to the cyber aspect."
DeSombre said the Chinese have another strategic advantage: their robust vulnerability research ecosystem.
"Unlike the international community, which actually directly discloses these flaws to vendors, China requires all these bugs to go first to the Chinese government," she said. "It likely results in the exploitation and use of these vulnerabilities in their cyber operations."
The hearing also featured panels with testimony from Mandiant Threat Intelligence, the Center for Security and Emerging Technology at Georgetown University, the Council on Foreign Relations, the Hoover Institution at Stanford University, and the Cyber Threat Alliance.