China’s Cyber Operations: The Rising Threat to American Security — Margin Research


Looking at China’s cyber operations, this study utilizes a large body of open source data collected by the Margin Research team. It examines China’s strategy, tactics, and operations in cyberspace as well as Internet communications in Chinese software development and cyber operations. China’s interest in cyber grew rapidly in response to what it observed in U.S. military operations, beginning with Operation Desert Storm in 1991. By 2013, China emphasized cyberspace as a crucially important area in the struggle with principal competitors and adversaries such as the United States and the West more generally.

At present, China’s cyber capabilities and operations have increased exponentially to the point where they pose a highly significant national security threat to the United States and all China’s perceived adversaries. China continues to invest huge sums in this technology path. It is clear that the threat will continue to become even greater than it now is.

China’s starting point with respect to international competition in the cyber arena is, as in all other things, control: controlling dissent and competition through controlling information while supporting domestic entrepreneurs and industries. Theft of intellectual property, personal data, state secrets, and espionage form a central part of China’s approach to achieving information domination.

In the past 20 years, China revised its cyber objectives to include offensive capabilities and adapted its structures in line with them, undertaking major reorganizations to support these evolving objectives. These dramatic changes and details of the Chinese cyber threat are not well understood or appreciated; they need to become a central part of the U.S. national security discourse with respect to cybersecurity.

  • From late 2015 through 2016, the People’s Liberation Army (PLA) modernized through reorganization, consolidating previously dispersed units under the Strategic Support Force (SSF).
  • China issued new, extensive laws, policies, regulations, and standards to bolster a cyber governance regime designed to enhance control of information.
  • China adopted a strategy of Military-Civil Fusion managed by the Chinese Communist Party (CCP) Central Commission for Military-Civil Fusion Development, chaired by President Xi, to enhance cross-sector integration with a view to dominating the multi-billion dollar cyber economy, including with respect to cybersecurity.

China’s methods include the promotion of emerging technologies, coordination with higher education, and exploitation of intellectual property and options financing. China prioritizes coordination of space, cyber, and electronic warfare as strategic weapons. It integrates private actors with the government and, since 2015, has increasingly replaced criminal hacking groups with domestic professionals. China also has co-opted freelancers—criminal elements and hackers—on whose patriotism China can rely, while increasingly looking to more conventional, university-developed talent.

The Chinese government entered the competition for talent and has used a number of incentives, including money and positions, to achieve success. China also developed world class cybersecurity schools that emphasize artificial intelligence among other emerging technologies. Seven universities in particular, known as the Seven Sons of National Defense, feed PLA capabilities.

Evolution of China’s Cyber Strategy

For more than a century, Chinese leaders have seen the value of greater access to technology and information to support their national objectives and military capabilities. The Chinese Communist Party (CCP) has always understood the importance of controlling information for domestic control and in competition and conflict. Starting in the 1970s, China moved to acquire technologies in order to collect, store, process, and manage information, with the result most visible in areas such as 5G (communications) and AI (artificial intelligence).

China has been operating below the threshold of direct confrontation and at a level of visibility that reflects major advances made in this area. China has used the technology base as an opportunity to radically shape the national ecosystem and exploit it in new and innovative ways. The personal use of connected devices, such as mobile phones, laptops, and others, and social media and other applications, provide the means to use the technology base for information and control.

The Chinese government has implemented a number of applications that track individuals and their behavior. Users are able to access Chinese sites, or versions of U.S. sites, but the government monitors and controls interactions with servers and sites outside China.

The technology has also enabled espionage operations on a scale never before imagined. Operations include theft of intellectual property, extraction of personal data, and penetration of strategic systems—activities going well beyond the traditional intelligence mission of stealing secrets for national security purposes. China’s targets include vast amounts of data and access to protected networks as well as commercial enterprises to make China more competitive in world markets. As part of their long-term competition with the United States, the Chinese government and CCP view collection and hoarding of information as an investment in the future. It is a strategic aim, not merely a near term tactic.

In the area of cyberwarfare, Western governments see cyberspace as a “fifth domain” of warfare. The Chinese, however, look at cyberspace in the broader context of information space. The ultimate objective is not “control” of cyberspace but control of information, a vision that dominates China’s cyber operations.

Defending Against Chinese Deception and Misinformation

Apart from defending against China’s espionage and other data collection efforts, the United States and its allies must anticipate and deflect the strategic use of deception and misinformation. Such tactics have often been employed throughout China’s political and military history. The historical failure to take these tactics seriously has inflated China’s ability to succeed where it decides to compete. This aspect of China’s military strategy goes back for generations, and it is not well known or understood in the West. Indeed, it is one of the main reasons Beijing has been so successful.

China’s use of deception and misinformation in the cyber area multiplies the country’s political and economic advantages. The Chinese government’s control over domestic cyber operations includes sophisticated deception operations with regard to the outer world. The United States is not likely to be able to determine how much China has shaped the content of data. Knowing that China has “official” uses of cyber technologies does not itself enable the United States to drill into China’s cyber landscape and understand it fully. A new approach is needed.

Organization of China’s Cyber Operations

China’s cyber operations have undergone extensive reorganization. As part of its modernization effort, beginning in December 2015 and throughout 2016, the PLA consolidated previously decentralized cyber units into the SSF to improve the PLA’s combat capabilities. This effort transformed China’s cyber operations from loosely linked operators focused on access to trade secrets into a professional intelligence service engaged in cyber operations to defend critical infrastructure, conduct espionage, and prepare for combat. In addition to the SSF, two civilian ministries, the Ministry of State Security (MSS) and the Ministry of Public Security (MPS), make up the main Chinese state entities engaged in cyber operations.

China also developed an extensive cyber governance regime to maintain control over the domestic flow of information and influence over cyberspace internationally. This regime is composed of laws, policies, regulations, and standards overseen by several departments under the guidance of the Central Cyberspace Affairs Commission.

The Chinese strategy of “Military-Civil Fusion” (MCF, 军民融合) is designed to facilitate cooperation between China’s civilian, commercial, and military and defense sectors and develop the PLA into a “‘world class military’ by 2049.” Expansive in scope, the strategy includes everything from efforts in big data and infrastructure to logistics and national defense mobilization. Domains that have been prioritized for development are cyberspace, security and informatization, biotechnology, and artificial intelligence.

Cybersecurity and Informatization Bodies

  • Central Cyberspace Affairs Commission (CCAC, also known as the Central Commission for Cybersecurity and Informatization, CCCI): The CCAC was formed in 2014 to integrate the “fragmented bureaucratic structures and policy areas” that had previously composed China’s approach to cyber.
  • Cyberspace Administration of China (CAC, 国家互联网信息办公室): The CAC is responsible for handling cyberspace and Internet content, enforcing the PRC’s various data regulations, and managing information infrastructures, personal data protection, and data security.
  • Strategic Support Force (SSF, 战略支援部队): The SSF is a theater command-level organization that centralizes the military’s strategic space, cyber, electronic, and psychological warfare missions.
  • Ministry of State Security (MSS, 国安部): The MSS is China’s main civilian intelligence and anti-espionage authority responsible for domestic and foreign intelligence operations, including human intelligence and cyber operations. It can compel Chinese citizens and organizations to engage in and support intelligence activities.
  • Ministry of Public Security (MPS, 公安部): The MPS oversees all provincial and local police departments, with responsibility for supervising public information networks, public security work, and policing. It shares the counterintelligence mission with, and is directed by, the MSS.
  • Ministry of Industry and Information Technology (MIIT, 工业和信息化部): The MIIT is responsible for China’s network infrastructure and assigned to tackle issues of data security.

Chinese Cybersecurity Laws

  • Cybersecurity Law (CL): The CL was the first of several regulations governing data protection in China and establishes requirements for data storage, as well as guidelines for maintaining network security, and also authorizes government authorities to conduct security checks of networks.
  • Data Security Law (DSL): The DSL governs data collected and stored in China and determines the requirements for its storage and transfer depending on its potential impact on national security. It also prohibits Chinese organizations and individuals from transferring data stored in China to the justice or law enforcement institutions of foreign countries without approval.
  • Personal Information Protection Law (PIPL): The PIPL is a legal framework designed to regulate how companies collect, process, and transfer personal data and applies to entities that collect, store, use, transmit, provide, or otherwise handle personal information of persons within the PRC, even if that entity is located or conducts business entirely outside of China. It also requires entities that handle critical infrastructure information, and which process a “large amount of personal information” to store personal information within China.

China’s Offensive Cyber Security Landscape

As China's quest to become a superpower evolves, Beijing has moved to eliminate barriers between its civilian-commercial industries and the state. Technology firms, particularly domestic cybersecurity enterprises, increasingly stand at the forefront of their fields, offering insight and services that constitute an important intellectual, personnel, and hardware resource for China’s government and military even while operating under increasing government restrictions.

Cybersecurity experts have also moved from large firms and established their own companies. A survey of selected Chinese cybersecurity firms indicates specific areas of focus, backgrounds of their founders, and, in some cases, their partners and investors. Most of these firms are dedicated to vulnerability research, threat detection, and security intelligence. Their services offer clients protection from offensive cyber activities.

A growing number of these firms also emphasize blockchain security. While their investors are predominantly Chinese venture capital firms, these companies service clients and maintain partnerships around the world. The PLA, China’s security services, and policymakers increasingly use this ecosystem to support their cyber operations.

The trajectory of China’s cyber industry is closely related to the proliferation of firms engaged in cybersecurity research. As part of its MCF approach, China’s leadership has emphasized the need to foster innovation in domestic technologies and has called on private enterprises to contribute to the security of the state and its citizens. People embedded in China’s cybersecurity industry stress that start-ups and smaller firms are an important source of this innovation and will continue to play a formative role in China’s national cyber strategy.

China’s cybersecurity firms operate under rigid constraints. The government touts the strategic benefits of keeping knowledge of vulnerabilities close to home, noting that vulnerabilities are no longer of use once exposed publicly by Chinese hacking teams at competitions. China therefore discourages its security researchers from participating in hacking competitions abroad, particularly those where zero-day vulnerabilities may be publicly disclosed.

Industry leaders in China see their cybersecurity universe as unique. They expect growth to continue to outpace overseas counterparts. Cybersecurity firms, particularly those dealing with personal data security, zero trust, cloud security, and privacy, are more likely to receive funding from the government, state-owned enterprises, and publicly listed companies than other candidates for Chinese government funding.

Cyber Personnel Recruitment and Operations

Competition in cyberspace is, ultimately, a competition for talent. Historically, China has recruited talented cyber personnel by appealing to hackers’ patriotic roots and by co-opting existing criminal hacking collectives. China also recruited early generation hackers from universities into the PLA and other government institutions. More recently, China has emphasized professionalism in cybersecurity with education reforms to develop elite institutions, fostering extensive military-civil fusion and militia programs, as well as bolstering relationships with the private sector.

University Recruitment and Involvement in Cyber Operations

Like Western institutions that have trouble fitting gifted, self-educated cyber experts into conventional institutions and institutional categories, China’s behavior suggests that Beijing also prefers personnel with a traditional profile. Since 2015, China has sought to replace its criminal hacking groups with domestic professionals. The CCP recognizes that talent is essential to the country’s cyber efforts and improving education is central to cultivating this talent, in addition to attracting overseas Chinese talent. Chinese universities develop top talent, conduct sensitive research programs in tandem with or funded by the government, and act as recruitment pipelines for the PLA, MSS, and related contractors.

China’s recruitment efforts in cyber are part of a larger effort to recruit expertise in a variety of national security areas. The “Thousand Talents” Plan, for example, attempted to reverse the brain drain of Chinese scientists and academics who studied and remained overseas by incentivizing them to return to China. The Ministry of Education and the Cyberspace Administration of China (CAC) also launched an initiative to develop World Class Cybersecurity Schools (一流网络安全学院) to cultivate domestic cybersecurity programs that would allow the country to grow its pool of cyber talent.

China’s universities intentionally produce graduates capable of attacking and defending networks, regardless of how they are ranked. Two of the 11 World Class Cybersecurity Schools, Wuhan University and Huazhong University, jointly created the National Cybersecurity School at the National Cybersecurity Talent and Innovation Base (国家网络安全人才与创新基地, the National Cybersecurity Center), which also contains two government-focused laboratories.

Academic links to China’s military and defense industry run deep. The government has established 29 national defense science and technology laboratories (国防科技重点实验室) in civilian universities, supervised by the PLA. In addition, 36 national defense labs (国防重点学科实验室) and 53 Ministry of Education defense labs (教育部国防重点实验室) operate out of nonmilitary universities. These schools graduate thousands of students who join organizations engaged in defense research every year.

In addition to training next generation offensive cyber talent and conducting cutting edge research on behalf of government ministries, Chinese universities have engaged in cyberattacks and conducted espionage. The APT1 hackers attributed to PLA Unit 61398 had connections to the PLA Information Engineering University (PLAIEU). Members of Unit 61398 were linked to Shanghai Jiao Tong University and likely recruited graduate students for the Unit from Zhejiang University's College of Computer Science and Technology.

The MSS operates the University of International Relations in Beijing and Jiangnan Social University. The MSS uses designated faculty elsewhere for intelligence purposes. The MSS works closely with other universities for training, conducting research, and cyber activities. Faculty at Hunan University and Tianjin University have been designated as MSS experts and awarded prizes by the ministry.

Military Recruitment and Military Civil Fusion

In most offensive cyber campaigns, the PLA relies on contractors; in its earlier efforts in offensive cyber, the PLA recruited hackers. With the reorganization of the military in 2015 and 2016, many of China's cyber operations were transferred from the PLA to the MSS.

The PLA Strategic Support Force (SSF) began civilian recruitment in 2018 but has suffered from issues in hiring and retaining civilian talent. Salary discrepancies and differences in culture between the SSF and the private sector likely make the SSF a less appealing place to work for domestic information security professionals. China has tried to circumvent this problem by eliminating barriers between China’s civilian research and commercial sectors, and its military and defense industrial sectors.

The PLA recruits civilians with cyber expertise into a militia reserve force to supplement the regular military. While these reserves would likely be limited to providing logistics and espionage, rather than offensive operations, this force reportedly numbers over 10 million. Military-civil fusion and the militia reserve force help the PLA exploit the civilian sector while retaining control over targeted offensive cyber campaigns.

The Growth of Domestic Hacking Competitions

Hacker conferences, where “hacker” is not synonymous with “criminal,” constitute an important source of knowledge about vulnerabilities and threats as well as innovations. Such conferences, especially those focused on security, offer ideal venues for recruiting and a space for government organizations, private companies, established hacking groups, and up-and-coming individuals to network. Sponsored by both the government and large tech companies such as Baidu, Alibaba, and Venustech, conferences like XPwn2017 and Tianfu Cup are often used by the PLA and MSS to recruit university students and other individual hackers.

Cutting off the exchange of knowledge between U.S. and Chinese cyber industries would undermine the ability of service providers to protect their products and network infrastructures and would also undercut visibility into changing developments in potential offensive cyber activities. But domestic cyber enterprises, as in most countries, also play a vital role in providing infrastructure, talent, and resources to State operations, sometimes by choice, sometimes under legal and political pressure.

The Role of Chinese AI in Open Source Code

Open source software (OSS) development solicits input from its community of users through technical standards meetings, code submissions, and online discussions. These are typically small communities, which makes them targets for adversarial influence campaigns and software supply chain attacks. China exploits this development model, and especially the Linux operating system, to leapfrog development and to penetrate and manipulate the open code. There is no established trust metric to vet the accounts or individuals that submit code. An attacker may contribute to the code libraries and submit deliberately vulnerable code or functional backdoors that will be exploited after the code is adopted.

China has developed a robust open source community that chips away at the security of U.S. software. Much of the world’s software relies on open source code that is freely available online and that may be redistributed and modified. Multiple open source libraries have been deliberately or accidentally corrupted by maintainers and developers, in China and elsewhere. China has open source code in its sights for malicious operations or operations designed to give advantages to China in its struggle with the United States and others.

By 2020, some 87% of Chinese companies were using open source software. GitHub, a primary platform for open source worldwide, features a large number of Chinese repositories with most major open source projects supported by Chinese companies. Alibaba, PingCAP, Baidu, Tencent, JD, and Huawei are the top six Chinese accounts on GitHub. Worldwide, China is second only to the U.S. in the number of GitHub users and contributors.

The volume of Chinese contributions to Western open source software has skyrocketed. In 2021, Huawei beat out Intel as the top contributor to the Linux Kernel. This software is the baseline of Western technologies like Google’s Android, NASA’s satellite software, and the Army's Common Operating Environment. Huawei has also contributed code to over 40 mainstream Western technical communities, including Kubernetes, OpenStack, Hadoop, TensorFlow, httpd, and MySQL.

Chinese military leaders want to use AI for offensive cyber operations. An analysis of 343 AI-related contracts executed by the PLA in 2020 shows a focus on procuring AI for intelligence, information warfare, and navigation and target recognition in autonomous vehicles. Military academics in China also look to use AI for stealth, scale, and adaptability in information operations, as well as for hyper-targeted phishing attacks.

President Xi Jinping’s stated goal in AI—to pursue both world leadership and self-reliance in AI technology—is in line with China’s use of open source technologies. Open source is also featured in China’s AI innovation plans. The MIIT New Generation AI Innovation Key Task List contained a task on “open source, open platforms,” to use open source and expand the number of data sets, models, and users for machine learning technologies.

China circumvents an overreliance on proprietary Western software by utilizing open source alternatives. After the United States sanctioned Huawei in 2019, the firm was barred from importing most U.S.-made chips and was no longer able to use the Android operating system in their phones. Subsequently, the United States has sought to prevent investment in Huawei and other Chinese companies with connections to the defense sector.

Preempting Chinese Cyber Operations

The present effort to discover suspicious cyber activity uses new AI techniques to create an analysis pipeline that surfaces highly significant insights about Chinese contributions to the Linux kernel, including the HULK robot. The analysis pipeline consists of a technology stack that ingests the Linux Kernel Mailing List (LKML) and the Linux Git repository, annotates the data, and then creates graphs of the annotated data searchable by analysts. Thus far, it has been possible to analyze the 36,000 contributors to the Linux kernel, highlighting 30 individuals exhibiting suspicious behavior, of which several are known to have submitted “hypocrite commits” that introduced exploitable vulnerabilities to the kernel. The individuals highlighted by the algorithm exhibit the same type of behavior, allowing analysts to explore this behavior in far greater detail than previously possible.
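As an added illustration (not Margin Research’s pipeline or code), the sketch below shows the annotate-then-graph step in miniature, and also the kind of contributor trust signal the open source section above says is missing: it parses constructed git-log records, builds an author-to-subsystem graph, and flags authors whose patches were later reverted or who changed security-sensitive subsystems without a review trailer. All names, hashes, paths and the list of sensitive subsystems are invented placeholders.

```python
import re
from collections import defaultdict

# Constructed sample mimicking `git log` output with changed paths appended.
# Hashes, names and addresses are fictional placeholders.
SAMPLE_LOG = """\
commit aaaa1111
Author: Alice Example <alice@example.org>
Subject: net: fix refcount leak in example_driver
Reviewed-by: Bob Example <bob@example.org>
Files: drivers/net/example.c

commit bbbb2222
Author: Carol Example <carol@example.org>
Subject: crypto: simplify key length check
Files: crypto/example_cipher.c

commit cccc3333
Author: Dave Example <dave@example.org>
Subject: Revert "crypto: simplify key length check"
Files: crypto/example_cipher.c

commit dddd4444
Author: Carol Example <carol@example.org>
Subject: fs: tidy up whitespace
Reviewed-by: Alice Example <alice@example.org>
Files: fs/example.c
"""

# Assumed (illustrative) set of subsystems where unreviewed changes matter most.
SENSITIVE_SUBSYSTEMS = {"crypto", "security", "kernel", "net", "mm"}
REVERT_RE = re.compile(r'^Revert "(.*)"$')

def parse_log(text):
    """Split git-log style text into commit dicts (ingest step)."""
    commits = []
    for block in text.strip().split("\n\n"):
        commit = {"reviewed": False, "files": []}
        for line in block.splitlines():
            if line.startswith("commit "):
                commit["hash"] = line.split()[1]
            elif line.startswith("Author: "):
                commit["author"] = line[len("Author: "):].split(" <")[0]
            elif line.startswith("Subject: "):
                commit["subject"] = line[len("Subject: "):]
            elif line.startswith(("Reviewed-by:", "Acked-by:")):
                commit["reviewed"] = True
            elif line.startswith("Files: "):
                commit["files"] = line[len("Files: "):].split()
        # Top-level directory stands in for the kernel subsystem.
        commit["subsystems"] = {f.split("/")[0] for f in commit["files"]}
        commits.append(commit)
    return commits

def annotate(commits):
    """Annotate step: mark commits later reverted, and unreviewed sensitive changes."""
    reverted_subjects = {m.group(1) for c in commits
                         if (m := REVERT_RE.match(c["subject"]))}
    for c in commits:
        is_revert = bool(REVERT_RE.match(c["subject"]))
        c["reverted"] = c["subject"] in reverted_subjects
        c["unreviewed_sensitive"] = (not is_revert and not c["reviewed"]
                                     and bool(c["subsystems"] & SENSITIVE_SUBSYSTEMS))
    return commits

def build_graph(commits):
    """Graph step: author -> set of subsystems touched, for analysts to browse."""
    graph = defaultdict(set)
    for c in commits:
        graph[c["author"]] |= c["subsystems"]
    return dict(graph)

def flag_authors(commits, threshold=1):
    """Sum suspicious signals per author; return those at or above the threshold."""
    scores = defaultdict(int)
    for c in annotate(commits):
        scores[c["author"]] += int(c["reverted"]) + int(c["unreviewed_sensitive"])
    return {a: s for a, s in scores.items() if s >= threshold}
```

On the sample, only the author whose unreviewed crypto change was later reverted is flagged; on a real history the same signals would be one input to analyst review, not a verdict.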

The HULK Robot is not the only automated bug-finding tool belonging to Chinese institutions. The Chinese government funds university labs conducting automated bug hunting in the Linux Kernel, which likely has a defensive purpose, but can easily be transferred to, or shared with, the larger Chinese national security community conducting research on offensive cyber activities.
