After a multi-year investigation, the computer security firm Mandiant announced this week that it had tracked a cyber group back to its Chinese roots.[1] Even more explosive, it had concluded that the group is, in fact, a Chinese military unit, the Second Bureau of the Third Department of the General Staff Department of the Chinese People’s Liberation Army (PLA), with the Military Unit Cover Designator 61398.
Mandiant’s report confirms what has long been suspected around the world: Not only are there Chinese engaging in various cyber espionage and hacking activities, but many are acting at the direction and with the approval of the Chinese government.
Chinese Military Organized Differently
The PLA is organized along different lines than other militaries. Although the PLA has different services (including the PLA Navy, PLA Air Force, and the Second Artillery), it is mainly organized under four “General Departments,” which have responsibility across service lines:
- The General Staff Department (GSD) is responsible for military planning, intelligence, and operational implementation;
- The General Political Department is responsible for political oversight, morale, propaganda, and military law enforcement (e.g., judge advocate general activities);
- The General Logistics Department ensures the smooth flow of spare parts, food, ammunitions, etc.; and
- The General Armaments Department is responsible for weapons development, mans the various Chinese space facilities, and oversees the nuclear test sites.
Because of this different organizational approach, the PLA has likely concentrated its cyber assets into a handful of units and organizations, rather than the more dispersed, service-centric approach of the United States, which runs the risk of greater duplication of effort.
At the same time, certain functions that are managed by civilians in the U.S. are also part of the Chinese military. The GSD Third Department, for example, is the counterpart of the U.S. National Security Agency, monitoring communications, managing cryptography, and the like. But the American agency is a civilian one, whereas the Chinese entity is part of the military. Overall Chinese cyber efforts are therefore potentially more centrally directed; key targets and objectives may be attacked in a coordinated fashion from a variety of sources.
These targets, however, may not all be military or even oriented toward national security . Mandiant indicates that this organization has apparently engaged in corporate espionage. Unit 61398 reportedly collected information on such companies as Coca-Cola when the latter was attempting to purchase a Chinese beverage maker.[2] In this regard, there is no parallel with the U.S., since American government agencies are not authorized to engage in industrial or financial espionage in order to support commercial entities.
Cyber Attacks and PLA Military Thinking
Not surprisingly, the Chinese authorities have denied the charges, but the weight of evidence thus far provided by Mandiant appears to be overwhelming. As one American analyst observed, “Either they are coming from inside Unit 61398, or the people who run the most-controlled, most-monitored Internet networks in the world are clueless about thousands of people generating attacks from this one neighborhood.”[3]
As important, such activities would seem to be consistent with PLA writings and statements regarding the nature of “information war” (xinxi zhan, 信息战) and “informationized warfare” (xinxihua zhanzheng, 信息化战争).
“Informationization” is the permeation of information technology into various aspects of a nation’s infrastructure and activities, including both the military and the broader society, to the point where it fundamentally alters that society’s nature.[4] Informationized warfare is the military aspect of “information war,” marked by the broader struggle for “information dominance” (zhi xinxi quan, 制信息权, also translated as information superiority). This entails the ability to control information at times and places of one’s own choosing, both to enhance and support one’s own operations and to degrade an opponent’s. This, in turn, requires developing the capacity to affect the collection, management, direction, and assessment of information.[5] It involves not only information systems but also influencing those who would use information—i.e., decision makers.
In the Chinese view, informationization means that information is no longer easily divisible into military and civilian. Similarly, information collection, and even potentially exploitation, is not necessarily restricted by “wartime” versus “peacetime.” As one Chinese volume observes, information war is ongoing, whether in wartime or peacetime, unceasingly. Because of the complex, intertwined nature of modern international politics and economics,
it is necessary in peacetime to undertake information warfare in the political, economic, technical, and military realms, as only then can one scientifically establish operational plans, appropriately calculate gains and losses in a conflict, appropriately control the level of attack, precisely strike predetermined targets, and seek the best strategic interest and long-term benefit.[6]
This is echoed in other PLA writings, which emphasize that modern information technology blurs the lines between peacetime and wartime, between military and civilian, and among strategy, operations, and tactics.[7] Rather than trying to delineate among these categories, the implication is that information is an integrated whole. In this light, it is not surprising that there should be a fairly unified Chinese organization tasked with information operations; that these would target a range of military, civilian, and commercial sites; or that such operations would be undertaken in peacetime.
What the U.S. Should Do
- Create a broad, multinational response. The response to China’s behavior should be forged among the major OECD countries, all of whom are targeted by Chinese computer network operations. Restrictions in one state can be circumvented by exploiting loopholes and security gaps elsewhere. The U.S. should be the motive force behind the creation of both a multinational clearinghouse of cyber activity information and support greater discussion among such major players as Great Britain, Germany, Israel, Australia, South Korea, and Japan.
- Implement new government-private cooperation. It was a private company that conducted the research that established Chinese culpability, and Chinese efforts are aimed as much at the private sector as the public. The Obama Administration should expand upon its proposed sharing of classified threat data, and establish the equivalent of the Combined Space Operations Center, where commercial and governmental computer security experts can share information on a regular, sustained basis.
- Go beyond the usual diplomatic responses. Given the commercial activities being affected by the Chinese actions, commercially related responses should rank as high as diplomatic ones. For example, if Chinese companies are benefiting from information extracted by this unit, are they essentially trafficking in stolen goods (in this case, intellectual property)? Would that make their directors subject to criminal charges, their foreign assets susceptible to seizure? How should this affect their ability to be listed on not just American but Asian or European stock exchanges? China’s actions fundamentally jeopardize the international rule of law in a variety of business contexts; it should not be able to benefit from its brazen flouting of those rules.
- Actually take a tougher line on China. The Obama Administration has actively sought out the Chinese military to cooperate on cyber issues and even engaged in joint “war games” together.[8] One can only imagine how Chinese officers viewed the gullibility of their American counterparts in such “cooperative” sessions, even as they were targeting them from Shanghai. Similarly, Secretary of State John Kerry’s comments questioning the need for a U.S. “pivot” to Asia, in the belief that it somehow antagonizes China, raises doubts about his understanding of how extensive China’s efforts have been.
An Integrated Response
The Chinese response to the controversy thus far has been one of “woxing, wosu” (我行我素): ignoring the American reaction. If American decision makers were expecting the Chinese to be ashamed of their actions, they are sadly mistaken (especially since the Chinese apparently view such actions as legitimate).
In order to make clear to Beijing that their actions are in fact illegitimate, there needs to be an extensive, integrated response. Just as Chinese cyber activities are not limited to the U.S. or solely targeted against military and national security systems, the response needs to be multilateral and comprehensive, involving not just all the elements of government but the private sector as well.
—Dean Cheng is Research Fellow in Chinese Political and Security Affairs in the Asian Studies Center at The Heritage Foundation.