The Diplomat author Mercy Kuo regularly engages subject-matter experts, policy practitioners and strategic thinkers across the globe for their diverse insights into U.S. Asia policy. This conversation with Timothy Flannery – consultant and former U.S. government senior analyst and advisor – is the 402nd in “The Trans-Pacific View Insight Series.”
Examine the relationship between China’s cybersecurity and statecraft.
Chinese leaders consider cyber power a key instrument of national power. President Xi Jinping, for example, has said publicly that his goal is to make China a “cyber superpower” through indigenous innovation. Accordingly, the Chinese Communist Party has in recent years been progressively organizing military, intelligence, and civilian resources to bolster China’s cyber capability.
The result of China’s push for preeminence is a multi-dimensional and highly adept Chinese cyber threat, ranging from laws and regulations that introduce data vulnerabilities for foreign firms operating in China to increasingly sophisticated APT campaigns exploiting third parties for access. The enlistment of advanced Chinese technology and telecommunications companies in cyber operations adds another feature to the threat picture.
An important consideration in thinking about China’s cyber operations is that, to date at least, China has been constrained in its actions by its desire to be a respected member and eventually leader of the global community. To this end, China has generally sought to conform to global norms, confining its more aggressive international behavior in cyberspace to activities seen as part of spy games – such as cyber-enabled espionage and influence operations – rather than in perceived “rogue” activity, such as infrastructure disruption.
There are indications, however, that Beijing may have tasked its cyber forces with prepositioning themselves in U.S. operational technology networks to possibly disrupt or damage critical infrastructure if political tensions with Washington reach the point of conflict. U.S. and international cybersecurity authorities have warned about this activity.
Identify China’s cyber tools and actors.
What sets China’s cyber activities apart from other nation-state cyber adversaries, such as Russia and Iran, is the number of individually identified groups associated with state-sponsored or sanctioned hacking, and the country’s unique and powerful position in the global economy. Up to 40 distinct Chinese Advanced Persistent Threat (APT) groups have been identified as operational in government and cybersecurity industry reporting. Several have been linked to the Ministry of State Security (MSS) and the People’s Liberation Army, although most attributed groups are linked to China only based on tools, infrastructure, and victimology.
In its 2023 annual global threat assessment, the U.S. Intelligence Community called out China for posing the “broadest, most active, and persistent cyber espionage threat to U.S. Government and private-sector networks.” Compared to past years, Chinese cyber actors have raised their game and are capable of very sophisticated attack campaigns. They exploit never-before-seen cyber weaknesses – so-called zero-day vulnerabilities. They use commercial supply chain attacks to reach victims indirectly. And they have demonstrated the ability to use an IT system’s legitimate software and tools to engage in malicious activity, which makes discovery and mitigation by cyber defenders much more difficult.
Analyze the role of AI in China’s cybersecurity infrastructure.
Artificial intelligence can be used to super-charge malicious cyber operations by enabling the rapid scanning of devices for vulnerabilities, the creation of targeted phishing lures and better malware, and the assessment of massive data sets for valuable information. There is no doubt Chinese cyber threat actors recognize the leverage that AI can generate.
Several years ago, China announced its ambition to become a world leader in artificial intelligence by 2030 to support China’s economic development and protect national security. Given such an emphasis, China will almost certainly attempt to steal whatever AI technology it can because of the benefits it can yield and because Beijing doesn’t want to fall behind the West’s capabilities in the field. China has used cyber theft to speed its technological development in other areas such as aerospace and semiconductors. There is no reason to think it won’t use the same means to go after others’ intellectual property in artificial intelligence.
How can governments and companies improve cyber resilience?
The first step is creating a unit focused on cyber resilience, headed by an individual with both IT and business experience and who is actively supported by senior leadership. One of the key tasks of such a unit would be to bridge the silos of information within an organization, which so often impede a detailed understanding of the steps each business unit must take to become cyber resilient.
Next, an organization should take an inventory of its IT and business networks. For many organizations, the trend toward cloud migration means digital assets stored off-premises or in a hybrid environment should be included in the inventory. With the help of business and IT process owners, the cyber resilience team should map the digital roles and activities that are essential to keep the organization functioning. Similarly, enterprises should survey cyber links to suppliers and vendors, estimate associated risks, and formally acknowledge hazards.
Once digital resources are inventoried, enterprises can then prioritize protecting key assets and monitoring high-value resources and significant system weaknesses. They should adopt a Zero Trust security framework to protect networks, implement stringent identity and access management controls, and secure virtual private networks (VPNs) and encryption. Networks should be segmented to keep malicious intruders from moving laterally. In addition, all data and systems should be backed up offline.
Assess the top three emerging threats of China’s cyber capabilities that the United States and allies should be monitoring.
One key emerging issue is the increased scale of threats derived from new data laws and disclosure regulations in China that funnel exploitable cyber vulnerabilities to government authorities. As if the scale and resources of the Chinese cyber threat were not already tremendous! Related to this sort of public sector encroachment, the Chinese government’s expanding control over the country’s technology sector allows it to leverage cutting-edge digital products and expertise more easily for cyber espionage and cyber disruption.
Second, as shown by the U.S. government warning last year about the Volt Typhoon campaign against networks tied to U.S. critical infrastructure sectors, Chinese threat actors have expanded the scope of their efforts beyond cyber espionage to include targeting devices vital to the operation of water utilities, power companies, and transportation and communications systems. This strategic positioning is consistent with the U.S. Intelligence Community’s assessment over the last few years of China’s capability in this area.
Third, careful attention should be paid to trends in China’s efforts to become a global leader in key information technology fields such as quantum computing and communications, artificial intelligence (as we’ve already discussed), and next-generation wireless technology such as 5G because these will support cyber capabilities. China’s attempts to play a major role in setting international standards in emerging technologies will also be important to watch because standards-setting can enhance competitiveness and capabilities for years to come.