Overview
This session examines the evolution of Chinese cyber statecraft, focusing on China’s transition from large-scale data theft to more strategic and disruptive cyber operations. It highlights the integration of technological, academic, and diplomatic tools in China’s cyber strategy, and discusses the implications for global security and Western responses.
Evolution of Chinese Cyber Operations
- Chinese cyber activity has progressed through three main phases:
  - Pre-2015: Characterized by noisy, large-scale data theft and commercial espionage, with little concern for consequences or technical sophistication.
  - 2015–2020: Marked by a period of regrouping and covert operations, often described as a "phony ceasefire." This phase saw organizational reforms and a focus on building more sophisticated, harder-to-detect capabilities, partly in response to revelations from the Snowden leaks.
  - Post-2020: China's approach has become more strategic, coordinated, and effective, with a willingness to preposition for potentially destructive attacks on Western critical infrastructure (e.g., Volt Typhoon). This represents a doctrinal shift from pure espionage to the capability and intent to disrupt or damage.
- The shift is driven by:
  - Organizational reforms and centralization of cyber capabilities.
  - Recognition of Western digital vulnerabilities and the perceived low threshold for disruption.
  - Lessons learned from observing both state and criminal cyber operations globally.
Strategic Integration and Global South Operations
- China often tests and refines cyber tactics in the Global South before deploying them more broadly. Examples include:
  - Cyber campaigns against India's power grid, especially in contested border regions, resulting in significant disruptions (e.g., the Mumbai blackout during COVID-19).
  - Long-term data exfiltration from the African Union headquarters, facilitated by backdoors in Chinese-built infrastructure.
- Economic initiatives such as the Belt and Road Initiative (BRI) and the Digital Silk Road are leveraged to gain access to digital infrastructure and enable cyber espionage.
- China integrates economic, diplomatic, and technical levers to strengthen its global cyber posture, using development projects to insert vulnerabilities and gain strategic advantage.
- In regions like the South China Sea, China uses cyber campaigns to support its geopolitical objectives, targeting countries like the Philippines during periods of negotiation and dispute.
Organizational Structures and Talent Development
- Major reforms in the People’s Liberation Army (PLA) have led to the creation of dedicated cyber forces and the separation of cyber, aerospace, and information support arms.
- Civil-military fusion is a core principle, integrating civilian talent and private sector resources with military objectives.
- Since 2015, cybersecurity has been elevated to a first-level academic discipline, leading to the establishment of specialized university programs and research centers.
- Large-scale talent development is achieved through:
  - Hacking competitions and capture-the-flag (CTF) events, often sponsored by state agencies and involving elite technical universities.
  - Partnerships between universities, state-owned enterprises, and cybersecurity companies, fostering the growth of cyber militias and a scalable cyber force.
  - Crowdsourcing initiatives and vulnerability research, with the state monopolizing vulnerability disclosure to maintain an advantage.
- This ecosystem enables China to rapidly develop and deploy cyber capabilities, while also enhancing deniability and complicating attribution.
Chinese Cyber Diplomacy and Attribution Approach
- China actively leverages economic and cyber diplomacy, particularly within BRICS and developing countries, to expand its influence and shape global cyber norms.
- There has been a notable shift from silence to active, government-led public cyber attribution:
  - Early attributions relied on recycled or leaked information, but recent efforts are more independent and professionalized.
  - Attribution reports now target both technical and psychological domains, sometimes including detailed information about alleged foreign operatives and internal dynamics.
  - Branding of operations (e.g., "Operation Futile") and publication of reports in English signal a more strategic approach to international communications.
- China uses public attribution both to mirror Western practices and as a tool for narrative control and retaliation, often denying responsibility for its own operations while attributing attacks to others.
Western Response and Cyber Strategy
- Western nations face the challenge of balancing necessary economic and diplomatic engagement with China against significant technical security risks.
- Key recommendations and observations include:
  - Shifting focus from solely data protection to resilience and service continuity, especially for critical infrastructure.
  - Recognizing that total disengagement from China is unrealistic; instead, responses should be tailored, realistic, and based on a clear understanding of actual risks.
  - The private sector plays a crucial role in protecting critical infrastructure, but current incentives often prioritize data security over operational continuity.
  - Legislative and regulatory changes (e.g., the UK's 2022 telecoms legislation) are needed to ensure that organizations carrying strategic risk have clear obligations for both data and service protection.
  - Awareness of the limitations of offensive cyber operations and the need for realistic assessments of what can be achieved through deterrence or retaliation.
Deterrence and Future Directions
- Cyber deterrence is evolving to include cross-domain and persistent campaigning, integrating cyber with other domains such as electromagnetic and information operations.
- China’s approach to deterrence is rooted in ongoing struggle and compellence, rather than simple retaliation, and emphasizes continuous friction and leveraging all elements of state power.
- The development of a robust, scalable talent ecosystem—through competitions, academic programs, and public-private partnerships—is central to China’s cyber power and should be a focus for other nations seeking to build similar capabilities.
- Western strategies should consider the integration and scalability of talent development, as well as the need to adapt to the changing nature of cyber threats and the lowering barriers to entry for disruptive operations.
Key Terms & Definitions
- Volt Typhoon: A Chinese cyber group known for prepositioning destructive capabilities in Western critical infrastructure.
- Prepositioning: Implanting cyber tools in advance for potential future disruptive attacks.
- Civil-military fusion: The integration of civilian and military resources and talent to achieve national objectives.
- Attribution: The process of publicly assigning responsibility for cyberattacks to specific actors or states.
- Belt and Road Initiative (BRI): China’s global infrastructure and economic development strategy, including digital components (Digital Silk Road).
- Cyber militia: Civilian forces organized to support regular military cyber operations, often drawn from universities and private companies.
Action Items / Next Steps
- Review recent research on Chinese hacker culture, talent development, and the evolution of cyber militias (e.g., reports by Eugenio Benincasa and others).
- Study the impact of hacking competitions, university programs, and civil-military partnerships on national cyber capabilities.
- Analyze your country’s approach to balancing engagement with China against cyber risk, considering both technical and geopolitical factors.
- Assess whether resilience and service continuity are adequately prioritized in national cyber strategies, and advocate for necessary legislative or policy changes.
- Monitor developments in Chinese cyber diplomacy, attribution practices, and integration of cyber with broader statecraft to anticipate future trends and challenges.