Did China tip cyber war hand?
August 28, 2011
By Andrew Erickson and Gabe Collins
The Diplomat Magazine
Amid growing US concerns over ongoing Chinese cyber attacks, attribution remains the most complex issue. At the open source level at least, it has been hard to find a ‘smoking cursor.’ That is, until the broadcast of a recent cyber warfare programme on the military channel of China’s state TV network.
The programme appeared to show dated computer screenshots of a Chinese military institute conducting a rudimentary type of cyber attack against a US-based dissident entity. However modest, ambiguous—and, from China’s perspective, defensive—this is possibly the first direct piece of visual evidence from an official Chinese government source to undermine Beijing’s official claims that it never engages in overseas hacking of any kind for government purposes. Clearly, Washington and Beijing have much to discuss candidly here if they are to avoid dangerous strategic tension.
China Central Television 7 (CCTV-7) is China’s official channel for military and agricultural issues. As part of its wide-ranging coverage, every Saturday it runs a 20-minute programme called ‘Military Science and Technology.’ It’s always worth watching, given the range of timely topics covered and the detailed analyses offered by Chinese specialists. The July 16 edition was particularly so.
Entitled ‘The Internet Storm is Coming’ (网络风暴来了), it begins with a broad discussion of cyber attacks. It showcases a statement by then-US Defense Secretary Robert Gates at the Shangri-La Dialogue in Singapore in June. This important international conference was also attended by Gates’ Chinese counterpart Gen. Liang Guanglie. Emphasizing that the United States was extremely concerned about the cyber attacks that it was continually suffering from, Gates suggested that some attacks could rise to the level of an act of war and prompt the United States to respond with force.
Chinese Military expert Du Wenlong then highlights President Barack Obama’s May 2009 remarks in which he emphasized the importance of securing the nation’s digital infrastructure and declared it a strategic national asset. Du explains that Washington would regard some types of cyber attacks as acts of war because modern military operations rely heavily on digital networks and cyberspace: ‘networks have become the basis for military action and for winning a war.’ Du appears to be well acquainted with his subject matter, and provides cogent explanations of complex cyber issues.
But here is where the programme deviated from its typical theoretical coverage of broad military trends for six seconds to offer an unusually-specific Chinese example. An initial screen was labelled ‘Vulnerability Report’ in large letters; a narrator intones that ‘there are many Internet attack methods.’
As the narrator discusses a means of implementing hard and soft cyber/network attacks, footage displays what appears to be a human-operated cursor using a software application with Chinese character labelling to launch a ‘distributed denial-of-service’ (DDOS) attack.
This particular DDOS is against a website formerly affiliated with the dissident religious group Falun Gong. Under large characters reading ‘Select Attack Target,’ the screenshot shows ‘Falun Gong in North America’ being chosen. Here it must be emphasized that DDOS attacks are generally extremely rudimentary. As will be explained later, if the footage in question was real, it’s likely a decade old.
Drawing on a ‘Falun Gong website list’ encoded in the software, the cursor selects the ‘Minghui Website’ from a pull-down menu of Falun Gong websites. Minghui.org is the main website of Falun Gong’s spiritual practice, and hence a logical target.
Hovering over a software window labelled ‘IP Address of a Website Chosen to Attack,’ the cursor selects the IP address 138.26.72.17. This was once linked to the University of Alabama in Birmingham. According to the Falun Gong-supporter-founded Epoch Times, a UAB network administrator ‘recalled that there had been a Falun Gong practitioner at the university some years ago who held informal Falun Gong meetings on campus. They couldn’t confirm whether that individual used the IP address in question, and said it had not been used since 2010.’ PC World added that the site was created ‘by “a former student and was decommissioned in 2001 as it violated our acceptable use policy,” according to Kevin Storr, a UAB spokesman.’
During this sequence, some interesting characters remained at the top of the screen: ‘Attack system…PLA Electronic Engineering Institute.’
The programme then returns to general cyber attack themes.
As this research note went to press, the programme footage remained readily visible and viewable on the CCTV website.
Why is this important? It’s significant that an official Chinese state TV channel showed even a symbolic representation of a cyber attack, particularly one on an entity clearly located in a foreign sovereign nation. First, as one of its central emphases, China insists forcefully on realizing an extremely expansive definition of national sovereignty—it’s difficult to see how such activities could possibly be in accordance with this overall approach. One of the greatest sources of friction in US-China relations are fundamental differences regarding the scope of sovereignty, with China almost invariably the more indignant and assertive party. Second, official spokespeople for most other nations thought to have substantial offensive cyber and intelligence capabilities studiously refrain from addressing those capabilities directly, and hence from potentially making statements that don’t appear to be credible about such issues. But Chinese officials instead issue blanket denials in this regard.
In 2010, for example, Chinese Foreign Ministry spokeswoman Jiang Yu denied that China has been responsible for cyber attacks: ‘Some reports have, from time to time, been heard of insinuating or criticising the Chinese government…I have no idea what evidence they have or what motives lie behind. Hacking is an international issue and should be dealt with by joint efforts from around the world.’
That same year, a spokesman for China’s Ministry of Industry and Information Technology declared: ‘accusation that the Chinese government participated in (any) cyber attack, either in an explicit or inexplicit way, is groundless and aims to denigrate China…We are firmly opposed to that…China’s policy on Internet safety is transparent and consistent.’
Unfortunately, despite this recent incident and a larger ‘inbox’ of mounting evidence to the contrary, Chinese official responses are likely to follow the well-trodden path of distributed denial of responsibility—thereby further straining Beijing’s credibility in foreign audiences.
Of course, as with many incidents involving apparent, alleged, or uncertain Chinese military capabilities, this one raises more questions than answers – what was the motive for displaying the software footage? Where did the footage come from, and how was it created? At what level were decisions to insert and retain coverage made? Who was the intended audience?
Since it seems unlikely, given its professed cyber security concerns and substantial technological capabilities, that Beijing allows itself to be defenceless against what it alleges to be the extensive predations of others in the offense-dominant domain of cyberspace, the alternative would appear to be that China is not being forthcoming in public about its development of offensive cyber capabilities. But why should this be, since virtually no Western experts or government officials believe such statements to be true?
The most plausible answer would appear to be that China’s government sees value in appearing to be defensive, and morally virtuous, before a domestic audience—its most important audience. It’s also possible that calling too much Chinese public attention to the nation’s cyber capabilities could remind Chinese netizens further of the extensive Internet censorship that currently constrains their lives online, and which many find increasingly frustrating.
Then there’s the issue of the extent to which China’s government may work with semi-, loosely-, and irregularly-affiliated, or firewalled-off, ‘Patriotic Hackers’ to do its bidding. Perhaps it’s seen as best to preserve at least some form of plausible deniability to deflect inquiries concerning these controversial issues, the better to unite citizens against perceived foreign threats and avoid unpredictable foreign invitations to strategic dialogue.
None of this, of course, explains the CCTV-7 footage’s provenance and appearance per se. On the one hand, a large ‘Attack’ button may seem cartoonish. On the other hand, this is no doubt a popular concept among Chinese cyber warriors and their foreign counterparts alike, who have been schooled originally in video and computer games like World of Warcraft and may have some say in how software is constructed—there’s no reason why such a configuration would be inherently dysfunctional.
Perhaps the least unlikely explanation is that programme producers sought specific footage to document specific cyber attack techniques. For reasons of Chinese pride, and perhaps PLA assertiveness, they wanted to show that China could do something itself in the face of perceived threats. Falun Gong, particularly despised by Beijing, offered a politically-correct and ‘morally justified’ target even for ideologically dubious techniques. Footage from previous interviews and interaction with the PLA Electronic Engineering Institute may have happened to be available in convenient form, and met visual requirements. In any case, it would seem that nobody in the decision-making chain objected at the time.
Perhaps most importantly, the CCTV-7 software contents appear to correlate so closely with a set of attacks that China is alleged to have engaged in a decade ago that their construction would appear to be tedious for the production schedule of a major weekly television programme.
Regardless of the realities concerning these particular software images, there does appear to be a larger pattern of related Chinese government activity. A 2002 RAND study by noted China security/cyber experts Michael Chase and James Mulvenon offers both context and a plausible explanation for the CCTV-7 footage. It may date to activities occurring in 1999 and 2000 that they analyse in depth, marshalling a range of sophisticated inductive and deductive approaches to support their arguments:
‘There is some evidence to suggest that the Chinese government or elements within it have engaged in hacking of dissident and antiregime computer systems outside of China…evidence exists to support the conclusion that the Chinese government or elements within it were responsible for one or more of the China-origin network attacks against computer systems maintained by practitioners of Falungong in the United States, Australia, Canada, and the United Kingdom. After the exposure of the role of certain Chinese security agencies in the attacks, the later, more sophisticated intrusions were believed to have been carried out by cut-outs, making it more difficult to ascertain the extent of government involvement. This was especially true of the attacks that occurred in winter and spring 2000.’
Chase and Mulvenon acknowledge that a Ministry of Public Security ‘rogue element’ might conceivably have perpetrated these attacks without senior party leadership or MPS leadership sanction. In analysing the considerably more sophisticated follow-on attacks of 2000, however, they offer evidence to suggest a state-level interest in their coordination:
‘The first of the renewed attacks against Falungong servers occurred on March 11, 2000, coinciding with the meetings of the National People’s Congress in Beijing. The hack, which used a denial-of-service technique…brought down the main server in Canada (www.minghui.ca), as well as three mirror sites (www.falundafa.ca, www.falundafa.org, and www.minghui.org).’
‘Attacks on Falungong servers reached a crescendo in mid-April 2000…The timing of the attacks coincided with two sensitive political events: (1) the impending vote in the United Nations Human Rights Commission on a UN resolution condemning Chinese human-rights abuses, including persecution of Falungong; and (2) the one-year anniversary of the April 25, 1999, gathering of Falungong practitioners outside the central leadership compound in Beijing.’
In viewing this summer’s CCTV-7 footage, then, we are quite possibly afforded a peek into relatively unsophisticated techniques from a decade ago. It certainly looks like a ‘smoking cursor,’ albeit a relatively modest one. China undoubtedly has far superior capabilities at its disposal today.
Regardless of the Chinese government’s public positions for domestic consumption regarding cyber attacks launched from Chinese soil, it will have to deal increasingly with an important foreign audience. The US International Strategy for Cyberspace, issued in May 2011, reflects the increasing seriousness with which the US government views cyber security.
The report declares that ‘When warranted, the United States will respond to hostile acts in cyberspace as we would to any other threat to our country…We reserve the right to use all necessary means—diplomatic, informational, military, and economic—as appropriate and consistent with applicable international law, in order to defend our Nation, our allies, our partners, and our interests.’
To be sure, identifying an attack source that could be retaliated against is exceedingly difficult. However, taking a more aggressive stance against cyber attacks, even to the point of having cyber attacks serve as a potential trigger for alliance mutual defence obligations such as Article 5 of NATO, raises a number of interesting doctrinal possibilities.
One is that physical infrastructure utilized in a cyber attack on US government assets could be held at risk, while another is that—similar to the US position on terrorism—the source country of a cyber attack could be held responsible for the actions of parties operating from its soil, whether or not they can be credibly linked to the country’s government.
As one of his last major official contributions to US-China relations, Robert Gates placed a very important message in China’s inbox:
‘I think we could avoid some serious international tensions in the future if we could establish some rules of the road as early as possible that let people know what kinds of acts are acceptable, what kinds of acts are not, and what kinds of acts may in fact be an act of war,’ Gates said. ‘I think that one of the things that would be beneficial would be for there to be a more open dialogue among countries about cyber (threats) and establishing some rules of the road (to achieve) clearer understanding of the left and right lanes, if you will, so that somebody doesn’t inadvertently or intentionally begin something that escalates and gets out of control.’
At the very least, it is in both Washington and Beijing’s interest to have such substantive cyber talks before attacks enter into new domains in ways that neither nation wants to see. It’s vital for the security of both Pacific cyber powers that Beijing reply in kind, without attempting to block or delete the message.
Andrew Erickson is an associate professor at the US Naval War College and fellow in the Princeton-Harvard China and the World Programme. Gabe Collins is a commodity and security specialist focused on China and Russia. This is an edited and abridged version of a longer analysis. The full version can be read here.