New cyber warfare unit
While China was assessed to have cyber warfare capabilities for quite some time, the declaration by its Central Military Council of the formation of a new military branch focussed on digital battleground technically called Strategic Support Force on 1st Jan. 2016 confirmed this. This new force is mainly aimed at providing resources capable of protecting China’s cyber and space security. On this occasion Xi pointed out that this force is central to achieving the “Chinese Dream” suggesting its importance.
This development has not come as a surprise. Last year China had released it’s first-ever White Paper on military strategy [entitled “China’s Military Strategy”] which stressed on need to shift to “active defence” and emphasized China’s commitment to “winning informationized local wars” as also becoming a maritime power. The White Paper also contained the first official acknowledgement of China’s commitment to building a cyber force with the capability to engage in offensive cyber operations.
In fact China’s major cyber warfare and intelligence-gathering groups have been elevated into the new Strategic Support Force- a military service-level force equal in standing to China’s army, navy, air force and missile services. The Strategic Support Force includes the 3rd Department of PLA, which has highly-trained personnel who specialize in network attacks, information technology, code-breaking, and foreign languages; the 4th Department, which has the responsibility for military electronic intelligence and electronic warfare; and the 2nd Department the traditional military spy service devoted to human spying. In addition the civilian intelligence organisations like Ministry of State Security (Foreign Intelligence) and Ministry of Public Security (Internal Intelligence) are also linked to it.
While the White Paper does not provide greater details of its strategy, it does mention important dimensions of Chinese cyber strategy. The White Paper points out that outer space and cyberspace are the “new commanding heights in strategic competition,” and notes that China faces serious new security challenges in this sphere. The main objective of this force is to protect China’s sovereignty in this arena. More details of China’s cyber security strategy are provided by statements made from time to time by the Chinese officials. In addition there are some books written by western scholars which analyse the Chinese cyber strategy.
The creation of this force preceded by the establishment of the National Security Commission and Central Network Security and Informatization Leading Small Group in 2014, with Xi as their head. These reflected the importance given by the Chinese authorities to the cyber space issues.
The Chinese do not use the term cyber security but they use “information security”. This term refers more specifically to the protection of digital information networks. The term “information security” refers to a broader swath of information and communications systems.
(The badge of newly created PLA Strategic Support Force, which was handed over by Xi on January 1, 2016.)
Emphasis on cyber power
The Chinese cyber strategy is the product of several years of systematic study of the issues connected with the cyber security. China’s interest in cyber warfare can be traced since Operation Desert Storm of 1991 that brought into focus the increased use of cyber technology and the salience of cyberspace in warfare. Since then China had been studying various aspects of cyber warfare and cyber security. From the study of the operations, it learnt about the weapon systems that help in dominating the cyber space. At the same time it focussed on understanding the strategic concepts of the cyber doctrine. Realising that the researches in other countries in this field would be important for formulation of its cyber strategy, it encouraged its experts to discuss the issues with their counterparts in other countries including US and Japan.
The Chinese experts held bilateral discussions with Japanese experts in 2009 on the issues connected with “Hegemony in the Internet Era”. They jointly produced a joint paper on the concept of cyber power. They came to the conclusion that a country’s capability for cyber warfare depends on its cyber power. The term cyber power refers to a country’s capability to take action and exert influence in cyberspace. According to the Chinese experts the cyber power is based on the following components-
1. Internet and Information Technology capabilities.
2. IT industry capabilities.
3. Influence of Internet in the country.
4. Use of cyberspace in various sectors particularly in economic sphere.
5. Cyber military strength i.e. ability to defend and capability to respond to cyber-attacks. This also includes network deterrence and capability for offensive action.
6. The extent of national interest in cyber strategy. In other words besides capabilities, there must be will of all stakeholders to use the cyber power to achieve its objectives. For this the cyberspace strategy must have theoretical guidance, behavioural norms/criteria for action, and a strategic plan.
Main features of cyber strategy
Chinese cyber security strategy has three drivers: economic, political, and military. Its objectives include (i) maintaining economic growth and stability, (ii) protecting the governing power of the Chinese Communist Party through information control, propaganda, and targeting of domestic sources of potential unrest, (iii) using computer network operations to signal dissatisfaction with foreign powers over developments outside of China, (iv) preparing for military scenarios and ensuring military superiority in cyber space in the event of a conflict, (v) studying and understanding potential adversaries’ military infrastructures, motivations, objectives, capabilities, and limitations in the cyber domain and (vi) advancing alternative narratives of government control over/handling of cyber security internationally.
There are five dimensions of the Chinese cyber strategy. First, China considers that its cyber strategy is a part of overall Chinese national security strategy. “No national security without cyber security” said President Xi Jinping to the state-run news agency Xinhua in April 2014. In Chinese thinking, strategic deterrence has a central role and the cyber strategy is seen as an essential component for strengthening military machine. The overall Chinese strategy depends upon several military and non-military capabilities like nuclear, conventional, space and information warfare, economic, diplomatic, scientific and technological as also the collective will of the nation. They all constitute essential components of a credible “integrated strategic deterrent.” With the focus on “integrated strategic deterrent”, Chinese cyber capabilities supporting its military machine have made impressive improvement in the last two decades. In Chinese concept, deterrence of cyber operations could serve the same purpose as the nuclear deterrence in international environment. For China, the cyber warfare is the decisive element in its strategy to ascend the international system and is central in military conflicts. At the operational level soldiers are increasingly dependent on cyberspace and at the strategic level the higher authorities depend on information using cyber space to take decisions. Hence weaknesses and strengths in cyberspace can be used to deter the adversaries and affect the strategic balance of power.
Therefore, China deliberately maintains an aggressive cyber warfare posture to deter its adversaries. Deterrence is achieved by projecting its capabilities for infiltration of critical infrastructure of adversaries; for military technological espionage to gain military knowledge; and for industrial espionage to gain economic advantage. US has been accusing China for several cyber-attacks. US accused that the Chinese cyber warriors had attacked their F-35 Joint Strike Fighter programme which is the centre-piece of future American air power capabilities as also for stealing sensitive data of Pentagon computers and US commercial companies. On the other hand, China also accuses US for espionage. They quote US Echelon and Prism programmes to support their charges.
Second, a related dimension is the concept of offensive operations. As early as 2005, Maj. Gen. Junepeng of PLA had claimed that China had acquired the capability to destroy the adversary’s networking and thereby paralyze the ability to respond. In this context he had named India along with US and Japan. While at that time it was doubtful if China had acquired the capabilities, yet this reflected the Chinese intents. The last year’s White paper emphasised on “active defence” which is interpreted as its objective of offensive operations. The U.S.-China Economic and Security Review Commission (2009) mentioned that Chinese military doctrine calls for exploiting the vulnerabilities of its adversaries in case of a conflict. The Chinese concept of “No Contact War” is significant in understanding the Chinese cyber strategy. The underlying principle is fighting wars without its forces coming into contact with the forces of adversaries and winning war without causalities. It involves application of all national capabilities in an integrated manner to conduct distant operations to achieve a quick decisive victory by disrupting, denying and destroying the enemy’s war waging potential and its command and control systems through remote delivery of destructive kinetic energy and effective cyber operations.
However, the use of cyber operations are not limited only to the war time. As mentioned above, the Chinese agencies use cyber operations for gathering intelligence to be used during a conflict. It also collects information from business houses of foreign countries so that its own entities may have an edge in competitive international market.
The third dimension is cyber diplomacy. Significantly while preparing for cyber warfare, China is also using the cyber diplomacy for the protection of its infrastructure and commercial companies. It has two objectives in cyber diplomacy. First is to ensure that the cyber-attacks on China are reduced, if not stopped. The US and China agreement on 25th September, 2015 is a good example of Chinese cyber diplomacy. By this agreement both sides agreed that they would not engage in cyber-enabled economic espionage against each other or support such activities, and that they would take the necessary actions to curb and cooperate on cybercrime issues. Another agreement has been made with Russia. China and Russia had pledged not to carry out cyber-attacks against one another, while promising more cooperation on cyber security. The second objective is promote and transform the global internet governance system in accordance with its notion of “multi-lateral” approach to the governance of global cyber space. China has organised two world conferences in 2014 and 2015 for this purpose. The Chinese concept is that cyber sovereignty of each nation should be respected. In more concrete terms this means, in Xi Jinping’s words, “respecting each country’s right to choose its own internet development path, its own internet management model, its own public policies on the internet, and to participate on an equal basis in the governance of international cyberspace?-?avoiding cyber-hegemony, and avoiding interference in the internal affairs of other countries.” This was supported by several delegates including the Russian PM.
The fourth dimension relates to the concept of “Cyber Power” and use of domestic products. This also includes strengthening of its information network to develop abilities to defend against the cyber-attacks. Information security concerns figure prominently in the major national R&D programmes of China. China’s Medium to Long-Term Plan (MLP) for scientific and technological development, with its megaprojects, and the recent Strategic Emerging Industries (SEI) initiative, have incentivized Chinese research establishments and industrial enterprises to develop their own intellectual property (IP). In several cases it is reported that the Chinese have acquired foreign technology and modified it to secure Chinese IP rights. China depends on indigenous equipment and technology. The 1999 encryption regulations restrict or ban outright the use of foreign encryption technology. Under the China Compulsory Certification for Information Security (“CCCi”), cyber products must undergo stringent certification procedures for sale in China. In 2003, the “National Coordinating Small Group for Cyber and Information Security” developed the “Document 27″ which laid the foundation of several policy decisions for use of cyber products within the country. The Multi-Level Protection Scheme (MLPS) introduced since 2008 to stifle the threat from foreign software is applicable to private users and small companies, business houses in strategically important sectors like finance and infrastructure and the public authorities. Since the formation of the “Central Cyber Security and Informatization Leading Group” under Xi in 2014, more steps have been taken in this direction The Chinese government considers foreign software to be a potential threat to national security. Chinese business houses are encouraged to use domestic software, technology and products.
The fifth relates to governance of all entities. The Chinese have realised that unless all the stakeholders work as one united force, it would not be possible to deal with the threats from cyber space. It realises that most of the users of cyber space are outside the Government and it can influence the users in variety of ways besides information stored with entities outside the government could be stolen by adversaries to their advantage. The control of internet is considered essential as the information is stored there and all the attacks are mounted on the communication and information networks. The civil and military agencies coordinate their activities. The “Central Cyber Security and Informatization Leading Group”, brings high-ranking officials together with representatives of widely varying ministries (including representatives from the Ministries of Finance, Education and Culture as well as the National Development and Reform Commission). The Leading Group is not an executive entity, but rather, it develops guidelines for the PRC’s cyber security policy. Several members intentionally belong to several parallel groups such as the “Central Leading Group for Comprehensively Deepening Reforms”. This overlapping is intended to enhance and encourage mutual cooperation. The private sector is an important part of the cyber security efforts. The Ministry for Industry and Informatization coordinates cooperation with the private sector. The rolling of all stakeholders together is an important aspect.
Conclusion-lessons for India
China has made impressive developments in cyber field. It has understood clearly the significance of cyber space in the current security environment and has taken steps to have a comprehensive strategy and necessary structures to achieve its objectives. In sum it has enhanced capacity to face cyber threats by establishing greater resilience in infrastructure and increased dependence on indigenous hardware and software; enhanced capabilities to respond to threats by building operational plans and stressing on R&D; taking steps through cyber diplomacy to reduce the threats; and strengthening the governance system that involves all the stakeholders.
For India, it provides good lessons. Some of its best procedures and practices should be considered for adoption. While India has come out with a National Cyber Security Policy in 2013, which is an important step, there are certain steps which needs to be taken. First is to have a National Cyber strategy as a part of national security strategy. The National Cyber Policy lists sources of cyber threats and recommends the tasks of various structures in para 5 under the heading of strategies. The comprehensive cyber strategy is needed to ensure all stakeholders work as a united force for the protection of our critical infrastructure. A coordinating mechanism needs to be established for this purpose. The joint task forces created by India involving private sector may be upgraded to ensure greater synchronisation. Second, while the National Cyber Policy does indicate that there will be a nodal agency for cyber security, this is yet to be named. Third our entities should depend on indigenous equipment and software. Suitable incentives need to be given. Fourth, more importantly like China (as also by US), India should have deterrence in place at least to limit attacks from adversaries and groups supported by them. This would require sharpening our abilities not only in defensive but also in offensive operations. A greater investment in research and development on cyber security issues is needed.
TimesofIndia