Last week the U.S.-China Economic and Security Review Commission (USCC) released its latest report on China’s capabilities for computer network operations and cyber espionage, created for them by Northrop Grumman and titled “Occupying the Information High Ground.” It’s a pretty long 137-page document that describes all of the group’s findings as a follow up of the previous 2009 report on the same subject, which was also prepared for the US-China Economic and Safety Review Commission. The review goes into details on what was asked from the study, and what they discovered. As a result, several news publications dissected it to find some faults. So let’s look at the bottom line, and try to find out whether China really is involved in cyber attacks, and how advanced they are.
First, the scope of the document covers:
- the state of China’s cyber warfare technology
- recent developments and practices that could be used to exploit U.S. computers and network
- implications for U.S. military operations in the Pacific Ocean region
- who exactly is engaged in these exploits
- what kind of tools are being used
Throughout the document, the authors focus on these topics and highlight their findings, which can at time be somewhat alarming, at least for the government. Unfortunately, this report focuses mostly on military targets and avoids corporate espionage, another big concern with China and often by the same actors, yet it is completely missing from the report.
On the strategy and development side, it appears that China has spent considerable efforts on modernizing their infrastructure. The stereotype of Chinese users on old computers running obsolete software working day and night in government offices couldn’t be further from the truth. According to the report, at least 50 colleges and universities conducting information security research get some type of technology-related grant from the Chinese government, which the authors conclude indicates a nationwide technology development plan that’s been in the works over the past decade. Also, it would appear that the PLO, China’s army, doesn’t have a specific cyber attack division, but instead integrates these tools under a single command authority.
One of the conclusions of this report is that China’s improved technology and dedication to cyber warfare could cause a big problem for specific scenarios, like a defense of Taiwan from mainland aggression, where the success would hinge on the speed of its response, something that can easily be compromised through sophisticated online attacks. As for U.S. based threats, the report does mention that because so many companies produce highly critical pieces of technologies in China, including military suppliers, there’s an innumerable amount of possible tampering points and companies need to employ extensive testing to ensure devices are delivered as specified, and no unwanted bug ends up being present.
One thing to keep in mind about the research, however, is that this is mostly based on an assessment of what the PLO aspires to, or what the government desires, not what the actual capabilities are, since those are much harder to pinpoint. Other reports paint a different picture, and show that China’s online capabilities are lower than other modern countries. Also, the report talks about the tactical thinking in China, and not the political implications, making no mention as to what the plans of the Chinese government might be, and whether they would even use these capabilities in a war. Finally, it’s important to remember that the U.S. is not standing still either. At the RSA conference earlier this month, the Deputy Secretary of Defense Ashton Carter said that while various parts of the military are always at risk for cuts, the cyber front is never affected by budget cuts.
Still, it’s probably no surprise for any IT admin or anyone who keeps up to date on security news that China is one major country where online attacks originate, and this isn’t likely to change any time soon. This report focused on the military aspect, but many estimate the cost to companies and organizations from Chinese-based cyber espionage or outright attacks is much higher. The specific findings of this report are important, but it’s only one facet of what the real story is all about.