22 June 2015

China's Irregular Warfare in the Cyber Domain

June 18, 2015

As the political crisis in Ukraine reached a boiling point early last year, Ukrainian military forces at first found themselves confronting rag-tag groups of rebel militias ostensibly spurred on by a desire for greater autonomy and self-determination. Soon, however, rumors began to spread of “little green men” aiding separatists and seizing airports. They were not your run-of-the-mill militia volunteers. No, these were well-equipped, well-armed, Russian-accented soldiers

In the dark areas of our information networks, electronic scouts, spies, and saboteurs sneak from node to node and from terminal to terminal surreptitiously pilfering the intellectual property of foreign nations. In other areas, protocol attacks are executed at a small scale to disrupt websites and organizations that certain governments have deemed a threat to their regime. The United States remains a favorite target, and the post mortem of many attacks reveals the culprits to be coming from Russia or China. Neither has acknowledged that these “little red bots” are directed by the state, nor that they serve its interests. The denial begs incredulity, and without attribution or clearly defined lines of command and control, neither country has any incentive to halt or hold back its cyber espionage efforts.

In all these examples, aggressive and effective “irregular warfare” is waged by irregular soldiers who do not serve under a defined and legitimate military chain of command. Falling somewhere between an unofficial state-directed militia and conventional military forces, they operate in a grey area between the various diplomatic and customary frameworks underlying modern warfare.

Modern Warfare as It is, Not as We Want It

Rising regional powers like China and Russia employ irregular warfare (IW) tactics outside of declared war because the consequences of full-scale armed conflict would likely be counter to their interests, raise the ire of the international community, and escalate the situation beyond their control. Nobody wants full-on war; it’s bad for business. Irregular warfare tactics give these states a degree of plausible deniability and nominally push the responsibility of escalation off of their shoulders. It is “have your cake and eat it too” warfare diplomacy.

It is through these alternating periods of escalation and normalization that the most persistent side wins out. It is a war of attrition. While smaller nations less equipped to wage full-scale war have had to resort to these tactics out of desperation – see North Vietnam, the nascent Chinese Communist Party, and the thirteen colonies during the American Revolution – Great States are now employing this form of warfare as a convenient workaround against international norms and unwise escalation. 

For Russia, the bellwether for IW has been their unofficial, and still denied, intervention in the Ukraine. The appearance of the little green men in the cities of Donetsk and Luhansk demonstrates Russian interests in the region as well as their willingness to use irregular tactics.

For China, what first comes to mind as easy evidence of irregular warfare is the ongoing conflict in the East and South China Sea. China primarily uses administrative, geographic, and legal means to legitimize its territorial claims. It also uses “anchor buildings” – structures erected on the island to claim it has infrastructure. It is also using non-military fishing boats and its coast guard to escalate tensions, seize territory, and defend its claims. Analysts have taken to calling these irregular forces “maritime militias” who are engaging in a “people’s war at sea”, a distinctly Chinese concept of citizen soldiers self-organizing into militia to fight.

While it is true that China has employed irregular warfare to advance its maritime claims, it has used these tactics in a much deeper and broader scope in the cyber domain. By using civilians, contractors, academic institutions, and unofficial military personnel as a proxy force to achieve its ends, China has epitomized the example of irregular cyber warfare.

The Skinny on Cyber Warfare

This is not warfare in the strictest or traditional sense. The cyber domain is fluid. Network reconfigurations, security updates, and anti-virus software destroy the vulnerabilities that give would-be hackers access – and in computer network operations (CNO), access is everything. It takes constant work to maintain or reconstitute the accesses necessary for a cyber-attack in the event of war. To use an analogy, from the 1950s to the 1980s, the United States and the Soviet Union maintained a near-constant submarine, strategic bomber, and ballistic missile readiness so that in the event of war their assets would be in the most advantageous position. In all scenarios, they would be ready for first-strike or immediate retaliation. Intelligence preparation and logistical mobilization in peace-time are there for the inevitability of war, with the earnest hope it never happens.

PLA hacking, espionage, and reconnaissance on military, government, and critical information is an “intelligence preparation of the battlefield.” It is a strategic deployment of assets as a reserve in case of war. The sustained attacks felt by DOD and U.S. government networks are a manifestation of a larger strategy of preparation and perpetual mobilization. It is not the opening stage of warfare, nor are we in an “open cyber war” with China. In general, the PLA is doing what all militaries do: hoping for the best while preparing for the worst. While this is intolerable to some degree, these targets are “fair game.”

Efforts to deter this particular type of cyber espionage are likely to fail. Only unilateral action such as strengthening defense, mitigating avenues of access, and intelligence counter-espionage campaigns will serve to reduce the volume and impact of this type of cyber-warfare. To use another analogy, your opponent is always going to try to get the ball downfield; you’re not going to scare him into not playing. The best you can do is to build the best defensive line you can, anticipate where he’s running or throwing, and prevent him from getting in your end zone.

The Internet Is Still Immature

The global information infrastructure, of which the internet constitutes a dominant part, is in a similar stage of development. In many ways it is in its painful transition from childhood to adolescence. In the late 19th and early 20th centuries, faced with U.S. and British uncontested dominion of the sea, rising nations like Germany and Japan sought to tip the balance of power by countering the prevailing paradigm of the day, even as they benefitted from maritime trade. They strengthened their navies, increased coastal defenses, and invested heavily in logistical infrastructure. The Germans, in particular, sought to disrupt trade and sea dominance through their use of commercial raiding in the Atlantic. In both World Wars, U-boats caused devastating losses for the British economy. Germany’s use of irregular warfare typifies the asymmetric strategies used by rising powers against the firmly entrenched. Dissatisfied by the Pax Britannica, rising powers made the sea a much more dangerous place.

China has, on many occasions, claimed that the United States maintains a “cyber hegemony” characterized by its dominance in the international information infrastructure. A growing bloc of rising, autocratic-leaning powers are similarly frustrated with the current internet arrangement. The “eight immortals” – the eight technology companies that dominate the international technology sector – U.S. control of ten of thirteen root name servers, and the Snowden allegations are seen as evidence of the U.S. hegemony at work and its willingness to abuse that power. The claims of hegemony unconsciously mirror similar claims by Germany and Japan vis-à-vis British and U.S. sea dominance in the late 19th and early 20th centuries. When faced with a global information infrastructure heavily dominated by Western powers – and the U.S. in particular – rising powers analogously seek to change the status quo to terms more favorable. At the same time, they benefit from the openness that the Western model has created. During this transition it is likely that they will continue to do so.

China and the United States, in particular, seem to be destined for a contentious fight for world power, if the media and some academics can be believed. Apparently, the Thucydides Trap is still alive and kicking, even in this post-American, multipolar world. In a conscious reflection of their policy of multi-polarity, Chinese views on the internet vehemently emphasize the territorial sovereignty of cyberspace within the bounds of China’s borders. Terms used to define this run from the simple, “internet borders”, to the pretentious, “Westphalian cyber sovereignty.” Whatever the name, it is a border- and content-controlled internet and undercuts human rights and what the internet has always symbolized. In an intentional effort to challenge the Western-dominated global infrastructure, China seeks to redefine what the internet is and how it should be governed.

The Internet Pax Americana

It is true that the internet policy the Chinese have espoused undermines the internet’s values and the very idea for which it was created. The political realities, however, render the internet’s evolution towards a more geopolitically defined institution an inevitability. Borders create borders, and defense creates defense. Irregular warfare in the cyber realm increases daily. Accessibility to the internet and the changing nature of technology have made the cyber realm the perfect battlefield for great-state irregular warfare tactics. If anyone can execute cyber-attacks – there are no non-proliferation treaties for malware – then anyone can play. The internet era of Pax Americana is over.

The internet is characterized by anonymity, openness, and the freedom to roam unfettered through the collective memory of human civilization. There are no flags, no banners, and, perhaps most importantly, no attribution. Although internet borders are springing up rapidly throughout the world – see China, Russia, and some talk of a Pan-European Intranet – for now it still maintains its non-attributable nature. Flags simply do not exist in the global network space.

Distance does not exist either. Fiber lines may stretch thousands of miles and connect one country to another, but thousands of miles means nothing to information that travels at the speed of light. In the cyber-domain, all borders are porous. Geographic distance offers neither the defense nor the comfort that it does in all other domains of war. All countries border one another and that sort of uncomfortable closeness lends itself to unconventional warfare tactics.

The Infestation of Little Red Bots

It is in this sea of ambiguity that “network privateers” – hackers, if you will – steal data, attack targets, and commit sabotage. There is no doubt that Chinese hackers have penetrated private networks and have stolen intellectual property. No room for argument there. The exact command and control of those cyber-attack forces is unknown, however. By unknown, I mean it cannot be satisfactorily proven to the point that it elicits an admission of guilt. China has been quite adept at not getting caught with its hand in the cookie jar.

Like the little green men operating in the Ukraine, these Chinese hackers or “little red bots” have no flags or identifiable insignia. Without proof of their operating legitimacy or direct involvement of the government, simply knowing who executed the attack is not enough. China has shown a remarkable propensity for leveraging militias, volunteers, and non-traditional forces – read: irregular forces – to execute morally ambiguous operations while maintaining plausible deniability. This is true in the maritime realm, this is true in the cyber realm. Identification is not enough to deter further theft.

Some of the little red bots have been identified, some have even been indicted, and all accusations have been met with steadfast denials by the Chinese apparatchik. China claims that hacking efforts are illegal and if found would be prosecuted, while at the same time claiming that China itself is a victim of constant cyber-attack.

It seems odd, though, that in a country where technology is tightly controlled, so-called illegal “hackers” would be able to operate with impunity, particularly ones associated with the military. Okay, maybe some attacks have slipped through without notice, sure. But even accounting for these, when you consider the sheer number of attacks coming from China, surely China must be aware of some. China has never offered an explanation to resolve this incongruence, and has no reason to do so. In any case, the circumstantial evidence paints a damning picture: either China encourages and requisitions cyber-attacks or simply allows them to happen. The behavior is not likely to change anytime soon, and the little red bots will grow and multiply.

Cyber Warfare, Cyber Espionage, and Cyber Theft

The bots have infested networks that range from defense contractors, banks, and universities to municipal systems. Rather than positioning implants and exploiting vulnerabilities in preparation for a potential war, however, the little red bots are outright stealing information for a very different aim. Like privateers, they are seeking to take a source of the adversary’s wealth and disrupt his economic system while certainly undercutting military competitiveness. In a conscious extension of people’s war guerrilla and civilian forces, the Chinese establishment is allowing, if not encouraging, unrestricted commercial raiding on foreign intellectual property.

It is understandable that participants in this “cyber people’s war”, or cyber militias, attack government and military targets for intelligence value. This is to be expected; it is the reality of the world. However, in today’s international climate, using cyber means to steal from private corporations or educational institutions is, at its core, a digital version of the antiquated guerre de course, or commerce warfare. It is not part of the legitimate espionage machine that all nations begrudgingly accept (cyber espionage), nor part of the intelligence preparation in which nations presumably engage (cyber warfare). It is theft, plain and simple.

An Internet “Paris Declaration”?

By the 1860s, maritime privateering had worn out its welcome and utility for the major powers of Europe. After the Treaty of Paris was signed and ended the Crimean War, the major signatories turned their attention to privateering and its role in warfare. A few weeks later, they signed what is known as the Paris Declaration Respecting Maritime Law, and formally abolished privateering as a practice. Still, privateering, or commerce warfare in general, would not be eradicated for another century. Despite the Hague Convention in 1907 and the London Naval Conference in 1909, the practice still continued to some degree both in and out of wartime.

It was a good step, though. Despite the United States’ refusal to sign the declaration, it promised to abide by the spirit, if not the letter of the declaration. A half century would go by and the United States itself would become a power player in the naval domain. Only then, when it was a legitimate stakeholder in the system – a backer, a patron, and guarantor of the dominion of the sea – did it see or feel the need to set down international laws governing the wider maritime realm. Another half century would pass before that idea would become a reality. Only the Second World War and the era of international order that followed created a system that institutionalized rules and laws governing the sea.

Naval and Cyber Domain Analogues

Still, though, lessons can be learned from the naval domain. China now plays the part of the new-to-the-table power player and, certainly, seeks to change the world order to terms more favorable to its interests. The naval domain went through three distinct phases in the modern era, and the global information infrastructure will likely walk down a similar road. Before the concept of a state or nation took on its modern relevance, the idea of sovereignty in the sea was simply a notional one. Next, the domain evolved to nation-states having standing navies, with irregular forces almost at constant war with one another, and the idea of sovereignty took hold. The idea that sea control was inseparable from national power, the Mahan imperative, was paramount. Finally, the modern concept of what the maritime domain should be arrived. With powerful guarantors and international agreements, the naval domain matured to be seen as something that is fundamentally universal.

The irregular warfare deployed by China in the cyber domain is evidence of the internet’s youthfulness. We like to think that technology and the realities of our world move at a snail’s pace, and our laws, treaties, and customs keep pace even as we struggle to understand and adapt to them. That is not the case. The cyber domain, being intermixed with state power, information power, military dominance, and wealth, has become a critical entity in international affairs even as it changes and morphs constantly. Actions there have real consequences. Even as the privateer may have been a useful tool in the naval domain’s early days, its time came and went. Cyber theft and cyber commercial raiding have no place in today’s internet governance, but until the internet matures as an international entity there will be no protection for it as a universal domain.

John Costello is a US Navy veteran with years of experience in the intelligence, defense, and China communities.
