Once considered “sloppy” in its cyber operations, China’s online capabilities have grown rapidly over the past decade into a dangerous threat regarded as equal to U.S. military digital skills, a new congressional report warns.
Under Chinese President Xi Jinping, the reorganized cyber agencies of China’s military and government now boast new and sophisticated cyberwar tools along with powerful cyber-espionage capabilities accused of stealing trillions of dollars in proprietary and secret U.S. information.
“China has engaged in a massive buildup of its cyber capabilities over the past decade and poses a formidable threat to the United States in cyberspace today,” the bipartisan report by the U.S.-China Economic and Security Review Commission said last week.
Militarily, tens of thousands of Chinese hackers are preparing for war against the United States. The report said China now has 10 times more troops devoted to offensive cyber-attacks than does the Pentagon’s Cyber Command.
“As a result of these long-running efforts, China’s activities in cyberspace are now more stealthy, agile, and dangerous to the United States than they were in the past,” the 785-page report concludes.
The commission report provides the most detailed public assessment to date by the U.S. government of China’s cyber operations, policies and actors. A key finding is that China is devoting greater numbers of people and resources to cyber operations as part of a plan announced by Mr. Xi for China to become a “cyber superpower.”
For example, the People’s Liberation Army (PLA) employs as many as 60,000 troops to support cyberwarfare missions, “dwarfing the number of cyber operators associated with U.S. Cyber Command’s Cyber Mission Force by a factor of 10,” the report said.
The number of Ministry of State Security (MSS) cyber personnel is not known. However, civilian cyber militia groups that work with both the PLA and MSS number in the “thousands or tens of thousands,” the report said.
Beijing also is applying more of its cyber forces to preparing for offensive attacks than Cyber Command is. The researchers for the congressionally chartered panel found that 18.2% of the PLA’s Strategic Support Force (SSF) forces focus on offensive operations. By contrast, just 2.8% of U.S. Cyber Command units are devoted to offensive cyber operations.
The Pentagon is working to bolster its cyber warfare capabilities but “is limited by manpower and resources,” the report said.
Cyber Command plans “persistent engagement” that would impose costs on China for malicious cyberactivity, contest its cyber forces in wartime, and disrupt cyber intrusions into U.S. and allied networks in peacetime, the report said.
However, experts told the commission that the PLA’s 10-to-1 advantage in cyber warfare personnel “could give the PLA an edge over U.S. cyber forces if a surge in malicious Chinese cyber activity overwhelms limited U.S. personnel,” the report said.
Even as Beijing bulks up, U.S. defenses against Chinese cyberattacks, both in government and the private sector, are fragmented and agencies have struggled to improve security. Military networks also are vulnerable to Chinese attacks because each service has its own systems and defenses.
Slightly more than half of the military’s 133 Cyber Mission Force teams are devoted to defending Pentagon networks, the report said.
“China’s formidable cyber capabilities call into question the U.S. government’s preparedness to protect its networks from a major Chinese cyberattack,” the report said.
Critical U.S. infrastructure systems are also vulnerable to Chinese cyberattack. Most infrastructure is owned by private companies and the government’s ability to defend electric grids, communications, financial and other online networks is limited to sharing information on potential threats.
“To prevail in the long-term competition with China, policymakers must find ways to impose greater costs for malicious cyber activity and strengthen domestic cyber defenses while upholding the liberal values the United States has historically championed,” the report concludes.
Regarding cyber spying, the report said that Chinese theft of sensitive data and technology has already weakened the United States. Millions of records on Americans pilfered electronically from U.S. databases are now being used by China’s intelligence services to target U.S. officials and others for blackmail and recruitment as spies.
In perhaps the most notable incident, Chinese hackers obtained access to an estimated 22 million records from the federal Office of Personnel Management in 2015 and also hacked travel and financial data on millions more from the hotel company Marriott and Equifax, the report said.
The MSS, China’s lead civilian intelligence service, is now in charge of cyber espionage and has retooled its cyberattack capabilities. It is now the world leader in identifying software vulnerabilities — a key offensive tool to gain remote access to computer networks for sabotage or data theft.
“Sophisticated Chinese cyber-espionage campaigns in recent years have compromised greater numbers of sensitive targets within the U.S. government and the private sector than ever before, raising questions about [China’s] insight into U.S. vulnerabilities that could be exploited for coercion or disruption during a crisis or a war,” the report said.
The MSS exploits software vulnerabilities known as “n-days” and “zero days” that are discovered by thousands of researchers and cyber militia teams devoted to finding the flaws. According to the report, China used more zero-day attacks than any other nation between 2012 and 2021.
One flaw allowed the MSS to break into iPhones to spy on minority Uyghurs in western China, where the central government’s repressive policies have been widely criticized.
Another major Chinese hack came to light in 2021 when software giant Microsoft revealed that a zero-day flaw in its Exchange email software allowed hackers access to as many as 280,000 computer networks, including at least 30,000 in the United States. Targets ranged from municipal governments and small businesses to healthcare providers and manufacturers.
China’s People’s Liberation Army also has set up a new unit, the Strategic Support Force (SSF), that blends cyber, information, psychological and electronic warfare forces into a single military branch.
“The Strategic Support Force is at the forefront of China’s strategic cyberwarfare operations and plans to target both U.S. military assets and critical infrastructure in a crisis or in wartime,” the report said.
The U.S. is not the only target of China’s beefed-up cyber abilities. There have also been critical infrastructure attacks in recent months against networks in Taiwan and the electric grid in India.
Chinese cyberwarfare power was greatly enhanced after officials in Beijing observed how U.S. military operations in Iraq in the 2003 invasion relied extensively on information technology. That led to the PLA’s drive for “informationization” weaponry and capabilities.
Information warfare in a future conflict will be built on cyber power, the report said.
“The battlefield spans not just the physical domains of land, air, and sea but also space, cyberspace, the electromagnetic spectrum and the human mind,” the report said.
The SSF’s use of cyber and other information warfare will target enemy political systems, economies, scientific and technological bases, culture, and foreign policies. For example, military strategists say that in the opening stage of war, Chinese hackers will conduct “blinding cyberattacks on an adversary’s computer networks [that] can paralyze its combat processes at the outset of a conflict, thereby ensuring one’s own information dominance.”
In war, the Chinese will use “network warfare” against military and civilian targets, including command and control networks, air defense networks and civilian infrastructure.
The report states that some experts who testified to the commission believe the United States remains more powerful than China in the cyber realm for now. But others told the panel that China is already an equal based on newly developed cyber tools that rival or exceed those the U.S. military can field.
The Office of the Director of National Intelligence stated in its 2021 annual threat assessment that Chinese cyberattack capabilities are “substantial” and “at a minimum, can cause localized, temporary disruptions to critical infrastructure within the United States.”
The report stated that a decade ago, Chinese government cyber operations were ridiculed by most analysts for their “simplicity and sloppiness.” The tactics included email “phishing” to gain log-in credentials, and the use of flash drives to infect target computers with malware.
Now the Chinese are deemed on par with or more powerful than the United States in terms of cyber capabilities, having adopted advanced tactics like vulnerability exploitation and the use of third parties to disguise their activities.
China’s ruling Communist Party under Mr. Xi in 2014 created a new organization called the Central Cybersecurity and Informationization Leading Small Group. Four years later, the unit was enhanced and renamed the Central Commission for Cybersecurity and Informationization that now controls all information strategy and policy.
New regulations required all companies in China to assist in cyber warfare and cyber-espionage activities, one reason Chinese-owned internet platforms such as the wildly popular TikTok site have received sharp scrutiny from both the Trump and Biden administrations.
China’s drive for cyber superpower status was spurred on by the discovery in 2010 of the Stuxnet computer virus that damaged Iranian nuclear centrifuges and National Security Agency contractor Edward Snowden’s leak in 2013 revealing NSA cyber penetrations into Chinese networks. China also built up cyber tools to squelch online opposition to the Chinese Communist Party and to identify and silence dissidents.