July 21, 2021

IntelBrief: Operating in the Gray Zone: China’s Cyber Operations Call for a Unified Response


Bottom Line Up Front

  • The Biden administration responded to China’s aggressive cyber operations by “naming and shaming” Beijing in an attempt to confront the growing threat posed by criminal hackers.
  • For China, cyberattacks are an asymmetric means of confronting the West while attempting to maintain a thin veneer of plausible deniability.
  • The hacking operations are intended to pilfer sensitive information and intellectual property, including military technology and medical data, to bolster the efforts of the Chinese Communist Party and related government entities.
  • Notably, no sanctions accompanied the condemnation; many governments are wary of China’s willingness to use economic coercion against countries and companies that criticize Beijing.

The Biden administration recently responded to China’s aggressive cyber operations by “naming and shaming” Beijing in an attempt to confront the growing threat posed by criminal hackers. The United States was joined by numerous allies, including the European Union, the United Kingdom, Canada, Australia, New Zealand, Japan, and the North Atlantic Treaty Organization (NATO), in condemning China’s massive global hack of Microsoft Exchange email server software, which is used by multinational corporations, government agencies, and military contractors. The attacks, which compromised tens of thousands of computers around the world, have been linked to China’s Ministry of State Security (MSS), one of the country’s top intelligence services. The hackers were described by U.S. officials as criminals used by the MSS to carry out the attacks on Microsoft. In remarks earlier this week, U.S. Secretary of State Antony Blinken said, “The United States and countries around the world are holding the People’s Republic of China (PRC) accountable for its pattern of irresponsible, disruptive, and destabilizing behavior in cyberspace, which poses a major threat to our economic and national security.” China denied its involvement in the Microsoft hack, and accused the U.S. of mounting its own cyberattacks against Chinese government, scientific, aviation, and other technical institutions over the past decade.

For China, hacking operations and cyberattacks are an asymmetric means of confronting the West while attempting to maintain a thin veneer of plausible deniability. As with Russia, the PRC is the main agitator behind the attacks, either organizing and actively encouraging malevolent actors, or simply choosing to ignore threats emanating from their respective homelands. Given the vast internal security apparatuses wielded by Moscow and Beijing, there is no doubt that if the Russian or Chinese governments wanted to stop the attacks, they could do so. Western countries remain tethered to a binary paradigm of war or peace, while China, Russia, Iran, and a range of other actors are increasingly comfortable operating in the so-called “gray zone,” a set of security challenges defined by U.S. Special Operations Command (SOCOM) as “competitive interactions among and within state and non-state actors that fall between the traditional war and peace duality, [which] are characterized by ambiguity about the nature of the conflict, opacity of the parties involved, or uncertainty about the relevant policy and legal frameworks.”

Another component of the Biden administration’s response is the unsealing of a U.S. Department of Justice indictment charging four Chinese nationals for their involvement in hacking operations going back at least ten years. The operations were allegedly intended to pilfer sensitive information and intellectual property (including military technology, trade secrets, confidential business information, and medical data, among it sensitive information related to COVID-19 vaccines) to aid efforts by the Chinese Communist Party (CCP) and entities connected to the Chinese government in gaining a strategic advantage over Western rivals by using stolen data for financial gain and bypassing lengthy research and development processes. The UK’s National Cyber Security Centre alleged that Chinese hackers frequently targeted maritime industries and naval defense contractors, as well as some European governments. The MSS allegedly established front companies to coordinate and obfuscate malign state-sponsored activities, which include ransomware attacks and cyber extortion schemes. Refining cyberattacks and disinformation operations has been at the forefront of China’s efforts to improve its ability to disrupt Western countries while also gaining valuable intelligence from governments and companies alike.

Notably, no sanctions or diplomatic expulsions accompanied the condemnations, as many governments are wary of China’s financial might and willingness to punish countries and companies that speak negatively of China’s actions. Two Canadians, Michael Kovrig and Michael Spavor, have been in prison now for approximately 1,000 days as part of the spat regarding Huawei chief Meng Wanzhou. Speaking in 2012, former director of the National Security Agency and previous commander of U.S. Cyber Command Keith Alexander described cyber espionage as the “greatest transfer of wealth in history,” noting that U.S. companies lose hundreds of billions of dollars per year through intellectual property theft and cybercrime. But because this theft is not accompanied by “shots fired,” there has been less of an impetus to demand a forceful and comprehensive response. If this is a “digital Cold War,” as some have labeled it, one of the obvious vulnerabilities of the West is its inability to forge a unified response with teeth. The recent revelations from the Biden administration also highlight the growing importance of enhanced public-private partnerships, not just as buzzwords in the recommendations section of a policy paper but also as state policy objectives. Without close cooperation between governments and companies like Microsoft, hackers and cyber criminals will continue to exploit system vulnerabilities with impunity.