The Cyberspace Strategic Intelligence Research Center was officially founded at an information center of the General Armaments Department (GAD) of the Chinese People’s Liberation Army (PLA) on June 26, 2014. Experts believe that the center will provide strong support in obtaining high-quality intelligence research findings and help China gain advantage in national information security.
. . . .
The center is designed to become an authoritative research resource for Internet intelligence, build a highly-efficient cyberspace dynamically-tracking research system, provide high-end services for hot and major issues, and explore approaches of intelligence analysis as well as identification and appraisal with cyberspace characteristics.
. . . .
The center will adopt the expert engagement system as the basic organization form, engaging experts from such key equipment and technology development fields as cyberspace situation awareness and fundamental research while giving attention to such key development directions as strategic policies.
Bill Gertz, with his characteristic attentiveness to these kinds of things, wrote an article about this yesterday, in which he pondered the curiosity of announcing a new “military cyber spying center” so soon after the U.S. criminal indictment of five PLA hackers. Other well-informed sources echoed this sentiment:
Michelle Van Cleave, former DNI national counterintelligence executive, a senior counterspy policymaker, said the PLA announcement is interesting for its timing.
“In May, we indict five PLA officers for cyber espionage against the U.S. and the Chinese deny the charges,” she said in an email. “Next they announce a whole new center dedicated to the same thing, only now they’re calling it research.”
But is that what is really going on here?
One thing to note is that the host institution for this new Center is the PLA’s General Armaments Department (GAD). The GAD is one of four top-level headquarters elements for the PLA, the others being the General Staff Department (with responsibility for operations and intelligence), the General Political Department (political and ideological affairs), and the General Logistics Department (quartermaster functions other than weapons). It is effectively a weapons R&D and procurement organization, with no direct operational responsibilities. “Spying” per se is an operations matter that, as far as the PLA goes, would be managed by the GSD’s Third Department,¹ not by the weapons labs of the GAD. Indeed, this appears to have been the case for the PLA hacking units operating under the cover designators “61398” and “61486”:
Last year, the private security firm Mandiant first disclosed that a Shanghai-based military group, Unit 61398, was engaged in cyber espionage.
The five PLA military hackers indicted May 1 were part of this unit.
Then last month the firm CrowdStrike revealed a second cyber espionage group, called Unit 61486, also based in Shanghai. It attacked and penetrated U.S. defense, satellite, and aerospace companies, as well as similar targets in Europe, since 2007.
Those two units are part of the PLA General Staff Department in charge of intelligence.
Admittedly, the opaque language used in the description of the new Center’s function (probably exacerbated by translation issues) doesn’t help. But jargon in the cyber domain is still pretty fuzz-laden even in English (ask ten people what “cyber intelligence” means and you’ll get answers ranging from ordinary malware reports to “any sensitive data obtained through unauthorized network access”). Judging from the context, my guess is that the Center is really supposed to be focused on what we used to call network security research. The reference to “expert engagement” and “specially invited experts” suggests that the Center is a military-hosted interagency point of engagement for the various other centers of cyber expertise elsewhere in the Chinese government, such as the Academy of Military Sciences and the Chinese Academy of Sciences, neither of which reports up through the GAD.
Now, this does not mean that the Center’s purpose is innocuous. By their nature the applications for this kind of research are never limited solely to defensive matters, and that same research would doubtless be used to develop tools useful for cyber espionage and offensive mischief. The GAD is, after all, a weapons development institution. But actual spying activities themselves would be handled by an operational unit, and the existence of this Center does not by itself speak to the actual existence or nonexistence of operational activity.
The other caveat, of course, is that I am only interpreting the article — in other words, what the Chinese government intends to convey to the public, which may or may not reflect what is actually going on behind the scenes. Nonetheless, it is important to understand the nature of their public rhetoric to get a picture of what they’re doing. Similar to our own “critical infrastructure protection” initiatives over the past 15 years, the Chinese government has recently floated the idea that defensive cyber needs to be a national priority. In that light, the announcement of this Center is neither rank hypocrisy nor an accidental confession to cyber espionage, but rather a logical extension of the Chinese government’s stated commitment to defensive cyber (and, they would argue, wholly consistent with their denial of U.S. charges regarding offensive intelligence operations). Do I believe their denial? No. But this announcement doesn’t have much to do with it.
¹ I originally said the Second Department (military intelligence), but, of course, cyber belongs within the purview of the Third Department, the GSD branch traditionally responsible for SIGINT. As the cyber order-of-battle continues to evolve, some analysts believe that the Fourth Department (ELINT) also plays a cyber role. More on this in a separate post.