What is the PLA Cyberspace Strategic Intelligence Research Center?

Earlier this week there was an interesting announcement on China Military Online (the online version of the official newspaper of the Chinese military):

The Cyberspace Strategic Intelligence Research Center was officially founded at an information center of the General Armaments Department (GAD) of the Chinese People’s Liberation Army (PLA) on June 26, 2014. Experts believe that the center will provide strong support in obtaining high-quality intelligence research findings and help China gain advantage in national information security.

. . . .

The center is designed to become an authoritative research resource for Internet intelligence, build a highly-efficient cyberspace dynamically-tracking research system, provide high-end services for hot and major issues, and explore approaches of intelligence analysis as well as identification and appraisal with cyberspace characteristics.

. . . .

The center will adopt the expert engagement system as the basic organization form, engaging experts from such key equipment and technology development fields as cyberspace situation awareness and fundamental research while giving attention to such key development directions as strategic policies.

Bill Gertz, with his characteristic attentiveness to these kinds of things, wrote an article about this yesterday, in which he pondered the curiosity of announcing a new “military cyber spying center” so soon after the U.S. criminal indictment of five PLA hackers. Other well-informed sources echoed this sentiment:

Michelle Van Cleave, former DNI national counterintelligence executive, a senior counterspy policymaker, said the PLA announcement is interesting for its timing.

“In May, we indict five PLA officers for cyber espionage against the U.S. and the Chinese deny the charges,” she said in an email. “Next they announce a whole new center dedicated to the same thing, only now they’re calling it research.”

But is that what is really going on here?

One thing to note is that the host institution for this new Center is the PLA’s General Armaments Department (GAD).  The GAD is one of four top-level headquarters elements for the PLA, the others being the General Staff Department (with responsibility for operations and intelligence), the General Political Department (political and ideological affairs), and the General Logistics Department (quartermaster functions other than weapons).  It is effectively a weapons R&D and procurement organization, with no direct operational responsibilities.  “Spying” per se is an operations matter that, as far as the PLA goes, would be managed by the GSD’s Third Department,¹ not by the weapons labs of the GAD.  Indeed, this appears to have been the case for the PLA hacking units operating under the cover designators “61398” and “61486”:

Last year, the private security firm Mandiant first disclosed that a Shanghai-based military group, Unit 61398, was engaged in cyber espionage.

The five PLA military hackers indicted May 1 were part of this unit.

Then last month the firm CrowdStrike revealed a second cyber espionage group, called Unit 61486, also based in Shanghai. It attacked and penetrated U.S. defense, satellite, and aerospace companies, as well as similar targets in Europe, since 2007.

Those two units are part of the PLA General Staff Department in charge of intelligence.

Admittedly, the opaque language used in the description of the new Center’s function (probably exacerbated by translation issues) doesn’t help.  But jargon in the cyber domain is still pretty fuzz-laden even in English (ask ten people what “cyber intelligence” means and you’ll get answers ranging from ordinary malware reports to “any sensitive data obtained through unauthorized network access”).  Judging from the context, my guess is that the Center is really supposed to be focused on what we used to call network security research.  The reference to “expert engagement” and “specially invited experts” suggests that the Center is a military-hosted interagency point of engagement for the various other centers of cyber expertise elsewhere in the Chinese government, such as the Academy of Military Sciences and the Chinese Academy of Sciences, neither of which report up through the GAD.

Now, this does not mean that the Center’s purpose is innocuous.  By their nature the applications for this kind of research are never limited solely to defensive matters, and that same research would doubtless be used to develop tools useful for cyber espionage and offensive mischief.  The GAD is, after all, a weapons development institution.  But actual spying activities themselves would be handled by an operational unit, and the existence of this Center does not by itself speak to the actual existence or nonexistence of operational activity.

The other caveat, of course, is that I am only interpreting the article — in other words, what the Chinese government intends to convey to the public, which may or may not reflect what is actually going on behind the scenes.  Nonetheless, it is important to understand the nature of their public rhetoric to get a picture of what they’re doing.  Similar to our own “critical infrastructure protection” initiatives over the past 15 years, the Chinese government has recently floated the idea that defensive cyber needs to be a national priority.  In that light, the announcement of this Center is neither rank hypocrisy nor an accidental confession to cyber espionage, but rather a logical extension of the Chinese government’s stated commitment to defensive cyber (and, they would argue, wholly consistent with their denial of U.S. charges regarding offensive intelligence operations).  Do I believe their denial?  No.  But this announcement doesn’t have much to do with it.

¹ I originally said the Second Department (military intelligence), but, of course, cyber belongs within the purview of the Third Department, the GSD branch traditionally responsible for SIGINT.  As the cyber order-of-battle continues to evolve, some analysts believe that the Fourth Department (ELINT) also plays a cyber role.  More on this in a separate post.


Proliferating Stuxnet

Ralph Langner, the industrial control systems expert who first identified Stuxnet’s target, dissects the worm into its active ingredients:

Most people think of Stuxnet’s exploits as some complex, but structured hacker stuff on the operating system level, plus some mushy, arcane 70s-style controller code that cracked centrifuge rotors. In reality, the automation side of Stuxnet is as modular, structured and complex as the coding that can be found at the operating system level.  So let’s try to break down Stuxnet’s exploits in categories:

1. Operating system exploits (generic)
1.1 Two stolen digital certificates
1.2 Four zero-day vulnerabilities plus at least one known vulnerability
1.3 Peer-to-peer update logic

2. Windows application exploits (generic)
2.1 Default database password for SCADA application, plus SQL injection, plus forced SQL execution
2.2 Hijacking the legitimate driver DLL (s7otbxdx.dll)
2.3 Executing arbitrary code in project folders of the engineering software

3. Controller exploits (generic)
3.1 Code injection to any operation block, taking priority over legitimate code
3.2 Hooking system functions
3.3 I/O Filter & faker

4. Physical process exploits (mostly target specific)

From all the exploits listed, only exploit category four is tied to a specific target configuration.

In short, Langner believes that a lot of this stuff is more reusable than people appreciate, and worries about the proliferation risk.  In the worst case, he thinks that we may soon see the free availability of pre-packaged, fully configurable cyberweapons to “immoral idiots and geniuses alike,” much like the arming of the “script kiddies” in the prior decade.

I personally suspect that he may place too much weight on weapon engineering (and underestimate the intelligence and targeting activity that presumably preceded it), but read his whole argument.


What is “Strategic” Cyberwar, Anyway?

In my last post I mentioned that the focus of our model would be on “strategic cyberwar,” and then, inserting a handful of marbles in my mouth, I mumbled something unintelligible about “a level of decision-making” residing “several layers above” all of that horrible technical stuff that somehow always involves doing something obscure to the Windows registry.

Of course, there is a good reason for such evasiveness:  trying to be too precise about whether a certain form of cyberwar is “strategic” rather than “operational” or “tactical” leads us straight into a definitional swamp.  I won’t try to drain the swamp here; however, it strikes me that it might be useful to spend some time getting a little more resolution on what we mean by “strategic” (and, correspondingly, what will be directly addressed in our model, and what will be abstracted away).

The traditional rule of thumb about the levels of war (drawn from the world of kinetic violence) is that tactics are about battles, operational art is about campaigns, and strategy is about wars. Unfortunately, this amounts to more marble-mouthed garble when it comes to the gray zone that cyberwar inhabits.  None of the traditional military intuitions of time, scale, or geography really apply here:  is a sustained DDoS attack conducted over several days against the servers of a dozen companies a battle, a campaign, or a war?

To try to address this, we can adapt the old aphorism to the technical particulars, which would produce something like this:  If tactical cyberwar is about attacks on a particular network, and operational cyberwar is about attacks on a system of related networks, then strategic cyberwar is about attacking the adversary’s system of systems.

But that does not seem any more helpful.  Depending on how one chooses to define “network” and “system,” that proposition could mean anything (or nothing) at all.  Part of the problem is that there is no particular relationship implied between the scale of the “network” or “system” and the size of the strategic actor.  Indeed, taken literally, nothing prevents any operator of a “system of systems” from becoming a strategic actor.  Intuitively, this is not what we mean.  An iPhone is a complex device with many different component systems.  But we do not generally view the teenager who has “jailbroken” her iPhone as having committed an act of strategic cyberwar.

Where do these intuitions come from?  I think that the answer is found not in “strategic,” but in “cyberwar.”  In the end, cyberwar is still war. There may be plenty of strategic behavior in cyberspace, just as there is plenty of strategic behavior in the kinetic world, but only a subset of that strategic behavior pertains to a prosecution of a war.

That declaration, of course, does not wholly solve the problem; questions of exactly what constitutes a war in our age of global terrorism, insurgency, international sanctions, etc., continue to vex academics and lawyers.  But we need not decide the precise boundaries of war and peace; our purpose is only to set up a scale for our model.

So, to put it all together:

  • In the levels-of-war hierarchy, the strategic layer sits atop the operational layer, which in turn rests on the tactical layer.
  • At that top level, the applicable scope of concern is attacks upon a “system of systems.”  This implies high complexity and subspecialization near the top level of organization — in effect, the “macroinfrastructure” of the affected strategic actor.
  • Cyberwar is still war.  War implies violence.
  • Nation-states continue to enjoy a monopoly on legal violence.  The entities that purport to wage war are either nation-states or those who aspire to the sovereign status of nation-states.
  • Therefore, “strategic cyberwar” relates to attacks upon the macroinfrastructure of either (a) nation-states; or (b) entities that aspire to the sovereign status of nation-states.

This is not to say that other actors will not have important roles; in fact, I expect to see nation-states employ “tactical delegates” to a much greater extent than is the case in the kinetic world.  And there will be no shortage of “non-aligned” marauders roaming through the substrategic (operational and tactical) levels of cyberspace; most crime, for instance, is an essentially tactical endeavor.  But I believe the nation-states and their aspiring peers will set the strategic agenda.

Admittedly, there is a circular feel to some of this reasoning:  cyberwar is war; by definition, only nation-states can wage war; ergo it must be that nation-states constitute the important level of analysis.  Part of this may also be the result of the Westphalian bias that afflicts students of modern military history.

But I think that there is at least one other reason to believe that nation-states, rather than private subnational entities or even public transnational entities, will continue to occupy the seat of decision when it comes to cyberstrategic warfare.  I believe that the nature of cyberweapons — or at least the kind we can reasonably call “strategic” — will be such that they will effectively require the sovereign authority of a nation-state to develop and maintain.  This is not so much because national governments have abundant financial and technological resources (wealth and genius are not the sole province of national governments).  Rather, it is because the intelligence requirements to design, construct, test, and maintain a strategic cyberweapon may be so extensive (and require such intrusive and likely illegal measures to collect) that only a sovereign entity will be capable of doing it on a competitive scale.  We will consider this issue in a future post on the nature of strategic cyberweapons.


Building a Model of Strategic Cyberwar

In early 2009 I began thinking about a decisional model for the conduct of “strategic cyberwar.”  By “strategic,” I’m talking about a level of decision-making several layers above the technical particulars that dominate most of today’s discussions about cyberwarfare.  The particular vulnerabilities of today’s information networks, and the morphology and lifecycle of today’s worms, viruses, and botnets, are interesting and important, but I regard all of these matters as essentially tactical in character.  Some attributes of today’s cyberweapons will become irrelevant as the underlying technology inevitably changes; other attributes are more fundamental and will tend to persist regardless of technological change.  It’s the latter category that I’m most interested in, because those factors will continue to shape strategy and doctrine beyond the next operating system release.

Until I stopped work due to other real-life priorities, I had articulated a crude set of general principles which addressed, among other things:

  • A basic model of a strategic cyberattack weapon (what I’m tentatively calling a “logic attack weapon” or “LAW”)
  • The minimum intelligence requirements for a strategic LAW
  • The essential need to reliably predict a LAW’s effects on a complex target system
  • The notion of a “shelf-life” of a given LAW against a given target system
  • The need for a wide array of supporting “live” interactions with the enemy in cyberspace (for intelligence, testing, and strategic pre-positioning purposes)

I also sketched out a physical map concept intended to describe the strategic geography of the battlespace, with discrete “terrain” elements denoting civilian non-critical infrastructure, civilian critical infrastructure, and military infrastructure.  Naturally, the map wasn’t intended to portray physical distance, but rather an “attack distance” determined by weapon effectiveness, network architecture, defensive arrangements, and so on.  I borrowed from the safecrackers’ view of the world and decided that the appropriate metric of attack distance for these purposes was time.  Predictably, the mechanics get a little bit complex with a two-dimensional paper map since the attack distances between different elements might change at different rates — and, after getting a headache, that’s about where I left things.

In any event, I had all but forgotten about this shelved work until I recently ran into Bruce Costello (designer of the First Strike and Dropshot I/II/III strategic nuclear wargames) on the consimworld forums.  Bruce also has been thinking about cyberwar concepts for a number of years (and in fact is working on a new game design).  This inspired a conversation about these topics, and I’ve been inspired to pick this effort up again.  Strategy is a timely subject, with the U.S. DoD taking its first baby-steps toward articulating a doctrine of cyber-retaliation.

My objective over the next few months is to think about and articulate a complete set of principles for this strategic model of cyberwar.  I don’t know that this will result in a playable “game,” per se (I have no game design experience and really am only a fledgling wargamer).  However, if it provides some useful vocabulary and concepts to the broader discussion, I think it will have been a worthwhile exercise.  Let’s see where this all goes.
