31 March 2023

After Meeting in Moscow, Will Xi and Putin Combine “IT Armies” and ICT-driven Hybrid Warfare Efforts Against the West?

DANIEL PEREIRA

“…the ICT-driven hybrid warfare landscape – at this point – has been digitally carpet bombed by both the Chinese and Russians – burning and smoldering.”

This week, the Washington Post reports that China’s Xi Jinping and Russia’s Vladamir Putin ended their three-day meeting in Moscow as signatories of “two agreements, one affirming their partnership and one setting out plans for economic cooperation, which they discussed at a joint news conference,” including (as the WSJ reported) “ten documents on economic cooperation stretching until 2030.”

What is more interesting is what Xi and Putin did not discuss at that news conference, which is the potential for the interplay and fusion of their information technology-driven hybrid warfare efforts directed at the West.

Historically, both countries both their current autocratic leaders and the legions in their official “IT Armies” and non-state actors resident within their sovereign boundaries (given free rein by the state) are masters of the dark arts of kompromat, information warfare, and narrative warfare – increasingly in the digital domain. NATO Review defines hybrid warfare as “an interplay or fusion of conventional as well as unconventional instruments of power and tools of subversion.” Invariably, novel information threat vectors are found at the intersection of this “interplay and fusion” that is the hallmark of hybrid warfare. At this point, the complexity and uncertainty that we all feel at the hands of multiple global, parallel crises – including the war in Europe – are fundamentally driven by these unintended consequences of unimaginable use cases of information and communications technology (ICT) to nefarious and destabilizing ends.

Our goal with this post is to provide an update on the ICT-driven hybrid warfare landscape, which – at this point – has been digitally carpet bombed by both the Chinese and Russians – burning and smoldering. Our hope is that this analysis is differentiated from the coverage of the meeting that just concluded in Moscow – squarely putting unique, underreported issues (which were not propagandized at the meeting by China and Russia or covered by the global media) at the center of your risk awareness.
Background

Last year many of our most trafficked research and analysis was concerned with hybrid warfare efforts around the time of the invasion of Ukraine, laden with information technology strategic risk, subversion, and innovation, including:

We Are In The First Open Source Intelligence War: We are witnessing the world’s first war where open-source intelligence is providing more actionable insights than classified sources. Here are views on what this shift means for governments, businesses, NGOs, and Citizens.

No, The World Is Not Destined to Live Under PRC or Russian Rule: The rise of China’s military, economic, and technological power deserves serious study. There are threats that need to inform decisions by government and business leaders. These threats include the most powerful cyber espionage operation on the planet, as well as extensive human and technical intelligence operations, much of which is used to inappropriately rob open societies to the benefit of the Chinese economy. China’s intentions are clearly to continue to grow its power. Xi Jinping has stated repeatedly that the rise of China is destiny, and he expects that China’s economy will become the largest in the world in his lifetime.

Dr. Scott Shumate Profiles Russian President Vladimir Putin: This OODAcast is a special edition focused on profiling Russian President Vladimir Putin with Dr. Scott Shumate, who has over 30 years of experience evaluating national leaders, terrorists, spies, and insiders. Scott shares his unique perspective on Putin informed by his extensive experience and insight. Is Putin suicidal? Is he a rational actor? Will he escalate to cyber-attacks? These questions and more are discussed with Dr. Shumate.

Russia downed satellite internet in Ukraine -Western officials: Russia was behind a massive cyberattack against a satellite internet network which took tens of thousands of modems offline at the onset of the Russia-Ukraine war, the United States, Britain, Canada, and the European Union said on Tuesday. The digital assault against Viasat’s (VSAT.O) KA-SAT network in late February took place just as Russian armour pushed into Ukraine.

‘The big one is coming’: tech giant’s stark Russia warning: The chief technology officer of $US50 billion ($67 billion) cybersecurity giant CrowdStrike has warned that Russia is still likely to launch large-scale cyberattacks against the West in response to sanctions and accusations of war crimes. Although doomsday predictions about Russian retaliation have so far proved wide of the mark, Australian Mike Sentonas said cyberwarfare had still played a significant role in the campaign, starting with early attempts by Moscow to destabilize its target Ukraine.
Russia’s Narrative Warfare Campaign

“This necessitates further work…to identify and archive these narratives, given the Kremlin’s vast propaganda ecosystem across traditional, digital, and social media.”

For the latest insights on the breadth and scope of Russia’s IT-driven hybrid warfare efforts, we recently provided an analysis of “Narrative Warfare and the Invasion of Ukraine“:

In a new report, the Digital Forensic Research Lab (DFRLab) team analyzed upwards of 10,000 articles from Kremlin and pro-Kremlin media that used false and misleading narratives in the run-up to Russia’s invasion of Ukraine in late 2021 and early 2022.

These narratives were used to:Provide a justification for the attack;
Obfuscate operational planning; and
Deny responsibility for the war.
What Next?: Holding Russia Accountable and Preserving Evidence

The report concludes with a discussion regarding holding Russia and its proxies accountable for the war:While Russia’s pre-war propaganda and incitement to violence violate its obligations under the International Covenant on Civil and Political Rights (ICCPR), it remains a question whether those narratives would constitute a crime under international law.
While international law does not prohibit disinformation and other “ruses of war”—though some legal scholars now argue that this position should be re-evaluated—Kremlin disinformation published in the lead-up to the invasion may be evidence of planning or preparing for an act of aggression.
Additionally, disinformation narratives that started prior to the invasion and continued afterward may be evidence that Russian or Donbas officials knew the invasion was inconsistent with the United Nations (UN) Charter and constituted a “manifest violation” of it.
This necessitates further work by the global research community to identify and archive these narratives, given the Kremlin’s vast propaganda ecosystem across traditional, digital, and social media.” (1)

Xi Jinping’s Hacker Academy Ecosystem at Scale

“…how were the Chinese team participating in the 2021 Tournament in Vegas? And would there be a Chinese presence at future international CFP Tournaments?”

Our August 2021 OODA Network Monthly Meeting included a discussion of Def Con 29, held in Las Vegas from August 5-8, 2021. After the discussion, we were left with a specific research question ripe for follow up:

“A Chinese Team (Katzebin) won the Def Con 29 CTF competition. It was the second year in a row that a Chinese team had won the competition (A*0*E won the Def Con 28 CTF). Hacking competition comparisons to Olympic gymnastics and diving are appropriate: High-performance team and individual contributions coupled with the gold, silver, and bronze podium dominance of American and Chinese teams. During our OODA Network conversation, a network member familiar with global CTFs queried: “Considering the recent Communist Party of China (CPC) restrictions on hacker participation in CTF events outside of the CPC, how were the Chinese team participating in the 2021 Tournament in Vegas? And would there be a Chinese presence at future international CFP Tournaments?” The recent creation and success of the internal China-based CTF competition, known as The Tianfu Cup, was also of note in the monthly meeting.

We eventually returned to researching that question: In so doing, like a spy thriller, the issue converged with Apple, Inc., The iPhone iOS, the privacy wars between Google and Apple, CPC surveillance technologies, The NSO Group, and the Chinese suppression of the Uighurs in Xinjiang, a northwestern province of China. Our initial research analysis can be found at the graphic link above. Below, find a startling report by Cyberscoop on the state-sponsored growth of the Tianfu Cup and its strategic role in the growth of the CPC’s cyber capabilities.
How Xi Jinping leveled-up China’s hacking teams


“China’s investments in cybersecurity education set the stage for a new, more prolific era of digital espionage.”


From the early 2000s to 2015, China’s hacking teams caused havoc for private companies and U.S. and allied governments. In a series of high-profile breaches, they poached government databases, weapon system designs, and corporate IP. From the breach of the Office of Personnel Management, to Marriott, to Equifax, to many, many others, the People’s Republic of China’s digital warriors demonstrated the full potential digitally mediated espionage.

But if Chinese President Xi Jinping has his way, this litany of breaches represents only the beginning of China’s digital prowess.

A year after coming to power in 2013, Xi began to prioritize cybersecurity as a matter of government policy, focusing the bureaucracy, universities and the security services on purposefully cultivating talent and funding cybersecurity research. During his time in office, the Chinese state has systematized cybersecurity education, improved students’ access to hands-on practice, promoted hacking competitions, and collected vulnerabilities to be used in network operations against China’s adversaries.

These investments are now coming to fruition, and, as a result, China’s hacking teams are poised to reap the benefits of a nearly decade-long cultivation of cyber talent and capabilities. These better-resourced and trained teams put companies at risk of further compromise and create an additional imperative for U.S. and allied nations to improve defenses of government networks.
China’s hacker bootcamps

In the 2000s, Chinese policymakers talked about hackers as “the talented few.” Finding the talent government officials needed was “like finding flowers in a field of wheat,” as one policymaker put it. U.S. indictments of hackers operating during this period illustrate the point. The professor who managed APT40 out of his Hainan University office hosted cybersecurity competitions to find hackers that could be brought onto the team — even using them to find software vulnerabilities. The notorious APT41 includes one of these talented few —Tan Dailin — whose career stretches back all the way to the early 2000s. Tan started out as a patriotic hacker working out of his Sichuan dorm room, standing up the Network Crack Program Hacker outfit. His career eventually blossomed to a full-time hacker for the PRC government.

Tan’s skills and entrepreneurial spirit launched his career, but self-starting success doesn’t scale. China wanted more. According to Xi, “competition in cyberspace is, ultimately, a competition for talent,” His policies — aimed at ending the government’s hunt in vast fields for hard to spot flowers — show just how serious he is about this.

Xi established his leadership on the issue of cybersecurity by forming in 2014 the Cybersecurity and Informatization Leading Small Group. The group quickly demanded that the Ministry of Education evaluate and standardize the content of China’s cybersecurity college degrees. Inspired by the United States’ National Initiative for Cybersecurity Education, a board of academics from universities across China created a list of core competencies that students should have when they graduate with a cybersecurity degree. In typical PRC fashion, they gave the cybersecurity degree a numbered code: 0839. By 2015, the Ministry of Education rolled out the standards nationwide, and universities adjusted their curriculums accordingly.

In 2016, Xi promoted his Leading Small Group — originally designed as a sort-of temporary committee—to the Cybersecurity and Informatization Committee of the CCP Central Committee (CIC). Upon launch, it was one of about 25 such committees within the core of the Party. Xi retained his leadership of the body.

Concurrently, Xi launched a formal government agency in 2016, the Cyberspace Administration of China (CAC), to represent the CIC’s work to other governments and businesses. The CAC’s composition and offices are the same as the CIC but is presented to foreign audiences as a government agency. This structure allows decisions made by the CCP Central Committee — such as launching China’s crackdown on technology firms and forced the delisting of Didi Chuxing from U.S. stock markets — to appear as the actions of a government regulatory agency, rather than the Party.

One of the CAC’s first acts was to publish a National Cybersecurity Strategy for China. Focused on moving away from looking for flowers and toward cultivating a crop of talent, this strategy outlined nine “strategic tasks” for policymakers to undertake. These ranged from increasing cybersecurity awareness to improving talent cultivation. As with many central government policies, the public strategy document isn’t particularly prescriptive about how to achieve these tasks, allowing provincial and municipal governments to innovate and compete on policy ideas.

Shortly after the strategy was published, two provincial policy ideas caught the central government’s attention. Modeled on North Carolina’s Research Triangle Park, China’s National Cybersecurity Talent and Innovation Base in the central city of Wuhan sits at the confluence of railway lines that make it easily accessible by high-speed rail to people across China. Here, provincial officials built what would become a sprawling 15 square mile campus, with a quarter of it dedicated to the National Cybersecurity School, the Offense-Defense Laboratory, the Combined Cybersecurity Research Institute, and supporting computational, data storage and cyber range facilities. The remainder of the campus offered tax incentives to people and businesses wishing to set up shop next to the base. Central government policymakers got wind of the project and made it a national asset, with the CAC holding a signing ceremony for the base’s construction at the end of 2016.

The following year, Guiyang’s Big Data Cyber Range suffered a similar fate. Begun as a provincial project in 2015, the Guiyang range now hosts cybersecurity competitions, industrial hardware for OT hackers, and apparently enough server space to count as “big data” (likely a low bar). Much like the base in Wuhan, policymakers in Beijing liked what they saw and adopted the range as a national effort by the central government, christening it as the Guiyang National Big Data Cyber Range in 2017.

The same year, this effort to improve training infrastructure expanded beyond co-opting physical assets, as a new education initiative took root. Just as China modeled reforms of its cybersecurity degrees on the U.S. National Initiative for Cybersecurity Education, policymakers in Beijing also drew on the United States’ designation of some schools as Centers for Academic Excellence in Cybersecurity to shape cybersecurity education. In 2017, China rolled out its designation of some schools as World-Class Cybersecurity Schools (WCCS) offered to those perceived as providing the best educational offerings.

Besides signaling to other universities the qualities and content that should be replicated, the designation also allows potential employers to quickly assess a graduate’s competencies by association. The WCCS designation does not apparently confirm any additional funding or resources, only prestige. The program mirrors the Center for Academic Excellence-Cyber Operations certification awarded by seven U.S. agencies, including the National Security Agency and Department of Homeland Security. China’s first tranche of awardees in 2017 included seven universities. Four more schools received the award two years later.

To attract students and fill these programs, China hosts thousands of capture-the-flag hacking competitions every year. In 2016, China’s best hackers were leaving the country to burn software vulnerabilities at competitions aboard — and collecting eye-watering sums to do it. Nowadays, China runs hundreds of cybersecurity competitions, sometimes with thousands of teams.

Growing the availability of domestic competitions serves at least two purposes for Beijing. First, these competitions provide China’s security services with a steady stream of vulnerabilities to be used in hacking operations. Industry titans, like the founder of the security firm Qihoo360, have gone on the record claiming that software vulnerabilities represent a “national resource” — akin to timber and coal. By 2017, China’s Ministry of Public Security rolled out a drastic new policy to control this resource: Software vulnerability researchers could only travel abroad for foreign competitions with express approval of the ministry.

But the CCP also wanted the country’s best hackers to show off their prowess at home and inspire others to do the same. To attract college students, the Ministry of Education collaborated with the China Information Technology Security Evaluation Center — the 13th Bureau of the Ministry of State Security, which is responsible for some MSS hacking operations — to launch the Information Security Ironman competition in 2016. The competition spans every province in China, includes hundreds of universities, and tiers the competitors so only the best schools compete with one another. To capture the magic — and compensation — of the international software security competitions that Chinese vulnerability researchers can no longer travel to, like Pwn2Own, China’s infosec community launched Tianfu Cup in 2018. Other hacking competitions have sought to bolster China’s capabilities in automated software vulnerability discovery and exploitation — like the DARPA Cyber Grand Challenge they are modeled on.

To facilitate the success of China’s hacking teams, the PRC began requiring software vulnerability researchers to first disclose any vulnerability they find to the Ministry of Industry and Information Technology within 48 hours of discovery. Microsoft’s 2022 Digital Defense Report concluded that the policy had led to the PRC collecting and deploying more 0-days. A more wholistic view of China’s policy environment may conclude that policies against researchers traveling abroad, mandating vulnerability disclosure to the government and investments in technologies to automatically find ever more software vulnerabilities combined to create this trend.
What Next? The State of Play in China

So, where do China’s state hackers stand now? A recently released report, authored by several of the World-Class Cybersecurity Schools in partnership with the Chinese Academy of Sciences, the Ministry of Education and the cybersecurity firm Beijing Integrity Technology describes the current landscape. The authors expect China’s deficit of cybersecurity experts to fall to 370,000 by 2027 — likely seen as a big success since 2017 estimates put the then-deficit at around 1.4 million. (The drastic drop likely reflects better survey and market data, rather than the sudden education of a half-million cybersecurity practitioners.) Still, the paper reports aggregate “production” of new cybersecurity experts to exceed 30,000 per year. Overall, the authors find the education system to be producing more, better prepared cybersecurity experts and continue to advocate for students to get more hands-on experience.

The report’s principal purpose is to lay out what the authors call the “4+3 Method” of cyber confrontation skills and development — an approach that harmonizes the preceding seven years of public policy in China. The “4” represents four key competencies for cybersecurity professionals: actual confrontation, software vulnerability discovery, “combat impact assessment” (likely a euphemism for security evaluation), and engineering and development skills. The “3” represents three methods of demonstrating the 4 capabilities: cybersecurity competitions (confrontation, defensive exercises, and vulnerability discovery), “confrontation practices” (cyber range practice and actual network confrontation), and “crowd testing and incident response” (open security testing, software vulnerability awards, security competitions and technology sharing).

In coming years, the policies that led to the report’s 4+3 Method will likely produce the harvest of hackers that Xi aimed to produce when he first came into power. This means that China’s hacking teams, when considered in whole, will no longer be dominated by the gun slingers of the past like Tan Dailin. Instead, defenders will have to contend with masses of nameless civil servants, each specializing in any one particular skillset, managed by a bureaucracy that has matured over the last decade. As such, we may see many fewer clusters of activities and IOCs successfully emanating from China clustered into APTs, Pandas, or elements of the periodic table. They will be replaced by an ever-growing collection of uncategorized actors, as the agencies managing these operations are able to promote stealth at scale, implemented by well-trained hackers.

For all the effort China has put into its hacking teams, fundamental truths about conflict dynamics in the cyber domain still constrain its operations. The exploitation of a vulnerability may impact one country more than another — just compare the U.S. government’s exposure to the compromise of Solar Winds compared to China’s exposure from the same system. Shared dependencies — such as the widespread use of Microsoft Windows — may constrain some operations. PRC policymakers have long hoped to foster a competitive operating system for the Chinese market. None are forthcoming. Even Huawei’s attempts at a domestic mobile operating system are — from my personal experience — are quite glitchy.

But if China delivers on its ambitions for a more self-contained computing ecosystem, that could change the landscape of competition. Free of mutual dependencies in hardware and software, operations could increase in speed and persistence, as compromise would no longer mean risk of operational blowback. We’re maybe a decade off from seeing these dreams come to fruition. But it wasn’t much less than a decade ago that Xi came into power and made cyber capabilities one of China’s priorities.

No comments: