The Evolution of Chinese Cyber Offensive Operations and Association of Southeast Asian Nations (ASEAN)

Introduction

The strategic environment consists of “continuous confrontation with the potential for persistent conflict in which major state powers are constrained (both domestically and internationally) from decisive military action and rapid resolution” (United States Army 2008, p. 11). Nations such as China display the capacity to employ a ‘whole of society’ approach to espionage and coercion (Eftimiades 2020). Based on its own declarations, there is but one China in the world, Taiwan is an inalienable part of China’s territory, and the Government of the People’s Republic of China is the sole legal government representing the whole of China. No country, no forces and no individual should ever misestimate the firm resolve, strong will and great capability of the Chinese Government and people to defend state sovereignty and territorial integrity and to achieve national reunification and rejuvenation. (Ministry of Foreign Affairs of the People’s Republic of China 2022)

In the spirit of not underestimating Chinese resolve, this paper seeks to understand the contemporary and recent historical Chinese cyber resources and strategy utilised to generate influence, specifically as they relate to Southeast Asia, and to understand Chinese efforts to establish a cyber ‘sphere of influence’ to support future expeditionary operations and ultimate control of Taiwan (Grady 2022).

RAND defines influence as “the coordinated, integrated and synchronised application of national, diplomatic, informational, military, economic and other capabilities in peacetime, crisis, conflict and post-conflict to foster attitudes, behaviours or decisions by foreign target audiences” (Larson et al. 2009). Influence is critical for China to achieve its objectives, in the Chinese-Taiwanese context and more broadly in the realm of economic and political competition with Western states such as the United States of America. Cyber capabilities provide a low-risk means of achieving influence and of closing the technology gap through activities such as Intellectual Property (IP) theft. The theft of IP allows for rapid and cheaper development of technology, allowing for increased influence abroad through more affordable and sharable assets, thereby providing leverage for the broad adoption of those technologies to support critical infrastructure, business capabilities, and social media. In turn, this supports increased permeation of the technology and enhanced access to information overseas, to support more IP theft, coercion, and the development of a mature intelligence collection apparatus.

China relied heavily on Western technologies in the early stages of development at the end of the 20th and beginning of the 21st centuries. These technologies provided the backbone of their systems and the precursors to their own domestic production today. Western companies saw Chinese sales of systems, such as firewalls, as a short-term business opportunity, rather than as a component of a series of strategic Chinese objectives enabling mass censorship (Whiting 2008). Chinese technologies have subsequently matured rapidly. The borderless nature of the Internet provided China with opportunities for cyber industrial espionage, IP acquisition, and surveillance overseas. This was supported by efforts to defend China from external influence, most notably through the deployment of the Golden Shield, or Great Firewall. Through poor cyber security practices and a desire to generate increased revenue, Western countries have enabled Chinese cyber operational units to obtain information while also validating Tactics, Techniques, and Procedures (TTPs).

This paper notes that attribution is difficult, given the deliberate attempts to obfuscate identification employed by many threat actors. An example is Yanluowang, a threat actor who appears to have undertaken deliberate efforts to disguise himself or herself as Chinese in origin (Garkava & Ashmore 2022). Despite this difficulty, the capability of large multi-national commercial cyber security providers, such as Mandiant, Palo Alto, SentinelOne, Recorded Future, and others, to track, correlate, and identify Advanced Persistent Threat (APT) activity across borders should not be underestimated. Indeed, the international capabilities of cyber security companies allow them to identify trends and relationships, and then to share observations in ways that nation states are less likely to be willing to do. Noting this capability, this paper has been written in conjunction with proprietary threat data supplied by Mandiant. In the interests of academic integrity, open-source information has been utilised wherever possible.
