China’s ability to penetrate foreign cyber systems for espionage purposes has been widely documented and has become a major reference point of global diplomacy and strategic analysis. The country’s cyber defences have not been discussed in the public domain very much at all. When it has, the focus has been largely on civilian aspects and for peacetime environments. By some accounts, from Chinese and international sources alike, China does not perform too well in civil sector cyber security. What sort of challenges would that present China in a war with the United States?
Measuring cyber defence
In the information age, as great powers move decisively to military and geopolitical strategies premised on cyber power, we need to take account both of their strengths and weaknesses in this area of capability. We should have a sense of their potential for offence and their ability to defend in cyberspace. So it is remarkable that little public attention has been paid to China’s cyber defences as its geopolitical confrontation with the United States in this domain intensifies.
If it were only a civil sector interest with technical aspects confined largely to the corporate world, there may have been adequate coverage of the state of cyber security in China. For example, we have the Global Cyber Security Index of the International Telecommunications Union (ITU), which ranks China well behind leading Western powers and even quite a few small countries. The 2018 assessment ranked China 27th among the 175 countries studied, behind small countries like Croatia (24th) and Mauritius (14th), and certainly behind the United States (2nd) and Japan (14th).
There are numerous studies on this subject by Chinese government agencies, private companies and scholars—few of which have been referenced in Western studies of China’s cyber power. They paint a similarly negative picture as the ITU index. If anything, those Chinese analyses suggest that the ITU assessment is an over-estimate of China’s cyber defences. This is possible because the index results in part from discussions between the ITU and Chinese officials keen to put forward official propaganda.
There is no strong consensus on how to measure cyber security capabilities. Most countries, China included, do not publish comprehensive data that allows a reliable assessment. This means one can only look at proxy measures. These might include notable breaches, surveys of industry professionals, reviews of policy actions, or opinions of leading figures.
Military cyber defence
For the military strategic analyst, it is important to observe that almost all work on comparative cyber security at the national level has been oriented to the peacetime environment and the civilian sector. This work remains highly relevant to military and strategic outcomes but is a smaller part of that picture.
The ‘peacetime’ environment of cyberspace, no matter how dark our view is of the current cyber confrontations between the United States, China and Russia, is a far cry from what these countries would be capable of doing in wartime and are actively planning to do in that eventuality.
What do we know about the cyber security of the People’s Liberation Army (PLA), its Central Military Commission, its theatre commands, and the operational elements (platoons and squadrons, or weapons platforms and systems)?
The best place to start answering this question is to look at the workforce that can provide cyber defences and the agencies and corporations entrusted with the task. This is addressed in my 2018 book, Cybersecurity in China. One focal point for assessing the military work force is the graduate output and course quality of civilian and military universities and technical colleges.
The picture is grim. As just one small indicator, in November 2019, the Chinese Universities Alumni Association (CUAA) published its annual ranking of the best Chinese universities for information security on a nine-point scale. Two universities achieved equal top positions of 7-star rating, five attained 6-star rating, while another 16 were awarded a 5-star rating. None were rated as world class (eight or nine stars).
Between 2013 and 2019, as evidence of the urgency with which the PLA views the problem, its Information Engineering University more than doubled its intake of undergraduate majors in cyber security (from 326 to 737), and pushed aside almost the same number of places in other disciplines. (That university was rated 5-star out of nine in the discipline of cyber security by the CUAA analysis.)
PLA perceptions of their weaknesses in other aspects of military cyber defence have been well documented in their military journals, as reflected in a 2020 article by Simone Dossi. Senior Chinese leaders refer to the country’s weak cyber industrial base, especially castigating their continued reliance on US technologies and corporations. These deficiencies in sovereign cyber security capability negatively affect their military capabilities. China’s moves to informatised warfare, joint operations and modern command and control systems on which cyber military operations depend have lagged well behind those of the United States.
For the PLA in wartime or during a military crisis involving the United States, there are at least three significant challenges. First, if the United States sees cyberspace as one of China’s biggest military vulnerabilities, then surely the Americans would see that as a primary target of attack to undermine the Chinese position by sowing confusion and paralysis–attacking civil and military cyber targets.
Second, the United States would seek to disable key Chinese weapons platforms, guidance systems and communications networks by direct cyber attack.
Third, and more importantly, strategic decapitation of theatre commands and even the national command by cyber attack would be a major US priority . Current US concepts of military cyber operations owe a lot to the initial concept of command and control warfare so prominent in the early 1990s. The United States might not be able to count on the success of all such operations during a war, but it is certainly planning them. In March 2020, the Commander of US IndoPacific Command, Admiral Davidson, made such specific threats with respect to China.
For its part, China cannot discount the certainty of being targeted in this way, and being forced, through weaknesses in its cyber defence, to devise political strategies to cope with those three outcomes: cyber paralysis, disablement of key platforms and weapons, and command decapitation.