China: c-c-changes

This article on the unintended consequences of Chinese President Xi Jinping's drive to purge the Chinese Communist Party of corruption is likely to go unnoticed by most. That is a shame, because it shows very clearly just how divided the CCP is and how many different factions it contains.

Some key quotes:

Chinese leader Xi Jinping in fact says no one is immune from his corruption probes and that he is going after both “tigers” and “flies,” party lingo for officials high and low. Few in China actually believe that Xi is trying to rid China of that evil, however. After all, the Communist Party has become completely infested, and the president appears to be targeting only political adversaries, such as the infamous Zhou Yongkang, the former security czar, using “corruption” as an excuse.

As a matter of fact, the purges have gone so far

that former leaders Jiang Zemin and Hu Jintao are now asking him to slow the effort, in part because he is threatening their extensive patronage networks and also because his investigations could shake the foundations of the party itself.

And that last part is why Xi Jinping could be the biggest game changer in China since Deng Xiaoping's opening up of the country and the economic reforms that set China on its current course.

How all this is relevant to cyber security and risk management is left as an exercise for the reader.

Cyber war and Russian view

Keir Giles wrote a good paper, which you really should read, on the Russian view of the legality of information warfare/operations (cyber warfare). This is a neglected aspect of information warfare studies and is completely ignored by cyber warfare experts in the West, who take the Western view to be the only view. That is because they are largely WEIRD. The West is largely in introspection around diversity, where diversity now means that everyone has the same values, shares the same culture and works towards the same goals in the same fashion. That is not diversity at all.

Cyberspace, cyber war and international law

The US and its allies (EU, Australia, NZ, …) share the view ‘that existing international law and international commitments are sufficient to regulate cyber conflict.’ The Tallinn Manual and other widely accepted legal views on international and customary law assume that this view is universal.

However, nothing could be further from the truth. China, Russia and others with a similar approach to information security (where the term includes propaganda, government control over information flow, etc.) disagree with the idea that current international law is sufficient.

This position may be surprising, but it is a rational one from the Russian and Chinese perspective. Both Russia and China feel threatened in the current environment: threatened by the lack of clearly defined rules, laws and treaties that would show what is and isn’t allowed.

Both China and Russia are sticklers for rules: rules draw lines that are not meant to be crossed. Rules also present opportunities: opportunities to find loopholes, opportunities to follow the letter of the rule whilst blowing raspberries at its spirit, opportunities to dance on the line whilst never actually crossing it.

In short: the West is happy with slight uncertainties and the fluid state of customary law because its members are all singing from the same song-sheet. China and Russia want a fresh set of rules specific to cyberspace: that way they will have certainty, and the ability to continue in their merry ways without actually breaking any rules.

Not everyone is WEIRD

If you are told that you are WEIRD, don't take it as an offence. It likely means that you belong to the roughly 12% of the global population that is Western, Educated, Industrialised, Rich, and Democratic *. Good as that may sound, it also puts you at a disadvantage when dealing with people from different cultural backgrounds.

The problem with relying on studies that were done solely with WEIRD participants is that it skews the results and, worst of all, assumes a certain cultural background in the decision makers:

[M]any studies have shown that Americans, Canadians and western Europeans rely on analytical reasoning strategies — which separate objects from their contexts and rely on rules to explain and predict behaviour —substantially more than non-Westerners. Research also indicates that Americans use analytical thinking more than, say, Europeans. By contrast, Asians tend to reason holistically, for example by considering people’s behaviour in terms of their situation.

That WEIRD sampling has had a significant negative effect on a range of social sciences is not surprising. That it has not been sufficiently accommodated in risk management and decision making theories over the last decade, though, is.

Progressive risk managers tend to look to behavioural economics, anthropology, psychology, sociology and communicology to improve their skills and their organisation's management of risk. But relying on studies that assumed a certain cultural background in the decision makers can, rather than improving their ability to help decision makers make the best decision under uncertainty, make things worse.

Remember, culture plays an important role. So do emotions, even if certain behavioural economists tend to ignore those.

Cyber and the art of conversation

This post was spurred by Justine Aitel’s talk at SOURCE Boston, where she reportedly (not having been there, it is a bit hard to confirm) said that the IT risk and security industry needs to use the term “cyber” in order to reach the business audience more effectively.

Yes, security has a problem communicating. No, it is not what you think it is. Yes, using “cyber” can help. No, it’s not what you think it is.

Communication - listen!

Infosec people love to talk. Incessantly, when it’s about something near and dear to them: the sky falling, their latest gadget, or … you get the idea. They also love to talk about listening, and how we’re not doing it right. And don’t interrupt us while we’re telling you how we need to listen more and talk less. :-) Yes, the secret to good communication is listening.

In the corporate world that translates into knowing and understanding:

1. The industry you are in. Both locally and globally. Know the local industry profoundly, keep tabs on what the leaders are doing globally, and see how that translates to your local environment. How?

  • Read the industry magazines. There are plenty of online resources, papers, etc. Keep cursory track of them.
  • Join a couple of industry bodies. There are always one or two forums.
  • Ask in your company, but always be ready to look outside as well.

2. What your organisation’s goals are. Not the stated ones, the real ones: the steps your organisation needs to take in order to make whatever it promised to the markets a reality. How?

  • Talk to people at the coalface, so to speak: project/programme managers, architects, developers, marketing and advertising, finance.
  • Establish good relationships early on with a few people in different areas. Look for people you get along with personally, regardless of the perceived importance of their position. Organisations leak bits of information everywhere; your job is to pull it all together for yourself.

3. What the department heads, the chief executives and others in positions of power need in order to meet their Key Performance Indicators. Sometimes this will be stated quite bluntly; other times you will need to put a lot of disparate data together in order to see the bigger picture. How?

  • Establish initial rapport: simply offer to see if you can help people with anything.
  • Give a presentation on what you/your team are doing. Show how it is relevant to your audience. To get something, you have to offer something.
  • Simply ask. Ask how you can help.

4. The type of conversations to avoid: purely negative conversations that don’t offer “and this is how we can fix it” suggestions are a drain. Steer clear.

People say this is easier said than done, but the fact is that you need to talk to people at all levels.

  • It helps if you are naturally curious.
  • It doesn’t help if you are naturally extroverted: in that case you will need to work on your listening skills.
  • It doesn’t help if you are naturally shy: in that case ask someone you are at ease with to introduce you to those you want to talk to, to break the ice.
  • It doesn’t help if you are the type who says: “I'm not shy. I'm just very good at figuring out who's worth talking to. Most of you aren't.”

Cyber here, cyber there, pretty soon there’s cyber everywhere

No, talking about cyber as “the big bad thing that will end us all if we don’t …” is not going to help anyone. Your company already navigates more risks than most infosec people can imagine, and does so on a daily basis.

Talk about “cyber” and explain to the decision makers, and to anyone who will listen (that’s a good way to get time with the decision makers, too), what cyber really is and how it relates to current affairs.

A hint, and a useful piece of trivia to break the ice: explain that the term “cyber security” came about as a response to countries, spearheaded by Russia and China, that consider “information security” at the national level to include propaganda, control of information flow within the country, etc. After Russia started pushing for a UN resolution on “information security” that, in some interpretations, covered dissent as an information security problem, the West started using the term “cyber security” in national conversations to distance itself from the Sino-Russian definition.

If you’re in Europe, use the example of Russia and Ukraine. If you’re in the US, use the previous example, but also espionage from China and how cultural differences (a serious problem) make the discussion harder because of differences in how the terms are understood (draw analogies between IT and the rest of the organisation?). No commonly defined terminology = mucho confusion.

And in the end, it helps if you know just what cyber really is. Trust me on this: you don't want to propagate a half-definition of this phenomenon.

Cyber espionage - the Chinese way

We have reviewed the structure of the Chinese intelligence community and the way it collects data and, building on both, tackled the monolith myth of China in order to explain why most of what you hear about Chinese cyber activities neither makes sense nor survives closer analysis. Now it is time to look at Chinese cyber capabilities and their use.

This is Part 4 of the four part series:

  1. Chinese intelligence structures
  2. The Chinese way of collecting data
  3. China: the monolith myth
  4. This post

Rapid rise, asymmetric going on symmetric and information warfare

China has gone in quick succession from underdog on the cyber scene to one of the leaders of the pack. In 1996, when public internet access was allowed in China, there were only 2 million users. Now, in April 2014, there are about 620 million internet users in China. For comparison: that’s twice the total population of the USA. The Chinese quickly grasped that the internet is the new way to do business, whatever business they’re in. The PLA recognised the power of the internet too: in 1999, three short years after the internet became publicly available, two Chinese colonels wrote a seminal work for its time, Unrestricted Warfare. At the time of its publication the book caused a stir in the US because it identified the US military’s dependence on ICT networks as its major vulnerability, something that the PLA could target and exploit in asymmetric warfare.

The PLA’s strategy for the use of electronic and cyber warfare has since evolved dramatically. First, because it is no longer an underdog:

The PLA is pursuing a highly ambitious cyber-warfare agenda that aims to link all service branches via a common ICT platform capable of being accessed at multiple levels of command and has created three new departments of Informatisation, Strategic Planning and Training to bring this agenda into being.

Moreover, since the late 1990s the PLA has taken the opposite direction to the US on cyber, technology and information superiority: the US started with the information warfare concept in the 1990s, then slowly dropped its softer aspects and focused solely on network-centric warfare and electronic warfare. The PLA started with network-centric warfare and electronic warfare and then incorporated information warfare concepts, arriving at today's concept of information confrontation.

Cyber espionage and conflict

A lot of the information available in China deals with cyber warfare (to use the Western term), but there is precious little talk about cyber espionage. In the Western sphere of influence, however, cyber espionage is the topic most tightly linked with China, thanks to operations such as Titan Rain, Aurora (later revealed to have been, in fact, a counter-intelligence job) and GhostNet.

Like Russia, China considers war to be the final stage on the conflict continuum. The stages of that continuum can roughly be divided into:

  • meddling in another country’s internal affairs via purely informational means (including meeting the Dalai Lama, supporting Tibetan independence, supporting the Uighur cause, …);
  • social conflict (increased terrorist, ethnic separatist, extremist activity);
  • armed conflict;
  • war.

What this means for the Chinese understanding of cyber conflict is that “support for separatist movements”, i.e. Tibetans, Uighurs, etc., ranks on the conflict continuum, whereas industrial espionage is a simple legal issue. To China, industrial espionage, even state-sponsored, is just a way of conducting business, if an illegal one. Hostile information activity, on the other hand, is squarely on the conflict continuum. The West takes the opposite view, and there are not enough people versed in, and understanding, both views to build a bridge.

Industrial-scale industrial espionage

There is no doubt that entities in China are engaged in large-scale industrial espionage against a variety of industries across the globe. But,

the overall picture is reminiscent of China’s earlier humint-driven efforts to collect foreign science and technology. There is still a significant ‘Wild East’ aspect, characterised by an apparent absence of effective co-ordination and the involvement of a multiplicity of actors with different motivations.

The two distinct groups of targets of Chinese espionage are:

  1. Science and technology, acquired covertly (RSA, Lockheed Martin, etc.)
  2. Political and economic intelligence on foreign governments, NGOs and opposition groups outside China.

The former is the focus of 3/PLA, whilst the latter is traditional MSS ground. Since China’s intelligence services maintain a distinct culture of isolation from one another, it is not unthinkable that both 3/PLA and the MSS have developed their own cyber espionage capabilities.

The former head of the NSA, General Alexander, said that China operates industrial-scale cyber espionage aimed at the US government and US industries. So far, however, Chinese intelligence has yet to show that it has the ability to actually process, and put to its own benefit, all this stolen information. In the end, the two cases used as examples of Chinese industrial espionage (yes, only two well-documented cases after all this time), the AMSC wind turbine affair and the long-term espionage against Nortel, serve best to explain the difference. In the AMSC case the industrial espionage was performed by an erstwhile business partner that managed to steal not just the code but also the coder. This dealt a significant blow to the organisation, and it all happened in a really short period of time.

In the Nortel case the adversary had access to the internal network, and to all the information Nortel had, for at least a decade, with no significant impact on Nortel stemming from the breach and the espionage itself. It was Nortel’s poor business practices and lack of competitiveness that did it in.

It is unknown how much China’s Standing Committee (and the Party bureaucracy) can do about the cyber espionage undertaken by Chinese intelligence services and other parties in China.

The two top priorities for the Chinese Communist Party are maintaining economic growth and domestic stability, and averting any challenge to the leadership of the Party. Reining in cyber and other espionage, where doing so would conflict with those two priorities, is out of the question.

China: The monolith myth

Diversity that is China

China is always seen by the West as a big, monolithic country. That nothing could be further from the truth does not shake that popular wisdom, which is typical of cultural biases and heuristics. After all, our brains are mostly wired to deal with small communities of similar people; it is nigh impossible to conceive of a country with the population of China.

This is Part 2 of the four part series:

  1. Chinese intelligence structures
  2. The Chinese way of collecting data
  3. This post
  4. Cyber espionage - the Chinese way

China has

  • 1.35 billion (BILLION!) people. That’s like having 165 NYCs in China. Or 292 Sydneys. Or roughly 4.3 USAs. Or roughly 58 Australias. Or … you get the message.
  • 56 recognised ethnic groups. Compared to Europe’s 87.
  • 7 major groups of Chinese languages within the Sino-Tibetan language family, officially considered to be mere dialects, plus many, many sub-dialects. (For comparison, nearly all European languages, across 8 branches, belong to the Indo-European language family.)

Diversity in the upper echelons

So China is very, very diverse. The myth that a country that size can be driven by a well-oiled machine that knows everything and manages everything is, at best, laughable. The stories of the corruption and machinations of Bo Xilai (one of the 25 members of China’s Politburo and a candidate for the Standing Committee: an up-and-coming politician, until his downfall) and Zhou Yongkang (China’s former domestic security tsar, and Bo Xilai’s only defender on the Standing Committee) show that China’s upper echelons far surpass “Game of Thrones” in terms of political manoeuvring.

But, we’re here to talk about Chinese intelligence and cyber security monolith myth.

Intelligence services and the policy community

It should come as no surprise that China does not have a single formal office for assessing intelligence and producing analyses that reflect an agreed government position. The infighting, entrenched individuals and departments neither want, nor see any need, to cede or share power. President Hu Jintao reportedly tried twice to organise a central office for intelligence. That China still doesn’t have one speaks volumes.

So what does China have? For the purposes of foreign policy and national security (including cyber intelligence) it has three Leading Small Groups (LSGs): two for foreign policy and national security (really a single body with two different names) and an LSG for Taiwan. Of course.

The role of the LSGs is to bring together senior policymakers to debate and provide advice and recommendations on major policy issues to China’s ultimate decision-making body, the Politburo Standing Committee. The LSGs operate by consensus.

As everywhere else, it should be no surprise that China’s intelligence organisations have to fight for time with decision makers. And just as everywhere else, their products, even when they are good, will be questioned and often overruled. Much as everywhere else, there will be plenty of infighting in the intelligence community, too, even at the highest levels. Why? Because that’s how a Mandarin (that is, bureaucratic) court operates.

Firstly, modern China has witnessed a significant growth and diversification of interest groups and centres of power, to the point that it has become hard if not impossible for entities used to exercising control over foreign and security policy to continue doing so.

PLA isn’t in charge, either

So if the intelligence services largely fight for time and don’t really run (or primarily implement) the country’s cyber policy (shocking, isn’t it?), then the PLA most definitely does. After all, that Mandiant report on APT1 places it squarely and irrefutably on the PLA.

[T]he PLA’s role in Chinese politics and policymaking has been on a steady decline since the end of the Mao era. There are no longer any military leaders on the Politburo Standing Committee and the institutional mechanisms available to the PLA – principally the Central Military Commission and its participation in the LSG process – do not obviously allow for the exercise of disproportionate influence over foreign policy.

The argument now will go: ‘but that’s not what we’re saying. We’re saying that the PLA is just implementing the cyber policy’. And the standard response to that would be: “Duh!” The follow-up questions are: who sets the policy? At what level? How do they make sure that there is no independent activity? In other words: for the monolithic China myth to survive, there should be no Bo Xilai, no chasm between the different intelligence services, no infighting.

No, China is not a monolithic structure, a modern-day massive hive mind where everyone pulls together to the best of their abilities to ensure glorious victory. What there is, is a lot of groups and individuals trying to get an edge on their competitors. If that includes getting intelligence and IP from elsewhere, so be it.

The Chinese government is guilty insofar as it does not enforce strict computer crime laws when the targets are outside the country. But in that, China is by no means an outlier.