Cyber Conflict Module 14, Chinese Cyber Background. Once you have completed the readings, lecture, activity, and assessment, you will be able to articulate the significance of Mandiant's APT-1 report and identify the three types of computer network operations outlined in China's Science of Military Strategy.

Welcome to Cyber Conflict Module 14. In February 2013, the cyber security firm Mandiant released the report APT-1, exposing one of China's cyber espionage units. This document highlighted the organization and operations of a highly active and secretive Chinese cyber espionage group, Unit 61398, and highlighted its connections to the Third General Staff Department of the Chinese People's Liberation Army, or PLA. The Mandiant report was granular about Unit 61398, including members, location, IP addresses it used for hacking operations, and even some of its secret tactics, techniques, and procedures, or TTPs. Another extraordinary aspect of the report was its outline of how broad the Chinese intrusions were, providing evidence that the unit had targeted more than 141 public and private organizations within the United States and other English-speaking countries.

Other cyber security firms had reported on serious Chinese intrusion sets in the past, but had never provided the detail of Mandiant's APT-1 report. In 2009, the Information Warfare Monitor, a Canadian cyber security organization, released a report on the Chinese intrusion set GhostNet, accusing the Chinese government of hacking political, economic, and foreign media targets in 103 countries. The report implicated China in hacking multiple computers associated with the office of the Dalai Lama and other exiled Tibetan individuals in an apparent attempt to track their political and diplomatic moves. Subsequent investigations of other Chinese intrusion sets have also shown what seems to be a narrow mission focus.
The intrusion set Byzantine Hades was purportedly a Chinese operation with designs on obtaining sensitive U.S. military technology, including technology associated with the F-35 Joint Strike Fighter. Your readings for this module highlight the actions of Bin Su, a Chinese operative arrested for attempting to steal information about the U.S. Air Force's C-17 cargo plane and the F-22 and F-35 fighter jets. As with so many malware intrusions, these Chinese sets all seem to have gained access through spear phishing emails. Regardless, none of the reports seemed nearly as granular and specific as Mandiant's APT-1 report.

Not only the Chinese government, but also some in the cyber security world, were unhappy with the APT-1 report, and a contentious philosophical debate ensued. The Chinese government was obviously alerted that its cyber operations had been discovered, and by 2014 most of the activities of APT-1 had ceased and likely moved further underground. Given that the report highlighted covert TTPs, many cyber security analysts assessed that blowing operational security, rather than exploiting knowledge of the Chinese intrusions for further intelligence gain, was not in the best interest.

Historically, obtaining information on Chinese cyber strategy has been extremely difficult. China is famous for its operational security, but the 2013 Science of Military Strategy, published by the Chinese Academy of Military Sciences, astonishingly mentioned a formal cyber strategy. The 2013 publication was the first in which the PLA outlined specific types of computer network operations that could be used during a conflict, including network reconnaissance, network attack and defense operations, and network deterrence. The document defined network reconnaissance as exploiting loopholes in an adversary's computers so that spyware could exfiltrate data or scan for vulnerabilities.
Network attack and defense operations were described as the, quote, highest form of military struggle in the network domain, end quote, as these capabilities can best neutralize a strategic competitor's command and control and intelligence systems during a conflict. Network deterrence was defined as, quote, actions which display network attack and defense operational capability and the firm resolve for retaliation to prevent the adversary from daring to carry out large-scale network attacks, end quote. Important to remember is that these three types of computer network operations are meant to be mutually supporting, as they facilitate both offensive and defensive operations while increasing the likelihood of deterrence.

The previous lecture mentioned China's integrated network electronic warfare strategy. However, critics, both internal and external to the Chinese military establishment, have been quick to point out the many inefficiencies contained in that paradigm. The main criticism addressed the lack of organizational efficiency caused by compartmentalizing China's computer network operations mission within multiple organizations, diluting its overall effectiveness and unity of effort. Until recently, the mission was split between several organizations within the PLA, the Chinese Ministry of State Security, and the Ministry of Public Safety. This stovepiping seemed to be the impetus behind a December 2015 reorganization of many elements into a Chinese Strategic Support Force that included China's space forces, demonstrating the growing importance of space-based communication technologies. Organizing cyber capabilities under one command, in line with its army, navy, air, and missile forces, is significant because it removes the possibility that they might be held hostage to bureaucratic infighting, especially during a conflict.
Additionally, one command will likely improve the operational efficiency of Chinese network reconnaissance and network attack missions and allow for easier implementation of the integrated network electronic warfare strategy. Chinese military expert Yin Zhuo, writing in a Chinese state-run newspaper, noted that the Strategic Support Force will provide, quote, potent battlefield support for joint operation actions of multiple services and arms so as to achieve the goal of winning local wars under informationized conditions, end quote. China is actively seeking ways to become more efficient and effective with its cyber capabilities. Mandiant's APT-1 report may have exposed some of China's organizational shortcomings, not only to the United States and other adversaries of China, but also to China's own leadership. The APT-1 report may very well force China to reevaluate the organization of its cyber units so as to increase its operational security and become stealthier in the area, a prospect that is surely daunting.

True or false: Mandiant's APT-1 report was significant because it cited in granular detail the pervasive nature of Chinese cyber espionage operations. The answer is true.

Which of the following is not one of the three types of Chinese computer network operations?
a. Network reconnaissance
b. Network attack and defense operations
c. Network deterrence
d. Network disruption operations
The answer is d, network disruption operations.

The activity for this module asks that you consider the information you learned in this module regarding how the Chinese employ three types of computer network operations: network reconnaissance, network attack and defense operations, and network deterrence. Research each of the three terms above and briefly describe their meanings and differences. For example, how is network reconnaissance different from network attack or deterrence? Locate a strategy that the United States military employs in cyberspace.
How does the United States differ from China in this regard?