I'd like to introduce myself. My name is Benjamin Penny. I'm the director of the Australian Centre on China in the World. First, I'd like to acknowledge and celebrate the first Australians on whose traditional lands we meet and pay our respects to the elders of the Ngunnawal people past and present.
It's a very great pleasure to be introducing this lecture today for two reasons. First, when our centre was set up about five years ago, one of the rationales for doing so was to deepen and add complexity to the general understanding of China amongst members of the general public, journalists, policy makers and others. We've often noted, those of us who've been involved with Chinese studies over time, that the level of discussion is usually fairly shallow. People have a nodding acquaintance and they do rather a lot with not so much. One of the questions, of course, that comes up in normal conversations with people about China in the last few years has had to do with cyber security. It is, in fact, I think a classic case of where general perceptions of China and cyber security have been not very well informed. And for that reason, I think this lecture today is absolutely fulfilling our role to add complexity, to deepen understanding of what is a really most important topic and one which, generally speaking, is not well understood.
The second reason it gives me great pleasure to introduce this lecture today is that it's the first time that the Australian Centre on China in the World and the National Security College here at the ANU have actually formally cooperated in a major event. The NSC and CIW, as we are known, academically, as the ANU is so fond. ANU, CIW and NSC are, in fact, kind of twins. We were born at the same time through the largesse of the Commonwealth government. And for the last few years, we've looked at each other across the campus and acknowledged and admired the work of the other.
But until now, we've not really forged the kind of relationship that I think both sides have always intended to forge and want to put some flesh on that line. So I'm really pleased that this is the first of, I hope, many occasions that we can cooperate, not only in these kinds of public occasions, which are wonderful, but also in other aspects of activities based at the university. So personal thanks to Rory for initiating this, which I think is a really potentially very strong cooperation.
So to today's lecture. Jon R. Lindsay is a remarkable person with degrees from Stanford and MIT with your actual military experience in the Navy. And as you can see now, he comes to us from the Munk School of Global Affairs at the University of Toronto. He's an Assistant Professor of Digital Media and Global Affairs. He has published in, I think, I'm not a professional in this field, but it looks to me like most of the major journals in which one would want to publish if one was involved in this field. He's the co-editor of China and Cybersecurity: Espionage, Strategy, and Politics in the Digital Domain, which is Oxford University Press from last year. And he's completing a book, Shifting the Fog of War: Information Technology and the Politics of Control. I think this will be a fascinating lecture, a stimulating lecture, and I think Jon is the ideal person to tell us about the topic of the role of cybersecurity in Chinese foreign policy. I'll invite him to the lectern and say that after his lecture, we will be doing questions and answers for a while. So, Jon, thank you.
Thank you very much. Thank you, Benjamin Penny, for this opportunity. Thank you, Rory Medcalf, for bringing these two schools together. And I also want to thank Roger Bradbury for putting together what has been an absolutely stimulating set of discussions on cybersecurity and policy and ways forward to study this.
So, my interest and China's interest in cybersecurity started at about the same time, although I didn't know it at the time. I was a very junior naval officer working at the NATO headquarters in Italy, and I became very interested in this fact that here we were fighting a war where there were no boots on the ground and everything we did was mediated by information technology. So, it started many years of interest in the role of information technology and its effect on military power. Well, during that same conflict, we accidentally blew up the Chinese embassy. And the next day, Jiang Zemin called a meeting of the Central Military Commission and they made a few decisions right then. They decided they needed to start investing in technologies that would allow China to see far, strike far, and strike fast. They decided that they needed to start developing exactly the things that the enemy was afraid of. And so were put in place a number of initiatives to develop space weapons, cyber warfare, as well as some of the ballistic missiles that we now have seen fielded in the last couple of years. So, as my interest in battlefield networks continued to develop, China's activity in the cyber domain also continued to develop. And so if you are interested in network-centric warfare or the revolution of military affairs, it became impossible to ignore China. China became a central case for understanding the larger effect of technology on security.
So I will say that I come to China a bit late. I've learned a great deal from people, including people in this room. And my C++ is probably a bit better than my Putonghua. But this is a complex domain and I think that that kind of interdisciplinary collaboration tends to be critical. So my strategy has been to lean on a lot of people that know a lot of different aspects of this particular problem. So this isn't just a blatant advertisement for the book that was just mentioned. I also wanted to point out a couple of things.
First of all, I want to talk about the cover of this book. What you're actually looking at are a pair of ghosted images, both of them were taken at the Wuzhen World Internet Conference last year, 2014, November. And this is a picture of the exhibition hall where you have several Chinese corporations, internet corporations, mobile phone corporations, and then of course there are two policemen that are wandering around. And this really captures two aspects which I think are central to understanding China's experience with the internet. China wants the economically open internet to get rich, but China wants to make sure that they have political control of that openness. They want to unbundle the political and the economic dimensions of this liberal socio-technical institution. Now, this also is taking place at Wuzhen, which is sometimes described as the Venice of China. It's a lovely town with canals all over the place, but it has also been utterly emptied out. And for this particular event, there were no residents, and it was populated with people that were acting as if they lived there and acting as if they were selling things. And the place was entirely clean and bright. So this is yet another metaphor for this idea that China is taking the internet and reconstructing it in a more sanitized and attractive version.
So when we think about China and cybersecurity, this really is the view from the West. And of course we're looking at an FBI wanted poster that came out in May 2014, shortly after the U.S. Department of Justice indicted these five individuals, allegedly members of the Chinese People's Liberation Army. Important to point out that this was an indictment of individuals, not an indictment of the organization, not even a direct tie explicitly to the Chinese state. It wasn't until the North Korean hack of Sony that the U.S. actually made a tie between the explicit nation state and hacking activity.
But nevertheless, these five were brought together and this Department of Justice indictment focused on economic espionage against a number of countries, companies, excuse me. Now interestingly, these same five individuals and the organization in Shanghai that they're associated with were first exposed a year before in a report by a private company named Mandiant. Now Mandiant talked a little bit about, in fact a lot about commercial espionage, but also talked a great deal about espionage against military and government targets. Now when the U.S. opened this indictment, there was no mention of military and government espionage. The U.S. has tried to make a very bright line distinction between commercial espionage for commercial profits, transferred by the state in order to help corporations in that country, which the U.S. sees as unacceptable, and espionage more broadly. Why might the U.S. want to do that? Well the answer is now obvious thanks to Mr. Snowden. Mr. Snowden revealed that the Chinese, that the cybersecurity problems across the Pacific really go in both ways. And in fact for all the volume of Chinese activity against Western interests, the sophistication of activity coming from the United States against Chinese targets of all kinds is of a whole different order.
Now this was a very difficult moment for China. Here is Edward Snowden who is blowing all of these American operations. In a sense there's a sense of schadenfreude that here is America that has been accusing China of raiding the world's networks. And yet now here's the U.S. doing the same thing. China often describes the situation as a thief crying "stop thief". And yet at the same time here's a dissident in Hong Kong; note the traditional characters. Here is China harboring the dissident who is fleeing another government whose rules he has broken. And of course this is happening also during Xi Jinping's coming out party, right?
He's supposed to be getting together with Barack Obama at Sunnylands during the same time, sort of stealing the national media spotlight. So this is kind of a very difficult set of circumstances for China to work through and deal with.
Now cybersecurity involves a lot of technology but the technology is put to political and economic work. And the kinds of political and economic tasks that states use that technology for can often result in very different kinds of operations and even very different technological characteristics. So what we're looking at here is a tale of two advanced persistent threats. That word advanced persistent threat is a word that had traditionally been used to describe only China but I think it's only fair to describe the National Security Agency as an advanced persistent threat as well. We're looking at two operations, both of them disclosed in early 2015. The green one over here on the right disclosed by the private cybersecurity firm of Kaspersky in Moscow, which specializes in publicizing American operations. And the other one we're looking at an operation described by the Citizen Lab at the University of Toronto. So in this other one called Equation Group, which is almost certainly the National Security Agency based on a lot of artifacts that relate to other attacks that you may have heard of including the Stuxnet operation against Iran, Flame, Gauss and a number of other things. There's a lot of code that is shared here. And when you look at these different modules, they do some very interesting things. They look for very precise configurations, very precise targeting to make sure that they're looking at the right machine on the right network. If they don't find it, they delete themselves. There are modules, especially the one called GrayFish, there at the bottom, which is designed to maintain an incredible degree of persistence. It actually overwrites the firmware to withstand military grade erasure of the disks.
This is something that computer scientists sort of laughed at, didn't think it was possible. Suddenly Kaspersky shows that not only is it possible, it is being exploited quite rigorously. This is an actor that is very interested in stealth, in precision and persistence. It also happens to have been found in states like Russia, Iran, Pakistan and a number of other countries that would have a peculiar interest to that particular actor.
Now compare this to what's been described as the Great Cannon. You're all probably familiar with the Great Firewall. The Great Firewall sits between the global internet and its connections to China. It's actually described as a man-on-the-side attack. The Great Firewall basically listens, it taps all of that information going back and forth. If dirty words that are on the official banned list come by, then the Great Firewall will send a reset command to the server, so it will stop serving content into China. So what happened is in late 2014, an organization called GreatFire.org, and they supply a lot of software that dissidents can use to circumvent the Great Firewall, found itself under tremendous denial of service attack. One of the biggest DDoS attacks that had ever been seen, it was being attacked by billions of computers an hour. A lot of that infrastructure actually residing on GitHub machines located in the United States. How did this work? Well, it actually used the same architecture as the Great Firewall, but rather than being a man on the middle, it was a man, excuse me, a man on the side, it was a man in the middle. And if you were outside of China and you were making requests to a Baidu server, now you might not know that you're making a request to a Baidu server, perhaps you're visiting a Taiwanese server, but there is an advertisement that's being served up from China.
China was serving up these little JavaScript pieces back to your computer, and that essentially created a giant botnet that allowed all of these unwitting computers then to be enrolled in this distributed denial of service attack, in a sense, a weaponization of the internet. This is noisy, this is loud, and this is focusing on suppressing politically subversive activity in the eyes of the Chinese state, quite the opposite of what we're looking at on the American side. So when we're talking about cybersecurity, we're talking about a lot of different things and focusing on the political and economic intentions of those attacks is really critical for looking at that activity.
So let's transition a little bit to talking about China's overall approach to the internet. Chinese internet development started a little bit later in the mid-aught years, but really started to take off quite quickly. 2015 numbers put Chinese netizens or Chinese internet users at about 640 million. Still only half of the population, so China's internet penetration is not as significant as what we see in countries like Australia, the United States, Japan, and Europe, upwards of about 90% or higher, but China's full of paradoxes. Here we have both development and developing country overlap together. China is very interested in trying to do these two things that I set out at the beginning. They want to use the internet to get rich and take advantage of all of the opportunities that being connected to the world offers and yet at the same time, try and control the political liabilities that would come with maintaining that openness as well. So China recognizes quite explicitly that the internet is an engine of growth. Xi Jinping has talked about it as two wheels on an engine, two wings of a bird. Development must go together with security.
China's economic miracle has been largely based on exploiting opportunities in the supply chain and low and medium end production where they have been able to achieve massive economies of scale, which mean they're utterly dependent on the integrated global economy, which of course in turn is utterly dependent on the internet. Now at the same time, China talks about needing to ensure the rational and positive use of the internet by curbing any malicious uses. Now in a 2010 document on the internet in China by the State Council, they talked about several things which were not quite acceptable. No organization or individual may procure, duplicate, announce or disseminate information having the following contents. Being against the cardinal principles set forth in the Constitution. Endangering state security, divulging state secrets, fair enough, subverting state power and jeopardizing national unification. Damaging state honor and interest, instigating ethnic hatred or discrimination, jeopardizing ethnic unity, jeopardizing state religious policy, disrupting social order and stability, disseminating obscenity, pornography, gambling, violence, brutality, terror, abetting crime, humiliating or slandering others, trespassing in the lawful rights and interests of others and other contents forbidden by laws and administrative regulations. So I'm sure most people in this room have already broken at least three of these laws before breakfast. So what we see is a lot of law that enables a fairly arbitrary enforcement of those as the situation may allow.
Now, you're probably wondering who this little creature is at the bottom. This is the grass mud horse. I'm not going to try and say its name in Chinese because if I do and I get the tones wrong, I'm going to insult several of your parentage and your relatives. I wouldn't want to do that. But this character shows up as a bit of a folk hero for the evasion of censorship techniques.
China has one of the most sophisticated information control regimes in the world and involves filtering, dirty word blocking, and it also involves more active measures to shut down sites and change and guide content. But of course, there's a constant arms race between those efforts to stop that discussion and playful attempts to try and work around so-called harmonization of the internet and this creature is one advocate for that. The goal at the end is to make cyberspace clean and chipper.
Now, this is a bit of an eye chart. I'm just going to call a few things to your attention. That's China's overall policy. How does China put it together? I think of China as an authoritarian system. Many scholars describe it actually as a fragmented authoritarianism. It's a big country, it's growing quickly. It's a very, very difficult place to manage and when you ask Chinese information security professionals who manages cybersecurity in China, they'll sort of laugh at you and they'll say gongbao jiding, right? Kung Pao chicken. Now, you guys have probably enjoyed this at a Chinese restaurant. It's all chopped up, mixed together, kind of spicy, lots of nuts. That is a pun on the first character if you were to talk about the Ministry of Public Security, State Secrecy Bureau, the Party Encryption Bureau and of course the PLA Bingding, right? So here we have your Kung Pao chicken. Everybody managing a slightly different part. Now, as elsewhere in the Chinese government everything's broken into these three big silos. The PLA, of course it's a party's army not the state army. The Chinese Communist Party policy making organs and then the executive implementing organs over on the state council side. Now, you'll notice in the middle that you have a couple of these leading small groups which is the party's mechanism for different policy issues were collapsed in early 2014 and elevated to the presidential level to create this new cybersecurity and informatization leading small group.
Before that, it was a much lower level state informatization group and that was looking at overall Chinese information technology policy and a subgroup within that focused on security and cryptography and they released a lot of documents in 2003, started releasing money but then got distracted by other things, the Olympics, the financial crash and meanwhile, an indigenous cybersecurity industry started to grow up and develop a lot of its own interests. Now, that SILG, the original state informatization leading group, actually fell under the Ministry of Industry and Information Technology, very technocratic bureau that manages the internet service providers and a lot of the technical infrastructure of the internet. When these were elevated and turned into this new SILG, the cybersecurity informatization group with the heads of all of the relevant agencies, the administrative organ was taken out of MIIT and put underneath the State Internet Information Office, okay, and this falls beneath, of course, the State Council Information Office which manages propaganda information control and this was a very clear message in my mind that we're really going to emphasize the information control aspects when we're talking about cybersecurity to the extent that management has been taken away from the technocrats and given to the propaganda ministries. The State Internet Information Office has since been renamed the Cyberspace Administration of China that is being run by a guy named Lu Wei who doesn't have much of a technical background but did run Xinhua. So again, when Chinese are talking about cybersecurity, they're not necessarily talking about the same technical things that we are in the US in the Western world.
What's the result? Well, one result I would argue is that information security, xinxi anquan, is not the same as network security, wangluo anquan.
Wangluo anquan is what we talk about as cybersecurity in the West where we're talking about a reliable and technically robust and resilient internet. Information security is a much broader concept which includes, in fact, emphasizes the content of that activity. As a result, you have an open season on the Chinese internet for cyber crime. In fact, you see levels of cyber crime that would not be tolerated in the West as long as they are only focused on economically exploitative activity. It's very interesting to look at the differences between the Eastern European cyber crime which targets Western Europe and the United States. This is an export activity. It does not prey at home. Eastern European cyber criminals do not prey on Eastern European victims. China, by contrast, is largely a homegrown activity. This is Chinese criminals preying on Chinese victims as well as participating in a larger global cyber crime ecology. This is enforced only sporadically. There'll usually be a large roundup like there was last July. 15,000 people will be arrested, some of them for more political reasons than actual hacking. And in the meantime, a lot of the buying and selling of stolen credentials, envelopes, video game accounts, and other digital goods happen right virtually out in the open. And if you know the jargon, then you can go ahead and track what this looks like. And we have a couple of authors from Tsinghua who did exactly that. This is Jingjing and Chacha down at the bottom. It was a little icon. Used to be just a Shenzhen internet which would pop up if you were doing dirty word searches and they would remind you to keep the internet safe. So again, focusing on xinxi anquan, not wangluo anquan.
Let's look at another dimension of Chinese activity, the dimension of Chinese activity that of course gets the most press in the west.
We're looking at not a Snowden document but yet another leaked document, too, that was leaked to an American news agency, which is a classified picture of the NSA's tracking of targets, both commercial and government within the United States, that have been hit by Chinese advanced persistent threat actors. And as you can see, it's kind of an epidemic. The United States looks like it has measles. There are only two kinds of organizations. Those that have been hacked by the Chinese and those that haven't discovered that just yet. China often denies that this is going on. How do we know that it's China? Attribution is a big complex problem. It's often described as one of the hard problems of cybersecurity. I'll just give you one taste of why the little bits of evidence come together and point pretty unambiguously at China. First of all, a pretty strong motive. There's a lot of targets. There would be the kinds of targets that China would be interested in, focusing on the industries which have been targeted for growth, focusing on some of the civil society dissident targets we talked about and focusing on government military targets. We're looking here at a non-governmental organization in Washington DC that deals with a lot of China issues and we're looking at phishing emails that come in and this is Eastern US time, exactly 12 hours off of China. That's what you're looking at is in the morning, there's a big spike, it kind of drops off, there's lunchtime, goes back up after lunch, then the swing shift comes in in the evening and then it drops off throughout the evening in China's standard time. This is very regularized bureaucratic work-a-day activity happening on weekdays, happening in the morning, lunch break, going back again. This is a large, robust, industrial-scale phishing activity.
You put that together with artifacts that show up in code, linguistic characteristics, and some other technical indicators, you start to put together a pretty interesting and persuasive case that doesn't have a reasonable alternative explanation that this is a Chinese penetration. This is another bit of an eye chart but I only want you to look at the shape of this particular curve. This is a list of open source APT penetrations that have been attributed with some confidence to China. Some of them by government organizations, most of them, however, by private cybersecurity firms. Starting in about 2004 and going to about mid-2003, I'm currently working on bringing this a little more up to date. It's looking at targets that are exclusively government, exclusively commercial, and those that involve mixed targeting, and they're sorted in the order in which they were reported, and then the long bar goes back to the earliest known penetration that was reported there. This data is very, very noisy, very unreliable, it's hard to track activity of any kind when it happens to be self-hiding. No intelligence organization wants to reveal what their activity actually is, so we're seeing what is visible, and we're seeing what Western media and cybersecurity firms are willing to report. But there's some robustness check on this in that individual APT actors, like APT-1, that we talked about a little bit with the Shanghai-based organization at the beginning, actually follow a very similar pattern. Focusing first on government targets, but then broadening the aperture to include more and more commercial targeting. Really see a steepening of reporting, which is both more of a Western interest and awareness in this activity, but also a higher level of Chinese activity. But interestingly, you also start to see more and more long-term penetrations and more and more sophisticated penetrations rooted out as we go on. 
This is interesting and is tentative, I will say very tentative evidence, that we are actually getting better at identifying and deflecting and penetrating and dealing with some of these penetrations. I think it's quite possible that we will look back on 2011 and 2012 as the happy time in Chinese cyber exploitation, of course as a reference to 1941 when German U-boats plowed the sea in the Battle of the Atlantic and they sunk convoys with wild abandon. And it was only once the allies cracked Enigma, figured out how to do anti-submarine warfare, started convoying up, in other words, put their counterintelligence and defensive procedures into place that the balance turned decisively against the Germans. And we're starting to see that as well, as governments as well as firms start to really up their counterintelligence game and make this a less permissive environment for Chinese threat operators.
So we see a tremendous amount of activity and people like former NSA director, General Keith Alexander have described this activity as the greatest movement, greatest transfer of wealth in history. Others have described it as this tidal wave of wealth moving from west to east and certainly we do see a great deal of activity. But does activity translate into productivity for China? Does it translate into competitive advantage? And I would argue that China faces a number of serious obstacles in taking that illicitly gained information and translating that into something it can use. You can think of this in terms of a number of transaction costs that stand between the acquisition of information and the application in the competitive international environment. First of all, if you're bringing in terabytes of information, you need to find that needle in a haystack. This is an intelligence problem. Then you need to make sure that you get that valuable information to somebody in the government or an industry that can actually use that information.
They need to be able to apply it. Maybe they need to retrofit their industrial production lines. Maybe they need to change some policy and that policy has to have an effect back out in commercial or military or political competition. This is a very non-trivial set of steps that need to go through and the collection of that information which is the only thing that we see, especially when we only focus on the technical dimension, that is only the very first step. Now there are certainly cases, individual cases where you can look at products that have been reverse engineered and brought to market. You can look at deals which have fallen through because the Chinese knew the negotiating position of the other kind. So I don't want to say that there isn't anything to be gained here. I'm saying that we need to be a little bit skeptical. Now again, how would you test any proposition like this? We have the same problem that we're talking about a self-hiding phenomenon. China will not admit that it has engaged in industrial espionage so you certainly have a difficult time seeing how that is working. Well what we can look is maybe for something that's kind of an analog, okay? So let's look at cases where China is bringing open source science and technology data from lots of different sources, from scientific conferences, from industry shows, from journals. China has invested a great amount of effort in setting up a network of open source analysis centers to do exactly those processes that I'm looking at. This is looking at just open source information. This is not talking about ill-gotten information as well. Now China, like any good government bureaucracy, likes to report its activity and here it's reporting two different kinds of numbers. One, the expenditures of money for acquiring foreign technology information. And second, the expenditures for actually absorbing. 
And there's a very systematic process that different Chinese industries have described for creating indigenous information, for bringing this over, understanding, reverse engineering, disseminating it, re-innovating it. And so they track this information. And what's very interesting is as we move across the aught years into 2011, we go from most of the money being spent on getting information from outside of China to an increasing percentage of that money being spent on making sense and absorbing and applying that information. So you can think about this as China goes up the value chain, it becomes more difficult to understand and deal with and incorporate that information that you're getting from whatever source. This is a fairly robust finding for scholars of innovation who really focus on the soft or non-technical complements that must be in place in order to innovate. The institutions, the legal systems, the venture capital, the recreational opportunities, the things that make Silicon Valley tick and are very difficult to duplicate even within the United States. So the bottom line here is China can steal text but it has a hard time stealing the context which is actually needed to maintain an innovative advantage.
So let's move from industrial espionage which second to cyber crime would be the most actual activity that we see. And let's move to what is less probable but in many ways more worrisome and certainly something that captures a lot of media headlines on both sides of the Pacific. What you're looking at here is a screenshot from a Chinese documentary called The Cyber Storm Has Arrived. It's on CCTV 7. If you guys are in China, I recommend you watch, this is the PLA's channel. There's always exciting things being run on this particular station. And this was a documentary in 2011 which talked about cyber war and things that the US was doing, China was doing, the future war is going to be in cyberspace.
But in this military production there was this really weird moment where this picture came up and here's the University of Alabama at Birmingham and there's the Falun Gong organization being targeted by this very silly graphical interface that says attack or cancel, right? This is not an actual piece of technology clearly produced for propaganda but isn't it interesting that even in a piece that is designed to talk about military interactions we have a focus on information control. We have a focus on domestic security exported into the international internet. So looking a little more seriously at PLA doctrine there are a consistent number of themes which have emerged throughout the past several years. We're looking at here a couple of quotes that I've pulled from the 2013 update of the science of military strategy. Chinese kind of the Soviet system of doing scientific strategy where it goes through several committees and then it's released in these various documents. This is the large overview capstone document and the 2013 version was interesting because it put incredible emphasis with respect to the previous edition on cyberspace, space, the naval domain and thinking about deterrence, how to pull all of these together. And here you see a couple of discussions of the central place that information warfare is going to play in that concept of operations. This was echoed in the 2015 military strategy which Beijing released in which a document says that the world revolution in military affairs is continuing, space and cyberspace have become the new high grounds of conflict. It is in the information domain that wars will be fought and lost or won. And you see a couple of themes that emerge again and again. This is an asymmetric form of interaction. One of the most effective means for a weak military to fight a strong one, right? 
A way to try and deal with American military strengths by looking for the weak underbelly which in this case would be command and control and logistics systems that the US depends upon in order to maintain its Pacific fleet far forward, you need to have that digital tether running that. So this is an attractive asymmetric target. It's discussed as a long range way of interacting. It may be hard for China to get military force around the world but it can do it instantaneously through cyberspace. It's potent. The United States is so dependent upon information technology that it's a way to paralyze but only if you move first. And this idea of moving first comes up again and again and again. There's this strong idea that you need to paralyze the other side's networks before your side is paralyzed. There's sort of this cult of the offense in the cyber domain that is very built into the way that the PLA talks about this. And then there's this very interesting quote down at the bottom, right? Need to try and get our way without winning sort of this very Sun Tzu type concept and we might do that by blending together civilian activity and military activity which is fairly meaningful in the cyber domain where you would use a lot of the same techniques for cyber espionage that you might use to infiltrate critical infrastructure. So how realistic is this? Now, first of all, I would caution you against thinking that, okay, that quote I just put up there is some interesting Chinese way of war. This is somehow Sun Tzu in the digital age. That's actually not the case. What we're looking at is a common meme that has been produced, reproduced, and rediscovered by great power militaries throughout the 20th century. So we're on the far side. This gentleman is Schlieffen, Alfred Graf von Schlieffen. Yes, that Schlieffen. That's the Schlieffen of the Schlieffen Plan.
Not normally thought of as a theorist of information technology, but just a few years after he handed off the plan for European annihilation to Moltke the Younger, he wrote this interesting essay called On the Future of War in 1908. And it's got this passage in there where he talks about, in the future, the modern Alexander will sit back in his office in a comfortable chair and have the entire battlefield spread out on a map and there will be dirigibles sitting above the battlefield that can see everything and will be transmitting their reports via telegraph and wireless so that he can calmly direct the battle, which will then be quite decisive and advantageous. Schlieffen Plan, of course, didn't work out that way. Now we fast forward and we look at the Soviets. This is Marshal Nikolai Ogarkov in the mid-Cold War, looking out at some newfangled technologies that the Americans are developing through DARPA, looking at the first generation of smart weapons, later brilliant weapons, all kinds of efforts that the Americans are pursuing to try and deal with the qualitative disadvantage they face vis-à-vis Warsaw Pact forces in central Europe by creating all kinds of advanced technologies, which will allow them to find, fix, and finish Warsaw Pact forces deep in the heart of Europe. And so he starts writing about a military technical revolution. This will be as big as Blitzkrieg. Information technology is substituting information for mass. Well, this fellow, Andrew Marshall, is reading a lot of this and says, that's interesting, the Soviets are afraid of this, we should double down and do any more of this and starts writing about this, commissioning academic studies, and he starts writing about the Revolution in Military Affairs. The Revolution in Military Affairs is going to be offense dominant, long range, potent, asymmetric, all of those things that the Chinese were talking about.
And indeed, in books like Unrestricted Warfare, written in the 90s by the sky, now major general, you see an importation of ideas that start with the Soviets looking at the Americans, the Americans copying Soviet ideas, Chinese now writing about American ideas, and now we're looking at Americans back translating Chinese ideas and talking about a Chinese way of war. Now, there is a consistent expectation that the Revolution in Military Affairs will be fast, quick, and decisive, and yet it is constantly disappointing, okay? We see that confusion and the fog of war continues to reign on the battlefield and to the degree that it does work for US and NATO forces that have tried to put it together, it works because you have this bottom up innovation amongst junior officers, NCOs and embedded civilians working in a very decentralized manner. China is beginning to understand this, but recognizes that empowering its NCOs, empowering its JOs is a very difficult thing for an army like the PLA and its institutional legacy as the party's army to really wrap its hands around. So the institutional component, just like in the commercial case, looms large in actually translating that technological potential into military advantage. The fog of war is not just something that exists on the battlefield, it's something that afflicts cyberspace as well. And what we're looking at here is a screenshot from Iran before the Stuxnet attack, looking at its industrial control system, which of course was attacked by the Stuxnet virus, put together allegedly by the US government and with help or maybe with the major leadership of the Israelis, we don't quite understand that yet. But the point I wanna make is that when we talk about military or disruptive cyber-physical events, we're looking at an N of maybe four, maybe six depending on how you count, very few and it requires a great, a high degree of sophistication. Mistakes are made on both sides, right? We're not supposed to know about Stuxnet.
We know about Stuxnet because the coders, even though they were at the top of their game, it was a national security administration with all kinds of support, years and years of preparation, they mocked up an entire copy of Natanz, broke things in the safety of the Negev Desert back somewhere in the United States. They still made mistakes, simple ones like they controlled for all of the antiviruses that people might use, ESET, Symantec, Kaspersky, but they didn't control for this really strange one in Belarus, right? And that's one of the ones that actually compromised Stuxnet. So mistakes get made even when you're at the top of your game. So suddenly China now finds itself in this interesting situation. It's written a lot about information warfare considering that it's an asymmetric capability, but the asymmetry is actually running in the opposite direction. China has very little experience fighting a network-centric war, going up against a very, very experienced adversary. And even in that case, mistakes are being made. So that's something to worry about and we'll continue to develop this even though the political conditions that would get us there are perhaps quite remote. So let's come back down to Earth a little bit and talk about what some of the activity looks like and what we might actually be able to do about it. Well, for those of you that have been following the news, you probably read back in September, there was a big meeting between Barack Obama and Xi Jinping again, and one of the major topics was cybersecurity. And it came to a landmark deal, which in effect said, we agree that we will not use ICT, information communication technology, to target commercial entities by state-sponsored actors, and we will not take that information and give it to other commercial actors for commercial gain. So is this a landmark deal? We're advancing cyber norms. 
We have a new moment for peace and cooperation, or are these guys just had a bit too much of whatever they're drinking there? The wording of this same agreement interestingly was repeated at the G20 meeting in Turkey a couple of months later. I just want to say this is fairly landmark stuff. But the activity emanating from China, and we can only assume until we have another Snowden emanating from the United States as well, did not diminish. Interestingly, it appears that some of the noisiest PLA actors have actually toned down their activity. And in the MSS, the Ministry of State Security, which is like China's CIA, that activity has actually increased. That's very interesting because MSS is widely recognized by companies that operate and have to deal with regulation in China. The most sophisticated technical operators live in the MSS. So what's happened? The incentives are not to end cyber espionage. The incentives are to up your game and don't get caught. Going to engage in it, make sure that it's more sophisticated. There's no mechanisms for enforcement here. This is merely a gentleman's agreement. Cyber activity depends upon deception. We can expect that deception to become more and more sophisticated and enduring. So that really brings us right back to where we began. We started off in Wuzhen. We're gonna end back here in Wuzhen. This is a picture of some of the canals and we've got a couple of Chinese fishermen and they will continue to ply the electronic canals. And within China itself, they will continue to clean it up and try and make cyber space clean and bright. The second Wuzhen Internet Conference was held just this last year. I received an invitation. I was going to go. They wanted to review the script of my talk. I said that would be fine if I can review your attendance list and I never heard from the invaders again. But some very similar things happen, right?
So the delegates, which this time included Xi Jinping as well as foreign ministers from Russia, from Kyrgyzstan, from Kazakhstan, talked a lot about multilateral that is state-to-state internet sovereignty. Attempts to try and create new governance mechanisms, which would emphasize the sovereign control of states over their own digital networks. In a sense saying, what happens within Chinese network stays within Chinese networks and everybody else should agree to remain outside of it. This is a direct challenge to the legacy system which is described as the multi-stakeholder system, a loose network of companies, civil society groups, academic scientists, as well as government representatives that have in a collaborative, voluntary manner put together the protocols that have built the internet and for which China has benefited tremendously. So this is all fine and well, but should we really be concerned about this? I would put to you the proposition that China has benefited tremendously from the existing multi-stakeholder system and in many ways doesn't actually want to break the internet. The internet is too valuable. Indeed it is essential to the continuing growth, although slightly slow of China's economy and that growth of course is essential to the legitimacy of the party. So China does not want to strangle the goose that is laying the golden eggs, right? It just wants to try and modify the way that it's organized. Now can China credibly commit to a norm of internet sovereignty? I would also suggest that the answer is probably not. 
Again and again we've seen China interested in going outside of its borders, whether it's to tamp down activity that dissidents are engaged in, whether it's to rifle through the files of reporters at the New York Times, the Wall Street Journal, because they're concerned that they may be putting embarrassing pictures, embarrassing stories of China out on the open press, whether it's China's continuing interest in trying to gain some kind of illicit commercial advantage, China has a difficult time credibly committing to living up to the norm of internet sovereignty which it is advancing. And furthermore, as China continues to invest in the globalized economy, it is also becoming more and more of a stakeholder in exactly the system that it is criticizing. So just to sum up and kind of put up for you a couple of these inequalities up here to maybe help us make sense of cybersecurity in general and the case of China in particular. First is recognizing that the concept of cybersecurity does not mean the same thing to all countries. Information security in China emphasizes content as much as if not more than technical activity and that myopic focus on political information control is not creating a secure internet. Not only allows economic criminals to function, it is a target rich environment for foreign intelligence exploitation as well. Second, espionage is not the same as advantage. We see a great deal of activity but that's not the same as intelligence productivity. Not only are there the transaction costs that I talked about, there's also an active adversary that is doing the same thing. China is also being penetrated when China says that it is a victim of cyber espionage. China is not wrong. Now, the US tries to make a bright line between national security targeting and commercial targeting. In practice, that can be a little bit gray, right? You can target commercial firms that are involved in the defense industry and you can certainly hand that over. 
You can target commercial firms because there might be an intelligence advantage to doing so. Huawei has servers all over the world. You might wanna penetrate that particular company if you wanted to have intelligence collection in any other company that was using Huawei's equipment. You might want to, if you were the US government, you might want to collect information to aid a trade delegation, which is not going to help a specific firm but is going to help an entire industry. So there's a bit of a gray line here. And to the degree that intelligence services are either defending or aiding the competitive position of another country, it's going to create a little bit more strategic complexity in that espionage equation. Third, doctrine is not the same as capability. China writes some very aggressive military doctrine but for the most part, even though there's a large effort at reorganization going on right now, it is still largely aspirational. China's not put in place the institutions and does not yet have the experience to make that right. And lastly, even though there's a great deal of resentment in the existing governance institutions of the internet, China is far too invested in them to actually offer a credible alternative. So I think what we can expect is a great deal of friction but not necessarily a degradation because of the activity we were seeing in cyberspace. I actually sum up by saying that the bad news about cybersecurity, which is all over the newspapers, may perversely be good news for international relations. Informatization is this interesting word, xinxihua, that the Chinese use to talk about the transformation of all dimensions of society by information technology. So business, society, military affairs are all being informatized. And sort of this Marxist lens, this idea that technology drives tactics and everything else.
So in the same way that the industrial revolution changes the means of production, now the information revolution changes everything. And so China is then compelled to come up with national policies. But unlike everywhere else in the information revolution where there's more of a bottom up flavor, this is a very kind of heavy top down national information technology policy.

Yes, gentlemen of your blue.

Thanks for the great picture. My question is, the cyber attack on the Ukraine's power grid, which happened in December of the 19th, doesn't add another dimension to our sense of the word? Do you think the different nations working now are being making the essential services for the technology sector?

So that's a very interesting, so what he's talking about there was an incident which appears to have received some confirmation now that an attack originating from Russian sources shut down the power grid in Ukraine in the middle of the winter, powers offline for about six hours, and then brought up. So this is the first time that the electrical power system has been shut down by a malicious intentional act. That certainly is a watershed in terms of kind of cyber attack being used for some of the things that we've all been most afraid of. But in my opinion, this has actually followed very much the same script of tentative restraint that we've seen in other places, right? This is an action that happens two and a half years into a conflict, it's preceded by a lot of probes, and it's turned off and it's mitigated within six hours, okay? So things could change in the future, but we're still seeing a great deal of restraint built into exploitation and disruption in the cyber domain. So again, more of this to come, but you're looking at more complexity, not necessarily catastrophic danger.

Tom Worthington from the Research School of Computer Science here. You mentioned the Olympic Games along the way.
In 2000, late 2000s, I was invited over to Beijing to help with designing their website, which was run by the People's Daily. Are there vulnerabilities in China's use of the internet that'll make them nervous? They gave me a tour of the data center and I thought, if I just change the front page of the People's Daily tomorrow to say, Chinese government overthrown, everyone would believe it. So are there vulnerabilities that the Chinese government has to address in the aspects of the internet, even to protect itself from their own factions within the government?

Yeah, absolutely. I think this compobulation of Chinese internet policy creates all kinds of flaws that can be exploited. I mean, you mentioned Olympic Games, I wasn't sure if you were talking about Stuxnet or the actual Olympic Games, but of course it was that famous image of the Windows blue screen broadcast up on the birdcage. So these flaws kind of exist, and if they exist, they could probably be manufactured remotely. One thing that I think is very interesting and you're starting to see some discussion of it in US government back channels and other strategic places, is looking at Chinese information control as a counter value target. So in the lexicon of deterrence, you distinguish between counter force taking out somebody's capabilities and counter value shutting down something that the adversary cares about. So China has signaled quite obviously that they care a great deal about information technology and they've built this tremendous technical infrastructure to facilitate that. Well, the Great Firewall is a piece of technology and it's a piece of technology that could be hacked. Should it be, could it be how would China react? Fascinating research project. Somebody should look into that.
But absolutely, I think that anything that you're using cyberspace for is going to open up vulnerabilities and they've put such an emphasis on that that I think that they have signaled to many that this is ripe for exploitation. I think on that I would also point out that when China talks about the fact that it's being hacked, it's being hacked by civil society activists that are trying to help people like greatfire.org to get around the Great Firewall. The US government has invested hundreds of millions of dollars in an internet freedom initiative that basically are helping people to hack through the Great Firewall. Now, this is a vital national interest to the Chinese Communist Party and here's the government actually funding, US government funding, hacking tools to go through that. So I think in a sense, the Chinese government is absolutely right that it's not just Mr. Snowden, there's all kinds of hacking activity that's sanctioned by the US government just for this instance.

Just a final quick word from me as head of the National Security College. I want to firstly, I want to thank Benjamin Penny and the Centre on China and the world here for this first moment of partnership between these two critical acronyms of the ANU, NSC, CIW, ANU, remember those three. We are looking forward to working together, been on a range of issues and I think the fact that both our centres, I think we're born in the same spirit of partnership of university, the policy community and the international engagement is a sign that we should work together. So thank you. I want to especially thank John Lindsay for I think a very important talk today, a very important presentation and John will be videoing this and it'll be on the internet. Perhaps not in China, I don't know, we'll see in times to come.
I think it's a very worthwhile talk from an Australian national security policy point of view because a lot of the insights that you've given us into the very dynamic nature of competition in cyberspace between China and the United States and others suggests that the future is not preordained in security relations. There's a lot of mutual vulnerability there. There's a lot of contingency, a lot of dynamism and I think there is a chance for governments to really try and help shape the future. So I think as a policy thinker, I find that a most useful set of insights. I think your expertise speaks for itself. I think there'll be a lot of people in this room and elsewhere who'll be going through this talk again and your wider work. So I want to thank you again for your contribution to the National Security College's Cyber Security Week this week, our wider conference. We look forward to the continued partnership with you. So thank you, John. Thank you.