Tracing the Red Line – Follow-up Observations about China’s Cyber Strategies

FireEye’s report “Red Line Drawn” determined that a range of political, economic and other forces were contributing to a shift in Chinese cyber operations more than a year prior to the Xi-Obama agreement. Since mid-2014, we have observed an overall decrease in successful network compromises by China-based groups against organizations in the U.S. and 25 other countries. Making sense of this reality both from a global perspective and from a cyber defender’s perspective requires consideration at multiple levels.

First, at the level of international relations and grand strategy, intrusions on U.S. and Western targets have not stopped. “Red Line Drawn” highlights 13 companies subject to intrusions in the past year. China-based operations have diminished for some, but continued for others where theft can often be explained as an espionage-related exception to the Xi-Obama agreement. In this respect, for those unfortunate targets still in the Chinese crosshairs, nothing has changed.

Beyond the U.S. and some Western targets, there are indications that Chinese cyber activity may have increased. It is possible and likely that Chinese operators previously attacking U.S. and Western targets have been re-tasked to exploit victims in Asia. For these organizations, the changes reported in “Red Line Drawn” brings little relief.  Moreover, at global scale, lasting change is measured in years and not days or even months. Many of the contributing factors to the visible change in China cyber operations are potentially temporary, such as internal reorganization and heightened regional tension.

On the larger global perspective, changes in the activity of state-related offensive operations are welcomed by all parties; however, China’s ability and desire to stop all of the cyber operations it is ultimately responsible for is still unknown. A framework published by Jason Healey of the Atlantic Council in 2012 highlights the responsibilities of a nation to stop many different types of cyber operations generated by its citizens and within its borders. His paper “Beyond Attribution: Seeking National Responsibility in Cyberspace” outlines various aspects of state responsibility for cyber operations.

At the deepest level of control, cyber operators are state-integrated, meaning a government attacks targets using government and integrated third party proxy forces. State-executed attacks are similar, but use only government forces. However, there are many other ways in which a nation can support cyber operations beyond state-executed and state-integrated attacks. These include state-rogue-conducted attacks that involve government forces acting on their own initiative without top-down authorization. There are also state-ordered attacks that occur when the government directs third parties to conduct an attack, and state-coordinated attacks where government is involved in coordinating attacks. Similar categories include state-shaped and state-encouraged attacks.

At this point in the analysis of Chinese offensive operations, it is unclear how deep the level of control or influence of the Chinese government extends. Because the level of activity has dropped, potential Chinese state-integrated, state-executed, and possibly state-rogue-conducted operations may have been curbed – or at least redirected to non-U.S. targets. State-ordered, state-coordinated, state-shaped and state-encouraged actions may still be in force. The remaining three levels of responsibility include: state-ignored, where the government is aware of attacks but is unwilling to take action; state-prohibited-but-inadequate, where the government wants to stop attacks but is incapable of doing so; and state-prohibited, where the government wants to and can stop attacks emanating from its digital territory.

It remains to be seen what impact these possibly temporary factors will have in China’s cyber operation policy. Similarly, the changes reported in “Red Line Drawn” could also be just a temporary part of a more complex and active long-term Chinese plan. The passing of time will allow for continued reassessment of the threat posed from Chinese cyber operations, but for now, vigilance is appropriate.

Moving to a more micro level of analysis, the security approach for individual organizations should not change. Security teams do not just focus their defensive activities against targeted threat actors from China. Targeted threat operators from Russia, North Korea, Iran, and other countries continue to be active, with most increasing their participation and more nation-state participants conducting cyber operations every month. For instance, the period since mid-2014 has witnessed an increase in aggressive cyber activity from Russia, coinciding with that country’s invasion of Ukraine. Cyber criminals have become increasingly aggressive, opportunistic and novel in their ways to monetize information. In addition there is hacktivism and cyber terrorism. The threat to individual organizations is more real and challenging than ever.

Beyond targeted threat activity, every organization connected to the Internet must be able to defend itself against opportunistic attackers. Simply possessing any information or computing resources of value makes Internet-enabled organizations a worthwhile target for opportunistic intruders. The rise of ransomware that encrypts data, paired with the willingness of criminals to issue tailored extortion demands, has severely stressed the security resiliency of law firms, hospitals, state agencies and countless others. Distributed denial of service (DDoS) attacks remain another weapon of choice for digital extortionists, with threats to “dump” personally identifiable information, intellectual property and other confidential data on the Internet rounding out the list of worries facing security managers worldwide.

Findings in the “Red Line Drawn” report demonstrate that China’s cyber operations pace against the U.S. and 25 other countries has decreased; however, both at a macro and micro level, the threat landscape is always changing and still indicates significant risk. Until more time has passed, we advocate remaining vigilant when assessing and preparing for Chinese cyber operations while also preparing for the rapid changes in non-Chinese threats.