Why Can’t You Just Be Normal: 20 Years of China’s Three Warfares Doctrine and the Abuse of Cyber Norms
People’s Republic of China (PRC) cyber threats have evolved over the past 20 years - challenging the boundaries of acceptable and (un)defined norms for state-sponsored cyber activity - and this evolution has been reflected in how the PRC has employed computer network exploitation and attacks (CNE and CNA) in its operations over time. In recent years, we have seen an aggressive shift of PRC cyber threat activity toward critical infrastructure as a primary target (i.e., military, logistics, and communication) - such as Volt Typhoon - alongside the continued high tempo of secondary targeting of civilian-owned infrastructure and organizations. But are we truly witnessing a seismic shift in the tactics and targeting of the Big Three PRC Intelligence Services - the People’s Liberation Army (PLA), Ministry of State Security (MSS), and Ministry of Public Security (MPS) - or are recent events the culmination of the biggest open secret in the cyber domain? This talk will delve into the history and evolution of the PRC’s cyber programs, from the early days of nationalistic cyber defacements stemming from the 2001 US-China Hacker War through today’s drumbeat of exposed information operations and attacks aimed at global critical infrastructure, all viewed through the lens of the Three Warfares Doctrine.
First approved by the Chinese Communist Party Central Commission in 2003 as a methodology to guide PLA information operations and political influence campaigns, the Three Warfares Doctrine has permeated through PRC cyber operations crossing its Intelligence Services.
This talk will walk through the evolution of China’s CNE/CNA cyber programs with a focus on the application of the Three Warfares Doctrine as a framework to understand more recent developments, such as:
Targeting shifts and how China’s broader CNE/CNA ecosystem (e.g., government and civilian components) has simultaneously posed challenges and immense opportunities to observe and understand PRC cyber threats and their tactics, techniques, and procedures (TTPs) today;
Historical shifts in PRC cyber threat actor behavior and how the US government categorized these observables between CNE vs. CNA;
How current shifts in PRC cyber threat actor behavior suggest a clear rise in CNA (prepositioning) and how to discern CNA vs. CNE when TTPs look so similar (such as by understanding the victimology and identifying the primary and secondary reasons for the activity); and,
Our understanding of the PRC cyber threat from the US government perspective and how law enforcement and intelligence operations (e.g., indictments, infrastructure disruptions, etc.) have contributed to its evolution in different ways over the years.
This talk will further layer in an analysis of acceptable behavioral norms in the cyber domain, and how the PRC’s aggressive collateral exploitation of innocent civilian victims is well outside those norms and indicative of inherent weakness in its cyber operations strategy. Additionally, its dependence on exploiting insecure devices and infrastructure has provided an opportunity for the private sector to identify and expose threat activity emanating from China. This presentation will put forth a common ontology for understanding the PRC cyber threat through an operational and strategic lens, in support of closer collaboration and the development of innovative solutions - by the private sector in concert with the US government - to tackle the many facets of the common threats we face.