By: Preston Lim, YLS ’21

In the past several years, the Chinese government has successfully expanded its national cyber program. Harvard University’s Belfer National Cyber Power Index ranked China as the second most comprehensive cyber power in the world, behind the United States and ahead of both the United Kingdom and Russia. While the United States has maintained an edge in several competencies, Chinese cyber capabilities far outstrip those of the United States’ allies in the Indo-Pacific. Countries like Taiwan, India, and South Korea are increasingly vulnerable to Chinese cyber attacks. While many commentators have focused on the scope of China’s cyber capabilities, few have focused on how China has directed and abetted the proliferation of offensive cyber capabilities (“OCC”) and on the dangers this proliferation poses.

1. China’s Role in OCC Proliferation

The proliferation of OCC refers to the sale or transfer of specific cyber tools as well as of organizational and technical know-how. Private and semi-private firms often create and sell OCC to customers around the world. For example, Good Harbor Consulting, a U.S.-based private firm led by former counterterrorism coordinator Richard Clarke, played a critical role in establishing a secret Emirati cyber unit known as DREAD. Good Harbor Consulting supplied the Emiratis with both organizational and technical know-how and helped DREAD to develop sophisticated cyber capabilities. State-sponsored proliferation of OCC is important too. China has directed and abetted the proliferation of OCC, thereby risking the exacerbation of local conflicts and making the world less safe. Cyber counter-proliferation efforts cannot just focus on private and semi-private firms, but should also focus on the role of state actors like China.

Information regarding Chinese-directed proliferation of OCC is not widely available to the public, but there are various hints of the nature of Chinese activity. It is well known, for example, that the Chinese government has trained North Korean cyber agents at institutions such as the Harbin Institute of Technology. Such training, according to Jason Bartlett, provides “ample opportunity for…North Korean cyber agents to obtain the necessary skills and knowledge to conduct high-level cyberattacks against the United States and its allies.” Many North Korean cyber agents—most notably, the unit known as “Bureau 121”—operate covertly out of the Chinese city of Shenyang, though it should be noted that the Chinese government does not always sanction North Korean cyber attacks launched from Shenyang. Indian defense analysts have similarly accused China of training and aiding Pakistani cyber agents. Though the precise extent of Sino-Pakistani cyber cooperation is unclear, it is likely deep given the strategic and military ties between the two countries.

The motivations behind China’s sale or transfer of OCC remain unclear. By providing Pakistan and North Korea with such capabilities, China is able to improve ties and create goodwill with both countries. More speculatively, inasmuch as Chinese cyber authorities fear attribution, the transfer of OCC to Pakistan and North Korea may provide the Chinese state with the ability to direct cyber attacks from those countries without involving Chinese cyber operators.

Of course, Chinese state organizations are not the only actors capable of selling or exporting OCC. Chinese private and semi-private firms, such as Guangzhou-based Boyusec, likely play a major role in the proliferation of OCC. Just as the Russian-based cybersecurity services provider ENFER often acts with the support or approval of the Russian Federal Security Service, so too are Chinese cybersecurity firms likely to operate in support of Chinese grand strategy.  

2. The Ramifications of OCC Proliferation

The proliferation of OCC leads to at least two serious consequences. First, the proliferation of OCC can exacerbate local conflicts. In the case of the Indian-Pakistani conflict, cyber capabilities provide both states with an expanded toolkit, but also risk the evolution of the conflict into “conventional and/or nuclear war.” During the Sino-Indian border clashes last summer, for example, the power went out in Mumbai in an attack that was likely part of a broader Chinese cyber campaign. While Indian and Chinese diplomats managed to contain the border conflict, similar cyber attacks by Pakistan could easily lead to hot clashes along the border or disproportionate cyber retaliation. In short, the Chinese provision of OCC to Pakistan could well lead to conflict escalation between India and Pakistan.

Second, the proliferation of OCC is difficult to control. By sharing OCC with North Korean cyber agents, for example, the Chinese government might have opened something of a Pandora’s box. Given the pace of innovation in the field, North Korean cyber agents are capable of making Chinese-originated packages and programs more deadly. The end result, of course, is a world that is less safe for everyone. North Korean agents can easily deploy improved OCC to mount sophisticated cyber espionage operations and devastating cyber attacks worldwide and can often escape blame due to the many difficulties of cyber attribution.

China’s role in the proliferation process should not be overstated. Countries like North Korea and Pakistan have funded and developed indigenous cyber programs. As with other state actors, they already have access—through both the open and black market—to various “Access-as-a-Service” firms that specialize in the development and deployment of sophisticated OCC. Some commentators have gone so far as to suggest that the state-directed transfer of cyber capabilities is minimal. One brief from the Global Commission on the Stability of Cyberspace argued, for example, that “little evidence suggests that states actively share or transfer cyber capability to one another.”

Yet China’s provision of OCC to both Pakistan and North Korea demonstrates that China plays a modest role in the proliferation of OCC. More research is needed into the precise scope of Chinese cyber cooperation with foreign states. As China seeks to displace American cyber dominance, the pace of proliferation may increase rather than decrease, as China seeks to share select practices and programs with trusted partners. Moreover, the Chinese state bears at least some responsibility for private and semi-private Chinese firms’ development and export of OCC. State behavior matters and will continue to matter as great power competition between China and the United States deepens.

3. Responding to OCC Proliferation

How should members of the international community respond to cyber-proliferation? Clearly, counter-proliferation efforts cannot focus merely on handicapping or regulating private and semi-private firms, but must also address state behavior.

Traditional diplomatic solutions like arms control agreements may prove ineffective in slowing the pace of proliferation. Kenneth Geers has argued for an international arms control treaty for cyberspace, modeled on the 1977 Chemical Weapons Convention. The international community has already tried its hand at fitting cyber proliferation into a traditional arms control framework. Under the Wassenaar Arrangement—to which China is not party—states pledged to place export restrictions on dual-use goods in an attempt to cover at least some cyber weapons. Yet as Michele Markoff of the Office of the Coordinator for Cyber Issues recently observed, cyber technology tends to have more than two uses and thus does not fit well into the Wassenaar framework. It is also much more difficult to track the proliferation of cyber capabilities than of intercontinental ballistic missiles or even dual-use chemicals. Thus, Cold War-style arms control agreements are likely to prove ineffective in the cyber context.

This is not to dismiss the role of diplomacy or of international bodies. The UN Group of Government Experts (“GGE”), for example, usefully drew attention in its 2013 report to the “potential for the development and the spread of sophisticated malicious tools and techniques, such as bot-nets, by States or non-State actors.” As Markoff has pointed out, capacity building is key to fostering cyber cooperation and understanding. Countries like the United States and United Kingdom must thus continue to build cyber knowledge and expertise among less developed states. Bodies like the GGE should continue to sound the alarm on the risks of cyber proliferation and set priorities for the international community.

Individual states also have a number of practical counter-proliferation measures that they might pursue. Governments might consider placing firmer restrictions on the ability of former government officials to work for private cyber firms or foreign governments. Multiple U.S. and Israeli cyber officials, for example, have graduated from public service to lucrative careers in the private sector, selling their technical know-how to the highest bidder and speeding the proliferation of sophisticated cyber capabilities. By articulating stricter restrictions on post-government employment, states around the world will be able to better track and contain cyber-proliferation. In so doing, states should consider pairing employment restrictions with meaningful criminal penalties. If countries like the United States or Israel lead the way with such employment restrictions, China might eventually follow suit.

Lastly, criminal law has an important role to play in slowing the proliferation of OCC. National authorities already use criminal law tools to hold cyber criminals to account. The U.S. Department of Justice, for example, has indicted prominent cyber criminals in the past. Individual states cannot go it alone, however: global cooperation is particularly important in the criminal domain, since prosecutions of cyber crimes must often draw on evidence that is of a “transnational nature.” The Council of Europe’s Budapest Convention demonstrates the potential for international cooperation on cyber crime. The preamble of the treaty, for example, calls for the pursuit of a “common criminal policy aimed at the protection of society against cybercrime.”

Thus, a criminal law approach might prove more effective in containing cyber proliferation than arms control treaties or export restrictions. A regional bloc like the Council of Europe or, in the future, ASEAN, might try to forge a framework that criminalizes activities associated with cyber proliferation. Such regional understandings might in turn pave the way for broader international discussion and eventually lead China to focus more squarely on controlling cyber-proliferation.