
New domains of crossover and concern in cyberspace



In the wake of the crisis in Ukraine and Russia’s annexation of Crimea, Western analyses have paid relatively sparse attention to the impact of these geopolitical shifts on Chinese views on territorial and peripheral stability. This essay uses 434 Chinese-language documents as a baseline to analyse how experts in China have internalized the lessons learned from the crisis in Ukraine. Understanding how Chinese academics, economists, engineers, officials and military personnel view Russian tactics and strategy in Ukraine offers insights into how the concept of hybrid warfare and the use of proxies might factor into China’s future calculations. This analysis suggests that beyond allegations of employing its own ‘little green men’ on land and ‘little blue men’ at sea to enforce its territorial claims, China may be trending towards a more holistic and Russian view of hybrid and proxy warfare in a new territory—cyberspace.


Hybrid warfare and cyberspace

Hybrid and proxy warfare are hardly new concepts in China. Decades ago, China followed Russia in supporting a revolution that spanned the breadth of society. More recently, in 2003, China’s Central Military Commission and Communist Party codified the ‘three warfares’ as psychological, media and legal operations. Beyond the similarity with Russian views on holistic campaigns that penetrate multiple levels of society, the Deputy Secretary General of the China National Security Forum has noted that, similar to Ukraine, in the Asia-Pacific, ‘…small to medium scale military conflict or tensions are difficult to completely rule out, particularly given the US soft war of economic penetration and political subversion of China, combined with instigation of proxy warfare against China by neighbouring countries with which it has historical disputes…’.

While hybrid warfare may be a well-worn concept, a new key element in this ‘soft war’ and the future of hybrid warfare is cyberspace. An expert in the Unit of Engineers in China’s National Security Policy Committee points to ‘network warfare’ (络战) conducted by the West in Ukraine through its use of cyberspace to: (a) control and manipulate public opinion and attack the government; (b) conduct network monitoring and information attacks on government and military systems; and (c) provide substantial funding and information to support opposition groups. His use of the term ‘warfare’ when describing these activities suggests China’s application of a broader Russian definition to characterize conflict in cyberspace.

Using this broadened definition of warfare, Chinese experts denounce the negative impact of Western influence through ethnic and religious nationalism and democratic principles that are spread through exchange students, non-governmental organizations and economic interactions in a globalized market economy. These trends are all facilitated by information flows through cyberspace. Over a quarter of the Chinese analyses surveyed cover the role of external propaganda and elections in Ukraine. Some pinpoint how the USA has utilized its own proxies in the form of non-governmental agencies and online propaganda to infiltrate and influence local opinion. Others provide detailed analyses on how Facebook, Twitter, Vkontakte and YouTube, among others, were leveraged for the Euromaidan movement. Given this basis, China and Russia have become increasingly aligned on such issues as Internet sovereignty and the control of information flows.

In fact, experts from China’s Second Artillery and the National Security Policy Committee, among others, have directly linked instability in Ukraine to US and European cyberattacks to control and manipulate online content, opposition parties and domestic public opinion. In the face of the revelations of Edward Snowden on US cyber espionage programmes, the prevailing sense in China is that it remains particularly vulnerable and needs to make advances in not just detection, but also defence, retaliation and offence. These analysts argue that the USA sees China as a ‘new rival’ () on a par with or even exceeding Russia, citing Western references to a ‘new cyberspace cold war’ (新冷). In so doing, they mimic Russian sources by referring to threats from ‘external cyberterrorism’ (外部网恐怖主) and ‘Western hacker attacks’ (西方网黑客的攻).

At the national level, Chinese experts decry how the West has used cyberspace to control civilian networks and infrastructure, to demonize national leaders and their policies and to spread rumours that result in ethnic conflicts and social disorder. Zhu Zhihua, Deputy Director of the Association of Contemporary International Studies, highlights how external powers have used such incidents as the 5 July 2009 unrest in Xinjiang, the 3 July 2011 railway incident in Wenzhou and the 8 March 2014 Malaysian Airlines flight disappearance to wage online campaigns to undermine China. Zhu notes that the stronger cyber capabilities of the Five Eyes countries—Australia, Canada, New Zealand, the United Kingdom and the USA—allow them to work in concert with the US Rebalance to the Asia-Pacific to attack the Chinese Communist Party and the Central People’s Government from within by fabricating rumours, inciting extreme emotions, intensifying ethnic conflicts and encouraging social chaos.

At the regional level, Chinese analysts see cyberspace as a key mechanism used by the USA to reinforce its hegemonic role, exacerbating a spectrum of concerns over Taiwan, Xinjiang and Tibet, as well as the East China Sea and South China Sea. They argue that China must learn from how the USA and European powers infiltrated and controlled Ukraine’s government and military networks. In confronting these threats, Chinese experts emphasize the development of civil-military integration and interoperability in cyber command countermeasures and mitigation techniques, as well as in cyber reconnaissance and cyberattack capabilities. They advocate China strengthen its public and private networks, exert greater control over content and harden its broadband networks to close the technical loopholes used by other countries to undermine China’s ‘sovereignty security’ (安全), ‘political security’ (政治安全) and ‘social stability’ (社会).

Overall, Chinese analysts note that in the face of Western encirclement on land, sea and now in cyberspace, China must follow Russia’s example by placing a greater emphasis on the reputation and modernization of its own military to ensure its security and national interests. In the words of Chu Maoming, a Counsellor in China’s Ministry of Foreign Affairs, China must learn from Russia’s actions in Ukraine to be confident in its theory, its path and its system in order to unswervingly forge ahead with its ‘emergence’ (). To this end, Russia’s own prioritization and modernization of its military could be equated with that which Chinese official and non-official discourses label its ‘Strong Military Dream’ (强军 ), an extension of the ‘China Dream’ (中国梦).


Cyber convergence

As the China Dream and Strong Military Dream play out in cyberspace, China’s and Russia’s tactics and strategies are showing signs of convergence. Beyond China’s alleged use of what could be deemed their own variant of ‘little green men’ with nomads and paramilitaries at land borders, or ‘little blue men’ with fishermen and coastguard vessels at maritime borders, Chinese and Russian views are becoming increasingly aligned on cyberspace, which cuts across both spheres. The holistic nature of cyberspace lends itself to more pervasive and ultimately punishing political, economic and military campaigns against broader populations and non-combatants.

Moreover, non-combatants do not exist in cyberspace, making it the perfect environment to carry out hybrid warfare. Despite the centrality of this sphere for future proxy activities, it remains the least understood. This is, in part, due to the difficulty of attribution and the number of patriotic hackers and proxy entrants in this field. Determining whether actions are those of a proxy individual or group as opposed to a military or government remains difficult. This is a point frequently made by Chinese analysts such as Dong Qingling at Beijing’s University of International Business and Economics when discounting allegations against Russia and China, pertaining to alleged cyber intrusions and cyberattacks in Ukraine or on other networks.

With the enhancement of forensics, such dilemmas could diminish in the future. In the meantime, civilian and military analysts in China have pushed for and made improvements to cybersecurity, military and civilian integration and legal structures, and enhanced regulation of and joined up working on cyberattack and defence mechanisms. They have also advocated comprehensive cyberwarfare practices that emphasize counterattack capabilities and interference, as well as improved protection and monitoring of networks through defensive and offensive exercises.

There are also indications that China’s integration of proxies into information operations is already under way, with the alleged involvement of domestic universities, foundations and industries—thought to often have support from the PLA or Ministry of State Security—in broader campaigns that intrude on networks of multiple countries in South East Asia and South Asia, as with Advanced Persistent Threat 30 (APT30). The latter series of incidents, alleged, given its scope, duration and focus on the South China Sea, to have originated from within China, lasted over 10 years and compromised government, media and industry in 17 countries.

Much like hybrid warfare in the Russian context, which prioritizes controlling and shaping the flow of information, such campaigns are likely to become more common in the future. They allow for military operations short of war and for information to be leveraged prior to and during conflict. They take forward the US model studied from the first Iraq war of Command, Control, Communications, Computers, Intelligence, Surveillance and Reconnaissance (C4ISR) and look to shape it to Chinese requirements both on and off the battlefield. Since cyberspace does not discriminate in the same way between combatants and non-combatants, this new realm of engagement allows for a 24/7 campaign.

The connectivity of persistent multi-layered tactics, cyber command countermeasures and cyberattack capabilities between China and Russia also appears to be growing. Similar malware campaigns are alleged to have emerged from within both China and Russia with an emphasis on using spearphishing, man-on-the-side, man-in-the-middle and watering-hole attacks to exploit browser, VPN and social engineering vulnerabilities.

Among these, a 2015 distributed denial of service (DDoS) attack allegedly using an Adobe Flash vulnerability was conducted against the website of the Permanent Court of Arbitration at The Hague, while adjudicating the Philippines’ case against China on the South China Sea. Although often considered a nuisance attack to take down systems, this type of DDoS attack can also be used to weaken the perimeter of the system to gain access and to potentially exfiltrate information. While differing in tactic, the nature of this incident is comparable with a 2015 intrusion and theft of data allegedly using a fake VPN server against the Dutch Safety Board investigating the MH17 crash, which was thought to have come from the hacker group Pawn Storm in Russia.

By 2016, the mass theft of data from the Democratic National Committee, comparable to the exfiltration of an estimated 25 million US employees’ clearance data from the US Office of Personnel Management discovered in 2015, highlighted again a basic form of cyber intrusion—spearphishing and remote access Trojans—as an inroad to domestic crises of confidence, damaged political systems and potential future blackmail. From The Hague to Washington, DC, these cases illustrate organizations and individuals with a politically and legally significant impact on China and Russia finding themselves subject to cyber intrusion and cyberattack.

Other similar malware campaigns thought to emanate from within China and Russia include the Clandestine Fox and Russian Doll, which are both thought to exploit spearphishing campaigns and Adobe Flash vulnerabilities to target aerospace and defence, construction and engineering, high-tech industry, telecommunications and transport infrastructure. In these cases, the tactics and intent behind the campaigns are not only convergent, but also likely to become increasingly commonplace. The challenges associated with identification of the perpetrators—whether at the technical attribution level or the political diplomatic level—suggest that cyberspace will be the crux of future hybrid warfare.

An example of how this future is expanding from simple data exfiltration to kinetic attacks on critical infrastructure came in a 2015 cyberattack on electricity utilities in Ukraine. Forensic reports on the malware, staging and coordination suggest that the hackers were either based in or supported by Russia. DarkEnergy malware, used in combination with denial of service attacks and the wiping tool KillDisk, not only cut electricity for an estimated 225 000 people, but also created an air of confusion and panic over the restoration of services among providers and users. Studies suggest that the motivation behind the attack was not simply to test out the ability to comprehensively take down critical infrastructure, but also to elicit embarrassment.

Thus, while this campaign lasted only four hours and was mitigated in part by the ability to use the analogue equipment in the facilities to restore functionality, it is telling how cyberattacks can be used in broader campaigns to cut vital services to a populace and to raise questions over the competence of first responders and the respective government. Given the level of penetration of such campaigns as APT30 into South East Asia and South Asia, the likelihood of similar tactics appearing in the Asia-Pacific region is high. Whether from government entities or patriotic hacker proxies, campaigns that target the entirety of society can greatly supplement the conduct of more conventional military campaigns by supporting a shutdown not only of basic services, but also of critical infrastructure from electricity plants to nuclear facilities.



Currently, China’s rhetoric and activities do not meet the level of violence found in the ‘little green men’ litmus test of the proxy war that Russia has allegedly waged in Ukraine. Nonetheless, enough parallels have been drawn by China’s own academics, engineers, military personnel and officials to suggest that China may transform this model and craft it into a more penetrating and persistent campaign.

Beyond the terrestrial and maritime implications of this methodology, confrontation in cyberspace poses new challenges for how analysts define and confront hybrid warfare. Arguments emanating from China on how it is being targeted with propaganda and destabilizing influences from cyberspace and civil society are often a mirror image of what is being alleged by Russia.

Both find the US ‘dark hand’ (黑手) to be manipulating public sentiment and conditions on the ground, whether on Ukraine or the South China Sea. Given their solidarity and concerns over this ‘interference’ (干涉) in their own domestic and regional spheres, it should not come as a surprise if China’s own tactics and responses increasingly fall along similar lines to those of Russia. Moving beyond appreciation of Russia’s willingness to stand up to the USA, Chinese adaptation to Russia’s alleged tactics and strategy on hybrid warfare is likely to increase.



Dr Lora Saalman is a Senior Researcher within SIPRI’s Armament and Disarmament and Conflict, Peace and Security research areas.