Lessons from China’s Cyberattack Strategy Can Help CISOs Better Manage Threats, Report Says


A new report from Booz Allen Hamilton analyzed more than a dozen Chinese-sponsored cyberattacks over the past decade.

Chinese government-sponsored cyberattacks pose a challenge to U.S. national security interests at home and abroad, but threat analysts and chief information security officers can better prepare for these cyber threats by understanding the patterns in Beijing’s cyber operations, according to a report from Booz Allen Hamilton released on Wednesday. 

The report, “Same Cloak, More Dagger: Decoding How the People's Republic of China Uses Cyberattacks,” analyzed more than a dozen Chinese-sponsored cyberattacks over the past decade to help identify how, when and why the People’s Republic of China—or PRC—employs its cyber capabilities. Booz Allen Hamilton found that the PRC primarily uses cyberattacks to advance its so-called “core interests,” which the report defined as “security, sovereignty and development.” 

“Ultimately, advancing these interests serves to sustain the legitimacy and continuity of the Chinese Communist Party,” the report said. 

By using a variety of PRC organizations and state-aligned actors to carry out its cyber activities, the Chinese government targets countries, organizations and people—including “U.S. critical infrastructure organizations and countless companies with global interests”—that threaten its identified core interests. 

The likelihood of these entities experiencing a PRC-backed cyberattack increases, the report said, when factors such as location, sector and actions are considered. Countries where China lacks a clear power advantage, politically significant sectors and political organizations—such as the semiconductor sector and anti-corruption groups—and entities involved in combating PRC online censorship and propaganda are all at an increased risk of being impacted by cyberattacks.

As the report noted in its review of Chinese-sponsored cyberattacks over the past decade, the PRC’s primary tactics include distributed denial-of-service attacks; the defacement of websites and “digital signage;” the breaching of industrial control systems, such as those in the energy and power sectors; and the more rarely employed use of ransomware. These attacks have, in part, targeted the pro-democracy movement in Hong Kong, helped to reinforce China’s claims in the South China Sea and targeted “resistant politicians” in Taiwan.

“Beijing’s intensifying pressure on Taiwan, in particular, greatly raises the likelihood of cyberattacks disrupting critical supply chains,” the report said, noting that growing concerns about a Chinese invasion of the country should help guide risk management efforts. 

One of the report’s authors, who asked not to be identified given the sensitive nature of the topic, told Nextgov that it’s important for CISOs and threat analysts—particularly those in high-risk sectors and entities—to be proactive in shoring up their cyber defenses.

“Organizations should start preparing now for this growing threat,” the author added. “It’s important to understand these threats before they reach the fore.”

The report recommended that CISOs use lessons garnered from the past decade of examined PRC cyberattacks to strengthen their approach to risk management. Some of the report’s suggested steps include having CISOs perform a full-scale review of their supply chain resilience; conduct executive-level wargames “based on observed and plausible escalatory forms of attack operations by PRC;” strengthen their information sharing capabilities with other organizations and federal agencies; and audit or review their security controls for threat activity. 

These steps are critical, the report said, for CISOs to ward off both cyberattacks and other breaches or intrusions that could be used to advance China’s interests or demonstrate its cyber capabilities. 

As the report noted, the PRC “infiltrated American natural gas pipeline operators in response to the U.S. strategic reorientation to the Indo-Pacific” in 2011 and 2012, but there was never any indication that these breaches were used to disrupt natural gas pipeline operations. The author noted, however, that this was the PRC signaling it had the capability to do so if it desired, and another sign that organizations should be more vigilant in their cyber defense efforts. 

“If there’s any sort of lesson from this, it might be that China has shown you can think about cyberspace and cybersecurity in a much broader sense as information security,” the author said. “Yes, it’s important at a very tactical level to secure networks and to make sure networks don’t go down, but sometimes it’s not the size of the disruption, it’s the message that’s sent by the disruption.”

Booz Allen Hamilton’s report came out the same day as the release of President Joe Biden’s national security strategy, which in part highlighted the need to outcompete China and counter its influence campaigns around the world.

“More capable competitors and new strategies of threatening behavior below and above the traditional threshold of conflict mean we cannot afford to rely solely on conventional forces and nuclear deterrence,” the Biden administration’s national security strategy said in part. “Our defense strategy must sustain and strengthen deterrence, with the PRC as our pacing challenge.”