Cyberspectives: Fiona Cunningham On China And Cybersecurity

interview with Fiona Cunningham
Thursday, April 25, 2019

In this episode, Stanford researcher Fiona Cunningham discusses cybersecurity in relation to China, addressing areas including military strategy and computer technology in the context of China’s overall strategic and geopolitical goals.

About the guest: 
Fiona Cunningham is currently a postdoctoral fellow at the Center for International Security and Cooperation at Stanford. Her research lies at the intersection of technology and conflict, with a particular focus on China. She completed a PhD in September 2018 from the Department of Political Science at MIT. She has also worked at the Belfer Center for Science and International Affairs at the Kennedy School of Government. Prior to her doctoral studies, she earned a Bachelor of Arts in politics and international relations from the University of New South Wales as well as a Bachelor of Laws from the University of Sydney. In fall 2019 she will join the faculty of the Department of Political Science at George Washington University.


(the text below has been condensed and edited for clarity).

John Villasenor: Before we talk about cyber specifically, I think it would be helpful to hear a bit of background on China's military capabilities generally including any notable trends that you foresee shaping what you've referred to as the “levers of influence” within the Chinese military in the next few years.

Fiona Cunningham: I think it helps to have a little bit of background about how China has been thinking about its military and the kinds of contingencies that they might need to prepare for in the future. And this starts with China at the end of the Cold War where they stop thinking about dealing with the US or a Soviet invasion and started to think about what kinds of local wars they might need to fight on their periphery. But then the Gulf War came along, and like many other countries, this really shocked the Chinese military into thinking more about its conventional military inferiority. And that was highlighted again in the way that the United States performed in the case of both conflicts in Afghanistan and Iraq.

So that really highlighted China's need to build up and compensate as best it could for its conventional military inferiority. Then, of course, the Taiwan Straits Crisis happens in 1995, 96 and that becomes the central contingency that Chinese leaders and military planners are kind of thinking about. So looking at that set of contingencies and problems, China has been investing in its conventional military power for, I would say, the last three decades, but has really started to put money into that, I think, in about 1999, 2000. And the investments in hardware and improving the kinds of weapons and platforms China had is starting to just come to fruition in the last five to 10 years. This has led to recognition, I think, within the Chinese military, that hardware isn't enough and it needed a command structure that would allow it to actually make use of advanced conventional military capabilities.

A major trend with the Chinese military in recent years has been a major military reform effort implemented by the current chairman of the Chinese Communist Party, Xi Jinping, at the end of 2015 and start of 2016. The main thrust of this was to implement a command structure that would enable China to carry out joint operations in a more similar manner to the United States. So the ground forces, which had always been really dominant, had their position reduced. The missile forces were upgraded to a full service and China put in place this new organization called the Strategic Support Force.

Looking forward, some of the trends that we're likely to see is a new doctrine for this new organizational structure as well as investments in the kind of information support capabilities in space and cyber for the Chinese military going forward. I also think the PLA is starting to think a lot more about how it can operate far beyond China's shores.

John Villasenor: How do you see cyber capabilities, both offensive and defensive, as fitting into China's military strategy?

Fiona Cunningham: I think China has looked at cyber capabilities as something that provides support for its war fighters, that can be used for offense, that can be used to defend its own networks, as well as embracing this idea of information or cyber deterrence. So that's the ability to hold another country's important strategic networks at risk—and risk as a way of gaining some coercive leverage over them. And this is a consistent thing for China since about the early 2000s, when they started investing in those capabilities.                        

There's been a change in how China has thought about its cyber military posture of the place of cyber capabilities within its military strategy. Because initially, in the early 2000s, it tasked its war fighters with developing offensive cyber capabilities, in particular, the ability to exploit other country's networks, and surveil what they were doing, without a lot of oversight or coordination across different aspects of the People's Liberation Army. So there were all kinds of new units who were in this business. But as their capabilities matured by about 2012, the People's Liberation Army started to look to reform its cyber strategy.

And I think one of the most important drivers of that was a growing sense of vulnerability of both the military as well as civilian society within China to cyber attacks. So the country obviously had embraced the Internet fairly significantly in the 10 years from when China first started developing military cyber capabilities. They were also starting to see coordination problems that were hampering the use of cyber capabilities within the People's Liberation Army and somewhat neglected cyber defenses. So since 2004, there's been a lot more emphasis on information security in the People's Liberation Army. They consolidated offense and surveillance into this new branch of the People's Liberation Army, called the Strategic Support Force, but left, interestingly enough, the defense of both military networks as well as civilian networks outside of that organization. So there've been some changes in how China's implemented its cyber strategy in recent years.

John Villasenor: In the most recent Party Congress, which was the 19th Party Congress, Chinese President, Xi Jinping stated that the goal is for China to become a “science and technology superpower.” How do you see cyber as fitting into that overall goal?

Fiona Cunningham: I did a year of fieldwork within China in 2015, 16. And every time I asked about Chinese military cyber capabilities, I was reminded of the fact that cyber is not just about the military, but there are all these other security and diplomatic and economic aspects to it from China’s perspective. So I think the view from Beijing and the view from China, more broadly, is definitely this idea that military cyber capabilities are situated within this much broader ecosystem that cuts across so many issue areas within China.

That said, I think in terms of this goal of China looking to become a science and technology superpower, I think for cyber space as well as more broadly for China, there's always a mix of security as well as opportunity in driving these sorts of goals towards becoming a superpower or achieving cybersecurity. So I guess how I see cyber fitting into this goal of a science and technology superpower is a model for a prosperous China going forward. Perhaps it’s also part of a vision for how China might be able to move away from its export driven model of economic growth that has propelled it to such wealth in the past couple of decades. But there's obviously a sense within China that it needs to come up with alternative methods of growing and moving forward. And so being a science and technology superpower, investing in innovation in that space, definitely I think is one source of economic growth for China and cyberspace is definitely an important part of that.

The second sort of aspect of being a science and technology superpower though also comes from a sense of insecurity that China has had from needing to borrow science and technology from other countries who were leading in that space.

John Villasenor: In the last couple of years, we've seen a pretty concerted effort by China to reduce its reliance on non-Chinese technologies. Do you see that effort as accelerating or slowing down, particularly in relation to cyber? Do you think that also applies to cyber? So for example, instead of relying on having commercial sector companies in China rely on commercial cyber security products developed in places like the United States, do you anticipate an intentional effort in China to build a homegrown commercial cybersecurity ecosystem?

Fiona Cunningham: I think this is a really interesting set of questions and obviously really consequential for the US and the US tech industry . . . and unfortunately, I'm a little pessimistic in this space because I think China's interest in self-reliance and its homegrown ecosystem is going to be accelerating in the future, rather than slowing down. But a bit of context is helpful here too because I think certainly the Chinese military has observed that one could be controlled by others at critical times if you relied on foreign produced hardware and software in the information space. I think 2000 is the first reference I've seen to it. And so it's long been a concern for China that relying upon things that other countries produce introduces vulnerabilities for the country, especially given the nature of cyber technology and information technology.

That said though, I don't think this was really a serious concern and a policy priority for Chinese leaders to address that vulnerability coming from foreign produced technology products until about 2013. And the reason for that is, one might guess, Edward Snowden's revelations about the way in which the NSA had made use of US produced hardware and software to increase intelligence collection efforts. And so I think this really freaked out, frankly, Chinese leaders and propelled them to actually take policy actions to reduce China's reliance on foreign produced hardware and software. So you see it a little bit in some speeches on needing to propel indigenous innovation in China that Xi Jinping was starting to give from about 2013, and culminated with China's most recent five year plan, which put a lot of emphasis on indigenous innovation and technology substitution.

I think also the US-led efforts to get Huawei off the 5G networks of a lot of countries in the West are likely to reinforce the Chinese views that if they try to build a homegrown infrastructure, other countries are doing the same. So they're not running against the grain of what global cyber security trends look like.

John Villasenor: Of course, campaigning for the 2020 election is heating up and will continue to do so over the coming months and until the election itself. The Russian attempts to influence the 2016 election have gotten a lot of attention, not only here in the United States, but also abroad. What do you think the Chinese government's view is of this whole issue and do you think that China might at some point choose to use its cyber methods to try to influence elections either in the United States or elsewhere?

Fiona Cunningham: So I think this is a great question and it's a really interesting one to contemplate from China's perspective. And I think some of the Chinese views of this election meddling on the part of Russia are a little bit counterintuitive, I think, because I think a lot of western experts have worried that China would look at what Russia did and think, “Wow, this is like a great model of something that we can think about doing, too,” given that China's relationship with the United States is sometimes fairly tense. But I did go and look at what Chinese experts were thinking and saying about this 2016 election meddling on Russia's part. And they were actually kind of upset, which surprised me, but I guess I was happy to be surprised by that finding. They're really concerned that this kind of meddling in another country's political affairs using cyberspace, could become a norm of global behavior.

And of course, they were thinking about China being a victim of this kind of activity, rather than taking inspiration from what Russia had done, as a sort of, “Wow, this is great instrument of influence within international affairs.” And obviously, this is only a small section of the Chinese policy community and one that's outward facing, and there might be others within Chinese government who do think that this is a useful model. But I think it's heartening to see that they're more concerned than inspired by Russian actions. That said though, if we look at some of the things China has been doing, there is some evidence that some other western scholars have picked up about China trying out some of the Russian type cyber techniques, in particular, in Taiwan, and certainly reports of them surveilling political parties, and I think it was in Cambodia or one of the other Southeast Asian countries in recent years.

And sort of an open question as to whether or not the activities in Taiwan is because Taiwan is special or because China would think about doing this to less powerful countries, but perhaps not a country that could meddle in its own affairs in retaliation, such as the United States or Russia.