Beijing's cyber attacks are rooted in military strategy, says one of America's foremost experts. The best way to combat them is for the U.S. to go on the cyber offensive too.
By DAVID FEITH
Fort Leavenworth, Kan.
For several years, Washington has treated China as the Lord Voldemort of geopolitics—the foe who must not be named, lest all economic and diplomatic hell break loose. That policy seemed to be ending in recent weeks, and Timothy Thomas thinks it's about time.
The clearest sign of change came in a March 11 speech by Tom Donilon, President Obama's national security adviser, who condemned "cyber intrusions emanating from China on an unprecedented scale" and declared that "the international community cannot tolerate such activity from any country." Chinese cyber aggression poses risks "to international trade, to the reputation of Chinese industry and to our overall relations," Mr. Donilon said, and Beijing must stop it.
"Why did we wait so long?" wonders Mr. Thomas as we sit in the U.S. Army's Foreign Military Studies Office, where the 64-year-old retired lieutenant colonel has studied Chinese cyber strategy for two decades. More than enough evidence accumulated long ago, he says, for the U.S. to say to Beijing and its denials of responsibility, "Folks, you don't have a leg to stand on, sorry."
U.S. targets of suspected Chinese cyber attacks include news organizations (this newspaper, the New York Times, Bloomberg), tech firms (Google, Adobe, Yahoo), multinationals (Coca-Cola, Dow Chemical), defense contractors (Lockheed Martin, Northrop Grumman), federal departments (Homeland Security, State, Energy, Commerce), senior officials (Hillary Clinton, Adm. Mike Mullen), nuclear-weapons labs (Los Alamos, Oak Ridge) and just about every other node of American commerce, infrastructure or authority. Identities of confidential sources, hide-outs of human-rights dissidents, negotiation strategies of major corporations, classified avionics of the F-35 fighter jet, the ins and outs of America's power grid: Hackers probe for all this, extracting secrets and possibly laying groundwork for acts of sabotage.
China's aggression has so far persisted, Mr. Thomas says, because "it makes perfect sense to them." The U.S. has difficulty defending its cyber systems, the relatively new realm of cyber isn't subject to international norms, and years of intrusions have provoked little American response. "I think they're willing to take the risk right now because they believe that we can't do anything to them," he says. "You have to change the playing field for them, and if you don't, they're not going to change. They're going to continue to rip off every bit of information they can."
Not that he expects Beijing to back down lightly. On the contrary, Mr. Thomas points to the literature of the People's Liberation Army to demonstrate that China's cyber strategy has deep—even ancient—roots.
The essence of China's thinking about cyber warfare is the concept of shi, he says, first introduced in Sun Tzu's "The Art of War" about 2,500 years ago. The concept's English translation is debated, but Mr. Thomas subscribes to the rendering of Chinese Gen. Tao Hanzhang, who defines shi as "the strategically advantageous posture before a battle."
"When I do reconnaissance activities of your [cyber] system," Mr. Thomas explains of China's thinking, "I'm looking for your vulnerabilities. I'm establishing a strategic advantage that enables me to 'win victory before the first battle' "—another classic concept, this one from the "36 Stratagems" of Chinese lore. "I've established the playing field. I have 'prepped the battlefield,' to put it in the U.S. lexicon."
Or, as Chinese Gen. Dai Qingmin wrote in his 2002 book, "Direct Information Warfare": "Computer network reconnaissance is the prerequisite for seizing victory in warfare. It helps to choose opportune moments, places and measures for attack." Says Mr. Thomas: "He's telling you right there—10 years ago—that if we're going to win, we have to do recon."
A 1999 book by two Chinese colonels put it more aggressively (albeit in a sentence as verbose as it is apocalyptic): "If the attacking side secretly musters large amounts of capital without the enemy nations being aware of this at all and launches a sneak attack against its financial markets," wrote Qiao Liang and Wang Xiangsui, "then, after causing a financial crisis, buries a computer virus and hacker detachment in the opponent's computer system in advance, while at the same time carrying out a network attack against the enemy so that the civilian electricity network, traffic dispatching network, financial transaction network, telephone communications network, and mass media network are completely paralyzed, this will cause the enemy nation to fall into social panic, street riots, and a political crisis." No kidding.
This vision from 1999 reads like an outline of the report published last month by Mandiant, a private-security firm, about "Unit 61398," a Shanghai-based Chinese military team that since 2006 has mounted cyber assaults to steal terabytes of codes and other information from U.S. assets. Among the targets of Unit 61398 was Telvent Canada, which provides remote-access software for more than 60% of the oil and gas pipelines in North America and Latin America.
Unit 61398 is said to engage in "spearphishing," whereby would-be cyber intruders send emails with links and attachments that, if clicked, install malware on target computers. Lesser hackers might spearphish while posing as Nigerian princes, but Unit 61398 developed sophisticated ways, including colloquial language, to mimic corporate and governmental interoffice emails.
Spearphishing, too, draws on traditional Chinese stratagems: "The Chinese strive to impel opponents to follow a line of reasoning that they (the Chinese) craft," Mr. Thomas wrote in 2007. With this kind of asymmetric approach, he says, "anybody can become an unsuspecting accomplice."
In this context Mr. Thomas mentions a cartoon published last year in Army magazine in which one Chinese general says to another: "To hell with 'The Art of War,' I say we hack into their infrastructure." Good for a chuckle, perhaps, but Mr. Thomas warns against taking the message seriously. China's hacking is in fact "a manifestation of 'The Art of War,' " he says, and if the U.S. military doesn't realize that, it "can make mistakes. . . . You have to stay with their line of thought if you're going to try to think like them."
"Boy," he later laments, "we need a lot more Chinese speakers in this country"—a point underscored by the fact that he isn't one himself. He reads Chinese military texts in translation, some published by the U.S. government's Open Source Center and some he has found himself. He stumbled upon Gen. Dai's "Direct Information Warfare" on a trip several years ago to Shanghai, when an associate led him (and an interpreter) to an unmarked military bookstore on the top floor of a building on the outskirts of town. "I could tell when I walked in that the people behind the cash register were stunned I was there," he recalls. In public bookstores, he says, material addressing Chinese national security is often marked "not for foreign sale" on the inside cover.
The Ohio native does speak Russian, having focused most of his military service (from West Point graduation in 1973 until 1993) on the Soviet Union. That language skill still comes in handy, and not just because Russia is suspected of having carried out cyber assaults against Estonia in 2007 and Georgia in 2008.
Look at the Mandiant report's map of Chinese cyber intrusions (at least those tied to Unit 61398): Russia is untouched. "That's a huge area. . . . I really would wonder why they're after South Africa, the U.A.E. and Singapore but not Russia. And Luxembourg. They went after Luxembourg but not Russia?" Together with Iran, he argues, China and Russia make up "not the axis of evil but the axis of cyber."
So what is to be done? Security firms are working to harden networks against hackers, and members of Congress are promoting legislation to let the government work more closely with Internet service providers without opening up the companies to lawsuits or infringing on civil liberties. Washington could challenge Chinese cyber espionage with targeted economic sanctions. Meanwhile, there is much talk about establishing international standards for cyber space, but it is unclear what that would mean—which probably explains why top officials in Washington and Beijing have both endorsed the idea.
None of this seems promising to Mr. Thomas, who stresses building deterrence through offensive capabilities, such as the 13 new teams at U.S. Cyber Command. The implication is that the best defense is a good offense.
And doesn't that suggest, in turn, that the U.S. and China are headed toward a dynamic of mutually assured cyber destruction? "It seems like it," he says.
It's heartening to hear, then, that Chinese military literature isn't uniformly aggressive toward America. This includes writings about the "China Dream," which posits that China will overtake the U.S. economically and militarily by midcentury—and which has been adopted as the signature cause of new President Xi Jinping.
"They give you both versions," says Mr. Thomas. "They give you a model that says, 'There will be no way we'll ever fight [the U.S.], we'll work on cooperation.' A chapter later, 'There could be a time where if pushed hard enough, we'll have to do something and there will be a battle.' "
But what about the argument that the U.S. is shedding crocodile tears? America (and Israel) were almost certainly behind the most successful known cyber attack to date: the Stuxnet virus that impeded Iran's uranium-enrichment program. There might be some comfort in knowing that the U.S. is doing unto China what China is doing unto the U.S., says Mr. Thomas, but "we don't seem as intrusive as the other side." That is illustrated especially, he says, by China's state-sponsored commercial espionage. He frequently hears complaints from U.S. firms dealing with Chinese counterparts who know their secrets, adding that "I don't think people really get the security briefing of just how invasive it is."
Then there's the argument that all this is overblown because no cyber attack has ever killed anyone. Mr. Thomas responds, somewhat impatiently: "If I had access to your bank account, would you worry? If I had access to your home security system, would you worry? If I have access to the pipes coming into your house? Not just your security system but your gas, your electric—and you're the Pentagon?"
He adds: "Maybe nobody's been killed yet, but I don't want you having the ability to hold me hostage. I don't want that. I don't want you to be able to blackmail me at any point in time that you want." He cites the Chinese colonels' vision, back in 1999, of "social panic" and "street riots." "I wonder what would happen if none of us could withdraw money out of our banks. I watched the Russians when the crash came and they stood in line and . . . they had nothing."
Mr. Feith is an assistant editorial features editor at the Journal.
A version of this article appeared March 30, 2013, on page A11 in the U.S. edition of The Wall Street Journal, with the headline: Why China Is Reading Your Email.