Everything, Everywhere, All at Once? Cyberspace Operations and Chinese Strategy

China-watchers are worried about war. A dangerous mix of regional and domestic politics is pushing the great powers towards conflict, they say, despite the enormous risks to both sides. Making matters worse are concerns that China may use new technologies to strike directly at the United States. In last month’s Annual Threat Assessment, for instance, the director of national intelligence highlighted the danger that China could use cyberspace against soldiers and civilians alike. “If Beijing believed that a major conflict with the United States were imminent,” it concluded, “it would consider aggressive cyber operations against U.S. critical infrastructure and military assets. Such a strike would be designed to deter U.S. military action by impeding U.S. decisionmaking, inducing societal panic, and interfering with the deployment of U.S. forces.”

Wartime operations against infrastructure would represent a major expansion for China, which is best known for spying in cyberspace. U.S. officials have repeatedly raised the alarm about China’s digital espionage, and their warnings seem increasingly prescient after startling data breaches against states, firms, and individuals. In addition to stealing secrets about other countries’ capabilities and intentions — the traditional secrets sought by intelligence agencies — China may also seek to steal industrial knowledge that helps it reverse engineer new technologies, or to collect huge amounts of data to feed its artificial intelligence research. Whatever its purposes, it is clear that Beijing views cyberspace as essential for modern espionage.

The Chinese leadership also views cyberspace as critical in the event of conflict. Its military doctrine stresses the need for rapidly seizing the initiative and controlling what it calls “systems confrontation.” Doing so would allow it to inject confusion into its enemy’s operations and make it harder to organize a response. U.S. leaders might be discouraged from fighting if they did not believe that their forces would have a clear view of the battlespace. Attacks on information systems, combined with a precise and lethal volley from a new suite of “anti-access” weapons, might deter Washington from coming to the aid of its regional allies and partners. From Beijing’s perspective, cyberspace operations in theater are key to enable quick and decisive victory at a reasonably low cost.

And according to recent testimony, China is now operating in ways that suggest a much more aggressive strategic approach. Instead of focusing on U.S. and partner military networks in East Asia, it is attempting to penetrate infrastructure in the United States. Nightmares come next. Officials worry that unleashing malware against civilian targets could threaten national security while also producing catastrophic social and economic effects. When asked by Congress to imagine a Chinese offensive, Cybersecurity and Infrastructure Security Agency Director Jen Easterly imagined the worst: “Telecommunications going down — People start getting sick from polluted water. Trains get derailed. This is truly an everything, everywhere, all at once scenario.”

These are startling comments. U.S. officials seem clearly convinced that China can target military information systems and civilian infrastructure in the event of war. Less clear, however, is whether China can translate cyberspace operations into strategic success. What is possible at the operational level may fizzle as a strategic tool.

Turn Up the Fog Machine

Wartime operations against military networks are undoubtedly appealing to Chinese military planners, whose doctrine stresses dominating the competition for information. Rather than facing U.S. conventional forces in pitched battles, information attacks can hobble their communications and inject confusion and doubt into their effort. Reducing U.S. military confidence in its response to Chinese aggression might encourage U.S. political leaders to avoid the fight altogether.

At first glance, cyberspace seems ideal for efforts against U.S. communications and data management. The U.S. military asks a lot from its information systems, given that it envisions fighting across vast distances in multiple warfighting domains. Information must move quickly and in large volume to many organizations. Because this requires an interconnected architecture, it carries multiple points of vulnerability. This is good news for potential Chinese operators looking for a way in. Cyberspace intrusions might also appeal to Beijing because they can be conducted from afar, reducing the danger of discovery and making it easier to obscure their origins.

Given all this, it is not hard to understand why cyberspace operations against U.S. military targets are so seductive. In theory, Chinese operations could target U.S. and allied military forces anonymously from a safe distance, targeting a growing attack surface in order to inject friction into organizations that are increasingly reliant on the digital domain. Battlefield awareness and reliable communications would be at grave risk.

But there are limits to what China can expect from counter-network cyberspace operations. Successful malware intrusions require elaborate efforts at concealment, but meaningful effects require a large organizational infrastructure for intelligence gathering, target acquisition, exploit development, and execution. These requirements work at cross-purposes. Concealment is most likely when states limit the number of personnel involved and resources invested. Such limitations, however, make it very difficult to attack sophisticated adversaries.

Those adversaries, meanwhile, will have reason to be on guard. Peacetime cyberspace operations are more likely to succeed because the victims are not focused on a single threat. States monitor a range of possible adversaries, who may choose to focus on one or more targets. Indeed, warnings about the growing “attack surface” available to malicious adversaries (foreign intelligence services, foreign militaries, and organized criminals) attest to the variety of unseen peacetime dangers. Defenders may find it difficult to prioritize their efforts against nation-state military rivals who might act against them in a hypothetical future war when there are pressing threats to other private and public targets. In crises and war, however, it is fair to assume that states will be fully alert to the activities of their enemy. In addition, wartime combatants have powerful incentives to increase the security of communication networks and deploy redundant information systems to improve resiliency after the shooting starts. And routine cybersecurity measures that may be overlooked in peacetime are likely to receive attention as conflict draws near. Imminent violence inspires vigilance among defenders, making cyberspace breakthroughs extremely difficult.

It is unclear whether Chinese officers are aware of these difficulties. Their ongoing doctrinal zeal for information operations suggests not. That said, U.S. officials now seem to believe that China’s recent activities indicate a different theory of victory.

Social Distortion

Compartmented military networks are closed systems with extensive security precautions in place to prevent unauthorized entry. Hackers are more likely to succeed against public-facing business networks than against hardened military targets. But civilian infrastructure is apparently much more vulnerable. This is not surprising, given its geographic scope and complexity, or the fact that most of the associated machinery predates the cyberspace era. Policymakers and engineers have repeatedly emphasized these vulnerabilities, warning that infrastructure presents an extremely tempting target to would-be saboteurs.

Moreover, the threat to infrastructure is psychological as much as physical. During her congressional testimony last month, Easterly referred to “social panic … at a massive scale” as multiple simultaneous infrastructure attacks played out in a hypothetical war. Possible attacks on electricity, water, and the financial system are particularly unnerving. What should we expect if war leads to darkened cities full of terrified citizens who cannot trust the water supply and who have no access to their own funds? To concerned officials, we can expect a war in which American society slides into panic, despite the fact that military activities are half a world away.

Fears of social breakdown as a result of cyberspace operations are nothing new, of course, but they have received more attention in recent years. The Cyberspace Solarium Commission Report, published in 2020, began with a “Warning from Tomorrow” about a desolate Washington in the aftermath of a catastrophic attack. Among other horrors are tent cities around the city where people choose to live, even though public authorities tell them it is safe to return to their homes. People will stop trusting their infrastructure, we are told, after it has been compromised.

Perhaps China’s leadership believes that it can exploit these post-apocalyptic fears to coerce the United States in the event of war. Perhaps it believes that it can compel U.S. leaders to back down by making cyber threats against U.S. infrastructure — or by going forward with attacks. Indeed, Chinese leaders may suspect that the only way to pressure the leaders of a democratic country is by imposing costs on the people living there. How better to disabuse U.S. citizens from the idea that they can safely support military action in East Asia without incurring any real risk? Such attacks might convince them not to fight so far from home.

The expansion of targets from military networks to civilian infrastructure is akin to the expansion of strategic bombing in World War II. The United States entered that conflict with a vision of airpower built around an appealing economic logic. Precise bombing raids against Germany’s vital industrial nodes would cause its economy to falter. The interlocking nature of modern industrial economies, moreover, meant that a limited amount of bombing would have outsized effects on Germany’s ability to sustain its war machine. But the experience of wartime revealed hard truths: Maps were insufficient, bombs were inaccurate, and air defenses were lethal. While never giving up the dream of precision, later American bombing raids used huge numbers of aircraft to cover large industrial areas.

In a similar fashion, it is possible that Chinese military planners suspect that pinpoint cyberspace operations against hardened military networks will not be enough. If they cannot obstruct U.S. military movements through cyber attacks, perhaps they can coerce U.S. policymakers by sowing dissent among ordinary Americans. Such thinking would explain the growing interest in prepositioning malware on civilian infrastructure.

Yet such efforts may prove disappointing. The theory of victory underlying cyber operations against infrastructure is straightforward: Disruption of social and economic life in the United States will lead to pressure on policymakers to back away from conflict in Asia. Civilians won’t tolerate the pain, and pressure from below will cause politicians to remove U.S. forces. Several questionable assumptions are built into this strategy. One is that cyberspace operations will prove as devastating as officials fear. It is true that infrastructure networks offer a large attack surface to would-be attackers, but in cyberspace the actual consequences are often hard to predict in advance. A related assumption is that U.S. infrastructure providers will not be able to restore service quickly, even with government assistance. This is possible, to be sure, but the increasing U.S. focus on resilience suggests that there is serious attention to what might occur the day after.

Unless China is able to cause extraordinary and lasting damage to infrastructure, there is little reason to believe that this will serve as a useful coercive tool. Under these conditions Americans are much more likely to form opinions about the war based on the real killing and dying in the theater itself. And even if China is able to grab Americans’ attention via cyber operations against infrastructure, the public reaction might prove counterproductive. Rather than clamoring for a settlement, the public might demand revenge.

Learning the Hard Way?

Strategists pay close attention when new technologies open up the possibility of fighting in new domains. Such moments lead to speculation that key innovations will enable fundamental changes in warfighting that make overwhelming victory possible. The advent of blue-water sailing vessels aroused hopes of dramatic naval victories that would give adversaries no choice but to surrender. The emergence of powered flight led to dreams that bombers alone might determine the outcome of future wars. In both cases, painful wartime lessons revealed the limits of novel weapons and platforms, however innovative.

Something similar may be playing out in cyberspace today. Notions of “cyberwar” imply an antiseptic style of fighting, where victory and defeat depend more on savvy information campaigns than on military violence. For reasons described above, this is understandably appealing, especially for those who bear the responsibility of ordering soldiers into conflict. Yet the limits of offensive cyberspace operations are becoming clearer, and states are spending more on defense. Russia’s disappointing performance in Ukraine also suggests that cyberspace operations, while potentially important in the context of a broader campaign, are relatively limited as standalone strategic tools.

Cyberspace will surely play an important role in possible future great-power war, given the ubiquity of digital communications and automated systems among the great powers. But if the track record of other technological breakthroughs is any guide, then offensive cyberspace operations are unlikely to prove decisive. Chinese strategists may not have come to this conclusion. It is possible that they attribute Russia’s failure to other causes and still trust that their approach to the domain is correct. If so, then the real test of their belief will only come in the opening round of conflict. And if the reality of wartime cyberspace operations proves to be less than advertised, then China might find itself stuck in a long war with no easy exit.

Joshua Rovner is an associate professor in the School of International Service at American University.

Image: 131st Bomb Wing