Published by The Lawfare Institute
in Cooperation With
In 2015, news broke that Chinese hackers had breached computer networks at the U.S. Office of Personnel Management, exposing the personal data of millions of government employees. In response, the White House took the initiative to improve government network security through a variety of measures. Among other actions, the White House Office of Management and Budget called for all government websites to have implemented HTTPS by the end of 2016. HTTPS, an acronym for Hyper-Text Transfer Protocol (Secure), ensures that the visitor’s connection to a website remains confidential, that the website is “authentic”— meaning that it is the website visitors thought they were logging into—and that the data between the visitor and the website has not been modified. HTTPS implementation on a website is not a panacea to fend off malicious cyberattacks, but it makes the widespread tracking and interception of browsing traffic more difficult. Likewise, while it is not clear whether a lack of HTTPS on government systems played a role in the Office of Personnel Management breach, implementing HTTPS eliminated a security flaw that could have been exploited by future hackers.
Ironically, while the U.S. government pushed to get HTTPS in place after a high-profile cyberattack by China, HTTPS is rarely used within China itself. HTTPS traffic that uses both TLS1.3—the newest version of Transport Layer Security, which provides secure communication between web browsers and servers and the specific content visited on a website—and ESNI—Encrypted Server Name Indication, which prevents third parties from seeing what websites a user visits—is blocked entirely in the country. The Chinese government imposed the ban because TLS1.3, when run via ESNI, makes it difficult for Chinese censors to see what sites a user is visiting and thereby reduces the government’s information control capabilities. Even foreign platforms such as the BBC or Wikipedia were banned as soon as they migrated to HTTPS.
Yet the Chinese government’s efforts to disincentivize encryption—to allow for censorship and surveillance—have created an online environment where even websites that carry sensitive government, health and commercial data remain unencrypted. This leaves them open to exploitation by intelligence agencies and cybercriminals.
Today, a majority of internet browsing is conducted over HTTPS on desktop computers, and more than 2 billion people use end-to-end encryption to communicate securely. Former national security officials, such as former Defense Secretary Ash Carter and former CIA and National Security Agency Director Michael Hayden, have defended strong encryption as in the interests of national security, reasoning that any weakness in encryption will be inevitably exploited by criminals or foreign governments.
There has been some pushback. Western governments have welcomed the weakening of encryption to facilitate criminal investigations by law enforcement. Only recently, members of the Five Eyes intelligence alliance (Australia, Canada, New Zealand, the U.K. and the U.S.), along with India and Japan, called upon tech companies to give governments access to end-to-end encrypted content. Australia has been the most active in this space, passing a law that obliges companies to introduce backdoors for the Australian government. But despite these initiatives, encryption remains widespread in most democracies, increasing resilience against malicious attacks and exploitations.
Encryption has met greater resistance in China. The government’s encryption regulations and implementation thereof are among the most restrictive in the world, giving the government full access to all encrypted content within its domestic territory. Article 31 of China’s Cryptography Law allows the State Cryptography Administration to inspect and have access to encrypted systems. This law applies to all sectors, including social media companies such as WeChat, which are required (and able) to turn over all user data, since messages are not end-to-end encrypted. In the financial sector, Trustwave SpiderLabs, a cybersecurity consultancy, revealed how a backdoor was present in the tax software a Chinese bank required its customers to install to pay local taxes. The malware, dubbed Golden Spy, has certain traits of a coordinated nation-state cyber operation, and was developed by the Beijing-based Aisino Corporation, which serves as a major contractor to the Chinese national tax authorities. While Trustwave SpiderLabs does not attribute the operation to any actor, the backdoor might be the Chinese authorities’ tool to inspect company networks in accordance with the Cryptography Law. In short, the regulatory environment in China allows for intrusive technical surveillance of internet traffic and data at rest. The country’s internet ecosystem is tailored to monitor all relevant financial, political, social and economic data to preserve domestic stability online and offline, by stifling any dissent online before it can spill offline.
Limiting HTTPS usage and encryption more broadly is important to China’s surveillance apparatus and gives leaders crucial insight into online networks. When data is transmitted unencrypted, government authorities can gauge the political sentiment of their populace at any time and they can allow content that praises the Chinese Communist Party (CCP) while blocking content that is critical of it.
However, this emphasis on intrusive surveillance and the circumvention of encryption comes with a trade-off. Just as pundits and national security officials have argued that undermining encryption would endanger cybersecurity and national security, the extent to which China has discouraged encryption within its territory may come with a weakening of its cyber defense capabilities.
The question of how China’s information control infrastructure potentially affects its cyber defense capabilities has received limited attention. Robert Sheldon, for instance, has maintained that, in China, the dedication of large resources toward operating a censorship infrastructure and managing its content divests a finite pool of skilled human resources that could otherwise take on roles in cyber defense or offense.
China’s pervasive surveillance infrastructure, enabled by weak or sometimes nonexistent encryption, has also left much data in China exposed to manipulation and spying. I performed a search across various government and industry sectors to gauge which websites relevant to Chinese national security do or do not deploy HTTPS on their login section.
Many websites and login portals pertaining to government services, critical national infrastructure or social media platforms have not implemented HTTPS yet. The websites are thereby prone to be manipulated and impersonated by third parties, and sensitive user data communicated with the website can be intercepted more easily by foreign intelligence agencies. This leaves national security officials, intelligence/military personnel, patients and banking customers exposed to all of these risks.
Organizations that are affected include the People’s Liberation Army Navy, the People’s Public Security University of China, the Chinese Central Government’s Network, the Ministry of Foreign Affairs, the United Front Work Department of the CCP’s Central Committee, Beijing Hospital, China United Airlines, Bank of Jilin, Renren (social media platform) and People’s Daily (newspaper).
It is worth noting that some of the Chinese-based websites do deploy HTTPS. Others again embed HTTPS content in the HTTP page, but this is insufficient as someone could conduct (Wo)-Man-In-The-Middle-Attacks and replace the “authentic” login page with another “fake” one. (More details on specific sites lacking HTTPS are available at the end of this piece.)
There may be many reasons why the current state of website security, and cyber defense capabilities more broadly, in China is dire. One explanation may be that authorities and private companies that run the websites have been unaware of their bad security practices. Another reason may be that while private industry and nongovernmental organizations have pushed for HTTPS implementation in the West, similar movements may not have taken place in China. Yet another cause for weakened cybersecurity and defense capabilities may be the government’s intentional weakening of encryption and security practices to enable China’s information controls apparatus.
Information controls (performed through surveillance, censorship, inducing of self-censorship and strategic information dissemination) have economic and human rights implications. Both China and many Western countries rely heavily on surveillance and the shaping of discourse to control information within their territories. However, democracies diverge in their information control practices by limiting the amount of censorship and inducing self-censorship in their populations.
Overly repressive information controls have not hindered China’s digital economy from expanding, but some commentators argue that restricting the free flow of information has stifled growth, as seen within the live-streaming industry. Pervasive information control has had more direct effects when it comes to human rights and has left ethnic minorities and political dissidents alike exposed to the arbitrariness of the ruling party.
While the economic and human rights implications of information control have been researched more extensively, their effect on cyber defense capabilities has not been analyzed sufficiently. Such an analysis is overdue and is critical in order to have informed engagements with China in cyberspace.
Policymakers need to be aware that successful competition in cyberspace depends on having intrinsic knowledge of the consequences a democratic or authoritarian mode of government has for a country’s cyber defense. Western leaders have for a long time prioritized security of physical infrastructure. This might translate into better cyber defense capabilities, but it leaves those governments open to information operations. At the same time, more authoritarian-leaning countries may have comparative advantages when it comes to defending against information operations but at the cost of perhaps being more vulnerable to cyber network attack and exploitation. Authoritarian governments may tolerate this compromise on security due to their prioritization of surveillance and censorship practices.
These diverging emphases on different aspects of cybersecurity by democratic and authoritarian governments are not new. However, Western governments have put too much emphasis on the vulnerability of democracies to information operations, and not enough attention has been dedicated to the vulnerability of authoritarian regimes in their cyber defenses. It is crucial for democratic governments to assess the impact of information controls and regime security considerations in authoritarian-leaning countries for their day-to-day cyber operations.
Different information control regimes not only influence the adoption of encryption but also affect the wider internet infrastructure in a country. This raises the question of how the Great Firewall (China’s censorship and surveillance project) or SORM (System for Operative Investigative Activities—Russia’s online surveillance system) could be used for defense purposes or be taken advantage of by the offense during potential hostile activities. The Great Firewall’s infrastructure, for instance, has been already used for offensive purposes abroad, in a distributed denial-of-service attack dubbed the Great Cannon.
For a long time, China may have preferred to focus on its offensive instead of defensive cyber capabilities. The People’s Liberation Army has already tilted its thinking in this direction by emphasizing the need for stronger cyber defense capabilities. Perhaps a broader rethinking should take place within China to give greater freedom and anonymity to internet users by increasing genuine cybersecurity without government backdoors and insight into all networks.
But drastic institutional reform, including implementing ubiquitous encryption, is unlikely to occur given that adopting strong encryption more widely would weaken the government’s insight into its citizens’ opinions and lessen its ability to manipulate and deny content domestically. This would mean a fundamental challenge to the information control apparatus that has cemented the ruling class in power. If China keeps up the status quo, however, doing so may come at the expense of its cyber defense capabilities—and benefit competing powers in their cyber operations for years to come.
Government, Military, Police
- PLA Navy
- People's Public Security University of China. The university trains elite police officers and is ranked as China's best police academy.
- The Supreme People's Procuratorate of the People's Republic of China. This is the highest national level agency responsible for both prosecution and investigation.
- Ministry of Justice
- The Chinese Central Government's Web Portal
- Civil Service Examination Registration System of the Ministry of Foreign Affairs
- Xinjiang Uygur Autonomous Region People's Government Network
- United Front Work Deparmtent of CPC Central Committee. The department aims to influence high-level individuals and organizations inside and outside China.
- Shanghai United Front Work Department
- Communist Party Member Network of the CPC Central Organizational Department. The department controls staffing positions within the Communist Party of China.
- Ministry of Finance Bill Supervision Center. The Ministry's platform for businesses.
- Tianjin Public Security Bureau
- National Social Insurance Public Service Platform
- State Administration for Market Regulation
- National Archives Administration of China
- Ministry of Agriculture and Rural Affairs
- General Administration of Customs
- State Cryptography Administration Beijing
- China National Intellectual Property Administration
- Ministry of Water Resources
- Hong Kong and Macao Affairs Office of the State Council
- China Academy of Engineering Physics
- China Meteorological Association
- National Food and Strategic Reserves Administration
- China United Airlines. China United Airlines used to be part of the People's Liberation Army Air Force
- Air Changan
- Urumqi Air
- Renren. In 2018 Renren claimed to have 31 million monthly unique logins.