In November 2021, the U.S.-China Economic Security Review Commission published its annual report to Congress. The Commission addressed several key areas in the report, including the Chinese Communist Party’s (CCP) ambitions in the wake of its centennial; its technological and economic aspirations; China’s growing influence in Latin America; Beijing’s increasing control over its corporate sector; and China’s military capabilities, among other topics. One of these was China’s burgeoning use of its cyber capabilities as a state tool supporting its political, military, and economic well-being.
The use of cyber capabilities to conduct disruptive and destructive attacks looms large in Western thought, and Beijing is no different, as evidenced in their writings, in which they see cyber-attacks as both a complementary facet of kinetic attacks as well as an independent force to achieve specific objectives. The Commission’s report highlights cyber capabilities as part of China’s strategy to reclaim Taiwan via coercive measures. Indeed, several Chinese authoritative sources cite the capability of cyber as an instrumental weapon, especially when harmonized with other capabilities. But the true threat from China is not from these cyber-attacks meant to disrupt or destroy networks or operations, but a threat derived from “soft power” sources. These include but are not limited to legal channels, international standards-setting, influence campaigns, and propaganda, all of which can create a considerable impact in a non-destructive way.
China’s view of cyber now extends past the typical OSI model layers that have long dominated hacker culture, to include the actual data or information that traverses the digital domain. Yes, these physical and technical layers remain an important facilitator, as their integration into all facets of society is crucial to developing a country’s economy, contributing to social stability, and engaging in global matters. Because of this global integration, their utility is without question: the architectural component of the Internet needs to continue to operate efficiently. As a result, Beijing strives for technical independence from foreign developers and suppliers. Self-sufficiency to guard against outside influences is paramount, as it protects China from the very types of activities that it engages in (e.g., cyber espionage, influence campaigns, propaganda). But where networked technology infrastructure is foundational, information and data sit at the top of the pyramid.
For Beijing to achieve global leadership in an interconnected world, it needs to be able to put a barrier between China and outside forces. The Commission’s report highlights such areas that deserve to be looked at and understood by policymakers because they point to China’s ascendency not from force or coercion but via channels available to any nation. One of these areas of import is the legal front, where China has made headway in strengthening its “digital boundaries” via a series of laws that have been passed or are under review. China has been known to engage in “legal warfare” – a type of aggression that uses legal means to constrain an adversary. During peacetime, legal warfare attempts to influence audiences to give legitimacy to China’s actions.
The passing of draconian domestic legislation is often viewed as a form of internal authoritarianism, a way to keep the population monitored and in check and, in turn, preserve the regime’s power. By their very nature, laws give certain issues the veneer of thoughtfulness, reason, and the rule of law. China has been aggressively drafting and enacting legislation to help in this regard. As an economic power, Beijing knows that it must be open to outside businesses working with and in China. Over the past several years, China has drawn up new laws or reinforced those already on the books.
In 2021, six pieces of legislation were either introduced or went into effect addressing data security, personal information protection, data transfer, and data management mandates for organizations (foreign or indigenous) associated with critical infrastructure organizations. And these are in addition to China’s 2017 Overseas Non-Governmental Organizations Law, 2017 Cybersecurity Law, and 2015 National Security Law (which ostensibly initiated Beijing’s efforts to dictate the management of data by foreign entities).
Collectively, these laws reinforce China’s belief that as a cyber sovereign nation, it has complete control over its portion of cyberspace to include all the data and networks therein. As such, they are subject to the laws of China over all else, including international law. This not only helps bolster Beijing’s cyber security readiness but demonstrates their belief that cybersecurity and national security are inextricably intertwined. While other nations may also have this belief system, they have invariably fallen short in marrying these two security concepts. Beijing is putting into practice what it believes.
When seen through the prism of data, China sees information as the instrumental component to control. This is not surprising, as authoritarian regimes are always conscious of information seeking to disrupt the social fabric or criticize the established order. But the data these laws address are not just words on a page. It is the legal framework for any data that any entity – particularly a foreign one – creates, processes, stores, or transmits in “Chinese cyberspace”. The potential impacts of these data laws stretch well beyond the more familiar issues of and framing around human rights and domestic surveillance. While these laws certainly facilitate these types of activities, they play into a larger plan for Beijing to become the global leader that influences all things “Internet” – from governance to setting standards, to helping codify cyber norms of state behavior in cyberspace. Even if it fails in being the most influential state in these areas, the legal environment in China guarantees foreign organizations will have to comply if they want to operate in the Chinese economy. Per China’s data transfer regulations, in addition to requiring companies to report how much and what type of “important” data is transferred abroad, there are no limitations on what personal information the government can collect. The potential to disrupt foreign business operations is very high and now appears legal in China.
China’s goal has been to ascend to the position of a global leader. For a while, it adopted a peaceful rise approach so as not to cause consternation in the world about how it achieves this goal. Since Xi became president, China’s tactics have changed, becoming more aggressive regardless of international pressure. In fact, China appears almost purposeful in constraining relations with other global leaders to include the United States, Europe, India, and the United Kingdom. This maneuvering comes at a time when China is celebrating its centennial, Xi has firmly entrenched himself as the leader for the foreseeable future, and China arguably is in its strongest geopolitical position in modern memory. Per the Commission’s report, the CCP markets its centennial by preparing for a “decades-long confrontation with the United States.” This should serve as a wake-up call for the United States.
China is not obfuscating its intent. Beijing is taking advantage of the current geopolitical environment, where China’s influence has left an indelible imprint. Lingering COVID complications, supply chain issues, and climate change are all integrated into the China question, with increasing strategic implications. Beijing’s recent focus on control of its internal affairs, as well as how foreign organizations will operate in China, suggests that Beijing thinks the time is right to assert itself on the global stage, particularly as the United States appears overwhelmed by domestic strife and pandemic woes. Controlling data is tantamount to preserving Beijing’s status, which may help explain why there are so few destructive cyber-attacks attributed to China. Cyber weaponry is about projecting power, showing force, not maintaining it. And while the United States may have considerable cyber weaponry at its disposal, its inability to understand the magnitude that information plays in cyber conflict continues to hinder its ability to match China.