December 5, 2022 | Washington Examiner

China has a cyberspace campaign plan. Does Washington?

Ransomware payments are estimated to have cost U.S. companies more than $1 billion in 2021, according to the Treasury Department. But that staggering figure pales in comparison to the hundreds of billions of dollars' worth of intellectual property China steals from American businesses each year.

Over the course of 18 months starting in June 2017, one Chinese scientist alone stole proprietary information worth $1 billion from his employer. The scale of China’s global hacking operations makes Beijing a formidable opponent. But it is the tactics that Chinese hackers employ — penetrating supply chains and the ecosystem behind the digital economy — that provide Beijing with exponentially greater opportunities to undermine the U.S. economy and our security.

The U.S.-China Economic and Security Review Commission cautioned in its 2022 annual report that over the past decade, “China has engaged in a massive buildup of its cyber capabilities.” China’s cyberoperations are “more stealthy, agile, and dangerous,” the report warned, as Beijing has increasingly relied on “third-party compromise to infiltrate victims’ networks.” Rather than develop dozens of different battle plans to attack individual victims, Chinese hackers compromise one IT service provider and piggyback on that vendor’s access to infect “hundreds of direct and thousands of indirect clients,” as Microsoft explained in its 2022 annual Digital Defense report. Beijing penetrates “telecommunications firms, providers of managed services and broadly used software, and other targets potentially rich in follow-on opportunities for intelligence collection, attack, or influence operations,” the U.S. intelligence community concluded in April 2021.

This is not a new strategy for Beijing.

During Operation Cloud Hopper, which began in 2014, Chinese hackers compromised managed service providers to penetrate hundreds of companies worldwide, across numerous industries. In 2017, suspected Chinese cyberactors compromised a popular computer program, inserted a backdoor into a software update, and gained access to the more than 2 million machines that downloaded the malicious patch. They then selected 40 affected IT companies, including Samsung, Sony, Intel, and Fujitsu, for follow-on intrusions. In 2021, hackers working for China’s Ministry of State Security exploited vulnerabilities in Microsoft Exchange Server to compromise tens of thousands of individual servers worldwide. The White House called the operation “irresponsible and destabilizing.” Beijing likely viewed it as fruitful and rewarding.

In mid-November, security researchers revealed yet another Chinese operation: State-backed hackers attacked a certificate authority — an organization that provides digital verification for websites, services, and applications. Compromising a certificate authority allowed the hackers to more easily impersonate trusted websites, hide malware, and intercept encrypted data. With each of these operations, China revealed its strategy — if only Washington were paying attention.

China prioritizes widespread infiltration through supply chain compromise rather than blunt spear phishing or exploitation of an individual target. Supply chain attacks have exceptional value because they enable persistent access, sustained collection, and tailored operations. They reflect a broader shift from a “target-centric” strategy toward a “capability-centric” strategy, through which Beijing can pursue multiple objectives at once. These include economic espionage, economic coercion, critical-infrastructure disruption, and the accumulation of personally identifiable information.

Collectively, these objectives combine to facilitate China’s cyberenabled economic warfare. It’s an approach we detailed in a report earlier this fall on the strategies of America’s cyber adversaries. Beijing is seeking not just to promote its interests but also to diminish the influence of the U.S. and other free-market democracies. Beijing hopes to use this cyberenabled economic warfare to “win without fighting,” according to a long-established Chinese strategic doctrine.

To combat China’s efforts to weaken the U.S. economy and security, Washington will need to recognize and fight this challenge. Measures to date have fallen short. Sanctioning individual Chinese hackers has limited effect if those who profit from cyberenabled intellectual property theft are not also punished. Promoting cyber hygiene is laudable but wholly insufficient if the U.S. continues to permit Chinese technology providers to equip U.S. communications infrastructure. America’s export controls may have some effect. Unless Washington can convince its partners to impose similar controls, however, China will circumvent them, coercing and persuading America’s other trading partners to provide access to technology the U.S. seeks to restrict.

The task for the Biden administration and Congress is to develop effective countermeasures to thwart Chinese cyberoperations and undercut Beijing’s investment in strategic technologies. Washington must also relentlessly impose costs on Chinese actors who perpetrate and benefit from this cyberenabled economic warfare.

Since President Barack Obama and Chinese leader Xi Jinping first held a summit on cyberenabled intellectual property theft in 2015, policymakers on both sides of the aisle have come to recognize that Chinese cybercapabilities pose a significant long-term threat to U.S. national security and prosperity. Recognizing the threat is the first step to confronting it, but without an understanding of how the enemy operates and a robust battle plan to win the cyberenabled economic war, Washington won’t.

Rear Adm. (Ret.) Mark Montgomery is the senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies. He previously served as the executive director of the congressionally mandated Cyberspace Solarium Commission. Annie Fixler is CCTI’s deputy director. Follow the authors on Twitter @MarkCMontgomery and @AFixler.
