State, PLA and Private Companies’ Collaboration
China is rapidly building cyber ranges that allow cybersecurity teams to test new tools, practice attack and defence, and evaluate the cybersecurity of a particular product or service. Nineteen of China’s 34 provinces are building, or have built, such facilities.
Their purposes span from academic to national defence. In short, the presence of these facilities suggests a concerted effort on the part of the government, in partnership with industry and academia, to advance technological research and upskill its cybersecurity workforce—more evidence that China has entered near-peer status in the cyber domain.
A report titled “Downrange: A Survey of China’s Cyber Ranges”, by the Center for Security and Emerging Technology, published in September 2022, examines some of China’s 19 facilities that have demonstrable ties to the military or security services.
China’s investment in cyber ranges is in line with what is known about other efforts to bolster the country’s hacking and cybersecurity capabilities. As these facilities mature, network defenders who find themselves in the crosshairs of China’s hacking teams may be subject to attacks that have been rehearsed, tested, and sometimes practiced on replicas of their own networks.
Important Findings
This report finds:
1. China’s cyber ranges facilitate joint exercises between the People’s Liberation Army (PLA) and civilians. One competition hosted each year in Chengdu aims to replicate the North Atlantic Treaty Organization’s (NATO) Locked Shields exercise. Teams include representatives from the military, private cybersecurity firms, and critical infrastructure operators. Separately, a defence state-owned enterprise (SOE) makes a “comprehensive space scenario range” available to civilians at an annual cybersecurity competition. Each of these examples demonstrates China’s implementation of military-civil fusion in the cyber domain.
2. Some cyber ranges allow hackers to practice attacking and defending critical infrastructure systems. Some ranges provide users with training on industrial control systems within the cyber range; one of which purportedly engages in “national offensive and defensive exercises.” The Office of the U.S. Director of National Intelligence’s 2022 unclassified annual threat assessment found that China was “almost certainly […] capable of launching cyberattacks that would disrupt critical infrastructure services.” These ranges could allow rehearsals and testing of these types of attacks in the future.
3. Peng Cheng Laboratory in southern China is using a supercomputer to research artificial intelligence’s (AI) application to cybersecurity. The lab’s partners include the National University of Defense Technology, China’s Key Laboratory of Science and Technology for National Defense, and Shanghai Jiao Tong University, a university with ties to military hacking teams. The lab has quickly earned the respect of longtime experts in China’s cybersecurity community.
Ranges Enhance Chinese Defence
China’s cybersecurity posture will be enhanced by the use of cyber ranges in several ways. First, China’s critical infrastructure, massive data troves, and government agencies will be better defended. Cybersecurity teams with years of experience and hours of practice on a range will be better able to defend against a variety of threats. Second, China’s attacks are likely to increase in efficacy and capability. While there are no indications to date that China has launched a physically destructive or disruptive cyberattack against another country’s critical infrastructure, the ranges covered in this report suggest such a lack of action may be based in policy rather than from a lack of capabilities. Besides making attacks on industrial control systems more feasible, other types of attacks will improve as well. For example, hacking teams have more opportunities to try new tactics, techniques, and procedures.
Components of Cyber Ranges
Cyber ranges can help these agencies provide the experiential learning that hackers need. A set of virtual machines—software that creates a computer within a computer— comprise most cyber ranges. Because virtual machines are cheap software to license, a cyber range can quickly grow in size but with little additional cost. The operator can design the range to his or her needs, specifying how the machines are connected, what operating system they use, and even the range’s defences. The best cyber ranges aim to simulate real computer networks. Few achieve this high standard, and for most users “close” is good enough. The best government-funded cyber ranges can simulate millions of connections.
But cyber ranges do not only let users learn new tools, they also let them practice. Offensive teams that hope to damage or impair physical systems with precision often need to rehearse. Attacking an electrical substation or gas pipeline requires deep knowledge about the target. A cyber range built to emulate that target can help attackers make sure that they are on the right path. Industrial networks can be recreated from stolen data; AI may even help attackers understand how to attack these systems.
Background and Recent Policies
The Chinese Academy of Sciences (CAS) established China’s first national cyber range in 2010. That was China’s first publicly-acknowledged, government-led effort to establish such a facility. Some of China’s best universities, military hacking teams, and private cybersecurity firms likely already had access to cyber ranges.
Cyber ranges within China featured prominently in 2021 in two important ways. First, the Ministry of Industry and Information Technology began soliciting public opinions on the drafted Three-Year Action Plan for the High-Quality Development of the Cybersecurity Industry (2021-2023) in July 2021. MIIT policymakers called on the government and industry to build “AI security cyber ranges,” promote research on cyber ranges, use cyber ranges for training, and invest in cyber ranges that can be used to train defenders of China’s futuristic smart cities. MIIT frequently allocates money for research on cyber ranges, including allotments to research partnerships between universities and the PLA Strategic Support Force—the service branch responsible for computer network operations and space systems.
China issued its second policy addressing cyber ranges a few months later in October 2021. The National Industrial Information Security Development Research Center, a research institute of the MIIT, published a document whose contents were only summarized publicly. In the policy document, titled “Industrial Cyber Range Platform Technology Capability Evaluation Criteria”, policymakers lay out the standards that China’s Industrial Control System cyber ranges should aspire to meet. Available summaries reference standards from companies such as Dragos, KPMG, EY, and Deloitte. What little information is publicly available stresses the close connection between industrial security and China’s future as an automated manufacturing powerhouse.
Private Sector Participation
China, like many countries, has a robust market for cyber range providers. Private sector companies sell services to universities so cybersecurity students can practice their skills. Some companies specialize in supporting critical infrastructure operators, helping electrical grid operators learn how to defend their networks. And still some companies focus on training other private sector employees. Similarly, it is well known that China’s premier military university for hackers—the PLA Information Engineering University—has a cyber range.
Potential Cyber Range Uses in China
There are a number of potential uses of cyber ranges. The following have been observed in China:
● Training on new tools and techniques in a controlled environment.
● Practicing attacking and defending industrial control systems.
● Evaluating product cybersecurity—smart cars, Internet of Things (IoT) devices, etc.
● Evaluating the efficacy of cybersecurity/antivirus products. Such evaluations can determine whether the products will detect new attack methodologies or malware. These evaluations can also help attackers evade a target’s defences. China’s military has been observed purchasing such systems.
● Recreating networks to allow defenders to practice defending those systems and attackers to practice attacking targeted systems.
● Planning attacks using attack graphs, which recreate a network and determine which pathways to a target are least likely to pique the interest of defenders. Some researchers are using an AI technique, reinforcement learning, to determine and optimize these attack paths.
● Replicating smart-city networks for defenders to practice protecting internet- connected infrastructure and surveillance systems.
Conclusion
The development of China’s cyber ranges highlights how its military-civil fusion strategy is applied to the cyber domain, leveraging academic institutions, companies and government labs/entities to work toward a central goal. These ranges not only provide the opportunity for civilian organizations and the military to practice their skills together, but they also consistently engage in national security related research in areas such as applying machine learning frameworks to software vulnerability discovery, applying AI to cyberattack and defence, and developing attack and defence methodologies for industrial control systems.
The growth of China’s cyber ranges is not accidental. Central policymakers signalled their interest in cyber ranges for education, training, AI development, and testing in China’s most recent development plan for the cybersecurity sector. Consequently, municipal and provincial governments funded the development of cyber ranges with sometimes significant subsidies in alignment with Beijing’s political mandate. Other cyber ranges included in the appendix receive similar funding across China. The decentralized approach to investment supports innovation by provincial governments and increases opportunities for cooperation and collaboration between the military and civilians.
Cyber ranges are key to training the next generation of talent to defend, and potentially attack, critical infrastructure. China—through the development of its ranges—is providing a venue for testing and exercising the tools and techniques to attack and defend critical infrastructure while developing the technical talent to execute these operations. Although no cybersecurity firms or governments have yet attributed a disruptive or destructive attack on industrial control systems to China, this report on its cyber ranges demonstrates that the PLA has the capabilities to do active research in this area and could be postured to conduct such attacks in the future. New research on Chinese procurement records and research publications shows Chinese interest in procuring the capabilities for such destructive attacks, following the 2015 attack on Ukraine’s electrical grid. China’s interest in having that capability is likely driving those requests.
As new cyber range capabilities develop and mature, the lessons learned from their use will provide more policy options to Beijing. Competition among states for influence and power in China’s near-abroad will continue to shape Beijing’s policy in the region. Besides positive incentives that induce cooperation, such as trade deals, disincentives—like potentially learning that Beijing has implanted destructive malware on your country’s electrical grids—bolster China’s ability to compel other countries.
Although the time and place of future cyber operations is hard to predict, the scope and scale of China’s operational capabilities is growing. Investment precedes capabilities, and China has invested.
Based on “Downrange: A Survey of China’s Cyber Ranges”, A report by Center for Security and Emerging Technology, 2022
