China’s military modernisation since the start of the twenty-first century has been nothing short of astonishing. In little over three decades, it has built thousands of modern combat aircraft, created a fearsome arsenal of missiles, and fielded the world’s largest navy, radically changing Australia’s strategic circumstances. But amid all the discussion of air power, rocketry, and maritime power, there is a more silent but nonetheless critical element of its modernisation: China’s cyberwarfare capabilities.
In a networked world where everything from banking to missile telemetry is supported by cyberspace, capability in this domain is a critical enabler for all other kinds of national power. Moreover, cyber operations are the only kinds of attacks from which Australia’s geography provides no natural defence.
China’s cyber capabilities are sophisticated and bolstered by an interesting combination of state-employed hackers and civilian researchers. The former are contracted by the government. The latter openly participate in international “bug bounty” programs (which reward ethical hackers for finding and reporting security vulnerabilities in an organisation's systems) and identify “zero-day vulnerabilities” for foreign companies including Google and Microsoft.
Civilian researchers hone their skills by supporting international corporations: between 2017 and 2023, 27% of vulnerabilities submitted to bug bounty programs run by Apple, Google Android, and Microsoft came from Chinese researchers. Until 2018, these researchers also participated and excelled in international hacking contests such as Pwn2Own in Vancouver. China established a domestic version of this competition, the Tianfu Cup, held in Chengdu.
This allows China to produce elite researchers who can test their skills in a competitive environment while also ensuring a tight grasp on the research and the researchers. In 2021, China implemented legislation which requires researchers to inform the government of any security vulnerabilities they find within 48 hours of discovery. The government is under no obligation to reveal these vulnerabilities and so has effectively created a stockpile of exploits which could be used in any number of cyber operations.
This is a robust pipeline, enabling world-leading research into cyber operations while ensuring that the primary beneficiary of such research is the Chinese government.
The People’s Liberation Army Cyberspace Force (CSF), which has only existed in its current form since April 2024, occupies an interesting place in this ecosystem. The CSF conducts cyber espionage and targeting and attack functions, mainly against military targets rather than civilian ones. It appears that responsibility for cyber operations against civilian targets is more the purview of intelligence organisations such as the Ministry of State Security and the Ministry of Public Security, including the curious public-private partnership it has struck with Chinese cyber researchers.
In the event of, or in the lead-up to, a conflict with a foreign adversary, Chinese cyber actors would undoubtedly seek to undermine both the general confidence in government and military operations, and the ability for those operations to be conducted at all. This has invited comparisons between likely Chinese cyber strategy and strategic bombing during the Second World War.
The NotPetya ransomware attack in 2017 illustrates the disruption that cyber-attacks can cause. In June of that year, Russia planted malware in Ukrainian systems using a series of unpatched vulnerabilities in Windows operating systems. The attack paralysed businesses across Ukraine, as well as multinational corporations such as Maersk (many of whose ports around the world were at a standstill), the UK’s National Health Service and FedEx. It also caused Windows-based sensors monitoring radiation at Chernobyl to shut down.
This attack caused some $10 billion of damage around the world and was indiscriminate in execution. Targeted attacks could be just as impactful, if not more so, as the famous Stuxnet worm demonstrated in 2010 when it destroyed one-fifth of Iran’s nuclear centrifuges.
Publicly identified Chinese cyberattacks have not been on the scale of NotPetya, but that attack occurred during a conflict. In addition to cyber espionage that, until its discovery, compromised at least 141 companies, a Chinese hacking group known as Volt Typhoon has been detected using “living off the land” techniques (where attackers use legitimate, pre-installed systems rather than malware to carry out attacks) within critical infrastructure systems in Guam.
That this intrusion was detected could be interpreted as Chinese hackers not being able to circumvent US defences. But it could also be just one of potentially many other intrusions that have gone undetected. It is highly likely that China will deploy similar tactics against Australia in the future, if it is not actively doing so already.
These kinds of disruptive cyber operations have an important place in Chinese strategic thinking. At the highest and most destructive level, China would use cyber-attacks to, in the words of one Chinese research paper, “paralyze the social information network, thereby causing chaos in the national economic system and triggering social unrest and unrest.”
When we consider the damage caused in Australia in recent years by data breaches from cyber espionage, or even unplanned network outages which have led to mass economic disruption and preventable deaths, we should also imagine such disruptions occurring at larger scale and in coordination with other forms of military coercion. This is one of the key threats Australian policymakers must now contend with.
