Writings on Chinese cyber operations tend to focus on cyber espionage and the stealing of state secrets for China’s military modernisation. Comparatively in discussions of cyber operations, cyber coercion and Chinese cyber coercion are infrequently mentioned. This has to do with the ambiguity surrounding the definition of cyber coercion and the challenges of attribution.
Chinese cyber coercion is understood as a subset of what is known as weishe. Weishe is, in direct English translation, understood as “deterrence”, but is conceptually understood as a combination of compellence and deterrence. In theory, cyber coercion thus operates by compelling actors through cyber operations to produce an effect called deterrence wherein actors are deterred from decisions that are harmful to China’s interest. This role of compellence in cyber deterrence is made clearer when contrasted to the cyber deterrence strategies discussed so far in the United States and the United Kingdom. The use of cyber deterrence in the respective countries appears mostly in reference to a retaliation to a cyber-attack or in building domestic resilience to make an attack costly. In contrast, in the Chinese context, compellence and deterrence are one, the role of compellence is encouraged, and a cyber–attack does not seem to be a prerequisite to the use of cyber deterrence.
The theoretical understanding of weishe, however, is imperfect in practice. Whether deterrence is truly a component of weishe is subject to disagreement and is debated amongst Chinese analysts. If this is the case, then what lens should be used to analyse potential Chinese cyber coercion?
Observed practice of cyber coercion may be a more helpful lens than its theoretical counterpart. Observed practice can include the combination of vague threats, an implied actor, and an implicit desired behaviour. In a greater layer of complexity, consistency across the elements’ contents is not necessary. For instance, cyber coercion may include explicit threats, an implied actor, and an explicit desired behaviour. Therefore, observed practice captures a more detailed variation of what is understood as cyber coercion—something which is illustrated in the following three cases.
The cyberattacks against South Korea in 2017 illustrate one of the clearer cases of Chinese cyber-coercion, specifically cyber-enabled economic coercion. It also demonstrates the use of cyber deterrence to deter a country from choosing a political decision that is judged as harmful to China’s security. On February 7, 2016, officials from the United States and South Korea announced discussions on deploying Terminal High Altitude Area Defence missile defence system (THAAD). Beijing, however, disapproved of the X-band AN/TYP-2 band radar system which would allow for approximately a 3,000 miles detection range. This would mean potential US military monitoring of activity in China and the undermining of China’s nuclear deterrence.
In correspondence to the announcement of THAAD, there were reported increases in cyber intrusions. In the first half of 2017, there were over 6,000 cyber intrusions from China against the South Korean Foreign Ministry’s servers which was an increase from the 4,600 in 2016. Furthermore, Lotte Group, a South Korean-Japanese conglomerate was also attacked. Chinese internet protocol addresses took parts of Lotte Group’s storefront offline for several days, and Chinese e-commerce sites stopped co-operation with Lotte. This has been connected to Lotte Group permitting the South Korean government to use its golf course to deploy THAAD. South Korea did end up agreeing to limitations on THAAD, but it is difficult to say whether this was uniquely due to the cyber impacts because of the presence of other coercive levers. For instance, the Chinese government shut nearly all of Lotte’s physical stores in China. Cyber coercion, however, does signal great displeasure, and the intentions can be perceived as the use of compellence to deter further plans regarding THAAD.
Whilst the THAAD case outlines more clearly what happened and who the suspect is, other potential cases do not. Cyber operations in Hong Kong and India demonstrate cases of an explicit threat, an implied desire, and an implied actor.
Over the course of Xi Jinping’s rule, a tighter grip has been imposed on Hong Kong and protests have become more dangerous to participate in. Joshua Wong and Agnes Chow, who were the faces of Hong Kong’s protests against the Chinese Communist Party’s grip, are now imprisoned. The 2019-2020 Anti-Extradition Law Amendment Bill Movement, which was a series of movements against the Extradition Bill, coincided with the emergence of HKLeaks—a doxing website which appeared in late August 2019. The website doxes anti-government protestors, revealing people’s personal identifiable information (PII) such as headshot, social media handles, phone numbers and their misdeeds. The threat is explicit in that it threatens an individual’s privacy and makes the struggle for a freer Hong Kong even more costly. There have even been instances of malicious targeting. In one case, a doxed female reporter from Apple Daily, a Hong Kong tabloid known to criticise the Chinese Communist Party, started receiving threatening calls.
The argument that China is behind this is difficult to build, although there are very subtle implications behind HKLeaks that tie it to state-sponsored actors and potentially to the Chinese state. Aside from China’s interest in Hong Kong, looking at who or what HKLeaks is connected to is informative. HKLeaks has been linked to social media accounts similar to those taken down for being fake accounts linked to state-backed actors, which were also used as a tactic in disinformation campaigns against Taiwan. Some information of who the state could be is found in anecdotal evidence. According to an alleged victim of HKLeaks, they gave a “fake address I’ve never given to anyone” to Chinese police at the Hong-Kong and China border when returning from a business trip from mainland China. His address afterwards appeared on HKLeaks. Whilst the link between cause and effect is unclear, these disparate points of evidence could arguably form a weakly implied Chinese state as actor.
HKLeaks is also positively viewed and engaged by the Chinese state. For instance, the official Weibo account of China’s state-owned TV network, “published a video showcasing the HKLeaks website, and urged followers to ‘act together’ and ‘tear off the masks of the rioters’”. This post was then shared by “the Weibo accounts of local Chinese police, local media outlets, branches of Chinese Communist Youth League, and others.” Again, the actor cannot be established, but there is certainly a perception of an implied actor, an implied (or explicit, depending on one’s perception) desire to stop the protests and the threat of the violation of privacy and potential harm to the individual. This arguably forms a cyber coercion, rendered perhaps more threatening by the ambiguity on how members are being doxed and by not knowing the exact actor.
The case of the Mumbai power outage in October 2020 is a similar case where there is implied Chinese involvement. However, connections to the Chinese state around this topic is slightly clearer and less speculative. Speculation of China’s involvement is found across Foreign Affairs, NY Times, and The Diplomat, and domestically amongst Indian officials. The main source of information, however, is from a report by Recorded Future, a private cybersecurity company. On February 28 2021, Recorded Future published a report which demonstrated a connection between Red Echo, a Chinese state-sponsored group, and the installation of malware into civilian infrastructure such as “electric power organisations, seaports, and railways.” This cyber intrusion is thought to connect with the border conflict occurring at the time and has led to speculation about the connection to the Mumbai power outage. According to retired cyber expert Lt. Gen. D.S. Hooda, the power outage has acted as a signal from China to indicate “that we can and we have the capability to do this in times of a crisis.” Such a signal draws parallel to the cyber intrusions concerning South Korea and THAAD.
All three cases demonstrate the inherent limitations in analysing cyber coercion (as deterrence through compellence.) Even if China is implied from political context and from malware, building a case to clearly identify the Chinese State’s direct involvement is difficult to build without clear attribution. Nevertheless, if China is definitively involved, the utility of being an implied actor may be helpful with information operations elsewhere wherein appearing benign is used to gather support of the country. The case of Mumbai and South Korea also bring up interesting questions for compellence and deterrence, with China potentially being seen to blur the two. Cyber coercion overall remains somewhat enigmatic. The ambiguity is likely advantageous for the actor(s) behind the acts of cyber coercion. Ambiguity helps reduce chances of liability, which permits for a more peaceful (less conflict inducing) approach to manipulating and shaping another state to one’s desires.
Orlanda Gill is a MA National Security Studies student and a mentee of Young China Watchers. Her interests include the technology-security nexus, East Asian security, and the integration of both interests.
You can find her on Twitter at @orlanda_gill.