Three Scenarios for Understanding Changing PLA Activity in Cyberspace

Publication: China Brief Volume: 15 Issue: 23

The Ministry of State Security under Geng Huichang may be in charge of an expanded economic cyber-espionage capability.

At the end of November, Chinese President Xi Jinping chaired a three-day Central Military Commission (CMC) forum on wide-ranging reform in the Chinese People’s Liberation Army (PLA), hosting senior military officers from the four general departments and other major work units. The outcomes heralded in Chinese press included reorganization of military regions, creation of a separate headquarters for the ground forces, and streamlining of the CMC in addition to the promised cuts of 300,000 troops (PLA Daily, November 28; China Daily, November 28). Although the Chinese military’s role in cyberspace went unmentioned, this planned rationalizing of the PLA’s management and activities raises questions about the future of the PLA involvement in economic espionage—an activity that does little to directly prepare the PLA to “fight and win wars” and compromises Beijing’s efforts to “[safeguard] national security and developmental interests” (State Council Information Office, May 26).

Official sources are silent on Chinese economic espionage, apart from denials such as Ministry of Foreign Affairs spokeswoman Hua Chunying’s latest denunciation of those who pedal “unfounded accusations” about Beijing’s theft of intellectual property (Ministry of Foreign Affairs, December 2). Some rumors in China suggest the PLA’s computer network operations units will be consolidated under a single command—a move that seems more credible in light of recent organizational reform announcements (Bloomberg, October 22). Recent press reports quote U.S. officials stating that the PLA signals intelligence organization, the Third Department of the General Staff Department (3PLA), is moving out of the economic espionage business following the U.S. indictments of PLA officers in 2014 and the cybersecurity agreement emerging out of Xi Jinping’s state visit (Financial Times, December 1; Washington Post, November 30).

Drawing firm conclusions about what is taking place is difficult. Some information security analysts familiar with Chinese intrusion sets are less optimistic about 3PLA’s movement out of stealing economic secrets to support Chinese companies, or changes to Chinese behavior in cyberspace (Associated Press, October 19). In this situation, it is worth sketching out several possibilities that might explain the reported changes in PLA computer network operations. The following sections will paint three plausible scenarios, all of which start with the assumption that the PLA is changing, if not necessarily curtailing, its hacking of purely commercial/economic targets.

Scenario 1 – Best Case Scenario: PLA Moving Out of Economic Espionage

The best case is that U.S. pressure and publicity have combined with Xi’s military reform and anti-corruption drives in the PLA to spur a shift in behavior. Since Xi Jinping assumed the leadership in November 2012, he has pushed a two-pronged approach to modernizing the PLA and resolving the contradictions between the PLA’s responsibilities and its capabilities—known by the CMC-endorsed moniker “Two Incompatibles” (两个不相适应) (PLA Daily, November 29). First, Xi has taken a direct role in guiding military modernization through the creation of a leading small group, overlapping in responsibilities but separate from the Central Military Commission, focused on defining future reforms rather than delegating this function to the General Staff Department as Hu Jintao had done (China Brief, March 20, 2014; China Brief, November 30, 2011). Second, Xi’s has overseen a PLA anti-corruption drive to encourage a “good workstyle” that has run in parallel to Wang Qishan’s campaign elsewhere in the Chinese Communist Party (CCP) (Xinhua, July 30; Xinhua, December 13, 2014; China Brief, August 23, 2013).

In this scenario, the PLA’s computer network operations done on and off the clock against commercial entities would be substantially cut-back, because the PLA could not justify them as either preparation of the battlespace or helping the PLA win wars. The use of military facilities and training to help Chinese private and state-owned enterprises or the pet corporate projects of local party officials gain competitive advantages benefits the individuals involved but not necessarily the PLA as an institution. Relatedly, the PLA has been reasserting influence over the intelligence apparatus to reclaim intelligence resources that previously had been directed to support national decision makers rather than military operations (China Brief, November 5, 2012).

Most beneficially, this outcome would demonstrate the value of the indirect approach Washington adopted on this issue, one previously employed in efforts to curb Chinese proliferation related to weapons of mass destruction. By never naming the Chinese leadership themselves as culpable and suggesting that the offending activity may be the work of “bad apples” at lower levels, the United States has left room for Beijing to maneuver and distance itself from the practice of economic espionage.

Injecting some skepticism into this “best case,” however, is warranted, because of the importance of dual-use technologies to Chinese military modernization (China Brief, February 21, 2012).The question would be whether attempting to get inside the networks of defense industry companies or those companies producing dual-use parts would constitute economic espionage. At least as Washington has defined it, gaining access to defense technologies to anticipate adversary capabilities would still be acceptable since the intent was not commercial advantage.

Scenario 2 – PLA Divestiture 2.0: Cutting Back on For-Profit Freelancing, Using Stricter Control

In 1998, Jiang Zemin ordered the PLA to divest itself of much of the commercial empire it had created since the beginning of the Reform Era. Beginning in the 1980s, the Chinese leadership led by Deng Xiaoping placed military modernization at the bottom of their list of policy priorities, converting much of the defense industrial base to civilian use. The PLA was encouraged to engage the market, and budget stagnation meant that the PLA budget was not fully funded. The profits of these commercial endeavors also went into commander’s pockets, leading to some wide-ranging corruption scandals in the mid- and late-1990s. The divestiture order did not remove the PLA entirely from the commercial world, but it limited PLA commercial activities to support activities directly relevant to PLA maintenance in garrison, such as spousal support and on-base services. [1]

The most important step the PLA may have taken was to rein in its soldiers who had been freelancing for companies and local party officials with commercial stakes. This divestiture would represent a major reduction in financial opportunities, and it would take time to implement. The PLA signals intelligence apparatus is a far-flung operation with elements sitting inside 3PLA bureaus and military region technical reconnaissance bureaus across the country. [2] Local military commands also have been one of the major sources of the PLA’s corruption problem, and, if endowed with useful capabilities, cyber militias could an addition source of problems for the PLA in controlling freelancing, as they provide an easy avenue for civilian technical talent to interface with local commanders. One sign that this is occurring would be occasional flare-ups against reform, such as the PLA Daily article suggesting some of Xi’s reforms under consideration undermined social cohesion and could affect stability (South China Morning Post, November 19).

Under this scenario, the PLA are intended to rein in soldiers and contractors from conducting operations that are not tied directly to specific needs for military intelligence, defense industry, or national-level policymakers. Limiting computer network operations requirements to those tied to specific information requirements could cut back PLA hacking substantially. In this scenario, outside observers probably would see a drop over time in the military’s activity as policy and operational guidance is conceived and promulgated, including an inevitable period where uncertainty by low-level actors about the precise boundaries of the new limits frequently pushes decisions about operations back up the chain of command. Economic espionage originating with the PLA would be reduced, but not eliminated, though some Western commercial sectors with military applications could become the target of even more focused attacks

Scenario 3 – Worst Case: Shifting Responsibilities to the More Skilled

The indictments issued by the U.S. Department of Justice as well as the publicity generated over time in reports by U.S. cybersecurity companies could have demonstrated conclusively to the Chinese leadership that the PLA effort to support Chinese companies was hopelessly compromised. Unlike Edward Snowden’s revelations of U.S. cyber espionage policy and targets, these cybersecurity reports provided detailed forensic information that traced back to individual PLA officers at their keyboards. Even if not all military hacking was sanctioned, the freelancing served Beijing’s goals for economic growth, building internationally competitive companies, and gaining access to potentially useful strategic information about international commercial competition. This would not be the first time that the growth imperative would create unintended incentives for government behavior not entirely in Beijing’s interests (China Brief, July 29, 2011; China Brief, May 9, 2007). Consequently, even though the Chinese leadership still values computer network operations for supporting Chinese firms, they may have ordered the PLA out of the economic espionage business and designated the Ministry of State Security (MSS) as the lead.

Two reasons might justify the emergence of the MSS as the Chinese lead in economic espionage, especially in cyberspace. First, the ministry has thus far avoided public exposure and scrutiny in large part due to what global information security analysts see as superior tradecraft. Second, Xi Jinping appears to have a strong political grip on the MSS after several vice ministers were ousted for corruption and inappropriate political activity linked to former security chief Zhou Yongkang and more amenable officials with strong anti-corruption credentials were installed in their stead (Jinghua Shibao, January 17; The National Interest, January 20; South China Morning Post, October 8; Xinhua, February 2, 2013).

In this scenario, the joint affirmation made after Xi’s state visit to the United States in September was a hollow one. The statement clearly Beijing accepting the basic U.S. premise that using state intelligence resources to support companies was wrong: “neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors” (U.S. Office of the President, September 25; Xinhua, September 26). Chinese behavior in this scenario simply shifts responsibility to the organizations best suited to perform the mission and the best natural linkages to Chinese firms poised to benefit from the ill-gotten riches provided by ministry hackers. Importantly, the MSS is better positioned with its clandestine infrastructure to find useful contractors who can act with deniability and expendable scapegoats who can be arrested to appease foreign governments as Beijing has done recently for perpetrators of the U.S. Office of Personnel Management breach (Xinhua, December 2).


These scenarios for what is occurring in China, all credible in their own right, suggest that foreign analysts should exercise caution against over-interpreting or rushing to judgement about what the PLA might be doing in cyberspace. Because the PLA is still the armed wing of a political party in a state that defines the preservation of its party-army-state as a core interest, for the PLA, defending and supporting CCP interests takes primacy over defending a national interest divorced from the Party’s. Observers then, should keep two things in mind: first, China’s leadership still holds an expansive view of national or state security that places preservation of the system at the core (China Brief, November 16). An important piece of that system is that the party guides the economy. Second, the PLA’s role has never been purely to carry out military operations, and the Political Work Guidelines revised in 2003 and again in 2010 reemphasized the role of the military in shaping the political, non-military aspects of China’s security environment. Most notable among the PLA missions is the “dis-integration” (瓦解) of enemy forces in a non-military context. The Gutian Conference of 1929—where Xi Jinping notably convened a conference in 2014—criticized those who believed the PLA’s role was simply to fight the party’s enemies. One of the mistaken ideas in the party was “the purely military viewpoint,” and the conference report opined those who held this view “think that the task of the Red Army like that of the [Kuomintang] army, is merely to fight. They do not understand that the Chinese Red Army is an armed body for carrying out the political tasks of the revolution.” [3] The logical extension in today’s world and the context of cyberspace means that PLA intelligence capabilities may not necessarily be confined to assisting the Chinese military in “winning local informatized wars.”

Multiple explanations exist for the changes some information security analysts are describing in cyberspace. U.S. pressure, Chinese military modernization and reform, party and military anti-corruption campaigns, as well as changes within the intelligence system inside China all might impact PLA computer network operations in complementary ways that are difficult to separate from one another. The implications of each scenario are very different, and, if related PLA reforms that will not be completed until 2020 and the evolving intelligence landscape, then change should be the natural state, not clear lines of authority and activity.


1. Thomas Bickford, “The People’s Liberation Army and Its Changing Economic Roles: Implications for Civil-Military Relations,” in Nan Li, ed., Chinese Civil-Military Relations: The Transformation of the People’s Liberation Army (New York: Routledge, 2006), 148–163.

2. Mark A. Stokes, Jenny Lin and L.C. Russell Hsiao, The Chinese People’s Liberation Army Signals Intelligence and Cyber Reconnaissance Infrastructure, Project 2049 Institute, November 11, 2011 <>.

3. Mao Zedong, “On Correcting Mistaken Ideas in the Party,” December 1929, English translation available at <>.