11

CYBER-WARRIORS OF THE PLA

Seen from the air, Pine Gap Base, south of Alice Springs, offers a view of satellite dishes and white domes no different from those of any ordinary satellite station. But in fact this is the jewel in the West’s crown of technological espionage against China. Situated in the red land at the heart of Australia, it is marked on tourist maps as a “forbidden zone”. The local telephone directory lists it as a “joint defence facility” with various social and medical centres. Built in 1966, the station is run jointly by the Australian ASD/DSD (the signals directorate) and the American NSA, and operates a major aspect of electronic warfare—the large-scale interception and interpretation of communications signals. In the world of signals intelligence, it has become customary to use the American abbreviation SIGINT.

This huge Australian station was originally set up at the time of the Cultural Revolution and the US war in Vietnam. Sixty years later, thanks to the development of new technologies, it has increased its operations tenfold. Pine Gap now records Chinese army communications in real time, as well as those of their North Korean and Vietnamese counterparts. A former employee of the Australian technical services told me in Canberra, “It’s a network of underground tunnels where nearly 800 Australian and American technicians and analysts work. They are directly connected to the NSA HQ in Fort Meade, Maryland. Then Group B in charge of Asia interprets this information.”

Nor is this interception centre isolated. It is complemented by a group of stations run in Australia by the Navy, the ASD (Australian Signals Directorate, formerly DSD), and other special services. Faced by the “Asia challenge”, the New Zealand Government Communications Security Bureau has also joined the group. Together, these agencies forged an alliance with the NSA, the Canadians, and Britain’s GCHQ, the largest Western intercept agency after the NSA. GCHQ began deploying its “big ears” technology in Hong Kong in 1947, with a station at Little Sai Wan with 140 Australian technicians; another at Tai Mo Shan in the New Territories; and one at Stanley Fort, on the Chung Hom Kok Peninsula, operated by the Royal Air Force and the DSD.

However, the British services had dismantled these stations in order to stop them being “cannibalized” by the PLA3, in charge of Chinese SIGINT, after the handover of the colony in 1997.1 This was when GCHQ planted bugs in the British High Commission, within the consulate nicknamed “Fort Alamo”. Similarly, the Australian DSD set up a listening cell in its Hong Kong consulate in direct communication with the Watsonia power plant near Melbourne. Just before the Chinese flag replaced the Union Jack in Hong Kong, the British had also embedded hundreds of bugging devices in the offices at the Prince of Wales Barracks, now PLA headquarters.

After the 1993 abandonment of Operation KITTIWAKE, run out of the Stanley Fort satellite station, it came under the management of the DSD/ASD, which has since run it from another station in Geraldton, Western Australia. It still performs the same functions: telemetry of Chinese missile ballistic tests, launch of satellites and recovery of satellite data collecting photographic information (PHOTINT), electronic information (ELINT), and other intelligence on China.

As part of the US–Canadian–British–Australian–New Zealand eavesdropping alliance, in place since the beginning of the Cold War, these operations came under the ECHELON system, which hit the headlines in Europe with the fear that “Big Brother” was intruding into the lives of ordinary citizens, listening in on their private telephone conversations and exploiting information mined from their electronic communications.

But in the middle of the Australian desert, technicians had no qualms about monitoring China night and day. The PRC is considered to be an unscrupulous dictatorship, and its military development and economic aggression is of great concern. Alice Springs is a good place from which to monitor the country. This small town, where tourists are as likely to encounter spy engineers as Aboriginal people, has a strong tradition of both communication and interception. The topography of the site lends itself to it.

In 1870 Charles Todd, who gave his name to the Todd River, founded a telegraphic station that connected Adelaide on the south coast to Darwin on the north coast, and well beyond—to the rest of the British Empire, including Hong Kong and the British settlements in Tianjin and Shanghai.2 In the Victorian era, Chinese gold diggers from Fujian arrived here, as indicated by the name Chinaman’s Creek, located on the road leaving Alice Springs in the direction of the ASD–NSA secret station. Today’s subjects of ASIO surveillance are more recent arrivals: the dynamic Chinese immigrant community assumed to harbour some “deep-water fish”, Guoanbu secret agents on a mission to recruit Chinese-origin engineers and linguists, baiting them with reminders that they are part of the large Chinese diaspora, the Huaqiao.

The location of the base was also chosen because of technical considerations, according to James Bamford, an expert on the history of the NSA: in the 1960s, a satellite could intercept unencrypted data and send it straight to the base, thus avoiding the risk of a Soviet spy ship in turn intercepting the communication and discovering what intelligence had been stolen. Back then, the Chinese themselves did not have the technical capacity to play this game, though it would not be long coming. Since Alice Springs is miles from anywhere, located right in the middle of Australia, patrolling spy ships were too far from the signal to identify the “footprint”, as it is called. Engineers at Pine Gap could then encrypt the intercepted material and send it, via another satellite, to the NSA headquarters in Fort Meade.3

In the aftermath of Gough Whitlam’s Labor Party election victory in 1972, followed by Australia’s diplomatic recognition of the PRC, the CIA was convinced that the authorities in Canberra would decide to close Pine Gap. This would have been a disaster for the Anglo-American intelligence community. Theodore Shackley, head of the East Asian Division at the CIA, even went so far as to encourage various destabilization operations against the Australian government, similar to those attempted in Britain against the Harold Wilson government.4 In Western democracies, the secret services respect the government and the constitution—so long as their own prerogatives remain unquestioned. One suspects that some of their heads might prefer to live with the Chinese system: at least in Beijing, the secret services are in power, hand in glove with the party and the army.

Ultimately, however, Pine Gap continued to function and to prove its utility in the secret war: Canberra was informed about the 1975 invasion of East Timor by the Indonesians and was able to see right through the Chinese army’s communications. Even if it failed to break the codes, it was able to study any significant stream of communication. The proof came on 17 February 1979, when Pine Gap was the first to know about the Chinese invasion of Vietnam led by General Yang Dezhi, the former commander of Chinese “volunteers” during the Korean War. Chinese communications were being scrambled by Soviet ships, since Moscow had signed a defence agreement with Hanoi the previous year. The offensive, aimed at taking the Vietnamese “from behind” while launching a blitzkrieg on Cambodia and capturing several thousand Chinese Khmer Rouge advisors, resulted in a blistering thrashing for the PLA. As we saw in Chapter 4, this was a humiliation for Deng Xiaoping, back in power after his woes during the Cultural Revolution. But Deng, as always, bounced back: it was by learning from this setback that he came to propose the major reform of the PLA in his era, starting with its intelligence and electronic warfare services. The rest is history.

The Oxford caught in a storm, and Operation Oyster

China’s electronic surveillance was also carried out through operations of proximity. The Americans sent very daring means of reconnaissance and interception out towards the PRC. By the time the Pine Gap SIGINT base was built in 1966, the NSA was also using spy ships, such as the USS Oxford (AGTR-1), an 11,000-tonne vessel loaded with antennae and capable of doing 11 knots, when it was not docked at Yokosuka in Japan. With 250 officers and men on board, it was sent out into the China Sea to track the turmoil of the Cultural Revolution by intercepting party and army communications. But the USS Oxford suddenly found itself in the eye of a typhoon, being propelled towards the Chinese coast. Perhaps there really is a god who watches over spies! By some miracle, the ship was driven back towards the open sea, where it drifted towards safety in Taiwan, having been on the very brink of either running aground or being captured—as indeed another spy ship was, two years later, in January 1968, when the USS Pueblo was taken by North Korea. The capture of the Oxford would have been to the delight of the Chinese, who were desperate to “cannibalize” such a ship—to take it entirely apart and study every detail to improve their own system. In the case of the Pueblo, the US had been double crossed by the Soviets, who had already obtained the secrets of the NSA’s operation from their mutual friend Kim Il-sung.5

In 1967, the game was equally close: the USS Banner, the same type of ship as the Pueblo, was not far from Shanghai, just 25 nautical miles from Zhoushan Island, in international waters, when it found itself surrounded by fishing boats: “I had the impression that they were going to try to tow me or something similar,” the captain, Major Charles Clark, later said. “They were only about five metres away. Two of the fishing boats had larger guns than ours, but although our guns were smaller, I thought we had the option of fighting them off.”6 Eventually, however, the Chinese forces were ordered to give up what was legally an act of piracy, and the US spy ship was allowed to reach Japan without a shot being fired. The Americans were also using other, less risky means to listen in on China, co-administering terrestrial wiretapping stations with the Japanese, South Koreans and Taiwanese.7

But back to Australia. There is another straightforward way for the West to intercept Chinese communications: listening in on Beijing’s embassy in Canberra. I went to the Australian capital in late 2006 to study the electronic warfare between the Chinese and their opponents. There I met the internationally renowned Professor Desmond Ball at the Strategic and Defence Studies Centre, Australian National University. He told me bluntly: “In our opinion, the [PLA3] has not installed a major listening station in the embassy in Canberra, because we can’t see any satellite dishes or bundles of antennae. It is more likely the case that the Chinese community serves as the eyes and ears of Madame Fu Yi.”8

The day after we met, on my way to Coronation Drive, I noticed that the British High Commission is located just one small street away from the Chinese embassy. The former has an impressive display of antennae, and the GCHQ team, posted there under diplomatic cover, was unashamedly intercepting the communications of their honourable neighbours. It is obviously easier to do this in Canberra than in Beijing, where Chinese counterintelligence—the Guoanbu, in charge of embassy surveillance—has built tall buildings around the foreign embassies grouped together in the Dongzhimen district to block listening systems, as well as a microwave tower for capturing British communications.9

In Canberra, although they were unable to intercept all external communications, Australian services did discover another trick when the Chinese embassy changed buildings in 1990. Assisted by thirty technicians from the NSA, the Australian Secret Intelligence Service—codenamed OYSTER—managed to embed bugs within the new embassy. However, after an Australian newspaper got wind of the affair, it took all the diplomatic skills of the head of ASIS to dissuade it from publishing the story, which would have been hugely damaging both for the intelligence services and for Canberra diplomats. It was a wasted effort, for Time magazine in the US revealed that Ambassador Shi Chunlai’s embassy was riddled with bugs. Unsurprisingly, this type of operation has become increasingly frequent since the Chinese overtook the Russians in espionage in the first decade of this century.

China on the counterattack

In the 1990s, Deng Xiaoping, Yang Shangkun (who had been accused of placing listening devices in Mao’s offices during the Cultural Revolution) and Jiang Zemin pushed for the establishment of what was then almost the most powerful electronic espionage structure in the world, second only to the Americans.

This immense Chinese listening realm was not built from scratch. As early as the 1930s, when Zhou Enlai was leading the secret war in Shanghai against Kuomintang nationalists, his former comrade from Paris, Deng Xiaoping, was overseeing the establishment of technical units in communist bases in southern China. Their friend Nie Rongzhen, who had been in charge of liaison between militants in Paris ten years earlier, was commissioned to set up a secret radio post in Hong Kong, with wireless links to the Comintern in Harbin and Vladivostok. At the same time, another comrade from their Paris days, the future head of the party’s secret services Li Kenong, was responsible for infiltrating the nationalists’ radio systems.

It should come as no surprise, therefore, that in November 2006 the PLA feted the memory of this first communications school, that of its predecessor, the Chinese Workers and Peasants Red Army. In March 1933, Deng Xiaoping chose its location, Pingshangang, in Ruijin province. Nowadays, young SIGINT technicians and apprentice PLA radio operators come to pay homage at this historic site. What they are told during this pilgrimage is breathtaking: in the space of just a few months, 2,100 linkage systems were established that radiated out through the whole of China, communist and non-communist; the CCP’s long march to power owes much to the long-obscured war of radio communication.

After the communist victory, Li Kenong became head of the party’s secret service, the Social Affairs Department (SAD), in 1950. He was also serving as PLA deputy chief of staff, which meant that he was overseeing both major sectors of intelligence at the time: the PLA2, in charge of military espionage, and the PLA3, in charge of military SIGINT.10 The system has barely changed today: in July 2007, while I was in Beijing, General Chen Xiaogong, son of a friend of Zhou Enlai, was appointed to this important Chinese intelligence post.11 There was one difference, however: another, small section, the 4th Department (Si Bu or PLA4) was added in the late 1980s, covering the more recently developed sector of electronic warfare, and sharing with the PLA3 the immense responsibility of cyber-warfare, waged on a new battlefield of which Mao Zedong could never have dreamt: the internet.

***

From his top-secret headquarters in Xionghongqi, in the north-western Beijing suburb of Haidian—named for its ponds, which date back to the Ming dynasty—General Qiu Rulin could contemplate his empire, established in 1950, where 20,000 technicians were at work. His PLA3 was primarily responsible for the interception of foreign army communications, but it had also considerably developed the field of Chinese military research and development.

Nearby, the Xibeiwang district was home to the PLA3’s largest communications interception station, just one base among dozens whose goal was to collect and decode all signals emitted from Russia, the primarily Muslim former Soviet republics, India, both Koreas, and China’s two “priority opponents”, Taiwan and Japan—not to mention its main enemy, the United States.

According to specialists who have been able to seize a large number of satellite photos, each military region—Beijing, Shenyang, Chengdu, Guangzhou, Lanzhou, Jinan and Nanjing—has its own station. These PLA3 stations are organized according to their targets: the Chengdu station, for example, monitors Tibet and India, while the Shenyang station monitors Korea and Japan.12 The other sites are located in north-east China, near Jilemutu and Kinghathu Lake; on the south coast near Shanghai; and in the military districts of Fujian and Canton, which are constantly mobilized against Taiwan. There are also stations situated near Kunming (north of Vietnam and Myanmar), as well as in Lingshui, on the southern tip of Hainan Island in southern China. The Lingshui base expanded in 1995 to cover the South China Sea, the Philippines and Vietnam, which is also monitored by stations dotted all the way along the border. In the 1980s, further stations were set up on two small islands in the Paracelsus archipelago. In addition to the Kashi and Lop Nor stations, two more were established in Xinjiang: the Dingyuanchen base, focused on Russia and the primarily Muslim former Soviet republics, is distinct from the Changli base, near the provincial capital Ürümqi, which intercepts satellite communications.

As Desmond Ball argued as far back as 1995, “China has by far the most extensive network of SIGINT intelligence of any Asia-Pacific country”.13 Needless to say, barely ten years later, China had become one of the major players in SIGINT anywhere in the world, alongside the United States, the United Kingdom, and the Russian Federation.14

The PLA3 shares with the PLA2 the management of a group of institutions and training schools where students of both departments receive training. The largest of these is the PLA Institute of Foreign Languages in Luoyang, under the administrative control of the PLA3. Technicians and cadets must complete linguistic internships not only abroad—perhaps truly as innocent students of the language and literature of linguistically interesting countries—but also in remote areas of China, Mongolia and Xinjiang, where listening posts are located, and where it is important both to know the local dialects and to learn to withstand the harsh mountain climate.

The PLA4 was transferred in 1991 from PLA3 headquarters at Xionghongqi to Tayuan, near the Summer Palace in Beijing. It is now much bigger. There is a straightforward reason for this: the PLA4, responsible for electronic warfare, carries out cyber-war operations with the aid of naval and air capacity, including new reconnaissance planes—specifically, Chinese AWACS planes of Russian origin, and Ilyushin Il-76 airlifters equipped (since 1997) with an Israeli-made airborne early warning system.

On 1 April 2001, the service received an unexpected gift, when Chinese fighters forced a US navy spy plane to land on Hainan Island in southern China, leading to a standoff between Washington and Beijing. This was the first capture of its kind since the forcing down of CIA planes in the 1950s. The EP-3E, code-named “Peter Rabbit”, intercepted voice communications and radar signals on the mainland. The PLA took the plane to pieces in order to copy all its devices, and its technical departments managed to unlock all the secrets of the data-coding system, nicknamed “Proforma”, on the border between intelligence and cyber-warfare.

The leader of the PLA4 at the time, General Dai Qingmin, could only rejoice. He is often considered one of the architects of cyber-warfare, who, along with other theorists, spearheaded its modernization, creating the concept of a “people’s war in the era of information technology”. This, to put it simply, includes electronic attacks aimed at camouflaging ongoing military operations; weakening the enemy’s early warning system; scrambling communications; and blocking and paralyzing any attempts by the enemy to respond, in order to trick them wherever they turn. The PLA had reached a real turning point in its theory in the early 1990s, when it moved from a defensive posture to undertaking offensive operations in the realm of electronic warfare, in concert with the regional units of the PLA3 in the three armies of land, air and sea.

In order to be able to adapt constantly and modernize their systems where necessary, these departments are service providers for major spying structures located in foreign countries—not only the PLA2, but also the Liaison Service of the PLA Political Department (Zhengzhi Lianluobu) and the multiple research institutes, branches and front companies that have been created by “intelligence vacuum cleaner” structures like COSTIND.

The Chinese also sell on their technology in some of these fields, primarily to Middle Eastern and other Asian countries. The Chinese Electronics Import-Export Company (CEIEC) is responsible for these sales. As we shall see, around the turn of the millennium, the PLA3 and PLA4 began to cross a new threshold in the intelligence war, entering the online battlefield and becoming the principal country implementing wartime measures in cyberspace.

A helping hand from the CIA and BND

Before their launch into cyber-warfare, the Chinese had an extraordinary training school. It was the very people they were fighting against, the Americans, who came to their rescue. In 1979, the Chinese, as we have seen, were taken by surprise by Ayatollah Khomeini’s Iranian revolution, just as the Americans were. The Americans lost their base in Mashhad, a large radio station run with the British, which intercepted communications from the USSR. From this shared blow emerged an unexpected “friendly” intelligence collaboration. As early as April 1979, US intelligence services received the green light from Jimmy Carter to negotiate with Deng Xiaoping on possible collaboration in this area.

The Anglo-American interception base was closed and its workers redeployed elsewhere. Admiral Stansfield Turner, head of the CIA, travelled incognito to Beijing, even going so far as to wear a false moustache so as not to be spotted by KGB agents.15 In May 1979, Deng let it be understood by US senators that he would agree to install “big ears”, on the condition that only Chinese engineers be responsible for the installation, even if intelligence was to be shared. Negotiations continued, despite an angry dispute that flared up. On the eve of the US presidential elections, Cao Guisheng—the same secret agent who had disastrously declared the invincibility of the Khmer Rouge the previous year, and who had since become first secretary in the political section of China’s Washington embassy—announced that Carter was certain to be re-elected.16 The Chinese took their hopes in this matter for reality, much preferring to see Democrats—Carter, the Clintons—in the White House, generally the rulers of less hawkish administrations that would give Beijing’s services more opportunities for penetration and advantageous negotiations. But it was Ronald Reagan, the former film actor and an FBI informer during the McCarthy witch-hunt of the 1950s, who was elected president in late 1980.

Yet Deng Xiaoping would have been wrong to despair. Reagan’s arrival at the White House in January 1981, and the promotion of his friend Bill Casey to head of the CIA, actually strengthened the process of Sino-American cooperation: it turned out that the Chinese shared an obsession with the two conservatives. Both sides were hoping to trigger the collapse of the Soviet Union, particularly because, at the end of 1979, the Red Army had invaded Afghanistan. Geng Biao, the head of Chinese defence, finalized the agreement. Ten years previously, he had been appointed by Zhou Enlai as head of the CCP’s International Liaison Department. He was a consummate intelligence specialist.

In a conversation about China’s collaboration with the West, Desmond Ball told me, “Admiral Bob Inman, the NSA director who became number two at the CIA, whom I knew well at the time, brought in Chinese technicians to train them while we were building listening posts with the NSA in the furthest reaches of China.” This was around the time of the Afghanistan war, when the CIA and the Chinese services were already working together to arm the Mujahedin. The dispatch of the first Chinese technicians to the United States was undertaken with the utmost discretion by David Gries, the CIA station chief in Beijing, who had learned Mandarin at the Taichung Language School in Taiwan, formerly the main base of the struggle against the mainland communists.17

Under the codenames SAUGUS and SAUCEPAN, the Qitai and Korla stations in Xinjiang were built by the CIA Science & Technology Directorate, with technical materials provided by the CIA and NSA’s Office of SIGINT Operations, and managed jointly with the Chinese for a decade. Originally these stations were required to perform telemetry tests on missile trials—to ensure that the SALT-2 arms control agreements were being respected, with supporting documentation—as well as on rocket launches and even nuclear tests near the Aral Sea. Subsequently, SIGINT’s function has been extended to other communications intelligence and electronic SIGINT missions (COMINT and ELINT).

West German technicians from the BND, Helmut Kohl’s federal secret service, began taking part in these operations after negotiations to that end, which began immediately after the appointment of the first BND resident in Beijing, Reinhart Dietrich, in 1982. In the aftermath of the events of Tiananmen in June 1989, in protest against the massacre of students and as part of a stealth embargo, the Americans decided to withdraw from the management of stations in China itself, opening one instead in Outer Mongolia, which was more politically correct.

The West Germans were alone in what was called Operation PAMIR, with the BND even expanding its presence. Better still, the training of Taiwanese engineers, for which it was responsible as part of the division of labour between allies, was cancelled. From now on, technicians from the PLA2 and PLA3 came to Munich to undergo training, at both the BND school of communications and the nearby Söcking listening station co-run with the West German military. At the time, the BND maintained relations only with the PLA general staff’s departments. This was because the PLA2 head, General Xiong Guangkai, had special expertise in German affairs, having formerly been an attaché at the embassy in West Germany with his wife Shou Ruili, who was a scientific attaché. In the aftermath of the Tiananmen massacre, about fifty Chinese researchers had landed in West Germany for technical training. The problem was that a number of these agents were taking advantage of their leisure time to expand their networks across the country, contacting state-level branches of West German counterintelligence (the Bundesverfassungsschutz) for information on Chinese dissident refugees.

Operation PAMIR, based in the mountains of Xinjiang, occasionally went through positively acrobatic contortions. There were one-off missions during which Chinese fighter planes made furtive incursions into Soviet airspace to test the reactions of their prey; these allowed BND technicians from PAMIR stations to record and analyze “enemy” communications. It was all the more interesting an exercise because, since it was run from Europe, it did not provoke a reaction from the Red Army. Mired in the war in Afghanistan, it simply sent spy missions to stations beyond the Chinese border. For this, it had to appeal for help to Afghan state security, the WAD, founded by the pro-Soviet president Mohammed Najibullah, which had around 70,000 agents.

“Dr Najibullah commissioned the WAD to set up intelligence and infiltration operations against the BND station in the mountains. I interviewed a former WAD captain operating in Tajikistan,” explained Erich Schmidt-Eenboom, a historian of the BND, when we met at his research centre near Munich. “He told me that some agents had managed to rummage through the station’s rubbish bins, which were carelessly left outside, before their contents were destroyed, and deduced that the Germans were not content to be working against the Soviet Union and Afghanistan and were also spying on Chinese telecommunications.”18

Blinded by their hatred of the Soviet system, the Western powers were cooperating with the Chinese in other parts of the world beyond the Russian borderlands—for example, in Angola against pro-Soviet guerrillas, and in Cambodia, delivering weapons to the defeated Khmer Rouge, all the while allowing Beijing to continue pushing its pawns further out into the world.

The PLA3 exports its wiretaps

The PLA3 equally managed to export its eavesdropping systems to areas of political influence where the PRC had alliances with other authoritarian regimes. There was, as we have seen, an apparatus in their embassy in Belgrade, razed by the Americans via NATO in 1999. Similarly, in 2003, during the American invasion of Iraq, the Chinese had SIGINT systems in Baghdad, which remained in place until the defeat of Saddam Hussein. This explains why the Chinese embassy in Baghdad was mysteriously pillaged after the city’s fall in April that year, as diplomatic personnel fled to Jordan, and thieves removed electronic equipment and computers.

On the PRC’s own borders, the Chinese were most in tune with the regimes of Laos and Myanmar. The SIGINT station in Hop Hau, Laos, in use since the 1960s, was modernized and expanded in 1995. Similarly, in the early 1990s, Chinese technicians built a SIGINT station on the island of Grande Coco, 50 kilometres north of India’s Andaman Islands. This enabled them to monitor the Straits of Malacca, through which thousands of ships pass, as well as Indian missile-testing in the Bay of Bengal. Soon afterwards, the Chinese installed half a dozen coastal stations in Myanmar.

But they did not only set up antennae to spy on the major regional powers and their neighbours. In 1997, they provided the Myanmar dictatorship—whose leader, General Khin Nyunt, was also the head of the secret services—with SIGINT-equipped vehicles, allowing Khin to intercept the communications of minority guerrilla movements fighting the military junta, such as the United Wa State Army, ensconced along the border of China’s Yunnan province.19

Fake-real oceanographic ships

In the early 1980s, as part of the “Four Modernizations”, Deng Xiaoping wanted to revive the “maritime spirit” of ancient China—hardly surprising for a Hakka man steeped in travel and trade. When he appointed Ye Fei in 1979 as the navy’s political and military leader, everyone wondered why he was entrusting this position to someone who was not an experienced seaman. Ye Fei may have participated in the war against Japan alongside Deng, but his previous position had been minister of communications.

In fact, the one explains the other. Deng was specifically keen on modernization and development in the field of communications. The Chinese built information-gathering vessels which reported either to the PLA3 offices of the PLA coastal military regions or to central naval intelligence (Haijun Qingbaoju). This large network of wiretapping sea vessels also reported to the Department of Science and Technology within the defence ministry, run for several years by Wang Tongye and then by General Nie Li, a satellite and oceanographic intelligence specialist, who was also deputy head of COSTIND. General Nie was a chip off the old block: she was the daughter of Nie Rongzhen, Zhou Enlai’s and Deng Xiaoping’s old friend and the long-time scientific patron of the defence development programme.

The programme made it possible to arm a flotilla of a dozen spy ships developed along the Russian model, and spread it out over the entire Asian region. These are often presented as oceanographic vessels belonging to the Beijing Academy of Sciences, and they may indeed undertake topographical surveys of (theoretically) an entirely peaceful nature. This was the case, for example, of the Yuanwang 1 and Yuanwang 2 spy ships, built in Shanghai, which were first sighted in 1980 in the Pacific Ocean, where they were tracking and analyzing the intercontinental ballistic missile launch. In 1986, Beijing launched Yuanwang 1, commanded by Captain Zhu Pengfei, describing it as a “190 metre detection and surveying vessel capable of travelling at a maximum of 20 nautical miles an hour and of detecting traces of space navigation devices, collecting data, performing checks and recovery, and so on.”20 It turns out that “and so on” covered a multitude of secrets!

One of these spy ships was operating off the coast of Hong Kong in 1993 and was also, according to British sources, interfering with GCHQ’s eavesdropping system. This was significant, for it was precisely at this time that the Stanley Fort base was being dismantled.21 Over the next decade a third Yuanwang ship, built after the other two, was frequently sighted in the seas off northern Taiwan. Hong Kong, Taiwan and the Spratly Islands—where the Chinese were installing a mini-wiretapping station—were frequent targets for these electronic information-gatherers. Other ships—such as the intelligence-dependent Xiangyang Hong 09, Xiangyang Hong 05 (SIGINT) in 1988, and Xiangyang Hong 10 (COMINT)—appeared to be preparing operations against Vietnam. From the beginning of the twenty-first century, this flotilla, supported by new ships, was making more and more daring voyages, including occasional short incursions into the territorial waters of two neighbouring countries whose response capacity they were testing: Taiwan and Japan.

Without attempting to draw up a comprehensive map or a detailed chronology of the operations, it is clear that there were three distinct episodes in this war of nerves, which were intensifying every year, as the Chinese navy expanded its area of navigation.22 Firstly, in May–June 2000, the Haibing, sailing north of the Sea of Japan and circling around the archipelago, passed through the Strait of Tsugaru, which is approved as an international strait for passing without restrictions, according to the law of the sea. It arrived in the Pacific at Honshu. According to the Japanese Self-Defence Forces, it was carrying out a military intelligence mission. Secondly, in April 2002, the Canton-based Xianyang 14 patrolled within Taiwan’s territorial waters. Finally, in July 2004, a Japanese P3-C aircraft spotted the oceanographic ship Nandiao 411 (“Song of the South”, a play on the double meaning t’iao or diao, both “to sing” and “to make intelligence”) in waters off Okinotorishima Island. This vessel, run by the South China Sea Fleet headquartered in Zhanjiang, Guangdong province, was seen sailing not far from the same island again in May 2005.

But by the early 2000s, the PLA had succeeded in further expanding its eavesdropping capabilities far beyond this kind of regional coastal navigation.

Spy ships in the South Pacific

As we know, France is a particularly favoured target of Chinese intelligence, which is known to have operators in the DOM-TOM, the French overseas departments and territories. This is particularly the case in locations where there is a Chinese community, such as in La Réunion and Polynesia, where supporters of Taiwan and the PRC compete for influence. The French DGSE is also well aware that the CCP’s International Liaison Department has often used Martinique and Guadeloupe as bases for its political intelligence activities in Africa, the Caribbean and Central America.

But the most spectacular operation of all took place in Polynesia. The services of the French senior defence clearance officer were concerned that Chinese ships such as Yuanwang and others in its class were making regular visits to the civilian port of Papeete, without authorization from the military authorities. Even though they figured most prominently in Commander Prezelin’s “bible” Les flottes de combat (Combat Fleets), the Chinese insisted that they belonged to the Beijing Academy of Sciences and were on purely oceanographic research missions. Of course, naval experts knew that their satellite dishes and antennae served quite another purpose, for example the monitoring of missile launches. As early as May 1980, the Yuanwang 2 space observation structure, built in the Shanghai shipyards, had been seen tracking the firing of a Chinese ICBM in the Pacific. Its equipment said it all: a large rotating satellite dish for telemetry and remote control; a hemispherical dome containing optical tracking instruments; two small satellite dishes; laser-tracking equipment; two directional broadband radios for high-frequency transmissions, and last but not least a helicopter landing platform.23

The authorities knew perfectly well that these vessels were gathering intelligence, which they would then deliver to general communications interception missions; even just during stopovers, the devices would continue to function. They also knew that radio beacons were placed on Tahiti while the 400 sailors, engineers and technicians left the ship and spent time on land in the Chinese community—this mingling makes it difficult to be sure who really went back on board, and who remained on the island under cover.

The question was how to react. When the Yuanwang 2 docked at Tahiti for a six-day break on 18 May 2007, an announcement was made that the “research ship” was being hosted by the Chinese community and the newly appointed Chinese consul Chang Dongyue. “After a month at sea, the stopover is being put to use for cultural exchanges, for the crew to rest and the ship to be refuelled. A tour of the island is planned for today, with a sporting day at AS Dragon, followed by a convivial meal.”

In September 2007, the brand new Yuanwang 5, recently built in Shanghai, anchored at Papeete. This intelligence-gathering vessel was part of the large, growing electronic apparatus being built by the Chinese as part of the battle of interception and intelligence warfare.

Chinese “ears” in Cuba

In 1961, as a result of a dispute between the Soviet Union and Albania, the Chinese had seized four of the twelve Whiskey-class submarines docked in the Albanian port of Vlorë, which Khrushchev’s navy had been forced to sabotage and abandon. Four years later, an extraordinary fact had come to light: Italian intelligence announced to NATO that Chinese-controlled submarines were engaged in exercises in the Adriatic Sea—in other words, in the Mediterranean.

Forty years later, the Chinese began taking over other former Soviet bases in different parts of the world. A quite different diplomatic pattern emerged in Cuba in the aftermath of the Cold War, one that was of even greater concern to the US. The Russians, now on good terms with the Chinese, decided to gift them their former sites in Castro’s Cuba, beginning with the Cienfuegos base where Chinese submarines were anchored, and Isla de la Juventud, where Chinese spy ships had been spotted. The largest transfer was the 70-square-kilometre Lourdes listening post, constructed in 1964 in the province of Havana. Previously home to 1,500 technicians and under the jurisdiction of the GRU, which had set it up, it is now run by the PLA3. Announcing its closure on 17 October 2001, Chief of Staff Anatoly Kvachin said that the annual lease was costing Moscow $200 million. “For this price, we could send twenty military satellites into space,” the Russian general explained.

Meanwhile, during a visit in early 1999, the Chinese defence minister Chi Haotian negotiated with the Cubans the establishment of a second station in Jeruco, 50 kilometres east of Lourdes, to eavesdrop on North American civil and military telecommunications. Raúl Castro, Fidel’s brother, nicknamed “El Chino”, was also facilitating the exchange of information between the Guoanbu and the Cuban service, the Dirección General de Inteligencia, headed by General Eduardo Delgado Rodríguez, from the joint-run Bejucal intelligence base.24 With the signing of this agreement, three Chinese-Cuban generals—members of the small Chinese community that had participated in the Cuban revolution—were particularly singled out for praise: Armando Choy, Gustavo Chui and Moisés Sío Wong, president of the Cuba-China Friendship Association.25

It had perhaps been a mistake on the part of the US to have broken their SIGINT alliance with the Chinese in 1990. The turning of the tables in the early 2000s was quite extraordinary. Time and again, I have been witness to the ways in which the Chinese manage to keep two irons in the fire at all times. They monitored the Soviets in cahoots first with the US, then with the West Germans. Now they were monitoring the United States using techniques learned from them, having been given the means to do so by the USSR.

At the same time, another battlefield was being developed—that of cyber warfare, whose potential was growing thanks to an invention of the US military during the Vietnam war: the internet.

Chinese internet

By 1993, the Chinese government was looking to develop an information infrastructure to accompany the country’s economic breakthrough. Prime Minister Zhu Rongji launched the “golden” projects: the Golden Bridge, a plan to computerize China’s economic infrastructure and its links with the worlds of science and technology; Golden Cards, a means of payment in the form of a credit card for 300 million Chinese; and Golden Customs, which was to streamline foreign trade.26

The success of these projects led to an announcement by the State Council of three further projects: Government Online, Online Business and Family Online. The problem was that these networks theoretically existed on the internet, with all the dangers that implied for an authoritarian state seeking to control not merely its citizens’ activities, but their very thoughts.

Afraid of the anarchy of the World Wide Web (Wan wei wang, 10,000 three-dimensional networks), in 1995 Jiang Zemin announced the launch of a central body to regulate business, while the Ministry of Telecommunications created a business network called ChinaNet. The following year, four state-dependent providers began offering global access: ChinaNet, using China Telecom’s infrastructure; ChinaGBN, with the same infrastructure but for the Ministry of Industry and Electronics; CERNET, for the State Committee for Education; and the CSTNet of the Chinese Academy of Sciences (formerly CASnet), both using their own infrastructure. At the same time, Zhang Ping, director of CBnet, began offering a subscription service for the China Business Information Network, with an archive of China Daily, and an internet connection.27

Without going into the technical details, it should be noted that, as early as 1998, the existence of private networks outside the monopoly of China Telecom began to be considered a problem for “national security”. Parallel networks, such as Unicom and China Netcom, were permitted. Despite the dangers posed by e-democracy, the Chinese government—whether the PLA, the CCP or the intelligence services—saw what there was to be gained from the internet. The field of propaganda was taken over in 2000 by an Office of Propaganda on the Internet. The Xinhua News Agency and PLA have developed very elaborate websites. The CCP Central Committee’s International Liaison Department developed a website, as did the China Institute for Contemporary International Relations (CICIR), the think-tank under the aegis of the Guoanbu’s 8th Bureau. Naturally, the Gonganbu, which is in charge of the police, also set up its own site, with regional differences and addresses enabling citizens to contact it directly. On all these sites, the Chinese pages contain far more information than those in English. There are some amusing contradictions to be found: the pages on Tsinghua University’s website devoted to the history of intelligence and to Li Kenong, former head of the party’s special services, have been heavily redacted in translation.

Fearing leaks of information useful to officials and researchers but prohibited to citizens and more importantly foreigners, the idea of creating a national intranet, parallel to the open internet, began to gain traction. As early as 1996, the China Internet Company was working on the idea of a virtual Great Wall, a closed-circuit China Wide Web that would guarantee a high level of security.28

The Guoanbu, in charge of spying operations abroad, was of course active in the new realm of digital security. In June 2001, its leading IT specialist, He Dequan, gave a special conference on the subject to members of the State Council, including Prime Minister Zhu Rongji, who explained at the end of the presentation that “the government will further increase the development of the digital industry. But at the same time, the relevant government departments are exploring ways to boost the development of technology to ensure intelligence security”.

In fact, in terms of technical developments, the Chinese launched their fibre-optic communication programme as early as 1998, as part of their global cyber-warfare strategy, which was considered highly effective in dealing with attempted intrusions. For example, the Beijing military region uses a vast fibre-optic “military information highway”, rendering the type of interception carried out by stations like Pine Gap almost impossible.

An army of cyber-warriors

The Chinese have been able to develop such inviolable encryption and undetectable transmissions on their highly regulated “internet” because their services are engaged in a global battle of intrusion, hacking, spam bombing, and virus infection of foreign websites and databanks.

Welcoming the German chancellor Angela Merkel to Beijing on 27 August 2007, Prime Minister Wen Jiabao expressed his regrets that hackers had attacked computers in the German Chancellery and several ministries in recent months. Trying not to lose face, Wen—known for his reforming and conciliatory spirit towards the West—had to acknowledge an unavoidable fact: the publication that same day of a special issue of Der Spiegel, whose entire front page was devoted to a dossier about Chinese espionage against Germany, in which it was claimed that the PLA had launched a computer intrusion programme using Trojan horses. Der Spiegel claimed that the Chinese were transmitting spyware via a Windows PowerPoint folder. This was just the tip of the iceberg. Thousands of private companies and government departments, including the police and the military, had been attacked by PLA cyber-warriors over the past eight years.

Merkel—who grew up in East Germany and studied at the Karl Marx University in Leipzig, just like the head of the Chinese secret services, Luo Gan—understood the double language of the communist system, as she had been quick to point out to the Beijing leadership in September 2007, while still agreeing to commercial activity with the Chinese. Meanwhile, the British, American and Italian intelligence services also claimed that ministries in their countries were being targeted by the PLA. The US claimed that several incursions had been carried out against the Pentagon. In early 1999, a Trojan horse (in the form of PICTURE.EXE or MANAGER.EXE) had circumnavigated the globe, attacking primarily AOL’s subscriber computing systems, before returning to China with its looted data.29 In Asia, too, several intelligence agencies complained about the spread of such attacks in Japan, Taiwan, South Korea and India.

Perhaps the most disturbing examples of combined attacks are those carried out against Japan, which I wrote about for Sapio magazine in Tokyo in 2005. A first wave of attacks occurred on 15 April 2005, when several companies, including Mitsubishi and Sony’s China subsidiary, were targeted. Other companies preferred not to make their cases public for economic reasons, stating only that they were used to these kinds of computer attacks, and that they were protected by their firewalls.

That morning, the heads of the two companies, as well as employees of Kumamoto University, arrived at work to discover anti-Japanese messages and the red Chinese flag embedded on their respective websites. More seriously, it was discovered that the Ministry of Foreign Affairs (Gaimusho) and the Japanese Defence Agency, which had been similarly attacked the previous summer, were once again the target of attacks that included being bombarded by spam and being sent viruses and Trojans, apparently by internet users furious with the way Japanese textbooks present the Sino-Japanese War. According to police experts, the Chinese cyber-warfare system was using so-called “rebound bases”, which made it impossible to identify for certain the sources of the attacks, notably in the case of websites based in countries with large Chinese communities, such as Vancouver and Toronto.

The political nature of these attacks was familiar to the Japanese. In January 2000, several ministries had been attacked after statements made by politicians denying the reality of the 1937 massacre in Nanjing by the imperial army, in which 150,000 people (or 300,000 according to the Chinese) were killed. In each case, attacks involving systems to erase databases originated in China, and were then rerouted via internet service providers abroad.

The PLA’s cyber-warriors, who were behind these operations, had begun their attacks in 1999. A taskforce was set up at the request of the Central Military Commission involving half a dozen services specialized in computer warfare. These were the PLA2, then led by General Luo Yudong; the Communications Department (Tongxin Bu), led by General Xu Xiaoyan; the PLA3 led by Qiu Rulin; the defence ministry’s Department of Technological Intelligence; the Institute of Military Science’s Department of Special Technologies, nicknamed “Department 553”; and the 10th and 13th Bureaus of the Guoanbu, responsible for communications. The taskforce was led by Xie Guang, deputy minister of COSTIND, who was one of the principal theoreticians of cyber-war.30

Trained technicians were needed, too. General Si Laiyi was charged with setting up the PLA University of Science and Technology, which involved the merger of a number of telecommunications research institutions to train cadres in cyber-warfare (Xinxi Zhanzheng). This involved a thorough practical and theoretical training, using books such as Qiao Liang and Wang Xiangsui’s Unrestricted Warfare and various Western books including Wars in Cyberspace by the French journalist Jean Guisnel, which was published in Chinese in 2000.31

After they graduated, cadets and technicians of all ranks moved into action, taking part in internal simulations of war games and in real attacks such as those carried out against Japan and against the German Chancellery in 2007. But during the same period they also faced another invisible army actively fighting against China: the Hong Kong Blondes.

The Hong Kong Blondes

Blondie Wong’s entire life had been marked by violence. As a child, at the tail end of the Cultural Revolution, he had witnessed the murder of his father at the hands of the Red Guards. In 1989, as a student in Europe, he had watched the Tiananmen massacre unfold on television. He felt an unquenchable hatred for the Zhongnanhai elite, who returned the sentiment. In the summer of 1999, a team of Guoanbu “cleaners” was sent to Saint-Nazaire in Brittany, to assassinate him.

This unusual exile was one of the principal figures behind the “Hong Kong Blondes”, a group of highly trained cyber-dissidents involved in viral attacks against Chinese army computer systems. Luckily for Blondie Wong, by the time the “cleaners” set out to try and “service” him, he was no longer in the west of France, if indeed he ever had been—he was nothing if not a master of disinformation and fake news. He may have been warned to leave for Canada, where he would remain under armed guard.

The Hong Kong Blondes were a group of obsessive hackers who proved that, with a computer, it was possible to defeat a huge system designed to control an entire national population. For the PLA and its huge empire of cyber-warriors, the boot was now firmly on the other foot. Since 1989, the Blondes had been circulating stories on the internet to create a smokescreen for their continued attacks on government networks, even after the handover of the region to the PRC—rather daring, bearing in mind that the Chinese special services had now taken control of the Hong Kong police. The hackers were threatening communist installations in the name of human rights. They were said to be around fifty computer engineers, both within China and abroad, some in high-ranking positions of power, who vowed to avenge the massacre of their friends and relations at Tiananmen Square.

This was one of the strengths of their strategy: Zhongnanhai and the security services simply did not believe it was possible to hack their systems from within. Like the famous dissident Fang Lizhi, who was smuggled out of China by the Americans in June 1990, Blondie Wong was an astrophysicist, and well versed in many of the scientific programmes that had been developed at the request of Deng Xiaoping and, later, Jiang Zemin.

Guoanbu agents flew out to Vancouver and Toronto to continue their pursuit. Again they discovered that Wong had already left, with a female member of the group, Lemon Li, who had been imprisoned and later exiled for a period in Paris. It was in fact she who had settled in Saint-Nazaire, not Wong. They had made for India. “This was no coincidence,” a specialist in telecommunications and cyber-war, not fond of the Hong Kong Blondes, told me in Beijing. “They must have been under the protection of the Indian services, which were much more advanced than we were in this area. Their secret service, the RAW, and the Indian army, were having fun with these frenetic war games against China.”

A subsidiary of the Hong Kong Blondes, called the “Yellow Pages”, decided to intensify their attacks on China’s communications infrastructure, and on the multinationals helping Beijing both to strengthen their anti-hacker protection and to use the internet to spy on the population. The only true blonde in this mysterious group was a woman called Tracey Kinchen, a former MI5 technician who was helping the Blondes and the Yellow Pages. The implication here was that MI5 was also in on the game, helping the group to conduct small-scale cyber-guerrilla attacks against a numerically superior army, by focusing attacks on its weak points.32 Because Kinchen was apparently active in Hong Kong, the local security services conducted an investigation, but failed to identify her. Some investigators even went so far as to claim that the Blondes did not really exist. According to certain US sources, they had relocated to Bangkok.

The Blondes had begun with a campaign sending personalized emails to leaders of the PLA and various organisms that were part of the Chinese military-industrial lobby. Nothing too nasty, but it had been enough to alert military security, which failed to explain how so many email addresses and intranet mailboxes had fallen into the group’s hands. Then the Blondes had downloaded confidential codes, including information on satellite guidance, which was rather more ingenious. In the process, they carried out targeted attacks by erasing databases, followed by disinformation campaigns and bombarding websites to make them freeze—displaying denial of service messages—just as the PLA’s cyber-warriors were doing to other sites.

Today, armies and security services in every industrialized country, as well as large private companies, are used to these kinds of attacks, but at the time—the dawn of the internet era, which began around 1995 in Asia—the PLA3’s laboratories could not believe their eyes. It was even claimed that the Blondes were able to install codes to monitor and send warning signs to Chinese computers. In 1999, 228 cyber-attacks were launched from Hong Kong, according to Lo Yik Kee, head of the new Computer Crime Section of the Hong Kong police’s commercial crime bureau, set up in early 2000, whose first task was identifying the cybercafés from which the attacks on the PLA were being launched. Never short of statistics from the other side of the Bamboo Curtain, the Gonganbu in turn denounced 72,000 attacks, of which 200 had hit their targets.

Meanwhile, Tracey Kinchen, the MI5 operative, was discovered to be living in Bangkok by a journalist, but she kept her cool: “Blondie Wong and the Hong Kong Blondes would never want to hurt anyone. They follow Gandhi’s and Martin Luther King’s worldview of non-violence.”33

In spite of Kinchen’s protestations, the Chinese were convinced that this was a large-scale sabotage campaign that had been going on since 1998, when one of their communication satellites had been hacked. To prevent further attacks, in autumn 1999 the PLA organized an anti-hacker war game. The scenario was that “black intruders” (Heike, which sounds like “hacker”), had managed to hack the CCP’s websites and hijack their content.34 Soon, under the leadership of Chen Zhili—the education minister and Jiang Zemin’s Shanghai-born mistress—the Guoanbu, Gonganbu and propaganda service began mobilizing their resources at Shenzhen University, to refine a system of filtering and tracking the email inboxes of Chinese students abroad.35

Monitoring internet users

While undertaking multiple intrusions into external networks, the Chinese secret services had also been given a mission to organize a vast system of control of the Chinese population, starting with the younger generations who were now surfing the internet while increasingly avoiding cybercafés.

In 1995, at the point when the internet really began to take off in East Asia, there were only a few thousand academics who wanted to maintain links with foreign colleagues. They were obliged to register with the Ministry of Posts and Telecommunications, which controlled the China-Pack link to the World Wide Web. Initially, control was vested in the State Council’s Information Office, headed by Zeng Jianhui, a propaganda specialist and international editor at the Xinhua News Agency. After having investigated closely Singapore’s methods of controlling the internet, in 1996 Zeng was replaced by the former ambassador to Great Britain, now deputy minister of information, Ma Yuzhen.

Ten years later, a highly sophisticated surveillance system had been set up. For example, the Public Information Bureau (PIB) of the Office of Public Security (Gonganju) in Lhasa had developed a system to control all internet users. It is probably no coincidence that Tibet serves as a laboratory for computer surveillance techniques, ahead of extending these methods to other parts of China. From early 2004, both Chinese and Tibetan residents of Lhasa seeking to access the internet in cybercafés received a registration number with a password, which they could use to surf sites or exchange emails. The user was then able to buy an inexpensive “navigation map”, on condition that they fill in a “citizen identification form” (shenfen zheng).

These cards were distributed by the PIB, which was headed by “Luobu Donzhu” (whose Tibetan name was Norbu Dondrub). The PIB was also responsible for licensing cybercafés. The avowed goal of this service was “to fight internet crime”, but its sister agency, the Guoanbu’s Lhasa office, charged with counterintelligence operations against India, also intended to monitor coded emails that might be exchanged between Tibetan resistance networks and the Dalai Lama’s Research and Analysis Centre in Dharamsala.

This monitoring system appeared to be very effective, since it required the individual user to register rather than the computer system used. The smooth functioning of this repression went so well behind the virtual Great Wall that it made sense to exploit the complacent help of any external systems ready to make a deal with the CCP in exchange for a commercial leg-up into the much-coveted Chinese market.

Cyber-dissidents were imprisoned, with the help of foreign accomplices of the Chinese state apparatus such as the search engine Yahoo, which provided the Gonganbu with the emails and IP addresses of people who went on to be arrested. The most famous case to date is that of Wang Xiaoning, sentenced in September 2003 to ten years in prison—and two of losing his civil rights—for “inciting the subversion of state power”. He had been behind email newsletters advocating a democratic opening up of China. Similarly, Shi Tao, editor of an economics newspaper based in southern China, was sentenced in April 2005 to ten years in prison, for allegedly leaking state secrets by posting online a Chinese government statement to the media, forbidding any marking of the anniversary of the Tiananmen crackdown. In 2007, Reporters Without Borders counted over fifty online reporters imprisoned in the laogai, the Chinese gulag.

Between 2002 and 2004, several tens of thousands of the PRC’s 110,000 officially registered internet cafés were closed down. The rest were obliged to equip themselves with software for monitoring and bookmarking the URLs visited by customers, which then blocked those that were prohibited. Between 30,000 and 40,000 operatives from security agencies were responsible for monitoring internet traffic, while the number of internet users doubled in three years, increasing from 80 million internet users in 2004 to 162 million in 2007.

The two security ministries, the Gonganbu and Guoanbu, recruited talented computer scientists, including IT graduates from US universities. They were obliged to offer them excellent salaries to keep them from going into the private sector. They also recruited the occasional genius hacker, just as the Western counterintelligence agencies were doing. This was the case of one of the stars of Chinese internet security, an ex-hacker recruited in Shanghai in 2003.36 The Guoanbu was particularly interested in foreigners, whether those suspected of espionage or simply journalists, diplomats and most particularly businessmen and traders whose emails and email attachments might contain important commercial secrets. These foreigners would frequently be asked for their passport before being assigned a computer in a cybercafé or the business centre of their hotel, in order to keep track of their online activity. As an internet specialist in Beijing explained to me, new teams were created and others greatly expanded in time for the 2008 Olympics.

The Golden Shield

With the public launch of the Golden Shield (jindun) programme in April 2006, the Gonganbu further expanded its surveillance methods, which were under the technical direction of the computer scientist Fang Binxing, head of the Beijing University of Posts and Telecommunications.37 The Gonganbu was congratulating itself on being able to root out websites that threatened China, thanks to the 640,000 computers in the Golden Shield network, organized into twenty-three systems across China (with the exceptions of Hong Kong and Macao). Its system was so advanced that the Gonganbu was also able to solve crimes online and thus reduce the crime rate, by better controlling internet users.

The Golden Shield, which cost $10 million, was a kind of giant intranet run by the Chinese security services, allowing them to block some sites, spy on others, and monitor users. Its innovation lay in the programming of keyword filtering in Chinese cyberspace, which triggered surveillance, automatic blocking of communications, or both. It was a system similar to what the American NSA had developed with the ECHELON network and its “dictionaries”, which could sample conversations in which pre-programmed words appear. The difference was that, with a few exceptions such as violent Islamist sites, the blocking of websites, blogs or chatrooms was not the very purpose of the ECHELON operation.

In China, a semantic analysis of a thousand forbidden keywords reveals the concerns of power and the fantasies of the Gonganbu, at this time under Meng Jianzhu. At the top of the list were the “Great Poisons”: 20% of the words were to do with the Falun Gong movement, 15% to do with Tibet, Taiwan and Xinjiang. Another 15% were related to Chinese leaders and their families (including security chiefs Zeng Qinghong and Luo Gan, as well as historical figures like Deng Xiaoping, Mao Zedong and his wife Jiang Qing); 15% to do with politics and corruption, with the word “democracy” considered just as subversive as “dictatorship”, even if it is a word specific to the proletariat; 10% concerned the police and national security; 10% were the names of dissidents and political exiles (including Chai Ling, face of the 1989 Tiananmen student movement, who had spent time as a refugee in Paris); and 15% were words about sex: night club, orgy, porn video, and so on.

But the Chinese language being what it is—a sequence of syllabary phonemes presented in characters that can give rise to various interpretations—the Gonganbu computer park also managed to ban official texts and comments about them that included words such as “National Security” (Guojia anquan). In the end, only economic expressions were able to slip through the cracks.

Commonly used and even mythical words like Dragon-Tiger-Leopard (Long Hu Bao), when joined together, become suspect—this is the title of a Hong Kong erotic magazine, as well known as Playboy (itself a forbidden word). The expression “a band of pigeons” (ge pai) was held to be a covert attack on the communist leadership. Even worse for the authorities, an expression like “the great law” (dafa) had to be permanently censored, because it refers to the principles of Falun Gong.

Without a doubt, the Golden Shield procedure became less and less effective in tracking “counterrevolutionary criminals”. Even were computers really able to scan the entire Chinese computer system, young people on the internet use thousands of common words related to everyday life and slang to encode their intimate conversations, which are already naturally very figurative and allegorical in Chinese characters. Soon, the Gonganbu had to revise its Orwellian programme, whose linguistic-political and psychological consequences were already obstructing the system.

In 2004 the authorities had published draconian guidelines for sending text messages, entitled Self-Discipline Rules Regarding the Content of Text Messages, to prevent the dissemination of pornographic, fraudulent or illegal messages. Similar instructions were prominently displayed in cybercafés. SMS had played a significant role during the country’s SARS outbreak the previous year, and the security services were planning to block a number of words including “Tiananmen” as they approached the anniversary of the 1989 student massacre.

The problem was that internet usage in the PRC was on an exceptionally massive scale, given a population of over 1.3 billion. China Mobile, the country’s largest provider of cell phone services, signed an agreement to participate in the tracking of unacceptable text messages. Nonetheless, even with the best intercept system in the world, in 2003 the Gonganbu and the various interception services of the PLA can only have processed 220 billion text messages, or 55 per cent of all that year’s traffic—a real headache for special services analysts.

The PLA intensifies its cyber-warfare

In 2009–12, the Hu Jintao era was coming to an end, moving towards Xi Jinping’s replacement of Hu first as general secretary in 2012, then as president in 2013. During these transition years, the already expanded intelligence services of the PLA went through a significant period of technological growth, including satellites, communications interception, drones, submarines, and oceanographic vessel intelligence-gathering. The development of Chinese SIGINT interception bases in Africa was testimony to this, alongside the development of an African presence in Beijing, in partnership with Chinese telephone equipment manufacturers. This project was not limited to economic relationships, contrary to what the Chinese might have wanted us to believe.

This was the thesis posited by Didier Huguenin, a French researcher specializing in Chinese information manoeuvres in Africa. His Master’s dissertation on economic intelligence states, “It is worth drawing attention to a particularly strong interest in electromagnetic intelligence (ELINT, SIGINT), as evidenced by the setting up under cover of assistance to local services of an interception centre and appropriate equipment. This was particularly the case in Djibouti, Mali, the DRC and Zimbabwe.”38

There had definitely been an increase in the duplication of structures, between those reporting to the actual general staff (the PLA2, PLA3 and PLA4) and those who reported to the General Political Department (including military security and the International Liaison Department). In the summer of 2007, the choice of General Chen Xiaogong to oversee the sector as deputy chief of staff was not insignificant, since he was a strategist specializing in relations with the United States who had experience on the ground in Afghanistan and Pakistan. The PLA3 and PLA4, as well as the formal Communications Department, had been attracting a good deal of attention, because—as we know—Western, Indian, Korean, Taiwanese and Japanese agencies suspected them of being behind a series of cyber-attacks targeting websites around the world. And of course these services were also responding with their own counter-intrusion operations. Thus the PLA’s intelligence services had no choice but to adapt.

The perfect illustration of this extension of the field of combat was the appointment in spring 2009 of General Yang Hui as head of the PLA2. Prior to this he had been deputy director of the PLA3, with a solid technical background in communications interception and cyber-warfare. Some experts went so far as to claim that his appointment was part of the cyber-warfare strategy lobby’s wholesale takeover of military intelligence.

Be that as it may, faced with the intensification of the cyber-war, several other powers, primarily neighbouring Asian countries, set up new services to counter the Chinese threat. This was the case in April 2008 for India, after websites and databases linked to its foreign ministry were attacked by Chinese hackers, identified through Indian counterintelligence’s analysis of IP addresses. Even more seriously, the computer systems of the Indian National Security Council, headed by Mayankote Kelath Narayanan, had been hacked.

Narayanan was given the task of commissioning an audit of the National Technological Research Organization (NTRO), the Indian equivalent of the NSA, which worked closely with the RAW and the Indian army’s special services, as well as the economic intelligence body responsible for raising awareness within private companies under constant attack by the Chinese in 2007–8. The conclusion these analysts arrived at could just as well be applied to all the other countries falling prey to these attacks: it was vital to create a cyber-warfare counterstrike force, namely a coordinated structure of cooperating services—in India’s case, this would include the NTRO, the Army Cyber Security Establishment and the Economic Intelligence Bureau.39

India’s experience was of concern to two other major regions also being specifically targeted by Chinese cyber warriors: North America and Europe. At this point, virtually every individual on the planet ought to have begun feeling concerned: in 2009, once again, the Chinese hacking apparatus had infiltrated a messaging system, in this instance belonging to Google, which drew attention to the activities of the PLA’s intelligence-gathering laboratories. Indeed, leaving aside the commercial dispute that made it clear to the Chinese that Google wanted to topple the Chinese internet provider Baidu and its affiliates, the US security services were convinced that civilian agencies and groups of ghost hackers alone would not have been able to penetrate Gmail’s encryption without the help of specialist units, brought in by the PLA3. This led a French specialist to conclude: “This was not just a commercial battle, but a ‘dry run’ for a cyberwar, conducted by the PLA3. Not one aspect of this war escaped them.”40

It also explained why one of these operational divisions—Chengdu’s Bureau of Technical Reconnaissance (BRT3), covering operations against Xinjiang, Tibet and north-east India—was congratulated by the army for the “exceptional qualities of its work in the field of computerization, information-gathering in a hostile environment, and its research supporting academic structures and other ministries that work to protect state secrets.” Meanwhile, there were also attacks being carried out in the other direction: Ji Guilin, editor-in-chief of the Chinese defence ministry’s new website, launched in August 2009, complained just six months later that the United States had already carried out some 230 million attacks against the site (www.mod.gov.cn).

But the emerging war of communications was not only a battle of cutting-edge computer technology; it was simultaneously being fought in the shadows, by individuals finding their own ways to penetrate the enemy system. This became evident in the case of a Chinese network that was dismantled in Louisiana, which gave the FBI and others a clear idea of the Chinese secret services’ new MO and intensive use of the internet for sending encrypted messages.

A bit of background: in early February 2008, the FBI published the conclusions of a lengthy investigation into Kuo Tai Shen, a Chinese-American from Taiwan, Kang Yuxin, his female liaison and a Chinese citizen, and Gregg Bergersen, the US agent they had recruited, who was a specialist arms dealer to Taiwan at the Defense Security Cooperation Agency in Arlington, Virginia. Some of the more noteworthy aspects of this case included the use of a furniture shop in a town called Houma as the network’s cover, and the recruitment of a Taiwanese operative, which was becoming more and more frequent thanks to the United Front Work Department—the CCP’s special service for rallying Chinese in the diaspora to Beijing’s cause. The new Taiwanese president at this time, Ma Ying-jeou, was favourable to the idea of a rapprochement with Beijing.

The other unusual aspect of the affair was the massive use of inboxes hosted by Bellsouth.net, Hotmail and Gmail.41 Thanks to them, Ms Kang had been able to correspond with “Mr X”, a Chinese intelligence officer who was based first in Canton and then in Hong Kong. Kuo, the network manager, also received emails telling him to call certain numbers, which subsequently revealed the role of the Chinese services using Hutchicity, an internet provider based in Hong Kong. The FBI also noted that, during their exchanges, Kuo and “Mr X” had used a coding system purchased commercially in February 2007, PGP Desktop Home 9.5 for Windows—but then discussed its use on the phone! The description of the investigation gives as much information about the workings of the FBI, in liaison with the US Pacific Command intelligence service, as about the methods the Chinese were using. For example, it tells us that on 4 June, “Mr X” used FedEx to send Kuo a new internet address for sending secret information obtained through Bergersen and transferred via encrypted attachments. This detail suggests not only the use of countless wiretaps, but also the interception of emails and conversations in Hong Kong, undoubtedly with the help of both the local NSA branch in the US consulate and Britain’s GCHQ, which continued to have a presence in its former colony.

***

The services in Beijing did not appreciate the fact that their activities were being unveiled. This was evident in the fury of the Chinese authorities in November 2009, after global security corporation Northrop Grumman’s publication of an analysis of China’s cyber-warfare techniques. Packed with information provided by the American intelligence community (although officially provided by the private sector), the report pointed the finger at certain specialist departments of the PLA general staff—the PLA2, PLA3 and PLA4.

Most importantly, for the first time, groups of hackers were formally identified as having links with Chinese security services. Some were shown to have been involved in attacks against foreign governments, including the group Hack4.com, which targeted French embassies in China and in various English-speaking countries, including the United States and Canada in December 2008. This was a coordinated attack to “punish” President Nicolas Sarkozy, who had shaken hands with the Dalai Lama during a trip to Poland a month earlier. Though they chose not to publish their report for “diplomatic” reasons, the French special services had been able to detect the link between Hack4.com and the Guoanbu.

The Northrop Grumman report did not mince its words: these groups of hackers were linked not only to Guoanbu, but also to the 1st Research Bureau of the Gonganbu. In contrast, PLA3 preferred to call on graduates of cyber-warfare training academies. One case highlighted in the report particularly stood out: the Black Eagle Base, members of which had been arrested in Henan by the Gonganbu for hooliganism. Six months later, they had been released and went on to form the Black Eagle Honker Base, a group of hackers who began working for the presumably more pragmatic Guoanbu. This group, and several others, had links with the School of Information Security Engineering at Shanghai’s Jiao Tong University, whose dean, He Dequan, was the former head of the Guoanbu’s science and technology department. This made it clear that the Guoanbu was still active on all “underground fronts”, Yinbi zhanxian (荫庇 战线).