Executive Summary
China is rapidly building cyber ranges that allow cybersecurity teams to test new tools, practice attack and defense, and evaluate the cybersecurity of a particular product or service. Nineteen of China’s 34 provinces are building, or have built, such facilities. Their purposes span from academic to national defense. In short, the presence of these facilities suggests a concerted effort on the part of the government, in partnership with industry and academia, to advance technological research and upskill its cybersecurity workforce—more evidence that China has entered near-peer status in the cyber domain. This report examines five of these 19 facilities that have demonstrable ties to the military or security services. China’s investment in these facilities is in line with what is known about other efforts to bolster the country’s hacking and cybersecurity capabilities. As these facilities mature, network defenders who find themselves in the crosshairs of China’s hacking teams may be subject to attacks that have been rehearsed, tested, and sometimes practiced on replicas of their own networks.
This report finds:
- China’s cyber ranges facilitate joint exercises between the People’s Liberation Army (PLA) and civilians. One competition hosted each year in Chengdu aims to replicate the North Atlantic Treaty Organization’s (NATO) Locked Shields exercise. Teams include representatives from the military, private cybersecurity firms, and critical infrastructure operators. Separately, a defense state-owned enterprise (SOE) makes a “comprehensive space scenario range” available to civilians at an annual cybersecurity competition. Each of these examples demonstrates China’s implementation of military-civil fusion in the cyber domain.
- Some cyber ranges allow hackers to practice attacking and defending critical infrastructure systems. Two ranges covered in this report provide users with training on industrial control systems within the cyber range; one of which purportedly engages in “national offensive and defensive exercises.” The Office of the Director of National Intelligence’s 2022 unclassified annual threat assessment found that China was “almost certainly […] capable of launching cyber attacks that would disrupt critical infrastructure services.” These ranges could allow rehearsals and testing of these types of attacks in the future.
- Peng Cheng Laboratory in southern China is using a supercomputer to research artificial intelligence’s (AI) application to cybersecurity. The lab’s partners include the National University of Defense Technology, China’s Key Laboratory of Science and Technology for National Defense, and Shanghai Jiao Tong University, a university with ties to military hacking teams. The lab has quickly earned the respect of longtime experts in China’s cybersecurity community.
China’s cybersecurity posture will be enhanced by the use of cyber ranges in several ways. First, China’s critical infrastructure, massive data troves, and government agencies will be better defended. Cybersecurity teams with years of experience and hours of practice on a range will be better able to defend against a variety of threats. Second, China’s attacks are likely to increase in efficacy and capability. While there are no indications to date that China has launched a physically destructive or disruptive cyberattack against another country’s critical infrastructure, the ranges covered in this report suggest such a lack of action may be based in policy rather than from a lack of capabilities. Besides making attacks on industrial control systems more feasible, other types of attacks will improve as well. For example, hacking teams have more opportunities to try new tactics, techniques, and procedures.
The cyber ranges discussed in this report are important components of China’s cybersecurity talent pipeline. These ranges’ operators and partners should be monitored, as they include a coterie of offensive and defensive talent that governments must contend with. In considering its “defend forward” mission, the U.S. government should devote additional scrutiny to the cyber ranges with industrial control systems discussed in this report, as the offensive techniques and tools used on those networks could be deployed against U.S. systems in any future conflict. Technology analysts should monitor the research published by affiliates of these institutions, as these publications may illuminate the development of technologies of interest.