
Confidential

Sample chapter from Roger Faligot’s Secret history of Chinese Spies


Copyright Nouveau Monde éditions

Chapter 12

The People's Liberation Army of cyberwarriors

Seen from the sky in December 2006, the dishes and white domes of Pine Gap
Base, south of Alice Springs, lend it the look of any ordinary satellite station. In
reality, however, it is the crown jewel of the eavesdropping technology employed
by western intelligence to spy on China.

Tourist maps for this region of red Aboriginal lands in the heart of Australia
indicate that it is an off-limits zone, while the local telephone directory lists the
social and medical departments of a 'Joint Defence Facility'. The name itself
suggests that this is not an all-Australian enterprise, and for good reason;
administered by Australia's Defence Signals Directorate (DSD) and the US
National Security Agency (NSA), the station was built in 1966 to intercept and
interpret large scale communication signals – an important part of electronic
warfare. The intelligence community habitually describes this activity as SIGINT,
an American abbreviation for Signals Intelligence.

When this major station first began operating, China was in the throes of Mao
Zedong's Cultural Revolution and the US was deep in the Vietnam War. Now, 40
years on, new technologies have seen a significant development in its activities.
Pine Gap records in real time the communications of not only the Chinese army
but also those of the armies of North Korea and Vietnam.

"Almost 800 Australian and American technicians and analysts work in the
interlacing, subterranean bunkers there," explained a former Australian
intelligence technician who I met in Canberra before travelling to Alice Springs.
"They are in direct contact with NSA headquarters at Fort Meade, in Maryland.
The information is interpreted by Group B, in charge of Asia operations."

Pine Gap is not an isolated interception station, but is in fact complemented by
a series of other Australian stations managed by the Royal Australian Navy, by the
DSD and other special services. The Asia operations also involve New Zealand's
Government Communications Security Bureau. Together, these agencies have
forged an alliance with the NSA and Canadian intelligence services, and with their
former British tutors at Government Communications Headquarters, better known
as GCHQ (and which is the second-largest interception agency for Western
intelligence, after the NSA).

It was in 1947 that GCHQ set up 'giant ears' to eavesdrop on China from
bases in Hong Kong. These were made up of a station at Little Sai Wan, which
employed 140 Australian technicians, another at Tai Mo Shan, in the New
Territories, and a third which was a satellite station called Fort Stanley, situated
on the Chun Hom Kok peninsula and managed by Britain's Royal Air Force and
Australia's DSD.

Before Hong Kong was handed over to Chinese rule in 1997 [1], the British
dismantled the stations to avoid them falling into the hands of the 'cannibals' of
the Third Department of the People's Liberation Army, China's own SIGINT corps,
otherwise known as the San Bu. In the process, GCHQ set up smaller 'ears' at the
British High Commission housed in a consular building dubbed 'Fort Alamo'.
Australia, meanwhile, set up a separate interception unit also at its consulate in
Hong Kong, which was linked up to the Watsonia base near Melbourne.

[1] Li Kenong's Diaochabu succeeded in infiltrating its Cambridge-educated secret agent
John Tsang within the Little Sai Wan station in Hong Kong (run by GCHQ and the DSD), until
he was finally unmasked in 1961. See: Roger Faligot, Rémi Kauffer, Kang Sheng, op.cit. and
also Duncan Campbell, The Spies Who Spend What they like, in The New Statesman, 16
May, 1980.

The icing on the cake came with the planting, shortly before the Union Jack
was replaced by the Red Flag over Hong Kong, of hundreds of bugs and other
listening devices within the Prince of Wales military barracks which would soon be
transformed into the local headquarters of the People's Liberation Army (PLA).

When Operation KITTIWAKE, led by the Fort Stanley satellite station, was
abandoned in 1993, it was retrieved by the DSD which ran it out of the Geraldton
satellite station in Western Australia. The mission remained the same, including
telemetric analysis of Chinese ballistic missile tests, satellite launching, reception
of information from satellites performing photographic intelligence (PHOTINT),
electronic intelligence (ELINT) and other intelligence gathering over China.

Thus, as part of an eavesdropping pact among English-speaking countries
which was established at the start of the Cold War, these activities come under
the system known as ECHELON, a subject of controversy in Europe because of
its Big Brother capability of intrusion into the lives of ordinary citizens whose
intimate telephone conversations, fax messages or email correspondence can be
tapped into.

But here, in the middle of the Australian desert, the technicians entertain no
moral dilemmas about their job; Red China, regarded as an unscrupulous
dictatorship, set on a threatening path of military development and with an
aggressive economy, is under surveillance night and day. Alice Springs is a site of
choice for specialists. This small town, where tourists mingle both with aborigines
and, unwittingly, intelligence engineers, has a long tradition in communications
and interception, for the local topography lends itself to the tasks.

In 1870 a telegraph station was built here by Charles Todd, who gave his name
to the nearby river. The station relayed the towns of Adelaide, on the southern
seaboard, and Darwin, on the northern coast, from where they were linked with
the rest of the British Empire through Hong Kong and other British stations based
in Tianjin and Shanghai [2].

[2] See Doris Blackwell, Douglas Lockwood, Alice…on the line, Outback Books, Alice
Springs, 2001.

It was during these same Victorian years that Chinese gold-diggers from
Fujian came to Alice Springs, as illustrated by a place known as
Chinaman's Creek which lies just outside the town on the road leading to
the DSD-NSA secret station. But it is the newly-arrived Chinese who today
interest the Australian Security Intelligence Organization (ASIO), a counter-
espionage agency which is convinced that within the wave of dynamic
immigration lurk some 'deep-sea fish', or chendi yu – agents of the
Guoanbu, the Chinese secret services. They are responsible for turning
around and recruiting engineers or linguists of Chinese origin with
sentimental appeals to their allegiance by reminding them that at heart they
belong to the great community of Chinese people overseas, the Huaqiao.

According to the US journalist and author James Bamford, who has
written a historical account of NSA activities, it was above all a technical
reason that made Pine Gap a key part of Western SIGINT operations. In
the 1960s, a spy satellite intercepted non-encrypted information which it
relayed directly to Pine Gap, avoiding the risk that Soviet spy-trawlers might
access the contents - which would have alerted Moscow to what had been
'stolen'. At the time, the Chinese did not have the technical know-how to
play in the same league, although it would be only a matter of time before
they acquired it. Because Alice Springs is such an isolated spot, sited in the
middle of the vast country and continent that is Australia, the patrolling spy-
trawlers were too far away to pick up the 'footprint' of the signal. Back at
Pine Gap, the information was in turn encrypted and sent back up to
another satellite which then relayed it on to the NSA base at Fort Meade [3].

[3] James Bamford, Body of Secrets, How America’s NSA and Britain’s GCHQ Eavesdrop
on the world, Arrow, London, 2002.

Soon after the 1972 election victory in Australia of Gough Whitlam's
Labor Party, and following the decision to open diplomatic relations with
China, the CIA became convinced that Canberra would move to close
down Pine Gap – which would have been a proper catastrophe for the
Anglo-American intelligence community. The head of the CIA's East Asia
Division, Theodore Shackley, even went as far as encouraging several
operations aimed at destabilising Whitlam's government, along the same
lines as those practiced against the Labour government of British Prime
Minister Harold Wilson [4]. Within democracies, the secret services respect
the system and the constitution as long as their prerogatives are not
challenged; some of their chiefs would prefer to live with the Chinese
system, for in Beijing at least the intelligence services are in power,
alongside the party and the army.

In the end, Pine Gap survived the threat, and proved to the Australian
government its worth in the secret war; it was thanks to Pine Gap that
Canberra was alerted to the 1975 Indonesian invasion of East Timor, and
was able to see through the communications of the Chinese army (if not
being able to break the codes, at least to study the large-scale flow of the
communications). Proof of this came on February 17, 1979, when Pine Gap
was the first of any source to detect the Chinese invasion of Vietnam, led
by General Yang Dezhi, former commander of the Chinese "volunteers" in
the Korean War.

[4] Brian Toohey, William Pinwill, OYSTER, The Story of the Australian Secret Intelligence
Service, Mandarin Australia, Melbourne, 1990.

During the Sino-Vietnamese conflict, Chinese communications were
jammed by Soviet spy-boats, following a defence pact signed between
Moscow and Hanoi the previous year. The Chinese offensive was aimed at
surprising 'from behind' the Vietnamese who had launched a blitzkrieg on
Cambodia, capturing several thousand Chinese advisors to the Khmer
Rouge. But the Chinese attack on Vietnam ended in an embarrassing and
bloody failure for the PLA and for Deng Xiaoping, back in power after his
difficulties during the Cultural Revolution. But 'chubby' Deng had the talent
for bouncing back from adversity and, drawing upon the lessons of the
debacle in Vietnam, he proposed a wide-ranging reform of the PLA,
beginning with its intelligence and electronic warfare services.

Rough seas hit the Oxford and 'Oyster' operations

Local operations also play a part in electronic surveillance of China,
which the US targets with quite audacious methods of reconnaissance and
interception (note the case of the EP3 spy plane incident detailed in
Chapter 8). When the Pine Gap SIGINT base was built in 1966, the NSA
also used spy boats such as the USS Oxford (code-named AGTR-1), a
vessel bristling with antennae, displacing 11,000 tons and capable of 11
knots – when it wasn't anchored at Yokosuka in Japan. With 250 officers
and crew, it was often patrolling the South China Sea, observing the
turbulence of the Cultural Revolution by intercepting communications by the
Chinese Communist Party and the PLA. In 1966 the USS Oxford was
caught in a typhoon while on patrol and almost driven onto the Chinese
coast; by a miracle it was finally washed back out to sea and was eventually
able to limp to shelter in Taiwan. It was a narrow escape from shipwreck for
the Oxford, which had been close to finding itself captured like the USS
Pueblo would be, two years later in January 1968, when it was intercepted
at sea by the North Korean military. Had the Chinese been able to capture
the Oxford, they would have dismantled every aspect of the vessel to both
study enemy spying technology and to adapt some of the technology for
their own use. The opportunity would have had all the more significance
because in the case of the Pueblo, China was beaten to the mark by the
USSR. Moscow subsequently obtained from North Korean Communist
leader Kim Il-sung, an ally of both the USSR and China, NSA intelligence
secrets revealed after scrutiny of the dismantled vessel [5].

One year earlier, in 1967, US intelligence was involved in another close
shave with the Chinese; the USS Banner, a vessel of the same type as the
Pueblo, was in international waters at 25 nautical miles from Zhoushan
Island, close to Shanghai, when it was encircled by fishing boats. "I had the
impression they were trying to take me under tow, or something similar,"
later explained the skipper of the Banner, Lieutenant Commander Charles
Clark. "They came as close as five yards. Two of the boats had bigger guns
than we did but I thought that, even though our guns were smaller, we had
the possibility of repelling them." [6] In the end, the Chinese militia received
an order not to proceed with an act of piracy and the American spy boat
was able to return to Japan without opposition.

But of course, the US also employs other, less risky methods, encircling
China with ground listening stations jointly operated with Japan, South
Korea and Taiwan [7].

[5] In the summer of 2007 the Pueblo continued to be a subject of negotiation. With grand
magnanimity, Kim Jong-il suggested the vessel might be handed back to the US in exchange
for concessions over North Korea's nuclear programme.

[6] cit. in Bruce Swanson, Le 8ème voyage du Dragon, Histoire de la Marine chinoise, Plon,
Paris, 1982. Translation from the original 'Eighth Voyage of the Dragon: A History of China's
Seapower' published by Naval Institute Press.

[7] For more information on the Japanese system, see: Roger Faligot, Naisho, Enquête au
cœur des services secrets japonais, La Découverte, Paris, 1997.

To return to Australia; another simple manner with which to intercept
communications is to eavesdrop on the Chinese embassy in Canberra. I went
to the Australian capital for research on electronic warfare between the
Chinese and their adversaries. There I met with Professor Desmond Ball, at
the Australian National University's Strategic and Defence Studies Centre,
whose work enjoys international renown. "In our opinion the Third
Department (San Bu) has not set up an important listening station in the
Canberra embassy, because there are no dishes or bunches of antennae
to be seen," Professor Ball told me. "The eyes and ears of Mrs Fu Yi, the
ambassador, are more to be found within the Chinese community." [8]

Heading for Coronation Drive the next day, I noticed that just one, narrow
street separates the British High Commission from the Chinese Embassy.
As always, the British have a flourishing collection of antennae, and the
GCHQ team present here under diplomatic cover happily intercept the
communications of their honourable neighbours. It is obviously easier to do
so in Canberra than in Beijing. There, Chinese counter espionage – the
Guoanbu tasked with embassy surveillance – has constructed large
buildings which surround the foreign embassies, all grouped together in
Beijing's Dongzhimen quarter, and which complicates the operation of
embassies' listening equipment. The Guoanbu, meanwhile, has built a
microwave tower to capture communications emanating from the
embassies [9].

[8] Interview with Desmond Ball, Canberra, December 2006.

[9] The system is detailed by a former agent of Canada's Communication Security
Establishment (CSE). See: Mike Frost, Michel Gratton, Spyworld, Doubleday, Canada, 1994.

In Canberra, for want of being able to externally intercept all
communications, the Australian intelligence services devised another
means of interception when the Chinese diplomatic mission changed
address in 1990. With the help of 30-odd NSA technicians, the Australian
Secret Intelligence Service (ASIS) – code-named Oyster – bugged the new
embassy. One Australian newspaper picked up the scent of the operation, and
it took all the diplomatic skills of the head of ASIS to dissuade them from
publishing a story. The damage would have hit not only the secret services
but also Australian foreign diplomacy. But the efforts to hide the operation
were eventually to no avail, for Chinese ambassador Shi Chunlai would
later learn how the embassy had been bugged from a report in Time
Magazine. As could only be expected, this type of action is increasingly
frequent ever since the Chinese overtook the spying skills of the former
USSR.

The schooling of Chinese intelligence

Whether a question of sweet revenge or not, it was during the 1990s that
Chinese presidents Deng Xiaoping, Yang Shangkun (who was accused of
planting bugs in the offices of Chairman Mao during the Cultural
Revolution) and Jiang Zemin all encouraged the creation in their country of
the most powerful electronic surveillance system second only (for now, but
how much longer?) to that of the United States.

The huge empire of Chinese listening services wasn't built from scratch.
As of the 1930s, when Zhou Enlai led the secret war against the
Kuomintang nationalists in Shanghai, Deng Xiaoping (Zhou Enlai's comrade
during their time together in Paris), supervised the training of technical units
in communist bases in southern China. Their friend Nie Rongzhen, the
'telegraphist' from the City of Light 10 years earlier, was responsible for
setting up a clandestine radio network in Hong Kong, creating wireless
liaison with the Comintern in Kharbine and Vladivostok. At the same time,
Li Kenong - another former 'Parisian' who would later become head of the
Chinese Communist Party's secret services, organised the infiltration of the
radio services operated by the communists' rivals, the Kuomintang.

It is therefore of no surprise that, in November 2006, the PLA
commemorated the first school of communications established by its
predecessor, the Chinese Workers' and Peasants' Red Army. It was Deng
Xiaoping who, in March 1933, chose the site for the school, at
Pingshangang in the province of Ruijin. Even now, the young Chinese
SIGINT technicians and the PLA's apprentice radio operators travel in
reverential pilgrimage to this historic site. What they learn during such trips
is astounding; when the school was running, and over a period of just a few
months, 2,100 liaison systems were established in a star-like network
across White and Red China, this long-obscured radio-electric
communications warfare greatly contributing to the success of the communists'
Long March to power.

Once the Chinese Communist Party (CCP) reached power, in 1950, Li
Kenong (aka 'the smiling Buddha') was head of the party's secret service,
the Department of Social Affairs. But he was at the same time also joint
chief of General Staff of the PLA. It is under this last title that the man in
dark glasses oversaw the two major intelligence sectors, the Second
Department (Er Bu), in charge of military espionage, and the Third
Department (San Bu) [10].

Right up to now, the system has hardly changed; when I was in Beijing in
July 2007, General Chen Xiaogong, the son of a friend of Zhou Enlai, was
in turn nominated to this mighty post of Chinese intelligence [11]. The one
difference is the creation of an additional agency, the Fourth Department
(Si Bu), set up two decades ago to cover new aspects of electronic warfare,
sharing with the Third Department the huge responsibility for the war in
cyberspace. The Internet is a new battlefield on a scale that Mao Zedong
could never even have imagined.

[10] Several major intelligence figures succeeded one another in this post. We have already
dealt with several of them, while others figure at the end of this book in the section of mini-
biographies. But to note some of the most prestigious: General Kong Yuan, General Xu Xin,
General Xiong Guangkai, General Chen Xiaogong.

[11] See the article on his nomination in Intelligence Online, 23 August, 2007.

General Qiu Rulin contemplates his empire from within his top-secret
Xionghongqi headquarters in Haidian, a district in the north-west suburbs of
Beijing named after ponds dating from the period of the Ming emperors.
Established in 1950, counting among its staff some 20,000 technicians, the
general's Third Department (San Bu) of the PLA is responsible first and
foremost for the interception of communications by foreign armies. But it
has also considerably increased activities of research and development.

Not far from the general's HQ, another Beijing quarter called Xibeiwang
houses the San Bu's largest communications interception station. But even
this is just one of many dozens of bases dedicated to gathering and
decoding all signals emanating from the Russian Federation as well as
Muslim, formerly Soviet, republics, along with India and south-east Asia,
North and South Korea, the two 'priority enemies' that are Taiwan and
Japan and, last but not least, the 'principal enemy' that is the United States.

According to specialists who have examined numerous satellite pictures,
each Chinese region contains Third Department stations (Beijing,
Shenyang, Chengdu, Canton, Lanzhou, Jinan and Nanking). The stations
have a geographical function; for example, that of Chengdu watches over
Tibet and India, while that of Shenyang covers Korea and Japan.

Other sites are found close to Jilemutu and Lake Kinghathu in north-east
China and on the southern seaboard close to Shanghai and the military
Fujian and Cantonese districts which are on constant alert with Taiwan. Yet
more stations exist in Kunming, north of Vietnam and Myanmar (formerly
Burma), as well as in Lingshui, at the tip of the large southern Chinese
island of Hainan. In 1995 the capacity of the Lingshui base was increased
to cover the South China Sea, the Philippines and Vietnam, the latter being
also targeted by a string of bases close to its border with China and, since
the 1980s, by two others established on the Paracel Islands. In addition to
stations at Kashi and Lop Nor, two others have been set up in the Xinjiang
region of western China; of these, the facility in Dingyuanchen is aimed at
Russia and Muslim former Soviet republics while that in Changli, close to
the Xinjiang capital of Urumqi, is aimed at intercepting satellite
communications.

All of which moved Desmond Ball to comment in 1995 that "China has by
far the widest SIGINT operations of any country in the Asia-Pacific
region." [12] It was thus only to be expected that ten years later China had
already caught up with the world's big players in SIGINT, namely the United
States, Great Britain and the Russian Federation.

Together, the San Bu and the Second Department (in charge of
intelligence) share the use of a number of institutions and schools for the
training of staff from both agencies. The most important of these is the
PLA's Institute of Foreign Languages in Luoyang, administered by the San
Bu. The technicians and officer cadets are not only required to engage in
linguistic courses abroad (at times disguised as being regular arts or
languages students in those countries of interest), but also to travel to far-
flung corners of China where SIGINT bases are sited, like Mongolia or
Xinjiang, in order to master local dialects and to accustom themselves to
the tough mountain climates.

Among the many bodies dedicated to military communications and their
interception also figures the PLA's Department of Communications, headed
by General Xu Xiaoyan. He is responsible for liaison between the Central
Military Commission (staff headquarters) and various other units, as well as
ensuring the protection of certain highly sensitive government telephone
lines.

[12] Desmond Ball, Signals Intelligence in China, Jane’s Intelligence Review, August 1995.

In 1991, the Fourth Department (Si Bu) was transferred from
Xionghongqi, where San Bu headquarters are based, to Tayuan, close to
the Summer Palace in Beijing. It was a demonstration of its growth in
importance. There was a simple reason for this; as a department
responsible for electronic warfare it carries out information warfare
activities, employing naval and aerial means such as new spy planes,
notably Chinese AWACS aircraft of Russian origin. Since 1997, these
Ilyushin Il-76 planes have been operating with Israeli-made Airborne Early
Warning (AEW) systems [13].

The boss of the Fourth Department, General Dai Qingmin, is often
presented as the master of information warfare, meaning that he has
modernised, along with a few other theoreticians, "the war of the people in
the era of information technology." Put simply, this involves launching
electronic attacks to camouflage ongoing military operations, damaging an
enemy's airborne early warning alert, communications jamming and the
neutralising and paralysing of an enemy's means of retaliation; it is the art
of fooling one's enemy in every conceivable (and deceivable) manner.

A veritable ground shift occurred in the early 1990s when PLA strategy
switched from a defensive stance to the adoption of an offensive drive in
electronic warfare - in concert with regional San Bu units across the three
military wings that are the army, air force and navy.

[13] Chapter Seven details Jiang Zemin's plan for the development of intelligence activities.

In order to constantly adapt and modernise their systems, the Third and
Fourth Departments are service providers for the major espionage
agencies operating abroad. These include the Second Department, the
PLA's Liaison Department (Lianluobu) - part of the Political Department -
and numerous research institutes and front companies created by the
Commission of Science, Technology and Industry for National Defence
(COSTIND).

None of which stops the Chinese from also selling part of their
technology to other countries, preferentially to allies in Asia and the Middle
East, through the conduit of the China National Electronics Import and
Export Corporation (CEIEC). We will soon see how, with the turn of the new
millennium, the Third and Fourth Departments moved up to a higher level in
information warfare, entering the virtual battlefield of the Internet and
becoming the top player as regards putting to use its cyberspace war tools.

SIGINT interception stations in China (Source: Desmond Ball)

When the CIA and Germany's BND helped the Chinese


Before they embarked upon information warfare, the Chinese were
offered an extraordinary training school, run by the very enemy they had
been fighting for so long; this unexpected and amicable collaboration was
created by joint mistakes made by the Chinese and US intelligence
services. As we have already seen, the 1979 Islamic Revolution in Iran, led
by Ayatollah Khomeini, took China by surprise. Just as it did the US, which
in the process lost its major interception base at Mashad, a radio electrical
station it ran with the British to eavesdrop on the USSR. American reaction
was swift; in April 1979 the then-US President Jimmy Carter gave his
agreement for negotiations to begin with Deng Xiaoping for the setting up of
a joint-cooperation project to build listening bases aimed at the USSR. The
world turns, and the 'Big Ears' in one spot fold only to spread out again in
yet another…

CIA director Admiral Stansfield Turner travelled to Beijing amid such
secrecy that he even wore a false moustache so as not to be recognised
by any lurking KGB agents [14]. In May 1979, it was Deng in person who told
US senators that he would allow the setting up of interception stations in
China on the condition that they would be run only by Chinese engineers;
more negotiations followed.

[14] Bob Woodward, Veil: The Secret Wars of the CIA, 1981-1987, Simon & Schuster, New
York, 1987. In this book, the celebrated Washington Post reporter explains how the Soviet
authorities would have been astounded had they known the extent of Sino-American
intelligence cooperation – and which was not limited to listening stations (p.386).

Ronald Reagan's arrival in the White House in 1980, and with it the
appointment as CIA director of his friend Bill Casey, served to strengthen
the moves for cooperation because of the obsession they shared in
common with the Chinese; that of provoking the fall of the Soviet Union.
The negotiations were finalised by Geng Biao, China's defence chief who
was nominated to the job ten years earlier by Zhou Enlai - then head of the
Chinese Communist Party's International Liaison Department and a
specialist in intelligence.

"Admiral Bob Inman, previously director of the NSA who became No2 in
the CIA and who I knew well at that time, brought Chinese technicians over
for training while the listening stations were built with the NSA along the
Chinese border," remembers Desmond Ball. We were discussing China's
collaboration with the West, in particular how the CIA and the Chinese
secret service had already worked together to arm the mujahideen during
the anti-Soviet Afghan War.

The transfer of Chinese technicians to the US for training was supervised
by the CIA's Beijing bureau chief David Gries. He was a fluent Mandarin
speaker, thanks to his time at the Taichung school of languages in Taiwan,
which just a short while earlier had been the principal base for the battle
against the continental Reds [15].

Under the code names SAUGUS and SAUCEPAN, the listening stations
at Qitai and Korla, in Xinjiang, were built under management of the CIA's
Science and Technology Directorate. Technical equipment was supplied by
the NSA and the CIA's Office of SIGINT operations (OSO). In the end, the
stations were jointly managed with the Chinese over the period of a
decade. The original brief for the stations was to practice telemetric
monitoring of both Soviet missile trials (part of the observance of the SALT-
2 arms limitation agreements) and rocket launching in central Asia close to
the Aral Sea – as well as possible nuclear trials. Latterly, their SIGINT
activities were widened to include other communications intelligence
gathering missions (COMINT and ELINT).

[15] His successor as head of the CIA station, Keith Riggin, is interestingly head of a
consultancy company called Pamir Resources & Consulting, Inc. The SIGINT operation was
baptised 'PAMIR'.

There was yet another, quite novel, side to the operations; technicians
from West Germany's federal intelligence service, the
Bundesnachrichtendienst (BND), took part in the collaborative missions,
following negotiations initiated after the BND's first permanent Beijing
bureau chief, Herr Reinhart Dietrich, was set up in his post in 1982. In
protest at the massacre of student demonstrators during the June 1989
Tiananmen Square protests, the US decided to pull out of its manning
missions in the China listening stations; they opened others in the more
politically correct site of Outer Mongolia.

The West Germans, now left alone in what had been dubbed Operation
PAMIR, soon increased the importance of their own role. With the
cancellation of any further training of Taiwanese engineers (an activity that
was part of an original agreement for work task division between allies), it
was the technicians of the PLA's Second and Third Departments who now
travelled to Munich to be trained. They were assigned to the BND's school
of communications and to the listening station near Söcking, jointly run with
the West German army, the Bundeswehr. At this time, the BND was in
relations only with the Department structures within the PLA's staff
headquarters, and this because the Chinese military attaché in Germany
was none other than the head of the Second Department, General Xiong
Guangkai.

The arrival, immediately after the events of Tiananmen Square, of some
50-odd Chinese specialists in West Germany for technical training was to
lead to an embarrassing problem; some of the group used their free time to
travel in search of information on Chinese dissidents living as refugees in
the country, even contacting the regional Länder bureaux of German
counter-intelligence, the Bundesverfassungsschutz, in the hope of finding
their details.

Back in the mountains of Xinjiang, Operation PAMIR was to witness
some acrobatic twists. Chinese fighter planes occasionally crossed
deliberately into Soviet airspace to test reaction capacities; the BND
technicians of the PAMIR listening stations would record and analyse their
'opponent's' communications. Such operations were of all the more interest
because the Soviets never reacted to similar missions carried out in
Europe.

While the USSR was entrenched in the war in Afghanistan, it organised
spying missions against the listening stations just across the Chinese
border. For these it called upon the resources of the Afghan State security
services (WAD), a 70,000-strong force founded by the pro-Soviet Afghan
President Mohammad Najibullah.

"Dr. Najibullah ordered the WAD to mount intelligence and infiltration
operations against the BND station in the mountains," explained Erich
Schmidt-Eenboom, a German investigative journalist and renowned
authority on the activities of the BND, who I met at his impressive
documentation centre close to Munich. "I interviewed a former WAD captain
who operated in Tajikistan. He told me that (WAD) agents succeeded in
examining the dustbins at the station, negligently left outside before their
contents were destroyed, and they concluded that the Germans didn't stop
at spying against the Soviet Union and Afghanistan, but also spied upon
Chinese telecommunications."16

Blinded by their hatred of the Soviet system, Western powers cooperated
with the Chinese in other world theatres, such as against the pro-Soviet
guerrilla forces in Angola, or in Cambodia in operations to supply weapons
to the ousted Khmer Rouge, all the while leaving Beijing free to move its
pawns in concentric zones.

16
Conversation with Erich Schmidt-Eenboom, 14 August, 2007. This former Bundeswehr
officer is the author of a history of the BND, Schnüffler ohne Nase, Der BND, ECON Verlag,
Düsseldorf 1994. For more on the organisation and history of the Afghan services, KHAD
and WAD, see Volume Two of our history of world intelligence: Roger Faligot, Rémi Kauffer,
Les maîtres espions, De la guerre froide à nos jours, (prefaced by Alexandre de Marenches),
Robert Laffont/Gérard de Villiers, 1994.

The San Bu farms out its listening stations

The San Bu also succeeded in exporting its listening bases into zones
where it enjoyed political influence and allegiance, in the main within
dictatorships. Thus it was that such a base had been set up in the heart of
the Chinese embassy in Belgrade. It was the reason for its destruction in
1999 in a US bombing raid during the NATO offensive against Serbia.
Similarly, a SIGINT base operated out of the Chinese embassy in Baghdad
until the US-led invasion of Iraq. The embassy was mysteriously looted in
April 2003, after its personnel had fled to Jordan, when electronic and
computer equipment was stolen.

In the regions closer to China, it is with the ruling regimes of Laos and
Myanmar (formerly Burma) that the Chinese have established the best
relations. The SIGINT base at Hop Hau, in Laos, which began operating in
the 1960s, was modernised to cover a wider area in 1995. Similarly, in the
early 1990s, Chinese technicians built a SIGINT base on the Myanmar
island of Great Coco, 50 kilometres (30 miles) north of India's Andaman
Islands. It allowed surveillance of the Malacca Straits through which pass
thousands of vessels, as well as tracking Indian missile trials in the Bay of
Bengal. Following on this, the Chinese set up another half dozen bases
along the Myanmar coast.

But they didn't stop at setting up fixed-mast bases to spy upon the larger
regional powers and their neighbours. In 1997 they supplied the Myanmar
junta, then headed by the secret services chief General Khin Nyunt, with
mobile SIGINT units set up in vehicles, giving the Myanmar military the
chance to intercept communications by the guerrilla forces of the United
Wa State Army, a minority group fighting the junta and positioned along the
frontier with the Chinese province of Yunnan17.

Spying under cover of oceanography

Under the framework of the Four Modernisations programme during the
early 1980s, Deng Xiaoping decided to re-launch the 'maritime spirit' of
ancient China; this was nothing surprising for someone belonging to the
Hakka, a people with a long history of travel and commerce. But his
nomination in 1979 of Ye Fei to the post of political and military head of the
Chinese Navy was met with disbelief by many, who wondered how he
could have appointed a man without any knowledge of the sea. Although
Ye Fei had fought alongside Deng in the war against Japan, his previous
post was that of minister of communications.

But one thing explains the other; the 'little helmsman' wanted to lead a
modernisation and development in the field of communications. Thus the
Chinese embarked upon building ships for information-gathering, the
vessels placed under the authority of either the San Bu offices within
coastal military regions or that of the navy's central intelligence service, the
Haijun Qingbaoju. This large network of maritime listening posts is also
dependent upon the defence ministry's Department of Science and
Technology, which was for years headed by Wang Tongye and General
Nie Li, a specialist in satellite and oceanographic intelligence and
vice-minister of COSTIND. General Nie Li is none other than the daughter of Nie
Rongzhen, the 'Parisian telegraphist', friend of both Deng Xiaoping and
Zhou Enlai and himself a long-time head of the scientific development
programme of China's defence systems.

17
Desmond Ball, Burma’s Military Secrets – Signals Intelligence (SIGINT) from 1941 to
Cyber Warfare, White Lotus Press, Bangkok, 1998.

The programme saw the building of a dozen-strong fleet of spy ships
which, copied on the Russian model, were spread out across the Asia
zone. They are often presented as being oceanographic vessels belonging
to the Chinese Academy of Sciences. Indeed, they do carry out
topographical studies of a seemingly pacific nature. This is for example the
case of the Shanghai-built spy ships Yuanwang 1 and Yuanwang 2. They
were observed for the first time in 1980, in the Pacific Ocean where they
followed and analysed the launch of intercontinental missiles (ICBMs). In
1986 Beijing officially described the Yuanwang 1, captained by Zhu
Pengfei, as "a detection and survey vessel, 190 metres long with a top
speed of 20 knots, capable of detecting the trace of space navigation
apparatus, to record information, to carry out verification and recovery,
etc."18 The final "etc" is one that hides many a secret!

According to British sources, the presence of one of these spy ships
coasting off Hong Kong in 1993 caused communications interference with
GCHQ. The importance of this is that it happened just as Fort Stanley had
begun to be dismantled19. One decade later, a third and more recently built
Yuanwang regularly rides the sea north of Taiwan. Electronic intelligence
gatherers congregate around Hong Kong and Taiwan but also the Spratly
Islands, where the Chinese set up a small listening post. Others, such as
the ships belonging to the intelligence department, appeared to be destined
for operations against Vietnam; the Xiangyang Hong 09, the Xiangyang
Hong 05 (SIGINT) in 1988 as well as the Xiangyang Hong 10 (COMINT).
From the beginning of the new millennium, this fleet, accompanied by other
new vessels, carried out ever more daring missions, including some brief
incursions into the territorial waters of China's neighbours Taiwan and
Japan in an effort to test their reactions.

18
Beijing Information, 13 January 1986. See also an article by Yu Qingtian, Deux villes
scientifiques flottantes, in La Chine en construction, May 1987.
19
The Far Eastern Economic Review, 3 August, 1993.

Without giving an exhaustive cartographic or chronological list of these
operations, the following are three small episodes in this war of
nerves which, by all accounts, increases in intensity every year as China's
Chiefs of Staff widen their area of navigation20.

- May-June 2000: the Haibing navigated the northern sector of the Sea of
Japan before carrying out a circular tour of the archipelago, passing through the
Tsugaru Strait (recognised by international maritime law as a free passage to all
international ships) and entering the Pacific Ocean upon passing Honshu Island.
According to Japanese Self-Defence Forces the vessel was on a military
intelligence mission.

- April 2002: the Xiangyang 14, based in Canton, entered Taiwanese
territorial waters.

- July 2004: the Nandiao 411 (the vessel's name formally signifies 'song
of the south' but its Chinese pronunciation allows a double-entendre, the
other meaning being 'to carry out intelligence') was located by a Japanese
P3-C plane close to the island of Okinotorishima. The Chinese ship, part of
the South China Sea fleet based at Zhanjiang, in the Province of Canton,
returned to the same spot in May 2005.

20
Note here the following vessels: Xing Fengshan (V856), Beidiao N°841, and the Yanha
519 which was modified and relaunched as the Yanha 723. For detailed descriptions, see:
Bernard Prézelin, Les flottes de combat.

But with the beginning of the 21st Century, the PLA succeeded in
widening the realm of its maritime listening posts well beyond such regional
coasting missions - by implanting itself in Cuba.

China sets up its 'ears' in Cuba

In 1961, during the quarrel between the USSR and Albania, 12 Soviet
navy Whiskey-class submarines were scuttled and abandoned by their
crews in the Albanian port of Vlorë. China negotiated possession of four of
the submarines. Italian intelligence services informed NATO four years later
that the same submarines, crewed by Chinese sailors, were carrying out
exercises in the Adriatic (tantamount to the Mediterranean).

A more diplomatic, but for the US doubly worrying, Chinese expansion
occurred at the end of the cold war, in Cuba. The Russians, now on more
friendly terms with China, decided to hand over to Beijing their prize former
bases on the island; these included Cienfuegos, which became a haven for
Chinese submarines, and Pine Island, where Chinese spy ships have been
seen anchored. But the most important base handed to the Chinese by the
Russians was the SIGINT facility at Lourdes, in the province of Havana.
Created in 1974 and run by the GRU, Russian military intelligence, it is now
operated by the San Bu. Furthermore, during the 1999 visit to Cuba by
China's defence minister Chi Haotian, Beijing successfully negotiated for
the creation of a second SIGINT base. The new facility, at Jeruco, some 50
kilometres (30 miles) east of Lourdes, is dedicated to eavesdropping on
civil and military telecommunications across the continent of North America.
There was more to come; Fidel Castro's brother Raúl Castro, nicknamed
'El Chino', was instrumental in facilitating intelligence swapping between
China's Guoanbu and Cuban intelligence (the Dirección General de
Inteligencia headed by General Eduardo Delgado Rodriguez), with a base
jointly operated by the two services at Bejucal21.

In recognition of these good relations, the Cuban regime promoted to the
top of the island's military tree three generals of Chinese origin (all had
fought alongside the Castro brothers and Che Guevara); these were
Armando Choy, Gustavo Chui and Moisés Sío Wong (the latter also
president of a China-Cuba friendship society22).

Perhaps the US had been mistaken to cut off its SIGINT alliance with
China in 1990. On many occasions I have been struck by the history of the
turning and swapping of such alliances, in which the Chinese show an
astonishing capacity to always keep two irons in the fire; they keep tabs on
the Soviets through the Americans, then the Germans, and they keep tabs
on the Americans using the very techniques the US has taught them - but
using Soviet facilities.

During this same period another battlefield was developing, that of
information warfare, a hand-down from what was initially an invention of the
US army developed during the Vietnam war: the Internet.

China and the challenge of the Internet

In 1993 the Chinese government decided to develop an information
infrastructure capable of accompanying the country's economic boom.
Prime Minister Zhu Rongji launched a series of 'Gold' projects. The Golden
Bridge was the plan to computerize China's economic infrastructure and its
links with the fields of science and technology. Golden Cards was a plan to
distribute a credit card system of payment to 300 million Chinese, and
Golden Customs was yet another plan to streamline foreign trading23.

21
See Intelligence Online, N°529, 25 August 2006.
22
The Asociación de Amistad Cubano-China. See: Nuestra historia aún se está
escribiendo, La historia de tres generales cubano-chinos en la revolución cubana – Armando
Choy, Gustavo Chui, Moisés Sío Wong, (Published by Mary-Alice Waters) Pathfinder Press,
New York, 2005.

Following on the success of these computerization projects, the State
Council announced the launching of three more: Government Online,
Enterprise Online and Family Online. The inherent problem for Beijing was
that these networks were theoretically bound to the Internet, with all the
'dangers' that that posed to an authoritarian state which sought to control
the movement and even the ideas of its citizens.

Fearing the anarchy of the World Wide Web, (or Wan Wei Wang in
Chinese, meaning 'ten thousand three-dimensional networks'), Jiang
Zemin's team created in 1995 a special central regulation agency, while the
post and telecommunications ministry set up a commercial network called
ChinaNet. The following year four state-controlled access providers offered
global internet access: ChinaNet, with a China Telecom infrastructure;
ChinaGBN, using the same infrastructure but dedicated to serve the
ministry of industry and electronics; and CERNET, which served the State
Education Commission, and CSTNet, attributed to the Chinese Academy of
Sciences, which were both given their own, separate infrastructures. During this
same period, CBnet director Zhang Ping offered a subscription to the China
Business Information Network, with an archive system for the China Daily,
and connection to the internet24.

Without entering into the technical detail of the matter, suffice it to say
that as of 1998 national security considerations were threatened by the
existence of any private networks outside the monopoly of China Telecom.
Nevertheless, parallel networks such as Unicom and China Netcom were
allowed to operate. Despite the danger posed by the 'e-democracy', the
Chinese government (including the PLA, the Communist party and the
intelligence services) saw an opportunity with the Internet. Propaganda
operations were handed over to an 'Internet Propaganda Bureau' as of
2000, while the New China News Agency and the PLA developed quite
elaborate websites. The central committee's International Liaison
Department (ILD), a major political intelligence service, created its own
website, as did the China Institute of Contemporary International
Relations (CICIR) which, as already mentioned, is run by the 8th Bureau of
state security, the Guoanbu. Naturally, the Public Security Bureau, which
controls the police, also created its own website with sections dedicated
to regional information and address details allowing citizens to contact local
authorities directly.

23
Details of this operation and many others feature in a thesis by second lieutenant
Sébastien Manzoni, L’infrastructure nationale de l’information en République populaire de
Chine – une illusion de liberté, written under the supervision of Catherine Sarlandie de la
Robertie, Social and Political Sciences Division, Ecole Spéciale militaire de St-Cyr, école
militaire interarmes, école militaire du corps technique et administratif, June 2003.
24
Correspondence between the author and Zhang Ping (Beijing, 10 November 1994).

On all of these sites the pages in Chinese are far richer in
information than the pages in English, resulting in interesting differences.
An example is the censorship of the English-language pages on a site run
by the University of Tsinghua, in the History section telling the story of
Chinese intelligence and the role of Li Kenong, the former head of the
CCP's special services25.

The Chinese authorities were fearful of the possibility opened up by the
Internet that information useful to researchers or civil servants - but which
was prohibited to the public - could now leak out. Thus came the idea of
creating a national intranet, in parallel to the internet. As of 1996, the China
Internet Company began devising a virtual Great Wall in the form of a
high-security, China-wide web operating within a closed circuit26.

25
http://history.54tsinghua.cn/9-12-1-12.htm

State security, the Guoanbu, responsible for espionage missions abroad,
played its part in efforts to ensure protection and control of information
technology (IT). In June, 2001, the agency's principal IT specialist, He
Dequan, delivered a special conference to the members of the State
Commission, including Prime Minister Zhu Rongji, who afterwards
announced: "The government will further increase development of the
information industry. At the same time, government departments concerned
will study the means to amplify development of the technology involved so
as to ensure information security."

In fact, on the technical front of information warfare, the Chinese had in
1998 launched a programme of fibre optic communications, which they
judged to be more effective for fighting off intrusions. Thus the military
district of Beijing uses a large scale optical fibre 'military information
highway', rendering pretty much impossible any enemy interception of its
communications from bases such as that in Alice Springs.

If the Chinese have worked upon all these different ways of controlling
and protecting their use of the Internet, with impregnable encryption and
undetectable transmissions, their special services are also engaged in a
worldwide offensive of intrusion, hacking and bombarding spam and
viruses against foreign websites and data banks.

An army of cyberwarriors

Welcoming German chancellor Angela Merkel to Beijing on August 27, 2007,
her Chinese counterpart Wen Jiabao expressed his sorrow upon learning that
computer systems in her chancellery and others in a number of German ministries
had recently been the target of hackers.

26
These studies were handed down to a provincial organisation, the Sichuan Zhongcheng
Network Development Company Ltd. See Manzoni, L’infrastructure nationale, op.cit. p.72.

In an attempt not to lose face, the Chinese prime minister, recognised as
a reformer with a conciliatory approach to the West, had to address the
obvious; that very same August day the German weekly magazine Der
Spiegel had published a special edition with a front page story about
Chinese intelligence operations against Germany. It reported that the PLA
had launched a computer intrusion operation using Trojan Horse
programmes – spyware which lies hidden in computer systems and which
can be activated at will without alerting the 'host' computer operator. Der
Spiegel notably mentioned the use of spy programmes which were sent in
the form of Windows PowerPoint systems. But this was just the tip of the
iceberg. Several thousand private companies and government structures,
including the police and armed services, had been the target of PLA
cyberwarrior attacks over an eight-year period.

Brought up in the former West Germany, Frau Merkel is well aware of the
double talk common to communist regimes. But is that enough to explain
why it is only Germany which has shown the courage to raise the problem
with China's leaders - while doing business with them?

Numerous Asian intelligence services have complained about the
generalisation of similar Chinese cyber attacks, targeting Japan, Taiwan,
South Korea and India. Even the US has been affected, with several cyber
attacks against Pentagon systems. At the beginning of 1999, a Trojan
Horse using PICTURE.EXE and MANAGER.EXE was observed bouncing
around the world, principally targeting computer systems of America Online
(AOL) users and sending the stolen information back to China27.

Perhaps the most worrying of all these different attacks was that against
Japan, about which I published my own investigation in the Tokyo
magazine Sapio in 2005. A first wave of attacks occurred on April 15,
2005, when the Mitsubishi Corporation and a Chinese subsidiary of Sony
were targeted. Other companies preferred, for economic reasons, not to
divulge that they too were attacked, commenting when asked that they
were used to computer system intrusions but that their firewalls afforded
protection.

On that April morning company executives, and even the authorities of
Japan's Kumamoto University, arrived at work to discover anti-Japanese
messages, and even the red, yellow-starred Chinese flag, encrusted onto
their websites. Worse still, it was then revealed that Japan's ministry of
foreign affairs (Gaimusho) and the country's Defense Agency, which had
already been victims of similar attacks during the summer of 2004, were
now again targeted with waves of spam, viruses and Trojan Horses. They
were supposedly sent by web users furious at the manner in which
Japanese school books described the circumstances of the Sino-Japanese
war.

According to police specialists, however, Chinese cyberwar systems use
what are called 'bouncers' which disguise the real origin of the attack as it
spreads around the web. This is notably the case of websites based in
countries with large Chinese communities, such as Canada (in particular its
cities of Vancouver and Toronto).

Even earlier, in January 2000, several Japanese ministries were the
target of cyber attacks following declarations by a number of the country's
politicians denying that Japan's Imperial Army was involved in the 1937
massacre of Chinese in Nanking (the then capital of China occupied by
Japanese forces). In all these cases, the attacks involving systems to wipe
out data banks were found to have originated in China, from where they
were re-routed via foreign Internet Service Providers (ISPs).

27
See article by Michel Alberganti, Le dernier virus informatique envoie son butin en
Chine, published in Le Monde, 16 January 1999.

The PLA, which led the operations, first went on the offensive in 1999.
On the initiative of the Central Military Commission, a task force was set up
at the end of the last century, essentially made up of the six services
specialised in this theatre of information warfare. These included the PLA's
Second Department (Er Bu), whose then head was General Luo Yudong;
the Department of Communications (Tongxin Bu), led by General Xu
Xiaoyan; the PLA's Third Department (San Bu), headed by Qiu Rulin; the
ministry of defence's Department of technological intelligence; the Institute
of Military Sciences' Department of special technologies, otherwise known
as 'Department 553', and the 10th and 13th Bureaux (communications) of
State security (Guoanbu). The task force was led by Xie Guang,
vice-minister of COSTIND and one of China's cyberwarfare theoreticians28.

General Si Laiyi was given the job of setting up the PLA's University of
science and techniques, in order to train and develop highly-skilled
technicians, and several telecommunications research institutes were
merged together to produce these cyberwar cadres (Xinxi Zhanzheng).
Their very thorough practical and theoretical instruction uses
manuals such as 'Unrestricted warfare' by Colonel Qiao Liang and Colonel
Wang Xiangsui, and Western publications like 'War in cyberspace' by
French journalist Jean Guisnel, which was translated into Chinese in
2000 by New China Publishers29.

28
According to Indian sources, the task force in 1999 also included the following: General
Fu Quanyou, chief of PLA General Staff, and generals Yuan Banggen, Wang Pufeng, Wang
Baocun, Shen Weiguang, Wang Xiaodong, Qi Jianguo, Liang Zhenxing, Yang Minqing, Dai
Qingmin, Leng Bingling, Wang Yulin and Zhao Wenxiang.

Once they have qualified, these officer cadets and technicians of all
grades go into battle playing internal wargames or carrying out very real
attacks like those just described against Japan or, later, Germany. But back
in the early days, they were faced with another 'invisible army' as an
enemy, one which was actively retaliating against China's offensives and
which was known as 'the Hong Kong Blondes'.

The Hong Kong Blondes

Everything in Blondie Wong's life was violent. As a child, at the end of
the Cultural Revolution, he witnessed the murder of his father at the hands
of Red Guards. While a student in Europe in 1989 he watched coverage of
the Tiananmen Square massacre and vowed his inextinguishable hatred
against the leaders of the Zhongnanhai. The feeling, to coin a phrase, was
mutual.

Ten years later, during the summer of 1999, a team of Guoanbu hitmen
was sent to Saint-Nazaire, in France's Brittany region, to kill him. Beijing
wanted him wiped out because he was one of the leaders of the so-called
'Hong Kong Blondes', a group of extremely skilled 'cyber dissidents' who
were leading attacks against the computer systems of the Chinese army.
Blondie Wong was no longer in western France - if indeed he ever had
been - when the hit men arrived. Wong is a master of disinformation and
spin. A rumour had it that he had left for Canada, where he was living
under armed guard.

29
Jean Guisnel, Guerres dans le cyberespace, Services secrets et internet, La
découverte/Poche, Paris, 1997. In Chinese: Jang.Jinei’er (Jean Guisnel), Huliangwang
shangde jiandiezhan, translated by Xu Jianmei, Xinhua Chubanshe,

The Hong Kong Blondes were a group of hackers who proved it was
possible to defeat China's enormous computerized mechanism for
controlling its population. For the PLA and its huge empire of cyberwarriors,
it was a case of the biter being bit.

Ever since their establishment in 1989, the 'Blondes' ran a rumour mill on
the Internet in such a way as to cover their tracks, succeeding in continuing
their attacks on Chinese government networks even after the handing over
of Hong Kong; this was particularly daring given, as I have detailed, how
the Chinese special services had taken control of, and taken the place of,
the local police.

The 'Blondes' are hackers who threaten communist installations in the
name of human rights. Legend has it that they are made up of some 50-odd
engineers, outside but also inside China, some of them highly placed and
dedicated to avenging the souls of their relations killed on Tiananmen
Square.

It is even one of the strong points of their organisation; neither the
Zhongnanhai nor the security services could have imagined it possible to
break into their systems from within. Just like the famous dissident Fang
Lizhi (mentioned earlier and who left China under US protection in 1990),
Blondie Wong is an astrophysicist and therefore well versed in the details of
numerous scientific programmes initiated on the orders of Deng Xiaoping
and, later, Jiang Zemin.

The Guoanbu took their chase to Vancouver, then on to Toronto. There
they learnt that Wong had already fled to India with a woman member of
the group, Lemon Li. She had lived in exile in Paris after a period of
imprisonment in China, and it was in fact Lemon Li who had, at one time,
settled in Saint-Nazaire.

"It was no accident," was the comment of a Chinese telecommunications
and cyberwarfare specialist who I met in Beijing in June 2007, and who has
no affection for the Hong Kong Blondes. "They must be protected by the
Indian services which are much more skilled than we are in this field," he
added. "India's foreign intelligence, the RAW, and the Indian army enjoy
playing frenzied wargames against China."

A subsidiary group of the Hong Kong Blondes, nicknamed 'The Yellow
Pages', decided to intensify attacks against both Chinese communications
infrastructures and also those multinational companies helping Beijing to
reinforce its anti-hacker protection systems and to spy on its entire
population via the Internet.

It is said that the only true blonde in this ghost-like grouping is a former
technician from Britain's MI5, Tracey Kinchen, who helped both the Blondes
and the Yellow Pages. It is but a small step, on the basis of this, to imagine
that the British Intelligence Service is involved in assisting the dissidents
with their small-scale, guerrilla cyberwarfare attacks against the weaker
units of a numerically superior army.

The Chinese security services in Hong Kong, where Tracey is said to
have once worked, were unable to discover anything about her. Some
investigators even claim that the 'Blondes' are a phoney tale, while
American sources suggest they may have re-formed in Bangkok.

The 'Blondes' began by sending personal emails to leaders of the PLA
and agencies belonging to the Chinese military and industrial lobby. While
this hardly put the Chinese state in jeopardy, the fact that they had gained
access to specific email and intranet addresses left military security agents
baffled and on alert.

Next they moved the threat of their actions up a notch into altogether
more sensitive territory - downloading confidential codes, including
information on satellite guidance. They then sprang a series of attacks to
wipe out specific databases, launched disinformation campaigns and
bombarded websites until they froze (DoS or Denial of Service) in precisely
the same sort of attack as those carried out by the PLA's cyberwarriors.

Nowadays, the armed forces, security services and large private
corporations of every major industrialised power are used to such attacks.
But at the beginning of the Internet age, as of 1995, the Laboratories of the
PLA's Third Department could hardly believe what they were seeing.

It is even said that the Hong Kong Blondes were able to install codes so
as to carry out surveillance or put the Chinese computer systems on alert.
According to Lo Yik Kee, head of Hong Kong's police computer crime
squad, there were 228 cyber attacks against China in 1999 which
originated in the former British colony. Set up at the beginning of 2000, the
squad initially centred its attention on identifying the cybercafés from where
the attacks against the PLA originated. Meanwhile, the Gonganbu, never
shy to provide statistics behind the bamboo curtain, numbered attacks over
this period at 72,000, of which 200 were successful.

When a journalist found Tracey Kinchen in Bangkok, the MI5 spy gave a
very zen account of the group's activities; Blondie Wong and the Hong
Kong Blondes, she suggested, wished no harm on anyone. They followed
the non-violent principles of Mahatma Gandhi and Martin Luther King30.

The Chinese, however, saw it as nothing other than a very involved sabotage
campaign, ever since a cyber attack against one of their communications
satellites in 1998.

30
An interview by Anthony C. LoBaido, correspondent for WorldNetDaily. The article
reports that the Blondes received assistance from US engineer staff at Cal Tech as well as
MIT, Baylor, Texas A&M, West Point, Liberty Baptist and even the Air Force Academy in
Colorado. This no doubt explains Chinese claims that the CIA are behind the attacks.

Another example of the hacking campaign against the Chinese occurred
on April 26, 1999. The PLA's central command centre for the Canton region
was paralysed between 5.30 am and 10.30 pm after a virus attack upon its
computer systems. It effectively blacked out all communications with the
forces under its command, including the South China Sea fleet, strategic
missile launching units of the 2nd Artillery and more than 80 other armed
services bases. The Nanking regional command was immediately ordered
on full alert by President Jiang Zemin, while information warfare specialists
and other technical services were scrambled to repair the damaged
computer systems.

In autumn 1999, the PLA organised a wargame against hackers in an
exercise to help prepare itself against further attacks. The scenario of the
exercise was an attack by 'black intruders' (pronounced Heike, similar to
'hacker') on the Chinese Communist Party's websites and the stealing of
their contents31. Soon, under the auspices of the Minister of Education
Chen Zhili (Jiang Zemin's Shanghai mistress), the Guoanbu, the
Gonganbu, and the propaganda services, a system developed at the
University of Shenzhen would allow the identification and filtering of email
addresses of Chinese students living abroad32.

31
Zhanshibao
32
Mingbao, 27 February 1999.

Spinning a web of surveillance

Along with organising numerous intrusions into foreign Internet networks,
the Chinese secret services were also given the mission of organising a
vast system for controlling the Chinese population, in particular the young
generation who enjoy surfing the net but increasingly avoid cybercafés to
do so.

In 1995, when use of the Internet had properly taken off in Japan and the
Sino-Korean world, there were in China just a few thousand academics
who wished to use the Internet to stay in contact with their foreign
colleagues. They were required to register with the ministry of post and
telecommunications, which ran the China-Pack link to the worldwide web.
At that time, initial control resided with the Information Bureau of the State
Council which was run by Zeng Jianhui, a propaganda specialist and
notably vice-president of the Xinhua News Agency. After having closely
studied Internet control methods in Singapore, he handed over his post in
1996 to Ma Yuzhen, vice-minister of information and a former Chinese
ambassador to the UK.

Ten years later a very elaborate surveillance system had been put in
place. A system controlling every user of the Internet was set up in Tibet
by the Public Information Bureau (PIB) belonging to the Lhasa Bureau of
Public Security (Gonganju) headed by 'Luobu Donzhu' (whose real Tibetan
name is Norbu Dondrub). It was without doubt no coincidence that Tibet
was chosen as the first test laboratory for computer surveillance, before the
system could be widened to cover other regions of China.

At the beginning of 2004, the Chinese and Tibetan inhabitants of Lhasa
who wished to access the Internet in cybercafés were given a registered
number together with a password which they had to use, whether surfing
the net or exchanging email correspondence.
Internet users could buy a relatively cheap 'navigation card' on the
condition that they filled out a 'Citizen Identification Card' (shenfen zheng).
The cards are distributed by the PIB which is also responsible for issuing
licences for cybercafés.

The mission of these technical services is "to fight Internet crime". But by
all accounts their fellow colleagues in the Lhasa section of the State
Security (Guoanbu) Bureau, responsible for offensive counter-espionage
operations against India, are also interested in monitoring possible coded
email correspondence between the Dalai Lama's Research and Analysis
Centre (RAC) in Dharamsala and Tibetan resistance networks.

The surveillance system appeared quite effective because it required the
registering of the individual who uses the Internet and no longer only that of
the computer used.

While the repression is organised within China, behind a virtual Great
Firewall, it operates with the help of foreign systems developed by those
who are happy to do deals with the Chinese Communist Party in return for
permission to set up business there.

The Chinese authorities have caught and imprisoned cyber dissidents
with the help of foreign organisations such as Yahoo, implicated in the
arrest of people using its search engine after the company handed over
their email and IP addresses to the Gonganbu. The most notorious cases
known to date include that of Wang Xiaoning, sentenced in September
2003 to ten years in prison and stripped of his civil rights for two years for
"incitement to subvert state power". He had published online material
distributed by email calling for the introduction of democracy in China.
Another is that of Shi Tao, journalist and editor of a business newspaper in
southern China, given a ten-year prison sentence in April 2005 for
supposedly divulging state secrets; he had published on the web
instructions issued to the media by the Chinese authorities prohibiting them
from commemorating the anniversary of the Tiananmen Square
pro-democracy uprising. In 2007, the media rights watchdog organisation
Reporters sans Frontières said more than 50 reporters were incarcerated in
the Laogai, China's Gulag.

Between 2002 and 2004, several tens of thousands out of 110,000
officially licensed cybercafés were closed. The others were ordered to
equip themselves with a URL page surveillance system which monitors
internet users' activities while blocking access to banned sites. Between
30,000 and 40,000 security agents are tasked with monitoring Internet
traffic, while the number of web users in China has doubled in three years,
rising from 80 million in 2004 to reach 162 million in 2007.

The two Security ministries, the Gonganbu and the Guoanbu, recruit
talented computer engineers, and these include students who have
specialised in Information Technology (IT) at US universities and who are
given substantial financial incentives to steer them away from the private
sector. Just like Western counter-espionage agencies, they have also
succeeded in recruiting brilliant, repentant hackers, like a young cyber
'pirate' recruited in Shanghai in 2003 and now one of Chinese security's
star technicians.[33]

Among the groups of surfers it targets, the Guoanbu shows a particular
interest in foreigners, whether they be suspected of espionage or are
simply journalists, diplomats or – in particular – businessmen and traders
whose emails and attached documents might reveal important economic
secrets.

[33] Willy Wo-Lap Lam, Chinese Politics in the Hu Jintao Era (New Leaders, New
Challenges), M.E. Sharpe, New York, 2006.

Cybercafé managers often ask for their passports before assigning them
a computer which will then keep trace of their Internet path, just like hotel
computers. I was told by one Internet specialist I met in Beijing that the
capacity of surveillance units had been significantly increased for the
Olympic Games.

A Golden Shield against Internet 'abuse'

With its public launch of the Golden Shield (Jindun) programme in April
2006, the Ministry of Public Security (Gonganbu) enlarged its surveillance
methods even further. It boasted of being able to combat websites
dangerous to China thanks to a network of some 640,000 computers
working under 23 different systems across the country (with the exception
of Hong Kong and Macau). The system is so sophisticated that the
Gonganbu claimed it could solve online crime, thus reducing overall crime
rates by controlling Internet users.

Costing $10 million, the Golden Shield is a sort of giant intranet managed
by the Chinese security forces. They are able to block or spy on websites at
will, and to watch over web users. The novelty is that the Golden Shield
contains a programme to filter key words used in Chinese cyberspace,
setting off either surveillance action or an automatic block on
communications, or the two together. It is similar to the system developed
by the US National Security Agency for the ECHELON network, with its
'dictionaries' that allow for the tapping of conversations in which pre-
programmed words appear. The difference between the two systems is
that, with few exceptions, the end game under ECHELON is not to actually
block the URL pages, blogs or chatrooms of, for example, Islamic websites
promoting violence.

A semantic analysis of one million keywords prohibited in China reveals
both the concerns of the authorities and the fantasies of the public security
ministry headed by Zhou Yongkang. At the top of the list, 20% concern the
Falun Gong sect, while another 15% relate to Tibet, Taiwan and Xinjiang.
Another 15% concern Chinese leaders and their families (for example,
security chiefs Zeng Qinghong or Luo Gan as well as prestigious names
like Deng Xiaoping, Mao Zedong and his wife Jiang Qing). A further 15%
relate to politics and corruption, where the word 'democracy' is considered
as subversive as 'dictatorship' (even that of the proletariat). Some
10% relate to the police and national security, while another 10% concern
the names of dissidents and political exiles (such as Chai Ling, leader of
the Tiananmen Square uprising). Finally, the remaining 15% are dedicated
to sex, with particular attention paid to night clubs, swinging and porn
videos.

But because of the very nature of the Chinese language – a syllabary of
phonemes presented as ideograms which can incorporate several
meanings – the Gonganbu's computer network can even find itself
prohibiting official texts, or commentaries about official texts, if they carry
references to things like 'national security' (Guojia anquan). In the end, only
phrases relating to economic subjects can get through the barrier, although
not always.

Commonly used words, and even legendary ones, can become suspect
when placed together; Dragon-Tiger-Leopard (Long Hu Bao) is the title of a
Hong Kong erotic magazine publication as well known in the region as
Playboy, which is also another forbidden reference. Another example here
is the expression 'group of pigeons' (Ge Pai), which is categorised as
referring to a hidden attack on communist leaders. Yet worse for the
authorities is the expression 'the great law' (dafa) because of its reference
to principles of the Falun Gong.

The methods of the Golden Shield will without doubt prove to be ever
less effective in hunting 'counter-revolutionary criminals' – even when the
system is able to analyse the activities of every single computer in China.
This is primarily because younger generations use thousands of everyday
common words and slang as a code in their intimate conversations and
which in Chinese are by nature particularly rich in imagery. The Gonganbu
will be forced into modifying its Orwellian programme which is already
struggling to cope with the consequences of a grand linguistic confusion.

The operating problems for online censoring in a country of 1,300 million
people are clearly exceptional and were already made evident in 2004
when the authorities attempted to exercise control of mobile phone text
messaging (SMS). Then, they issued draconian instructions aimed at
stopping pornographic, fraudulent or illicit texts, set out in a publication
entitled Rules of self-discipline regarding the contents of Short Message
Services (similar instructions are posted in cybercafés). The previous year,
SMS correspondence played a significant role in public criticism of the
State's handling of the SARS epidemic. When the 15th anniversary of the
1989 student uprisings approached, the authorities moved to block words
like 'Tiananmen'.

China's largest mobile phone operator, China Mobile, signed up to an
agreement by which it would help to hunt down offending SMS
correspondence. But by dreaming up the most effective interception system
in the world, the Gonganbu and the various PLA security services had
already in 2003 found themselves confronted with the numbing task of
sifting through 220 billion text messages – an amount equal to 55% of total
SMS traffic worldwide!

Essential vocabulary of Chinese net surfers and cyberwarriors

Information highway: Xinxi gaosu gonglu, 'a high-speed road for information' 信息高速公路
Connection: shang wang, 'to connect to the network' 上网
Cyberwar: Xinxi zhanzheng 信息战争
Computer offence: Shuzihua fanzui, 'digital crime' 数字化犯罪
Email: Dianzi youjian 电子邮件. A more popular term, for reasons of pronunciation, is yi meir (meaning 'little sister'): 伊妹儿
Spying on the Net: Hulianwang shangde jiandiezhan, 'War of spies on the Net' 互联网上的间谍战
Hacker, computer pirate: Heike, 'black host', 'black intruder' 黑客
World Wide Web (WWW): Wan wei wang, 'ten thousand three-dimensional networks' 万维网

Ends.
