Chinese State-Backed Hacking


Time to level the playing field and breach the ‘Great Firewall’

Michael Shoebridge

More than 30 countries across Europe, North America and the Indo-Pacific in July 2021 joined in revealing and condemning the Chinese Ministry of State Security’s work with Chinese cyber hackers and cybercriminals to hack companies, governments and other organizations globally, stealing valuable intellectual property and conducting ransomware attacks.

The grouping included Japan, the United States and, through NATO, 28 European nations, as well as Australia, Canada and New Zealand.

Far from being an issue involving only Beijing and Washington as part of strategic competition between two great powers, this behavior from the Chinese state shows that China poses a systemic challenge to all open societies. It’s not a surprise that this large and growing group of governments is working more closely together to face it. It’s the same grouping we saw coming together on China at the G-7-plus meetings in Cornwall, England, in June 2021.

Chinese state actions and the government’s cooperation with China’s criminal hacker “ecosystem” are damaging and flagrant. That’s not news. So, what do we do?

We need to start by realizing that this is not just a case of Chinese authorities tolerating cybercriminals operating out of China. The Chinese government is working with and through its criminal cyber community to advance its interests and damage others — corporations and governments alike. That damage is to every one of the countries that spoke out in July 2021 and to companies operating in their economies.

There are four big messages out of this for governments and companies.

The first is to take in the implications of this deeply malign, damaging behavior of the Chinese state, which professes peaceful intent and an abhorrence of interfering in other jurisdictions, and to think through the specific risks and damage that can result. This is a board- and CEO-level issue for every Australian company, for example.

Japan Aerospace Exploration Agency staff members run a safety check at the Institute of Space and Astronautical Science in Sagamihara near Tokyo. Hackers linked to the Chinese military launched cyberattacks in 2021 on hundreds of Japanese companies and research organizations, including the space agency. THE ASSOCIATED PRESS

The second is for governments and companies to tighten their cybersecurity by implementing the detailed set of mitigating measures the U.S. and partner cybersecurity agencies set out in support of the July 2021 joint statement. Three big things to do are: getting software patches up to date to remove vulnerabilities; increasing internal system monitoring to spot malicious and suspicious activity inside networks; and using antivirus software along with a domain reputation service (to spot activity coming from malicious or suspicious sources before it compromises systems).

These steps will make it harder for China’s Ministry of State Security and the cybercriminal outfits it works with to penetrate and compromise systems internationally.

The last two messages are arguably much more challenging and more important.

The global attacks were about China hacking into foreign digital technology — in this case, Microsoft Exchange systems used in much of the advanced world — with the attackers looking for valuable information as well as vulnerabilities in how companies’ and governments’ critical digital systems work. That’s a bad problem to have.

But consider the enormous additional vulnerabilities that any government, critical infrastructure operator or government agency faces by using Chinese-sourced digital technology. The Ministry of State Security doesn’t need a hacker network to get into these systems. As the Australian Strategic Policy Institute’s series of reports on the expansion of China’s tech giants shows, the ministry can go straight through the front door, accessing and using data produced by the normal business operations of Chinese digital systems and, when it needs to, compelling the secret cooperation of Chinese vendors and operators.

That gives companies and governments a sobering risk to factor in when making decisions about digital technology and software adoption, along with the usual business-case elements of cost, performance and ease of implementation.

National 5G and digitization initiatives, along with specific critical and digital infrastructure decisions — whether on transport, communications, public health or e-commerce — must now take account of not just the risk of hacking, but the risk of inherent compromise of digital supplier and operating organizations.

The U.S. Justice Department charged five Chinese citizens in September 2020 with hacks targeting more than 100 companies and institutions in the United States and abroad, including video game companies, universities and telecommunications providers. THE ASSOCIATED PRESS

The last big message from this wholesale Chinese hacking enterprise is that it’s time to stop accepting that open economies and societies are somehow uniquely vulnerable and that all we can do is make ourselves harder targets, soak up these Chinese (and Russian — remember SolarWinds) attacks and express concern.

More targeted indictments and asset freezes on Chinese officials — such as leaders and operatives in the Ministry of State Security — and charges against Chinese cybercriminals will help. Stronger corruption laws in more countries, including Australia, must be part of the answer. But that won’t be a big enough deterrent by itself.

In light of the systemic challenge that China under Chinese Communist Party (CCP) General Secretary Xi Jinping poses, it’s time to give Beijing some home games and homework to do.

China’s digital ecosystem is messy, patchy and vulnerable. It requires legions of humans to keep spotting gaps and fixing seams, as well as to operate and police. Plus, we know how vulnerable the CCP regime feels to anything but well-chewed, censored information reaching the 1.3 billion Chinese citizens who are not party members.

Listening to Xi’s CCP centenary speech in July 2021 reminded anyone who had forgotten that a central thought he and other CCP leaders have every day is the need to continue to struggle to stay in power. So, ensuring only the “correct line” is provided in China’s information space is a continuing huge priority for Xi.

The same is true, strikingly, for President Vladimir Putin in Russia, whose recently released national security strategy sees the “home front” as the most dangerous and critical one for him to control to stay in power, given the threat of foreign ideas and information that challenge his narratives. While commentary has been about Russia’s use of cyber and disinformation power against others, the vulnerabilities in Russia’s cyber and information space worry Putin more than most other threats. Xi seems to suffer the same anxieties, as did his predecessors.

The governments that are routinely targeted by Beijing can work together and independently to stand up China-focused outfits with missions like Radio Free Europe, creating and using capable digital-era approaches to routinely breach the Chinese government’s “Great Firewall.” This can provide sources of external information and commentary, as well as footage of Chinese security thugs beating up Hongkongers and operating arbitrary interrogation centers, of the People’s Liberation Army massacring Chinese students in Tiananmen Square in 1989 and of eyewitness testimony about the graphic mass abuses Chinese officials are committing against Uyghur Muslims every day.

Some healthy doses of China’s history, including the mass deaths Mao Zedong inflicted on China’s people through his Great Leap Forward, will contest the propaganda-driven, aggressive nationalism Xi and his leadership colleagues stoke.

This will provide a partial antidote for the historically ridiculous notions that all China’s troubles have been inflicted by evil foreigners, and that the party is the Chinese people’s benevolent protector. The contrast with the stage-managed happy, dancing Uyghurs and the silence and denials of other CCP abuses will be confronting and jarring to Chinese citizens and amplify the power of this external information.

We know there’s an appetite for this kind of information — and for discussion within mainland China and with people in places such as Taiwan and elsewhere — from the example of the short-lived Clubhouse app, where this kind of conversation happened before Chinese censors banned it in early 2021.

While we’re thinking through how to demonstrate to the Chinese government its own vulnerabilities as part of stronger deterrence, it would be useful to ensure that Beijing understands it has myriad critical infrastructure and digital vulnerabilities.

Having Beijing know the practical reality of this and be anxious about vulnerabilities that it doesn’t know about, but which capable governments might, could be the kind of tangible constraint Xi and his colleagues best understand. This is a future for cyber deterrence.

This coordinated response from the democracies hopefully ends the approach whereby governments, including in Canberra, would say nothing publicly about extensive Chinese state cyber intrusions while pretending that wider relations with Beijing could progress as normal.

There can be no return to a trusting “win–win” relationship with Beijing at the same time as we are being spied on and robbed blind by its hackers.

The nasty implications of this most recent exposure of Chinese state and criminal cooperation are much wider than just providing more work for cybersecurity professionals and concerned foreign affairs departments. It’s a further step along the path of growing international cooperation to deal with the systemic challenge of China. And it’s time to show that the digital playing field isn’t all tilted in Beijing’s favor.  

Michael Shoebridge is director of the Australian Strategic Policy Institute’s (ASPI’s) defense, strategy and national security program. This article was originally published July 20, 2021, in the ASPI’s online forum, The Strategist. It has been edited to fit FORUM’s format.
