More than 30 countries across Europe, North America and Asia yesterday joined in revealing and condemning the Chinese government’s Ministry of State Security’s work with Chinese cyber hackers and cybercriminals to hack companies, governments and other organisations globally, stealing valuable intellectual property and even conducting ransomware attacks.
Far from being an issue involving only Beijing and Washington as part of strategic competition between two great powers, this behaviour from the Chinese state shows that China poses a systemic challenge to all open societies. So it’s not a surprise that this large and growing group of governments is working more closely together to face it. They’re the same grouping we saw coming together on China at the G7-plus meetings in Cornwall last month.
Chinese state actions and the government’s cooperation with China’s criminal hacker ‘ecosystem’ are damaging and flagrant. That’s not new news. So, what do we do?
We need to start by realising that this is not just a case of Chinese authorities tolerating cybercriminals operating out of China. The Chinese government is working with and through its criminal cyber community to advance its own interests and damage others—corporations and governments alike. That damage is to every one of the countries that spoke out yesterday and to companies operating in their economies.
There are four big messages out of this for governments and companies.
The first is to really take in the implications of this deeply malign, damaging behaviour of the Chinese state, which professes peaceful intent and an abhorrence of interfering in other jurisdictions, and think through the specific risks and damage that can result. This is a board- and CEO-level issue for every Australian company, for example.
The second is for governments and companies to actively tighten their cybersecurity by implementing the detailed set of mitigating measures the US and partner cybersecurity agencies set out in support of yesterday’s statement. Three big things to do are getting software patches up to date to remove vulnerabilities Chinese hackers can use; increasing the internal system monitoring that your organisation does to spot malicious and suspicious activity inside your network; and using anti-virus software along with a domain reputation service (to spot activity coming from malicious or suspicious sources before it compromises your company’s or agency’s systems).
These steps will make it harder for the Chinese government’s Ministry of State Security and the cybercriminal outfits they work with to successfully penetrate and compromise company and government systems internationally.
The last two messages are arguably much more challenging and more important.
These global attacks were about China hacking into foreign digital technology—in this case Microsoft Exchange systems used in much of the advanced world—with the Chinese attackers looking for valuable information and also vulnerabilities in how companies’ and governments’ critical digital systems work. That’s a bad problem to have.
But consider the enormous additional vulnerabilities that any government, critical infrastructure operator or government agency faces by using Chinese-sourced digital technology. The Ministry of State Security doesn’t need a hacker network to get into these systems. As ASPI’s series of reports on the expansion of China’s tech giants shows, it can go straight through the front door, accessing and using data produced by the normal business operations of Chinese digital systems and, when it needs to, compelling the secret cooperation of Chinese vendors and operators.
That gives company and government decisions about digital technology and software adoption a very sobering risk to factor in along with the usual business-case elements of cost, performance and ease of implementation.
National 5G and digitisation initiatives, along with specific critical and digital infrastructure decisions—whether on transport, communications, public health or e-commerce—must now take account of not just the risk of hacking, but the risk of inherent compromise of digital supplier and operating organisations.
The last big message from this wholesale Chinese hacking enterprise is that it’s time to stop accepting that our open economies and societies are somehow uniquely vulnerable and that all we can do is make ourselves harder targets, soak up these Chinese (and Russian—remember SolarWinds) attacks and express concern.
More targeted indictments and asset freezes on Chinese officials—like leaders and operatives in the Ministry of State Security—and charges against Chinese cybercriminals will help. Magnitsky-style laws in more countries, including Australia, must be part of the answer here. But that just won’t be a big enough deterrent by itself.
From here, given the systemic challenge that China under Xi Jinping is for many of us, it’s time to give Beijing some home games and homework to do.
China’s own digital ecosystem is messy, patchy and vulnerable. It requires legions of humans to keep spotting gaps and fixing seams, as well as to operate and police. And we know how vulnerable the ruling Chinese Communist Party regime feels to anything but well-chewed, censored information reaching the 1.3 billion Chinese citizens who are not party members.
Listening to Xi’s CCP centenary speech reminded anyone who had forgotten that a central thought he and the other CCP leaders have every day is the need to continue to struggle to stay in power within China. So, ensuring only the ‘correct line’ is provided in China’s information space is a continuing huge priority for Xi.
The same is true, strikingly, for Vladimir Putin in Russia, whose recently released national security strategy sees the ‘home front’ as the most dangerous and critical one for him to control to stay in power, given the threat of foreign ideas and information that challenge his narratives. While commentary has been about Russia’s use of cyber and disinformation power against others, the vulnerabilities in Russia’s own cyber and information space worry Putin more than most other threats. Xi seems to suffer the same anxieties, as did his predecessors.
The governments that are routinely targeted by Beijing can work together and independently to stand up China-focused outfits with missions like Radio Free Europe, creating and using capable digital-era approaches to routinely breach the Chinese government’s ‘Great Firewall’. This can provide sources of external information and commentary, and also provide footage of Chinese security thugs beating up Hongkongers and operating arbitrary interrogation centres, of the People’s Liberation Army massacring Chinese students in Tiananmen Square in 1989, and of eyewitness testimony about the graphic mass abuses Chinese officials are committing against Chinese Uyghurs every day.
Some healthy doses of China’s own history, including the mass deaths Mao Zedong inflicted on Chinese people through his Great Leap Forward, will contest the propaganda-driven, aggressive nationalism Xi and his leadership colleagues stoke every day.
This will provide a partial antidote for the historically ridiculous notions that all China’s troubles have been inflicted by evil foreigners, and that the party is Chinese people’s benevolent protector. The contrast with the stage-managed happy, dancing Uyghurs and the silence and denials of other abuses committed by the CCP will be confronting and jarring to Chinese citizens and amplify the power of this external information.
We know there’s an appetite for this kind of information—and for discussion within mainland China and with people in places like Taiwan and elsewhere—from the example of the short-lived Clubhouse app, where exactly this kind of conversation happened before Chinese censors banned it earlier this year.
And lastly, while we’re thinking through how to demonstrate to the Chinese government its own vulnerabilities as part of stronger deterrence, it’d be useful to ensure that Beijing understands it has a myriad of its own critical infrastructure and digital vulnerabilities.
Having Beijing know the practical reality of this, and be anxious about vulnerabilities that it doesn’t know about but which other capable governments might, could be the kind of tangible constraint Xi and his colleagues best understand. This is a future for cyber deterrence.
This coordinated response from the democracies hopefully ends the approach whereby governments, including in Canberra, would say nothing publicly about extensive Chinese state cyber intrusions while pretending that wider relations with Beijing could progress as normal.
There can be no return to a trusting ‘win–win’ relationship with Beijing at the same time as we are being spied on and robbed blind by its hackers.
So, the nasty implications of this most recent exposure of Chinese state and criminal cooperation are much wider than just providing more work for cybersecurity professionals and concerned foreign affairs departments. It’s a further step along the path of growing international cooperation to deal with the systemic challenge of China. And it’s time to show that the digital playing field isn’t all tilted in Beijing’s favour.
Michael Shoebridge is director of ASPI’s defence, strategy and national security program.