Author: Dr Adrian Venables, TalTech Centre for Digital Forensics and Cyber Security senior researcher
Chinese industrial espionage
The COVID-19 pandemic, and its reported origins in the city of Wuhan in China, is just the latest incident that has focused the world’s attention on this communist state. Prior to the virus outbreak, the rising global influence of China, and in particular of its telecommunications company Huawei, was the subject of much debate. Research conducted in 2019 concluded that there were strong links between Huawei and the Chinese state and in particular its intelligence organisations. This relationship has influenced national decisions as to whether Huawei should be involved in programmes to install next-generation 5G mobile networks. The Välisluureamet acknowledged this risk in its 2020 Annual Report, and many countries have already decided that Huawei should not be involved. The US, Australia and New Zealand have banned the company from their communications networks over security concerns and the UK is reconsidering a previous decision to allow limited involvement.
The fears that Huawei, as a Chinese communications company with links to its government, may represent a security risk are well founded. China has a formidable reputation as being aggressively engaged in cyber espionage. Indeed, it is regarded as the originator of the majority of state-sponsored cyber attacks against the west. However, it should be noted that within the context of international law, espionage in peacetime is a grey area and is not explicitly addressed. This is because it is generally accepted that most nations undertake some form of spying and that it is a normal part of the national security process. The difference with China, though, is how the intelligence is exploited. Whereas state-sponsored espionage traditionally focuses on understanding the political landscape, critical infrastructure and military capabilities of adversaries, with the information remaining within government, China adopts a very different practice. As well as the usual targets, Chinese intelligence organisations also seek to acquire intellectual property and commercial secrets. Rather than keeping this information within government, it is instead passed on to its own national industries. Benefiting from the investment others have made in research and development, and combined with cheap labour costs, China can then produce similar products at a lower price than its competitors. This relationship works both ways, as China’s 2017 national security laws potentially compel its organisations and citizens to support, assist and cooperate with state intelligence work. This forms the basis for the lack of trust in companies such as Huawei, which was illustrated by its indictment for racketeering and stealing trade secrets by the US Justice Department in February 2020.
To understand why China is such a threat to the west’s technology companies it is necessary to appreciate its national strategy. The primary aim of China’s government is to maintain the rule of the Communist Party of China. The current regime was founded in 1949 after internal unrest initiated a revolution. To prevent another requires strict control of a compliant population. However, funding a totalitarian state is expensive, and in China’s case, very expensive, particularly when compared to its main international rival, the US. Ensuring the security of the world’s largest and most populous country takes considerable resources. China’s 22,000 km border neighbours 14 countries, with many historical disputes between them. Although in the past China has chosen to settle these issues, it has now adopted a more aggressive approach. Most recently this has included a border incursion into India that has mostly been unreported in the western media. China’s armed forces are formidable and expensive. They comprise over 2 million active personnel and half a million reservists, funded by a defence budget of $237 billion. Strict internal policing of 1.44 billion people reportedly costs an additional $9 billion. The infamous Golden Shield programme that monitors all digital activity in the country has been reported as employing more than 2 million people, with the first phase costing more than $1.6 billion. State-provided healthcare, education, housing and pensions add to the costs that the government must raise to run the country. There is also an increasingly wealthy middle class wanting to benefit from the country’s industrial growth by consuming more and enjoying an expensive meat-based, rather than rice-based, diet. In comparison, the US has no border disputes, half the numbers in its armed forces, privatised healthcare and housing, and a society already adapted for high levels of consumption.
Maintaining the security of China and meeting the increasing demands of its people has been possible due to 30 years of annual economic growth in excess of 6%. However, with a population demanding more and a government anxious to retain power, China has adopted an increasingly aggressive policy to acquire what it needs to support its economy. This has included seizing the resource-rich South China Sea, buying agricultural land in Africa, and even acquiring Australian vineyards. When considering the pressing need to maintain internal stability, it can be seen that China has neither the time nor the resources to conduct its own technological research and development. Hence, it steals from others and the resulting products can then be sold back to the west to fuel China’s growth. This also means that although China’s policy may appear confrontational, it also needs a stable global economy for its export market. With the US the largest recipient of its manufactured goods, China has even bought over $1 trillion of its debt to enable the trade to continue.
Working with Chinese technology
Although working with Chinese companies and using their products represents a security threat, realistically it may not be possible to exclude them entirely. Together, Huawei and other companies represent a significant proportion of the technology market, offering cost-effective products – even if perhaps developed from the stolen research of others. It must also be remembered that familiar western brands often have components manufactured in China or are assembled there as part of a global supply chain. This even extends to military equipment, and questions were raised when it was discovered that the US Department of Defense allowed Chinese-built components to be included in the F-35 fighter programme. Due to the numbers of products involved, it is not possible to check each one for potential vulnerabilities that may facilitate espionage or compromise its performance. Instead, other risk-based strategies must be considered. Prior to the UK’s decision to reconsider Huawei involvement in its 5G network, the company was to be limited to non-sensitive aspects such as antennas and base stations. This excluded the ’core’, which handles more sensitive functions such as authenticating subscribers, routing and billing. This meant that Chinese components could be restricted to those aspects of the infrastructure that are harder to interfere with or that carry less valuable information.
Estonia’s future relationship with Chinese technology companies must be carefully considered. Decisions must be based on balancing security and economics and not swayed by lobbyists or public relations companies paid to promote them. To accurately determine which elements of the network could be supplied by high-risk suppliers, a total understanding of the system and its potential security vulnerabilities is required. It cannot be acceptable to totally outsource national critical information infrastructure projects to private, and in particular foreign, companies without close supervision. It is for this reason that we must develop our own domestic cyber security capabilities, undertaken by trusted personnel with the appropriate security clearances. This is particularly important for Estonia, with an international reputation based on an advanced, secure and resilient digital society. Investment in the education and training of personnel with advanced skills cannot be regarded as optional. Neither can the funding of cybersecurity research to produce the levels of expertise needed to secure the next generation of new technology before it is introduced and not after. To achieve this, forward planning and proper funding must be an integral part of our government’s cybersecurity strategy.
The article was published in Edasi.org in July 2020.