Snapshot of a shadow war

The rapid escalation in the long-running conflict between Azerbaijan and Armenia which took place in late September 2020 has been shadowed by a battle across social media for control of the international narrative about the conflict. On Twitter, large numbers of accounts supporting both sides have been wading in on politicised hashtags linked to the conflict. Our findings indicate large-scale coordinated activity. While much of this behaviour is likely to be authentic, our analysis has also found a significant amount of suspicious and potentially inauthentic behaviour.

The goal of this research piece is to observe and document some of the early dynamics of the information battle playing out in parallel to the conflict on the ground and create a basis for further, more comprehensive research. This report is in no way intended to undermine the legitimacy of authentic social media conversations and debate taking place on all sides of the conflict.

Cultural erasure

Tracing the destruction of Uyghur and Islamic spaces in Xinjiang

This report is supported by a companion website, the Xinjiang Data Project.

What’s the problem?

The Chinese Government has embarked on a systematic and intentional campaign to rewrite the cultural heritage of the Xinjiang Uyghur Autonomous Region (XUAR). It’s seeking to erode and redefine the culture of the Uyghurs and other Turkic-speaking communities—stripping away any Islamic, transnational or autonomous elements—in order to render those indigenous cultural traditions subservient to the ‘Chinese nation’.

Using satellite imagery, we estimate that approximately 16,000 mosques in Xinjiang (65% of the total) have been destroyed or damaged as a result of government policies, mostly since 2017. An estimated 8,500 have been demolished outright, and, for the most part, the land on which those razed mosques once sat remains vacant. A further 30% of important Islamic sacred sites (shrines, cemeteries and pilgrimage routes, including many protected under Chinese law) have been demolished across Xinjiang, mostly since 2017, and an additional 28% have been damaged or altered in some way.

Alongside other coercive efforts to re-engineer Uyghur social and cultural life by transforming or eliminating Uyghurs’ language, music, homes and even diets,1 the Chinese Government’s policies are actively erasing and altering key elements of their tangible cultural heritage.

Many international organisations and foreign governments have turned a blind eye. The UN Educational, Scientific and Cultural Organization (UNESCO) and the International Council on Monuments and Sites (ICOMOS) have remained silent in the face of mounting evidence of cultural destruction in Xinjiang. Muslim-majority countries, in particular, have failed to challenge the Chinese Government over its efforts to domesticate, sinicise and separate Uyghur culture from the wider Islamic world.

What’s the solution?

The Chinese Government must abide by Article 4 of China’s Constitution and allow the indigenous communities of Xinjiang to preserve their own cultural heritage and uphold the freedom of religious belief outlined in Article 36. It must abide by the autonomous rights of minority communities to protect their own cultural heritage under the 1984 Law on Regional Ethnic Autonomy.

UNESCO and ICOMOS should immediately investigate the state of Uyghur and Islamic cultural heritage in Xinjiang and, if the Chinese Government is found to be in violation of the spirit of both organisations, it should be appropriately sanctioned.

Governments throughout the world must speak out and pressure the Chinese Government to end its campaign of cultural erasure in Xinjiang, and consider sanctions or even the boycotting of major cultural events held in China, including sporting events such as the 2022 Winter Olympic Games.

The UN must act on the September 2020 recommendation by a global coalition of 321 civil society groups from 60 countries to urgently create an independent international mechanism to address the Chinese Government’s human rights violations, including in Xinjiang.2

Executive summary

Under President Xi Jinping, the Chinese Communist Party (CCP) has adopted a more interventionist approach to nation building along China’s ethnic periphery. Indigenous non-Han cultures, which are considered backward, uncivilised and now potentially dangerous by CCP leaders, must yield to the Han normative centre in the name of an ostensibly unmarked ‘Chinese’ (中华) culture.3

The deliberate erasure of tangible elements of indigenous Uyghur and Islamic culture in Xinjiang appears to be a centrally driven yet locally implemented policy, the ultimate aim of which is the ‘sinicisation’ (中国化) of indigenous cultures, and ultimately, the complete ‘transformation’ (转化) of the Uyghur community’s thoughts and behaviour.

In work for this report, we sought to quantify the extent of the erasure and alteration of tangible indigenous cultural heritage in Xinjiang through the creation of two new datasets recording:

  • demolition of or damage to mosques; and
  • demolition of or damage to important religious–cultural sites, including shrines (mazars), cemeteries and pilgrimage routes.

With both the datasets, we sought to compare the situation before and after early 2017, when the Chinese Government embarked on its new campaign of repression and ‘re-education’ across Xinjiang.

Media and non-government organisation reports have unearthed individual examples of the deliberate destruction of mosques and culturally significant sites in recent years.4 Our analysis found that such destruction is likely to be more widespread than reported, and that an estimated one in three mosques in Xinjiang has been demolished, mostly since 2017.

This equates to roughly 8,450 mosques (±4%) destroyed across Xinjiang, and a further estimated 7,550 mosques (±3.95%) have been damaged or ‘rectified’ to remove Islamic-style architecture and symbols. Cultural destruction often masquerades as restoration or renovation work in Xinjiang. Despite repeated claims that Xinjiang has more than 24,000 mosques5 and that the Chinese Government is ‘committed to protecting its citizens’ freedom of religious belief while respecting and protecting religious cultures’,6 we estimate that there are currently fewer than 15,500 mosques in Xinjiang (including more than 7,500 that have been damaged to some extent). This is the lowest number since the Cultural Revolution, when fewer than 3,000 mosques remained (Figure 1).7

Figure 1: The number of mosques in the Xinjiang Uyghur Autonomous Region since its founding

Note: The estimates from our research are included as the 2020 datapoint. Mosques that have been damaged but not destroyed are shown in orange. Source: Li Xiaoxia (李晓霞), ‘Analysis on the quantity change and management policy of Xinjiang mosques’ (新疆清真寺的数量变化及管理政策分析), Sociology of Ethnicity (民族社会学研究通讯), vol. 164 (2018), p. 40, online; and ASPI analysis.

Mosques across Xinjiang were rebuilt following the Cultural Revolution, and some were significantly renovated between 2012 and 2016, including by the construction of Arab- and Islamic-style domes and minarets. However, immediately after, beginning in 2016, government authorities embarked on a systematic campaign to ‘rectify’ and in many cases outright demolish mosques.

Areas visited by large numbers of tourists are an exception to this trend in the rest of Xinjiang: in the regional capital, Urumqi, and in the city of Kashgar, almost all mosques remain structurally intact.

Most of the sites where mosques were demolished haven’t been rebuilt or repurposed and remain vacant. We present three case studies (on the renovation and demolition of mosques in northern Xinjiang, the land use of demolished mosques, and the destruction of the Grand Mosque of Kargilik) to highlight the impacts of this process of erasure.

Besides mosques, Chinese Government authorities have also desecrated important sacred shrines, cemeteries and pilgrimage sites. Our data and analysis suggest that 30% of those sacred sites have been demolished, mostly since 2017. An additional 27.8% have been damaged in some way. In total, 17.4% of sites protected under Chinese law have been destroyed, and 61.8% of unprotected sites have been damaged or destroyed. We present two case studies (the destruction of the ancient pilgrimage route of Ordam Mazar and of Aksu’s sacred cemeteries) to show in detail the impact on sacred spaces.

Methodology

The Chinese Government’s 2004 Economic Census identified more than 72,000 officially registered religious sites across China, including more than 24,000 mosques in Xinjiang.8 Given the lack of access to Xinjiang and the sheer number of sites, we used satellite imagery to build a new dataset of pre-2017 mosques and sacred sites.

We found the precise coordinates of more than 900 sites before the 2017 crackdown, including 533 mosques and 382 shrines and other sacred sites.

Each of those sites was then cross-referenced against recent (2019–2020) satellite imagery and categorised as destroyed, significantly damaged, slightly damaged or undamaged. In most cases, significant damage relates to part of the site being destroyed or to Islamic-style architecture (such as domes and minarets) being removed.

We then used a sample-based methodology to make statistically robust estimates of the region-wide rates of destruction by cross-referencing it to data from the 2004 Economic Census, by prefecture.9

For prefectures for which we had a sample of more than 2.5% of mosques, the prefecture-wide destruction and damage rates were extrapolated directly from the observed sites in our sample.

The rate of destruction in prefectures that were undersampled (having less than 2.5% of all mosques located) was estimated by averaging the observed prefectural rate of destruction and the region-wide rate (excluding the regional capital, Urumqi). We estimated the total number of mosques destroyed and damaged by combining those prefectural-level extrapolations.

This analysis is only able to determine demolition or other visible structural changes to the sites. Based on our sample, the razing of mosques appears to have been carried out broadly across Xinjiang, and neither urban nor rural mosques were more likely to be damaged or demolished.

Urumqi and the tourist city of Kashgar are outliers where most mosque buildings remain visibly intact.

Those cities are frequented by domestic and international visitors and serve to conceal the broader destruction of Uyghur culture while curating the image of Xinjiang as a site of ‘cultural integration’ and ‘inter-ethnic mingling’.10

For more details on how our calculations were done and how to access the raw data, see the appendix to this report.

Results and case studies

Mosques

In total, we located and analysed a sample of 533 mosques across Xinjiang, including 129 from Urumqi. Of those mosques, 170 were destroyed (31.9%), 175 were damaged (32.8%) and 188 remained undamaged (35.3%). Urumqi has only 1.4% of Xinjiang’s mosques, despite representing 24% of our sample, and was an outlier that showed lower rates of mosque demolition (17% versus an average of 36% in other prefectures). Of the 404 mosques we sampled in other parts of Xinjiang, 148 were destroyed (36.6%), 152 were damaged (37.6%) and 104 were undamaged (25.8%). Figure 2 summarises the percentages of sampled mosques destroyed or damaged, by prefecture.

Figure 2: Percentage of sampled mosques that are damaged or destroyed, by prefecture, XUAR

Note: Territorial borders shown on maps in this report do not indicate acceptance by ASPI, in general they attempt to show current territorial control and not claims from any country. Source: ASPI ICPC.

The destruction of mosques appears to be correlated with the value authorities place on a region’s tourist potential; for example, Urumqi has a low rate of demolition, followed by the major tourist sites like Kashgar.11 Yet, it should be noted, both cities have undergone and continue to undergo significant urban development, which has resulted in the demolition or ‘renovation’ of part of Kashgar’s old city and the Uyghur-dominated Tengritagh and Saybagh districts of Urumqi.12

Extrapolating those figures on a prefectural level from official statistics allowed us to estimate the full number of destroyed and damaged mosques in Xinjiang. We found that across the XUAR approximately 16,000 mosques have been damaged or destroyed and 8,450 have been entirely demolished. The 95% confidence range of our regional findings is ±4% for the estimates of demolished, destroyed and undamaged mosque numbers. The full prefectural breakdown is shown in Table 1 and Figure 3.

Table 1: Full results showing the prefectural breakdown of mosques in Xinjiang, our sampling data and our estimates of damaged numbers

Note: In this table XPCC refers to the Xinjiang Production and Construction Corps (Bingtuan), a government entity distinct to Xinjiang’s regional government that directly administers large areas of the XUAR. Source: ASPI ICPC.

Figure 3: The estimated number of mosques destroyed or damaged in each prefecture of the XUAR

Note: Red dots represent the estimated number of destroyed mosques, orange represents the estimated number of damaged mosques. The number written shows these two combined. For full details see Table 1. Source: ASPI ICPC.

Officials from the ruling Chinese Communist Party (CCP) have repeatedly claimed that Xinjiang has more than 24,000 mosques and cite that as evidence of the state’s respect for religious freedom.13

However, our analysis shows that in most prefectures a majority of mosques and other sites of Islamic worship are being destroyed or transformed in ways that erode their religious and cultural significance.

In June 2015, Yang Weiwei, a researcher at the official CCP school in the northern prefecture of Altay, clearly articulated one of the perceived threats that authorities believe mosques pose to social stability in Xinjiang.14 Without providing evidence, she asserted that ‘the number of mosques in Xinjiang far exceeds the needs of normal religious activities,’ and instead provide venues for separatists and extremists to proselytise. The Islamic faith of Uyghurs in southern Xinjiang, she claimed, is propelling society away from traditional secularism towards conservatism, and challenging CCP rule. ‘In southern Xinjiang, the capacities of the party’s grassroot organs are hampered, but the role of mosques [is] constantly being strengthened,’ she warned.15

Her report specifically recommended that mosques be demolished, saying that only one mosque should exist in each administrative unit, that their design should adhere to strict unified standards (implying the removal of Islamic and Arab architecture), and that their opening hours should be limited to a single day every week and holidays.16

That recommendation doesn’t appear to be restricted to Altay Prefecture. Our evidence suggests the demolition and ‘rectification’ of mosques is more severe in other prefectures in Xinjiang, 17 of which (out of the 19 that we recorded) have higher rates of mosque demolition than Altay.

Xinjiang’s latest ‘mosque rectification’ (清真寺整改) campaign, which was conducted under the guise of improving public services and safety, began in 2016 and gathered pace under the new Xinjiang Party Secretary, Chen Quanguo.17 Local authorities were responding in part to Xi Jinping’s call for the ‘sinification’ (中国化) and the ‘deradicalisation’ (去极端化) of religion in Xinjiang.18 The vast majority of mosques in our sample that remained undamaged had no existing visible Islamic architectural features and didn’t need modification to adhere to the strict standards set out by the regional ‘rectification’ campaign.

Additionally, media reports suggest that a number of mosques that remain physically intact (and therefore would be classified as undamaged in our dataset) have been secularised or converted into commercial or civic spaces, including cafe-bars19 and even public toilets.20 We aren’t able to quantify this practice using our methodology.

However, visitors to the region since 2017, who saw several still-standing mosques and spoke privately with ASPI, estimated that roughly 75% of the mosques still standing had either been padlocked shut and had no worshippers visiting at key prayer times or had been converted into other uses. A separate recent visitor to Kashgar city told us that ‘virtually all’ of the mosques in the ‘old city’ had been closed and that a limited number had been converted into cafes.

Although other religious minorities aren’t the focus of our report, we also checked several Christian churches and Buddhist temples across Xinjiang and found that none of those sampled had been damaged or destroyed. This contrasts with the high number of damaged and destroyed mosques across the region, along with the widespread ‘rectification’ of many religious sites in other parts of China.21

Case study: Northern Xinjiang’s renovations and demolitions

Our study of mosques in northern Xinjiang revealed a wave of renovations and reconstructions between 2012 and 2016, followed by a wave of demolitions from 2016 onwards. This sudden reversal coincided with significant national-level changes to religious policy and a crackdown on expressions of faith,22 suggesting a centrally driven policy directive rather than decisions by local officials.

We found evidence that most mosques in a number of prefectures had been standardised through the addition of a large central dome and minarets on each building’s corners before 2016. An example of four mosques that were standardised in the same way is shown below in figures 4 and 5. For example, the bottom-left mosque in the examples is a mosque in Shiho city (Wusu). A dome and minarets were added in mid-2015, but by mid-2018 the entire site had been demolished.

Figure 4: Four mosques in Northern Xinjiang, chosen at random from our database, showing their structure before renovation between 2012 and 2016

Note: Clockwise from top left their locations are in Dorbijin County (Emin – 46.522N, 83.648E), Qutubi County (Hutubi – 44.185N, 86.900E), Changji City (44.0544N, 87.2262E), Shiho city (Wusu – 44.431N, 84.672E). Source: Maxar via Google Earth

Figure 5: The same four mosques were significantly renovated between 2012 and 2016; all showed additions of a dome and two or four minarets

Source: Maxar via Google Earth.

However, following Xi Jinping’s April 2016 speech at the National Religious Work Conference in which he called for the sinicisation of Chinese religion,23 this renovation work appears to have been halted.

Then, following Chen Quanguo’s ascension as Xinjiang Party Secretary in late 2016, the renovations made to these mosques were reversed. In some cases this resulted in the newly built domes and minarets being removed; in most cases, it resulted in the demolition of the entire structure. Three of the four randomly chosen mosques shown above have been entirely demolished since 2016, and one has had its Islamic architecture removed (Figure 6).

Figure 6: The same four mosque sites, showing that three of them have been demolished entirely and that the fourth had its dome and minarets removed by 2018

Source: Maxar via Google Earth.

Case study: Land uses at the sites of demolished mosques

Of 187 destroyed mosques that we recorded, only 41 sites (22%) have been redeveloped for other purposes, according to the latest imagery available at the time of publication, in many cases nearly three years since demolition (figures 7, 8 and 9). The rest either remain bare ground (65%) or have been converted for agriculture or turned into roads or car parks (12%).

Most mosques that were demolished between 2017 and 2020 weren’t razed to make way for new buildings, but instead were simply demolished and left as vacant land.

Figure 7: A mosque in Hotan’s Karakash County, before and after 2017

Source: Maxar via Google Earth.

Figure 8: A mosque in Bayingol’s Lopnur (Yuli) County, before and after 2017

Source: Maxar via Google Earth.

Figure 9: A mosque in Chochek’s Shiho (Wusu) city, before and after 2017

Source: Maxar via Google Earth.

The vast majority of mosque demolitions have been targeted desecrations in which surrounding buildings have remained intact, but there are some examples in which a mosque has been retained while surrounding residential buildings have been razed (Figure 10). Eighty per cent of mosques in the latter category are in Urumqi.

Figure 10: A mosque in Urumqi’s Saybagh district that remained in 2019 following the demolition of the residential community that it had served

Source: Maxar via Google Earth.

Case study: The demolition and miniaturisation of Kargilik’s Grand Mosque

A bizarre trend that has occurred in a small number of damaged mosques is the demolition of the Islamic-styled gatehouse and its reconstruction at a miniaturised scale. These mosques are generally significant and historic sites afforded significant degrees of formal protection.

For example, the Grand Mosque in Kashgar’s historic Kargilik County (Yecheng) was built in 1540.

In the 2000s, it was designated as a Xinjiang regionally protected cultural heritage site—the second highest level of protection granted to historic relics. Figure 11 shows the mosque as it once appeared (probably during the 1990s).

Figure 11: Kargilik’s Grand Mosque gatehouse as it appeared in the late 20th century

Source: Anon, “Yecheng kagilik jame,” Mapio Net, nd., online.

The historic Islamic architecture is clear: large domes and crescent moons at the top, colourful tile mosaics typical of Central Asian mosques, and the Shahada (Islamic creed) above the entranceway.

The Islamic features remained on the mosque, although somewhat faded, until the 2017 crackdown (Figure 12).

Figure 12: Kargilik’s Grand Mosque gatehouse in the 2010s

Source: Anon, “Kargilik’s Jame Mosque,” Mapio Net, nd., online.

Following the crackdown, most of the mosaic artwork was painted over, the Arabic writing was removed, the crescent moon motif was removed or replaced, and a large government propaganda banner hung from the mosque. Figure 13 is a photo taken in September 2018 by a visiting tourist, shortly before the gatehouse was razed. The mosque has a large red banner saying ‘Love the party, love the country’ draped across the building and a sign where the Shahada used to sit saying that CCP members, government employees and students are prohibited from praying in the mosque, including during the Eid festival. Furthermore, the doors were also closed and seemingly padlocked.24

Figure 13: Kargilik’s Grand Mosque gatehouse in September 2018

Source: YY, “Kargilik Mosque (加满清真寺),” Flickr, 11 September 2018, online.

Shortly after this photo was taken, the historic entranceway was demolished. By April 2019, it had been poorly reconstructed at roughly a quarter the original size (figures 14 and 15). Originally, the entranceway was roughly 22 metres across; the reconstruction is only 6 metres across. Much of the original site has been replaced by construction for a new shopping mall.

Figure 14: Kargilik’s Grand Mosque gatehouse rebuilt at a smaller scale in 2019

Note: This image has been slightly manipulated to avoid revealing potentially identifiable information about the photographer, who privately shared this image with ASPI. No architectural features have been changed from the original image.

Figure 15: Satellite imagery showing Kargilik’s Grand Mosque in September 2018 and April 2019; red arrowhead points to the miniaturised gatehouse

Source: Maxar via Google Earth.

Although ‘miniaturisation’ was relatively rare across Xinjiang, it was noted in several significant mosques in Kashgar, including in Kargilik and Yarkant.

Sacred public sites

Scattered across Xinjiang’s vast open spaces are a number of sacred spaces. The region’s oases have supported lives and communities for centuries. Uyghurs and other Turkic communities in what the Uyghurs call Altishahr (ئالتە شەھەر ), or the ‘six cities’ in the south of Xinjiang, have followed Islam for over 1,000 years and have cultivated a unique fusion of Sunni fellowship and Sufi cultural and religious traditions.25

The mysticism that influences Uyghur Sufism draws on a cultural connection to land and the sacredness of place, in which holy sites (often the locations of purported miracles or the burial places of enlightened scholars, leaders, poets, saints, mullahs or sheiks) retain their sacrosanctity indefinitely.

For the devout, these sites are a source of healing, of introspection and of good fortune. The sites are an integral part of Uyghurs’ cultural history and connection to the land.26

Since 2017, as the state began systematically restricting personal expressions of Islamic culture and belief in Xinjiang, the sacred sites of Uyghur identity have been desecrated and destroyed in large numbers. Rian Thum notes that access to most mazar (shrine) sites had already been locked off to pilgrims and visitors over the past decade, and that their subsequent ‘destruction appears to have been an end in and of itself’.27

Across Xinjiang’s five southernmost prefectures, we located 349 sacred sites, 103 of which were formally registered as protected cultural heritage by the Chinese Government at various levels.28

Of all the significant and sacred spaces we examined, we found that 30% have been entirely demolished, including sites of famous pilgrimages. A further 27.8% have been damaged in some way (Figure 16).

Figure 16: The rates of damage to the various sacred and significant cultural sites surveyed in this report, by level of protection

Source: ASPI ICPC; the raw numbers are online.

Formal protection by the authorities has affected the rates of demolition: 51.4% of protected sites are undamaged, compared to only 38.2% of unprotected sites. Likewise, formally protected sites are about half as likely to have been entirely demolished than unprotected sites: 17.4% of formally protected sites were demolished outright, compared to 35.4% of unprotected sites.

We also found relatively high rates of destruction among nationally and regionally protected sacred sites: 16.7% of the nationally protected sites we examined had been destroyed, and 41.6% were damaged (totalling 58.3% damaged or destroyed). Likewise, 16% of sites protected at the Xinjiang regional level had been destroyed, and an additional 32% had been damaged in some way (totalling 48% damaged or destroyed).

However, formal protection neither applies to nor provides protection to the most significant sites.

Several of the most well-known and culturally significant sites, such as Imam Jafar Sadiq Mazar and Imam Asim Mazar, and potentially Ordam Mazar, that previously hosted major annual pilgrimages are offered no formal protection and have all been demolished by Chinese authorities since 2017.29

In many cases where significant graves remain, satellite imagery reveals that attached mosques and prayer halls have been demolished, apparently to deny access to and space for worshippers. Additionally, in many cases otherwise undamaged sites appear to have installed security checkpoints at the entrances or have been fully enclosed by walls, restricting access.

Case study: The destruction of Ordam Mazar

Ordam Mazar ( ئوردىخان پادىشاھىم , ‘Royal City Shrine’) was a small settlement of about 50 structures in the Great Bughra desert (Figure 17). Sitting midway between Kashgar and Yarkant it was surrounded by miles of desert and was commemorated as the place from which Islam spread across the region.

It marked the site where, in 998 AD, Ali Arslan Khan, the grandson of the first Islamic Uyghur king, died in a battle to conquer the Buddhist kingdom of Hotan. Ali Arslan’s martyrdom was marked by a festival every year, drawing Uyghur pilgrims from all over southern Xinjiang at the beginning of the 10th Islamic month of Muharram.30

Figure 17: A 2013 satellite image of Ordam Mazar

Source: Airbus via Google Earth.

Tens of thousands of people visited the site before the festival was outlawed in 1997,31 the year before the 1,000th anniversary of Arslan Khan’s death. Since then, the area has been locked down. The religious curators of the site have mostly been pushed away, and only one family remained at the shrine by 2013: the family of Qadir Shaykh (Figure 18). He was required to report all unauthorised visitors to authorities, and most devotees who visited in the years preceding 2017 did so in the middle of the night to avoid identification.32 Their worship would only be betrayed by the presence of a new flag of prayers tied to the bundle of sticks that is often used to mark a sacred site (tugh,تۇغ ).

Figure 18: A photo of Qadir Shaykh taken by a visiting tourist in 2008

Source: ‘Left-behind elderly in the depths of the desert, accompanied by a falcon when living alone’ (沙漠深处的留守老人独居时与猎鹰为伴), WeChat, 8 April 2015, online.33

The official closure of Ordam Mazar in 1997 was justified by the banning of illegal religious activities (非法宗教活动) and feudal superstition (封建迷信), which linked the mystic traditions of the Uyghur people to notions of backwardness and mental illness.34 Ordam Mazar and its connection to mystic expressions of Islamic faith became emblematic of the ‘Three Evils’ (三股势力) of terrorism, separatism and religious extremism. The alleged linkage propelled the Chinese Government’s crackdown in Xinjiang and provided ideological justification for the erasure and alteration of sacred indigenous sites.

Our analysis of satellite imagery found that, between 24 November and 24 December 2017, the entire site of Ordam was razed (Figure 19). The following autumn, Altun Rozam ( ئالتۇن روزام ), a shrine formed from a bundle of sticks and flags that lay 1.2 kilometres northwest of Ordam and marked the sand dune where Arslan Khan is said to have been killed in battle 1,020 years ago, was bulldozed (Figure 20).

The stone foundations have been covered by the sand, and now no sign of the sacred town remains.

The whereabouts of Qadir Shaykh and his family are unknown

Figure 19: Ordam Mazar in May 2018, showing the nearly complete destruction of the desert outpost

Source: Maxar via Google Earth.

Figure 20: Photo of what appears to be the cultural relic preservation marker for Ordam Mazar in 2013

Source: Rita@kashi weifeng, ‘Pathfinder to the Desert Holy Land: Ordam, a tomb of king’ (探路沙漠圣地–奥达木王陵), Douban, 22 May 2013, online.

Ordam marks the endpoint of a 15-day pilgrimage route, which for centuries connected sacred sites in and around the Great Bughra desert. All the pilgrimage stops on this route were also demolished in late 2017; including Häzriti Begim Mazar, which was a shrine marking the location where Häzriti Begim, the son of Rome’s emperor, died in battle alongside Arslan Khan.35

The remoteness of Ordam Mazar and other stops along this pilgrimage route is significant. Ordam is roughly 15 kilometres from the nearest cultivated area and 35 kilometres from the nearest county centre (Figure 21). Given the level of surveillance in Xinjiang, including new networks that have been built since the 2017 crackdown, the demolition of these pilgrimage sites was not necessary to prevent worshippers visiting them.

Likewise, considerable investment is needed to transport a demolition team across tens of kilometres of ungraded desert tracks, mostly crossing sand dunes. Therefore, this suggests that the demolition not only represents the curtailing of religious freedoms in Xinjiang, but also the deliberate severing of ties that Uyghurs have to their cultural heritage, history, landscape and identity.

Figure 21: A photo of part of Ordam town, showing the mosque, taken by a visiting tourist in 2017

Source: Mo de shijie (蓦的世界), ‘Exploring the mystery of Aodamu (Audang) Mazha’ (奥达木(奥当)麻扎探秘), Weixin, 25 March 2017, online.

Ordam’s demolition also marks the end of Dr Rahile Dawut’s public life. Dawut is an ethnographic scholar and an international expert on Xinjiang’s sacred sites. The New York Times described her as ‘one of the most revered academics from the Uyghur ethnic minority in far western China’,36 and her previous work on Ordam Mazar was funded by the Chinese Government and its academic grants.37

In December 2017, the same month that Ordam was demolished, Rahile Dawut went missing while trying to travel to Beijing for a conference. Her whereabouts remain unknown. Her family and relatives believe that she was forcibly ‘disappeared’ and arbitrarily detained somewhere in the vast network of more than 375 ‘re-education’ centres, detention camps and newly expanded prisons in Xinjiang.38

Her ‘crimes’ or ‘misdemeanours’ have never been made public. Dawut is one of at least 300 Uyghur intellectuals detained in Xinjiang since 2017.39

The demolition of Ordam Mazar and the disappearance of a world-renowned researcher of Uyghur sacred spaces highlights the extent that Xinjiang’s public spaces of faith and identity have been targeted and outlawed. This highly sacred site for the Uyghur people, which had fought back the desert and multiple rounds of conquest for over 1,000 years, has now been subsumed back into the desert.

Case study: The desecration of Aksu’s sacred cemetery

Near the Yéngichimen village in Toyboldi ( تويبولدى ) township, about a four-hour drive from Aksu city, lay the remains of Mulla Elem Shahyari ( شەھيارى ). Shahyari was a notable poet and Islamic leader around Aksu in the late 18th and early 19th centuries. In his youth, he studied Islamic oratory, and he eventually became a chief poet for the ming-begi (local chieftain, مىڭ بېگى ).40

He is known for his long poem, composed over 10 years, ‘Rose and Nightingale’ ( گۈل ۋە بۇلبۇل ). In 1814, after he died from illness in his home town at Toyboldi, his grave became a shrine. The grave was near the entrance of a 13-hectare cemetery, in the yard of the cemetery’s prayer hall (Figure 22).41

Figure 22: Yéngichimen cemetery in 2014 and 2019, showing its destruction

Source: Maxar via Google Earth.

As a child, Aziz Isa Elkun, a now-exiled Uyghur poet who grew up nearby, revered Shahyari’s shrine; the village considered Shahyari to be enlightened. During an interview with ASPI, Mr Elkun said: 

[Our] Islamic and Uyghur cultural identities … are intrinsically linked; therefore [we] regard [Shahyari’s] burial place as a holy place that connects the spirits of the generations past and today … [The] graveyard is a symbol of bonding for the Uyghurs spiritually, culturally and politically.42

With many of his fellow townspeople, he visited the grave of Shahyari every Friday and after religious holidays, praying in front of the tomb:

I read Mulla Elem Shahyari’s best known poem ‘Rose and Nightingale’ when I was a teenager … After reading his poetry, it inspired me to learn Uyghur classic literature and poetry. Since then, I started writing poems and had them published in local newspapers and journals.43

The last time he visited Shahyari’s shrine was the last time he returned home in February 2017. During that visit, the shrine was in serious disrepair, and the authorities were prohibiting locals from repairing the grave (Figure 23).

Figure 23: A photo of Mulla Elem Shahyari’s Mazar, taken in 2009

Source: Cultural Relics Bureau of Xinjiang Uyghur Autonomous Region (新疆维吾尔自治区文物局), Immovable cultural relics: Aksu area, volume 1 (不可移动的文物 阿克苏地区卷1). Urumqi: Xinjiang meishu shying, 2015, p. 537.

Mr Elkun left Xinjiang in 1999, but his family stayed behind, mostly living in Yéngichimen village. In 2017, Mr Elkun’s father, Dr Isa Abdulla, was laid to rest after a life in the vicinity of Shahyari’s shrine, within 150 metres of it in a cemetery plot prepared by the family several years previously (Figure 24). Unable to return home, or even contact his relatives without risking their punishment, Elkun was forced to mourn from afar, finding his father’s grave on satellite images.

Figure 24: Dr Isa Abdulla’s gravesite, before its demolition

Source: Matt Rivers, ‘More than 100 Uyghur graveyards demolished by Chinese authorities, satellite images show’, CNN, 3 January 2020, online.

However, less than nine months after his father’s death, local authorities in Aksu Prefecture began re-engineering the cemetery. In August 2018, lines of new numbered graves were constructed over a corner of the cemetery. According to official documents and state media reports, the numbered graves are referred to as ‘public welfare ecological cemetery graves’ (公益性生态公墓建设).

Chinese Government officials say that they’re ‘standardising’ and ‘civilising’ public cemeteries in the name of social stability, rural revitalisation and ecological protection while preventing ‘random burials’ and relocating old graves.44 The new graves would eventually cover 1.5 hectares of the old cemetery.

Dr Isa Abdulla’s grave is now unmarked, save for the number 47, and is now otherwise identical to dozens of white clay-brick graves in 39 identical rows (figures 25 and 26).45

Figure 25: Isa Abdullah’s wife and daughter mourn at his new grave in a Chinese state media propaganda report

Source: ‘By following CNN, we find how they make fake news about Xinjiang’, CGTN, 13 January 2020, online.

Figure 26: Toyboldi’s new ‘public welfare ecological cemetery’

Source: ‘By following CNN, we find how they make fake news about Xinjiang’, CGTN, 13 January 2020, online.

The new graves covered only slightly more than 10% of the original cemetery. In early February 2019, the remaining graves, spread over 11 hectares, were levelled, according to satellite imagery analysis.

None of the original graves remains. Although the garden of the mosque, where Shahyari’s shrine sat for hundreds of years, hasn’t been bulldozed, the shrine itself has been demolished.

In 2020, the site was visited by reporters from the Chinese state media outlet CGTN, who filmed the bulldozed and barren remains of the cemetery (Figure 27).46

Figure 27: The grounds of Yengichimen cemetery after being cleared of graves

Source: ‘By following CNN, we find how they make fake news about Xinjiang’, CGTN, 13 January 2020, online.

The CGTN report claimed that Dr Isa Abdullah’s family requested that his body be moved before the original gravesite was demolished. The mechanism of exhumation requests is unknown in this case.

However, a 2019 community notice posted at another to-be-bulldozed cemetery near Hotan gave relatives just three days to register and request the exhumation and relocation of their loved ones’ remains; otherwise, the remains would go unclaimed (Figure 28).47

Figure 28: Public notice of tomb relocation in Hotan

Note: This Uyghur notice states: ‘Notice of relocation of the tomb of Hotan Sultanim Mazar. To the people of the city: In accordance with the needs of our city’s urban development plan and the spirit of the legislation of the Ministry of Civil Affairs of the Autonomous Region on further standardisation of the management of burial places and cemeteries in our autonomous region, as well as the requirements for creating a comfortable environment for the general public, it is decided to relocate corpses from Sultanim Mazar into Imam Muskazim Mazar of the Hotan Prefecture. Therefore we ask the owners of the graves to register at Sultanim Mazar between 18 March 2019 to 20 March 2019. Any graves without registration will be considered as unclaimed graves and will be relocated automatically. A delayed response will be responsible for all the consequences. Please send this notification to others.’ Translation by ASPI.

Source: Bahram Sintash, Demolishing faith: the destruction and desecration of Uyghur mosques and shrines, Uyghur Human Rights Project, October 2019. online.

The policy of demolishing traditional cemeteries and replacing them with ‘public welfare ecological cemeteries’ has been widely adopted throughout Aksu Prefecture. Standardised management of cemetery grounds was adopted in June 2016, and ‘complete coverage’ of numbered clay graves was to be achieved by the end of 2019, according to local media reports.48

Of 26 rural shrine and cemetery complexes that we located in Aksu through satellite imagery analysis, 22 (85%) had had most or all of their graves demolished by 2020, and 15 (58%) of cemeteries had had traditional graves replaced with rows of clay-brick graves (Figure 29).49

Figure 29: Mardan Mugai, Deputy Secretary of Aksu Prefecture’s Party Committee, and other members of the local government standing beside a ‘public welfare ecological cemetery’ construction site

Source: ‘At the end of 2019, the Aksu area has basically achieved full coverage of the construction of public welfare ecological cemeteries’ (2019年底阿克苏地区基本实现公益性生态公墓建设全覆盖), Aksu News Network (阿克苏新闻网), 20 May 2016, online.

In a 2016 speech, the Deputy Secretary of Aksu Prefecture’s Party Committee, Mardan Mugai, called on government departments to ‘waste no time in guiding the masses … to change their customs’ and ‘abandon closed, backwards, conservative and ignorant customs’, 50 referring to traditional cemeteries and burial grounds in the prefecture, including sacred sites and shrines.

An August 2018 state media report claimed that the ‘rectification’ of traditional cemeteries had been implemented in 235 cemeteries across Aksu by the end of July and that the construction of 174 ‘public welfare ecological cemeteries’ had begun.51

Our evidence suggests that this policy has continued unabated since 2018 and that the number of cemeteries with graves demolished and new ‘ecological cemeteries’ built is likely to be roughly double the figure stated above.52

The demolition of spiritual sites in Xinjiang’s Aksu Prefecture represents the forcible severing of ties between Uyghur communities and their history and landscape. Aziz Isa Elkun characterised Shahyari’s shrine and the attached cemetery as the lifeblood of the village, saying, ‘The entire community was connected to that graveyard’ and that it was a place to pray.53

A Uyghur academic we spoke to while writing this report emphasised the importance of cemeteries to the public life and personal identity of Uyghurs and other non-Han nationalities in Xinjiang. The cemeteries, in their words, are ‘a material and symbolic representation of the collective claim to a place, a land and a homeland’.54

Major cemeteries ‘play a significant role in bonding the past and present’. For this individual, China’s new assault on cemeteries is more than the physical removal of sacred areas; it’s an attack on one of the last remaining aspects of Uyghur public life tolerated by Chinese authorities:

Arguably … until this campaign began, [cemeteries] had been the only part of Uyghur physical space, life and culture that hadn’t been tainted by large-scale CCP political imposition … In this sense, the demolition of cemeteries isn’t just an attack on Uyghurs’ claims to ancestral land … it is also a calculated effort to sever the emotional and blood ties to the past.55

Earlier this year, a spokesperson for China’s Foreign Ministry said, in response to concerns raised about the destruction of traditional cemeteries, that ‘Xinjiang fully respect[s] and guarantee[s] the freedom of all ethnic groups … to choose cemeteries, and funeral and burial methods.’56 However, widespread evidence collected by ASPI and other researchers, including satellite images and statements from officials in Xinjiang, shows that to be untrue, as traditional cemeteries are being subjected to a systematic campaign of desecration.

Background: sinicising Xinjiang under Xi Jinping

The Uyghurs and other Turkic minorities are no longer trusted with autonomy or their own cultural traditions but rather must actively embrace the cultural traditions and practices of their Han colonisers.57 This process of incorporation involves both the effacement of certain aspects of minority culture and the reshaping of local cultures and landscapes in order to more firmly stitch them into the national story.

The religious and foreign elements of non-Han cultures are viewed with particular suspicion by government officials.58 At the National Religious Work Conference in April 2016, Xi Jinping stressed the importance of fusing religious doctrines with Chinese culture and preventing foreign interference.

‘The ultimate goal [of religious work]’, the CCP’s top religious policy adviser Zhang Xunmou stated in 2019, ‘is to achieve its complete internal and external sinicisation.’59

In recent years, the Chinese Government has strengthened its control over religion, passing a revised set of regulations monitoring religion in 2017 and subsuming the state body managing religious affairs into the CCP’s United Front Work Department (UFWD) in 2018.60

Despite the fact that Xinjiang was designated a Uyghur autonomous region in 1955, Xinjiang is now spoken about as a location of ‘cultural integration’, where different peoples, religions, and cultures have long ‘coexisted’, ‘blended’ and, ultimately, fused together.61 This is despite the fact that Uyghurs and other Turkic or Muslim minorities made up roughly 59% of the XUAR’s population in 2018,62 and nearly 60% of Xinjiang’s 25 million residents practise some form of Islam.63

The Chinese state recognised the importance of documenting and protecting the ‘excellent traditional ethnic cultures’ (优秀传统民族文化) of Xinjiang in a 2018 government White Paper, but also stressed the need to ‘modernise’ and ‘localise’ the ethnic cultures while insisting that ‘Chinese culture’ is the ‘bond that unites various ethnic groups’.64 Foreign reporters on state-sponsored trips to Xinjiang are told Uyghurs are ‘immigrants’ to Xinjiang and that Islam was imposed on Uyghurs by foreigners.65

That ethos was outlined in a 2019 state media editorial by hardline public intellectual Ma Pinyan, who claims the various ethnic cultures of Xinjiang have been ‘nurtured’ in the ‘bosom’ and ‘fertile soil’ of Chinese civilisation and culture: ‘Without Chinese culture, the culture of any other ethnic group would be like a tree without roots and water.’66 In this telling, Xinjiang culture wasn’t synonymous with Islamic culture; rather, Uyghur culture, in particular, ‘originated from Chinese culture dominated by Confucianism’.67

In Xinjiang, officials have cracked down on ‘illegal’ or ‘abnormal’ religious practice among the Uyghurs and other Muslims since 2009, outlawing ‘illegal religious activities’ as they tightened controls over Islamic education, worship, fasting and veiling.68 Islamic-sounding names were banned,69 and ‘extremist’ religious materials (Qurans, prayer mats, CDs etc.) were confiscated70 and, in one case, appear to have been burned in public.71

In 2014, the former Executive Director of the UFWD,72 Zhu Weiqun, blamed ‘religious fanaticism’ (宗教狂热) for unrest in Xinjiang and called for ‘persisting with the trend towards secularisation’ within Xinjiang society in a state media interview.73 In 2017, the XUAR passed a comprehensive set of regulations to guide ‘deradicalisation’ work across Xinjiang—a set of rules that was revised in October 2018 to retrospectively authorise the mass detention of Uyghurs in ‘re-education’ camps.74

Xinjiang officials now warn against the ‘Halal-isation’ (清真泛化),75 ‘Muslim-isation’ (穆斯林化),76 and ‘Arab-isation’ (阿拉伯化)77 of religious practices in Xinjiang and seek to actively ‘rectify’ any practices, products, symbols and architectural styles deemed out of keeping with ‘Chinese tradition’.78

Tighter control over mosques and religious personnel is central to the plan to sinicise Islam in Xinjiang, as is the ‘rectifying’ of places of religious worship. Wang Jingfu, head of the Ethnic and Religious Affairs Committee in Kashgar city, told Radio Free Asia in 2016: 

We launched the rectification campaign with the purpose of protecting the safety of the worshippers because all the mosques were too old. We demolished nearly 70% of mosques in the city because there were more than enough mosques and some were unnecessary.79

Under the UFWD’s ‘four entrances campaign’ (‘四进’清真寺活动), mosques across Xinjiang are required to hang the national flag; post copies of the Chinese Constitution, laws and regulations; uphold core socialist values; and reflect ‘excellent traditional Chinese culture’.80 Architecturally, this involves the removal of Arabic calligraphy, minarets, domes and star-and-crescent and other symbols deemed ‘foreign’ and their replacement with traditional Chinese architectural elements.81

Finally, the control and sinicisation of Xinjiang also advances the state’s economic agenda through commodified and curated tourism and the promotion of Xinjiang as a key node in Xi Jinping’s Belt and Road Initiative.82

Cultural heritage and the role of UNESCO

The global bodies charged with the preservation of cultural heritage worldwide have been silent on cultural destruction in Xinjiang. The Chinese Government has worked closely with UNESCO after ratifying the UNESCO World Heritage Convention in 1985 to develop its capacities for preservation work.83

There’s been a sustained, top-down effort involving all levels of the Chinese Government to expand the formal recognition of Chinese cultural sites and intangible culture on the world stage and to deepen China’s involvement and influence in UNESCO,84 pre-dating, and assisted by, the US decision to reduce funding and withdraw from UNESCO in 2017.85 China’s representative, Qu Xing, is the organisation’s current Deputy Director-General.86

Evidence of those efforts came in 2019, when the total number of Chinese UNESCO World Heritage sites reached 55, making China the country with the most such sites.87 Cultural heritage is not only a soft-power asset for the Chinese state but also a tool of governance. Rachel Harris reminds us:

It can be used to control and manage tradition, cultural practices, and religion and to steer people’s memories, sense of place, and identities in particular ways, providing a softer and less visible way of rendering individuals governable.88

Two Uyghur cultural practices are listed on the UNESCO Intangible Cultural Heritage register: the 12 muqam,89 inscribed in 2005; and the mäshräp,90 inscribed in 2010.

However, both these diverse and rich cultural practices, which involve song, dance and storytelling, have been co-opted and politicised by the Chinese Government. Mäshräp has been stripped of its religious content and is now used to counter extremism,91 while muqam has been commodified, rewritten and secularised for safe consumption.92 Meanwhile, well-known Uyghur performers of traditional Uyghur music, such as Abdurehim Heyt and Sanubar Tursun, suddenly disappeared from public life in 2017 and 2018 before resurfacing under mysterious circumstances.93

UNESCO, which is an organisation founded to ‘promote the equal dignity of all cultures’ and ‘in response to a world war marked by racist and anti-semitic violence’,94 has made no public comment on the abuses perpetrated against Xinjiang’s minorities by the Chinese state.

Similarly, UNESCO’s advisory body dedicated to protecting ‘cultural heritage places’, the International Council on Monuments and Sites (ICOMOS), has been silent on the destruction of cultural heritage in Xinjiang while publicly condemning, for example, Turkey’s decision to ‘reverse the status of Hagia Sophia from a museum to a mosque’ in July 2020.95 In 2009, the US branch of ICOMOS publicly expressed concern about the demolition of much of the old city of Kashgar,96 but it’s been silent since then.

For over a decade, the World Monuments Fund, a New York based non-profit, has trained Chinese conservators and helped to fund the renovation of the Forbidden City and the Great Wall, while doing nothing to stop the wanton cultural destruction in Xinjiang.97

ASPI repeatedly sought comments from UNESCO and ICOMOS about their public position on Xinjiang and the Uyghurs but received no response.

These organisations must re-examine their mission. Their failure to investigate or comment on the destruction of indigenous culture in Xinjiang suggests their capture by or subservience to Beijing.

Conclusion and recommendations

The Chinese Government’s sinicisation policies in Xinjiang have led to the destruction of thousands of mosques and hundreds of sacred cultural sites. These acts of intentional desecration are also acts of cultural erasure. The physical landscape—its sacred sites and even more prosaic structures—holds the memories and identities of local community and ethnic groups. ‘Memory floats in the mind’, eminent historian R Stephen Humphreys remarked in 2002, ‘but it is fixed and secured by objects.’98

The Chinese Government’s destruction of cultural heritage aims to erase, replace and rewrite what it means to be Uyghur and to live in the XUAR. The state is intentionally recasting its Turkic and Muslim minorities in the image of the Han centre for the purposes of control, domination and profit.

The Chinese state has long sought to ‘transform’ and ‘civilise’ Xinjiang, but Xi Jinping and his lieutenants bring a new sense of urgency to this colonialist project. Under the guise of combating perceived ‘religious extremism’ and promoting ‘inter-ethnic mingling’, Chinese officials are slowly but systematically stripping away those elements of Uyghur culture they deem to be ‘foreign’, ‘backward’, ‘abnormal’ or simply out of sync with Han-centric norms. What remains is a Potemkin village: sites and performances for tourist consumption and propaganda junkets.

Unlike the international condemnation that followed the Taliban’s dynamiting of the Bamyan Buddhas in Afghanistan99 or the destruction of parts of Dubrovnik and Sarajevo following the collapse of Yugoslavia,100 China’s acts of cultural erasure in Xinjiang have been perhaps less dramatic and visible, yet arguably far more wide-ranging and impactful.

In the light of this report’s findings, ASPI recommends as follows:

  • The Chinese Government must abide by Article 4 of its own Constitution, allow the indigenous communities of Xinjiang to preserve their own cultural heritage and protect the freedom of religious belief outlined in Article 36, and not in ways that are defined and controlled by authorities who appear to have the opposite motive. It must uphold the autonomous rights of its non-Han communities to protect their own cultural relics and heritage under the 1984 Law on Regional Ethnic Autonomy and cease the demolition of significant cultural and religious sites in the XUAR.
  • UNESCO and ICOMOS should immediately investigate the state of indigenous cultural heritage in Xinjiang and, if the Chinese Government is found to be in violation of the spirit of both organisations, it should be appropriately sanctioned. Both organisations must make public statements on the cultural erasure in Xinjiang, drawing on our investigations and other existing research.
  • National governments should apply public pressure to UNESCO, ICOMOS and other conservation bodies if they fail to respond to Uyghur cultural destruction in Xinjiang.
  • International cultural and heritage organisations such as UNESCO and ICOMOS must shift from silence on cultural erasure in Xinjiang to a coordinated approach with the global human rights network, which is already engaged in bringing international pressure to bear on Chinese authorities in ways relevant to the missions of UNESCO and ICOMOS.
  • Governments throughout the world, including governments of developing and Muslim-majority countries, must speak out and pressure the Chinese Government to end its genocidal policies in Xinjiang, stop the deliberate destruction of indigenous cultural practices and tangible sites, and consider sanctions or even the boycotting of major cultural events held in China, including the 2022 Winter Olympics.

Appendix: Full methodology

For both datasets, the basic methodological aim was the creation of a new, unbiased, stratified dataset of locations of mosques and sacred sites before the 2017 crackdown. Those locations were then checked against recent satellite imagery to ascertain their current status.

Mosques

The Chinese Government’s 2004 Economic Census identified nearly 24,000 mosques in Xinjiang.101

Accordingly, it wouldn’t be feasible to manually examine every site and ascertain its current status following the 2017 crackdown. Therefore, in order to estimate the number of mosques damaged and destroyed in Xinjiang, we needed to build our own dataset of suitable sample sites and then extrapolate the results across the region.

For valid extrapolation, it was crucial to obtain a nearly random sample of Xinjiang’s mosques. Therefore, any previously created lists of demolished mosques needed to be completely ignored.

Instead, we needed to create a novel database free of any sampling bias. The most complete source of this data would be through official Chinese Government information; however, there are significant barriers to access to and use of that information.

The data from the 2004 Economic Census provided addresses for each of the nearly 24,000 mosque sites in Xinjiang;102 however, in many cases, the addresses are imprecise and couldn’t be clearly associated with physical buildings visible in the satellite imagery. Therefore, we used a combination of two different methods.

First, an aggregated database of 10,000,000+ points of interest (POIs) across China was obtained. The POIs primarily represented businesses, amenities or attractions located with high precision, largely for inclusion into national navigation and online map platforms. An example of the density and precision of the POIs is shown in Figure 30 as a screenshot of a map of part of the regional capital, Urumqi.

Figure 30: A map showing the full POI database consulted (not queried for mosque) across a neighbourhood in Urumqi

Source: ASPI ICPC.

The database was queried for the word ‘清真寺’ (mosque). That yielded 1,733 mosques nationwide, including 289 in Xinjiang. Of those, 16 were excluded due to their current status or location being unclear or due to being duplicate results, leaving 273.

A visual examination of the mosques found through this method showed varied results for the size and prominence of the mosques, along with their locations (rural or urban). Mosques in Urumqi were overrepresented compared with those in other prefectures. This bias was accounted for by the prefecture-based extrapolation explained below.

For purposes of comparison, the database was also queried for the terms ‘教堂’ (church) and ‘庙’ (temple). Those queries yielded 14 and eight results, respectively (representing 13.6% and 16.6% of all sites of those denominations in Xinjiang when compared to the 2004 Census). Of those, none had been damaged or demolished.103

Additionally, we conducted a systematic visual search of mosques using pre-2017 satellite imagery.

That was done by selecting three search locations for each county: one in the county centre, one in a randomly selected township centre and one in a randomly selected village.104 Each search point was expanded into a circle with a 2.5-kilometre radius to define a search area.

That resulted in 307 search areas. Mosques were found in approximately 70% of the areas; the 94 remaining search areas generally had inadequate satellite imagery to ascertain the location of the mosque, or had no clearly discernible mosque in the search area.105 Finally, duplicates were removed.

Later, we removed mosques for which recent satellite imagery was unavailable and the current status of which couldn’t be ascertained.106 That left a total of 192 mosques found through this method.

The dataset was completed using only pre-2017 imagery to avoid accidental bias towards demolished mosques (for example, through structures suspected to be mosques being ‘confirmed’ as mosques by their demolition).

Finally, a second POI database from AutoNavi was queried for mosques. That found an additional 73 mosques, of which 67 were unique and not duplicates of previously examined mosques.

Together, using these two methodologies and three datasets, we found a total of 533 unique mosques, representing 2.25% of the official total in the region. A map of all mosques in our pre-2017 dataset is included in Figure 31.

Figure 31: The distribution of mosques located as part of the pre-2017 dataset

Source ASPI ICPC.

Once we compiled the pre-2017 dataset of mosque locations, each one was then visually compared to recent satellite imagery (generally mid-2019 to 2020). We recorded its current status, changes since 2017 and, where available, date ranges for the demolition or removal of Islamic architecture.107 For undamaged sites, we recorded the date of the last available satellite imagery so that follow-up studies can be prioritised to look at the ‘oldest’ sites. We generally accessed satellite images via Google Earth; where Google Earth didn’t have sufficient satellite imagery, we used other commercial sources with 30–50-centimetre resolution.

In some cases, we based the distinction between ‘slightly damaged’ and ‘significantly damaged’ on an assessment of how important the removed features were to the mosque’s structure and aesthetics.

For example, a mosque with only a small dome that had been removed would be coded as slightly damaged, despite the fact that all Islamic architecture on the structure had been removed, as the dome wasn’t a significant element in the building’s earlier aesthetics.

Those results were then tabulated by prefecture and current status. Eleven prefectures had over 2.5% of their total mosques represented in our sample.

We performed statistical tests against the data to determine any predictive variables, including population density, distance from county centre, distance from prefectural city, percentage of minority population and latitude. None of those tests showed significant responses to rates of damage and demolition. The variables are available on request to researchers who want to explore potential correlations further.

Extrapolation for the total number of destroyed and damaged mosques across Xinjiang was done at the prefectural level, which accounted for the majority of variation within the sampled data. For the 11 prefectures that were represented by over 2.5% of their total mosques, we directly extrapolated using the sampled data; for example, in Urumqi, where 38% of mosques were sampled, 17% were destroyed, so we extrapolated that 17% of all mosques had been destroyed.

For the remaining prefectures with under 2.5% of all mosques sampled, the extrapolation was guided equally, using both the prefectural rates of destruction and the Xinjiang-wide rates (excluding Urumqi, an outlier in our sample and dramatically overrepresented). For example, if a prefecture with fewer than 2.5% of mosques sampled had 40% of all sampled mosques destroyed, but the Xinjiang-wide rate was only 30%,108 it would be extrapolated that 35% of all mosques had been destroyed in the prefecture.

Cultural sites

We analysed shrines and other sacred sites in a similar manner. We selected and located a total of 251 culturally significant sites from Xinjiang’s Cultural Heritage Bureau’s 30-volume Immovable cultural relics encyclopedia.109 Our efforts focused only on southern Xinjiang, where the Uyghur population is concentrated, and traditional Uyghur cultural influences are more pronounced.

We selected sites for inclusion based on their assessed cultural significance with assistance from a Uyghur analyst, and where possible then found the exact location of those sites. Additionally, we queried a separate 6,000,000-point POI database obtained from academic sources for the term 麻扎 (mazar, ‘shrine’). That resulted in 131 points in the examined prefectures that could be confidently linked to a suitable location, such as a cemetery complex, mosque or shrine structure.

The inclusion of those points was considered important owing to the bias against Islamic sites in China’s official protection of heritage and was designed to expand our dataset to include sacred sites that aren’t formally registered or protected and that therefore don’t appear in the volumes we consulted.

This dataset was then compared against recent satellite imagery in the same manner that mosques were, and the same values were recorded. No extrapolation was done with this dataset to quantify the total numbers of damaged and destroyed sites beyond our sample due to the lack of information on the number of sites before 2017.


Acknowledgements

The authors would like to thank our peer reviewers including Professor Rachel Harris, Dr Elise Anderson, Nicole Morgret, Michael Shoebridge, and an anonymous reviewer. We are grateful for the advice of Jacinta Holloway and Dr Lorenz Wendt on the statistical model for calculating the region-wide rates of damage from our samples. The artwork on the cover of the report was created by an artist who would rather stay anonymous, we thank them nonetheless. Please note that due to safety concerns, Tilla Hoja is a pseudonym. Finally, we would like to thank ASPI’s International Cyber Policy Centre Deputy Director Danielle Cave and Director Fergus Hanson for their support and guidance. ASPI was awarded a research grant from the US Department of State, which was used towards this report. More detail about that grant, and the research activities it supports, can be found here: https://xjdp.aspi.org.au/about/. The work of ASPI ICPC would not be possible without the support of our partners and sponsors across governments, industry and civil society.

What is ASPI?

The Australian Strategic Policy Institute was formed in 2001 as an independent, non‑partisan think tank. Its core aim is to provide the Australian Government with fresh ideas on Australia’s defence, security and strategic policy choices. ASPI is responsible for informing the public on a range of strategic issues, generating new thinking for government and harnessing strategic thinking internationally. ASPI’s sources of funding are identified in our Annual Report, online at www.aspi.org.au and in the acknowledgements section of individual publications. ASPI remains independent in the content of the research and in all editorial judgements.

ASPI International Cyber Policy Centre 

ASPI’s International Cyber Policy Centre (ICPC) is a leading voice in global debates on cyber, emerging and critical technologies, issues related to information and foreign interference and focuses on the impact these issues have on broader strategic policy. The centre has a growing mixture of expertise and skills with teams of researchers who concentrate on policy, technical analysis, information operations and disinformation, critical and emerging technologies, cyber capacity building, satellite analysis, surveillance and China-related issues.

The ICPC informs public debate in the Indo-Pacific region and supports public policy development by producing original, empirical, data-driven research. The ICPC enriches regional debates by collaborating with research institutes from around the world and by bringing leading global experts to Australia, including through fellowships. To develop capability in Australia and across the Indo-Pacific region, the ICPC has a capacity building team that conducts workshops, training programs and large-scale exercises for the public and private sectors.

We would like to thank all of those who support and contribute to the ICPC with their time, intellect and passion for the topics we work on.

If you would like to support the work of the centre please contact: icpc@aspi.org.au

Important disclaimer

This publication is designed to provide accurate and authoritative information in relation to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering any form of professional or other advice or services. No person should rely on the contents of this publication without first obtaining advice from a qualified professional.

© The Australian Strategic Policy Institute Limited 2020

This publication is subject to copyright. Except as permitted under the Copyright Act 1968, no part of it may in any form or by any means (electronic, mechanical, microcopying, photocopying, recording or otherwise) be reproduced, stored in a retrieval system or transmitted without prior written permission. Enquiries should be addressed to the publishers. Notwithstanding the above, educational institutions (including schools, independent colleges, universities and TAFEs) are granted permission to make copies of copyrighted works strictly for educational purposes without explicit permission from ASPI and free of charge.

First published September 2020.

ISSN 2209-9689 (online), ISSN 2209-9670 (print)

Funding for this report was provided by the US Department of State

  1. See, for example, Austin Ramzy, Chris Buckley, ‘“Absolutely no mercy”: leaked files expose how China organized mass detentions of Muslims’, New York Times, 16 November 2019, online; Bethany Allen-Ebrahimian, ‘Exposed: China’s operating manuals for mass internment and arrest by algorithm’, International Consortium of Investigative Journalists, 24 November 2019, online; James Leibold, ‘The spectre of insecurity: the CCP’s mass internment strategy in Xinjiang’, China Leadership Monitor, 1 March 2019, online; ‘“Eradicating ideological viruses”: China’s campaign of repression against Xinjiang’s Muslims’, Human Rights Watch, 9 September 2018, online; Adrian Zenz, ‘Sterilizations, IUDs, and mandatory birth control: the CCP’s campaign to suppress Uyghur birthrates in Xinjiang’, Jamestown Foundation, 21 July 2020, online. ↩︎
  2. ‘Global coalition urges UN to address China’s human rights abuses’, Human Rights Watch, 9 September 2020, online; ‘Global call for international human rights monitoring mechanisms on China’, Human Rights Watch, 9 September 2020, online. ↩︎
  3. James Leibold, ‘China’s ethnic policy under Xi Jinping’, Jamestown Foundation, 19 October 2015, online. For Xi, culture is the ‘blood vessels’ of the nation, in which Zhonghua (Chinese) culture is formed through a ‘grand national fusion’ that includes various minority nationalities but has the Han ethnic majority at its core. ‘Chinese civilisation’, Xi declared in September 2019, ‘possesses a uniquely embracive and absorbent character.’ See Xi Jinping (习近平), ‘Speech at the national awards ceremony for advancing national unity’ (在全国民族团结进步表彰大会上 的讲话), Xinhua Net (新华网), 27 September 2019. ↩︎
  4. Lily Kuo, ‘Revealed: new evidence of China’s mission to raze the mosques of Xinjiang’, The Guardian, 7 May 2019, online; ‘Two of three mosques in Xinjiang village razed amid campaign targeting Muslim holy sites’, Radio Free Asia, 11 August 2020, online; Nick Waters, ‘Are historic mosques in Xinjiang being destroyed?’, BellingCat, 5 April 2019, online; Bahram K Sintash, Demolishing faith: the destruction and desecration of Uyghur mosques and shrines, Uyghur Human Rights Project, October 2019. ↩︎
  5. Wang Qingyun, ‘Foreign Ministry refutes US “lies” about Tibet and Xinjiang regions’, China Daily, 31 December 2019, online; Liu Xin, Fan Lingzhi, ‘Xinjiang refutes latest set of lies’, China Global Times, 3 January 2020. ↩︎
  6. State Council Information Office (SCIO), ‘Cultural protection and development in Xinjiang’, PRC Government, November 2018, online. ↩︎
  7. Li Xiaoxia (李晓霞), ‘Analysis on the quantity change and management policy of Xinjiang mosques’ (新疆清真寺的数量变化及管理政策分 析), Sociology of Ethnicity (民族社会学研究通讯), vol. 164, 2018, online. ↩︎

Ensuring a trusted 5G ecosystem of vendors and technology

What’s the problem?

5G will be the next generation of mobile telecommunications.

There are differing views on how quickly it will become commonplace and exactly what form it will take, but it will ultimately transform much of what we do and how society functions. The trustworthiness, security and resilience of 5G networks will therefore be critical. A key part of this will be the partnerships that network operators form with vendors to provide and maintain the network infrastructure. There’s now a good understanding that 5G will underpin critical national infrastructure in a way that previous telecommunication technologies don’t, and that supply-chain trust and security are key national security issues.

Australia and some other countries have eliminated specific vendors from their 5G supply chains, but the space is globally contested and there is no consensus on what happens next. There is a need for a trusted ecosystem of vendors, which may also bring enormous opportunities for states, including Australia, to develop sovereign 5G capabilities and grow their 5G market. However, barriers to entry and a lack of consensus among key 5G stakeholders across the public and private sectors are holding up progress towards these goals.

What’s the solution?

It’s time to move on from debates about individual vendors to understand what a trusted ecosystem of 5G vendors and technology should consist of, what needs to be done to achieve that outcome and how we still manage the residual risks associated with vendors. Rather than looking at the trustworthiness of individual vendors as a binary yes/no decision at a particular point in time, policymakers and industry need to understand the spectrum of vendor risk and put in place measures to manage different levels of risk. The highest risk vendors can be excluded, but residual risks need to be understood and mitigated. The costs of insecure systems must be recognised and better explained.

Governments need to work together to build an environment that promotes a resilient supply chain with a plurality of trusted suppliers to avoid the risk of operators putting all their eggs in one basket.

If the security of one vendor is compromised, that shouldn’t compromise the whole network or all the networks. This will require initiatives to promote diversity and interoperability, including standards setting, testing and integration facilities, and regulation. If implemented correctly, this will not only improve cybersecurity but also provide an economic opportunity for industry. States need to find the most promising opportunities to develop key sovereign 5G capabilities, including in Australia, and take that same approach to other key enabling technologies in order to avoid similar supply-chain security challenges in the future. The window of opportunity is open now, so we need to lead by taking action now and encouraging other like-minded countries to follow and coordinate with us.

Introduction

5G is a subject that seems to come up in almost every discussion about the future of technology.

Numerous networks are already advertising 5G services, on the basis that they deploy new, more efficient 5G radios at the edge of the network. However, the real transformation, in which the major security implications arise, of a merged ‘core’ and ‘edge’ operating inside a cloud environment is yet to arrive. While there may be debates about how quickly the full 5G transformation will happen and what form it will take, there’s no doubt that it has the potential to transform much of what we do. As this technology becomes an integral part of our lives, the trustworthiness, security and resilience of 5G networks will become ever more critical. A key part of this is the suppliers who will build and maintain the network equipment, and this has led to numerous discussions about the trustworthiness of particular vendors and to some countries, including Australia, banning Chinese vendors such as Huawei and ZTE from their 5G network builds.

This paper aims to broaden the global discussion. Given that all 5G network operators will need to rely on vendor partnerships to build and operate their networks, what are the desired characteristics of the vendor ecosystem that supports operators and what practical policy options should be considered to help achieve that?

This paper is based on a review of existing global literature and interviews with key stakeholders from vendors, network operators and governments in Australia and overseas. The views of these stakeholders – across the public and private sectors – differed considerably in a range of areas. This, in itself, is a part of the problem– there is often not agreed consensus on key topics and therefore the right pathway forward.

This report begins with a review of what 5G is, the current state of technology and rollouts, and the implications and considerations for the cybersecurity of 5G networks, and then looks at the current vendor environment, market opportunities and barriers to entry and diversity, leading to recommendations for the way forward.

What is 5G?

New generations of mobile technology come along about every 10 years, driven by increasing volumes of data, increased variety of data and the rapid velocity of change in types of data usage. The 5th generation, or 5G, the latest one, is starting to be implemented now and will ultimately replace the 4G networks that began to appear in 2010. However, existing technologies will probably still be with us alongside 5G for many years to come. Change between each mobile generation is not always a step change, and there have been incremental updates between generations. In fact, the first mobile data devices, including the first iPhone, used a technology called GPRS, which was sometimes referred to as ‘2.5G’.

The internationally accepted technical standards are set by an organisation known as the 3rd Generation Partnership Project (3GPP1). As the name implies, this was originally for 3G mobile networks, but it’s taken the lead for 4G and 5G without an update of its name.

It’s generally accepted that true 5G networks require the implementation of at least R15 of the 3GPP standard.2 In simple terms, there are three key components of ‘real’ 5G:

  1. Faster mobile broadband speeds: This is generally the most common public perception of 5G—how many gigabits of speed can be provided to a mobile handset and hence how quickly you can download an ultra-HD movie to your phone. However, this is unlikely to be what delivers transformational change in how we use mobile devices; nor will it provide the revenues to justify the investment made by network operators.
  2. Ultra-reliable low-latency communications: These are needed for extremely time-sensitive and mission-critical applications, such as remote factory automation and so on. It’s even been suggested that this could enable remote robotic surgery in which a surgeon is able to get real-time feedback on how the patient reacts to steps taken and can reliably make changes that are implemented in real time.
  3. Massive machine-to-machine communications: 5G networks will enable a much greater density of transmitting and receiving devices, especially if they’re sending small amounts of data. This will enable large-scale monitoring, measuring and sensing applications in which large numbers of devices directly communicate with each other without human intervention—machine-to-machine communications. This is sometimes also referred to as the ‘internet of things’. While this is already starting to happen, 5G networks will enable exponential growth in the numbers of connected devices.

Other key features, depending on how networks are configured, can include ‘edge computing’, in which the equivalents of current cloud computing capabilities are brought closer to wireless devices to enable more rapid processing, and ‘network slicing’, in which different customers, applications, or both can have their own virtual slices of a common physical network.

In the underlying technology stack (see box), a key part of 5G network architecture is increased ‘virtualisation’, in which more and more functionality is implemented in software, including even the underlying network topology. This enables greater flexibility and agility in how they will be used, but also, as we shall see, brings greater complexity and potential security vulnerabilities.

It would be fair to say that no one really knows what 5G networks will be used for—including the service providers who will need to commercialise and monetise them. However, it’s certain that they’ll drive ever more usage and reliance on mobile data networks, and in particular more and more critical applications, transforming our way of life in ways not yet even imagined. Of course, this isn’t unusual for new technologies—remember that the worldwide explosion in SMS messaging since the late 1990s came from an obscure engineering feature included in the 2G mobile specifications that was intended for network service messages.

5G technology components

At the conceptual level, a telecoms network consists of:

  • a radio access network (RAN)—antennas and electronics that convert between the radio signals sent to and from wireless devices and the bits and bytes sent as signals on network cables and inside computer equipment
  • a core network that manages and carries the network traffic between the mobile devices and the other computer and network components, and also authenticates and provisions services to users
  • traditional ICT—routers, switches and servers that provide the data transport, storage, processing and logic.

Within each of these ‘black boxes’ are a huge number of electronic components, some of which are specialised for the functions of 5G, such as high-density antennas and signal processing, and some of which are more generic (Figure 1).

Figure 1: A 5G network

The overall user experience is delivered by applications and services that run across the top of these components: different bits of software may run on different components of the system but work together to provide a seamless experience for the user. One of the differences in moving to 5G is that more and more will be done in software, and in order to provide the full experience the application service provider will need to run specific software on more parts of the network.

For example, today a messaging service such as WhatsApp requires specialised software running on the end-user device and on the WhatsApp servers. Tomorrow, supporting remote surgical procedures via a 5G network may require software running on the radio access nodes and servers at the edge of the network to meet the response time requirements.

This virtualisation will enable greater service customisation, scale and optimisation. The standards even envisage ‘network slicing’, in which there may be a dedicated ‘slice’ across the whole system for a particular user group and application service—effectively, computational and network resources on every box reserved just for them.

Overview of current 5G technology maturity

Preparations for 5G by telecommunications network operators are proceeding at pace. At the end of 2019, it was estimated that 348 operators in 199 countries had announced plans to invest in 5G.3

However, implementation and take-up have been slow to date. Only 77 operators have deployed 5G technology, and 61 operators in 34 countries have launched services. Although only limited 5G-enabled devices are currently available, Ericsson estimates that there were 13 million users globally at the end of 2019, mostly driven by take-up in Korea and China.4 The same report forecasts an estimated 2.6 billion active 5G subscriptions by 2025, but even that pre-pandemic estimate would still be less than a third of all mobile subscriptions.

While a glance at advertising material might make you think that fully featured 5G networks are commonplace in many major countries, the advertising doesn’t tell you that those deployments are often only part of the overall 5G capability. Generally, operators have implemented radio interfaces that allow users to experience the faster mobile broadband speeds of 5G, but not other features.

Even the radio interfaces are generally not using the cloud-based radio processing included in the 5G standards. Almost all currently deployed networks are built on top of existing 3G/4G networks (referred to as ‘NSA’, or non-stand-alone), which has allowed rapid rollout. That means that, while 5G coverage may be limited (for example, to just parts of major cities in Australia), users can have a seamless experience when moving in and out of 5G coverage. Chinese mobile providers had previously announced plans to deploy a stand-alone (SA) 5G network in the last quarter of 2019, but appear to have settled for an initial NSA deployment.

A full 5G core and SA network architecture will be needed to enable the other key features, such as low latency and massive machine-to-machine communications, and hence many of the transformational and mission-critical applications. This will require significant new investment in an environment in which network operators have had low margins from their existing businesses, even before the pandemic. The last-minute decision by China Telecom to change its deployment from an SA network to NSA probably confirms the challenges in implementing SA networks and the immaturity of the technology. That said, we are seeing some evidence of SA deployments this year despite all the disruption, for example with Telstra claiming to have made their network “standalone-ready” in May 20205, but it’s clear that the full concepts and designs for true next-generation architectures and applications are still emerging.

5G standards and interoperability

Looking at the current 5G standards, it’s clear that there’s much to be defined. The current widely-implemented version of the 3GPP standard is R15, which really focuses on migration from 4G to 5G, and even for this operators have noted that different vendors have different approaches to the coexistence of the generations and to fallback from 5G to 4G when 5G isn’t available. The next version of the standard, R16, issued in July 2020, starts to look at specific use cases such as industrial internet of things applications and better power consumption, but we’ll need to wait for R17, the scope of which isn’t even confirmed yet, in order to define some of the more critical features.

A further complication is that the agreement of standards, once considered a very dry subject in which technical experts put their heads together and collaborate to get the best technical outcomes, has now become politicised. Some nation-states have realised that there are advantages in influencing choices towards areas where they have expertise and technical leadership. This can help provide ‘first mover’ advantage in implementation and can also often deliver value from existing patents in the form of royalties (from manufacturers that make standards-compliant products) that can be reinvested in R&D to maintain a leading position.

As an example, in May 2018, it appears that Chinese companies were pressured into backing a Huawei proposal over one from US rival Qualcomm, and Lenovo’s founder was forced to issue a statement denying the company had been unpatriotic and failed to back its compatriot in the final round of voting.6 This is hardly surprising, given that homegrown technologies are often a matter of national pride, and China has set an explicit goal of becoming ‘a standards-issuing country’.7 The rewards for success in influencing the standards can be immense, in the form of both tangible, monetary rewards (licensing fees can be worth several billions of dollars a year to a company) and the intangible—the ability to influence how technology is used (see, for example, recent proposals by Huawei to the International Telecommunication Union for a ‘New IP’ internet architecture, which some have seen as an attempt introduce new, authoritarian-friendly values8).

Therefore, standard setting has become a key to global power and influence, but Australia and other allies don’t appear to have recognised this and hence aren’t currently in a position to compete in this sphere.

Although 5G is based on an ‘open standard’ published by the 3GPP consortium there are still factors that work against easy interoperability. Apart from the usual engineering challenge that different engineers may interpret standards differently, the standards definition process may be being manipulated, and in any case lags well behind what vendors are developing and carriers are implementing. The challenges from immature technology and the standards processes are undoubtedly a factor driving carriers to prefer single-vendor end-to-end solutions.

Although 3GPP, a body dominated by carriers and vendors, has become the de facto leader in mobile network standards, it is only one of a number of potential bodies. There is a potential overlap with the International Telecommunications Union which is an international member state, treaty based organisation, and there are also other competing standards bodies such as ISO and ETSI. Making a choice about how and where to develop standards has became a matter of values and geopolitics, often at the expense of technology considerations.

Some carriers have recognised these challenges, in particular in relation to radio signalling and the problems of getting different base stations to work together, and have established their own initiatives, such as the OpenRAN venture under the Facebook-headed Telecom Infra Project. This initiative is intended to reduce the expense of providing internet and voice services by standardising the design and functionality of hardware and software in the RAN, increasing the number of companies that can supply components for the infrastructure that carries mobile traffic. There are a number of competing interests at play here: carriers and Facebook would like telecommunications in general to be cheaper; incumbents would prefer no increase in competition; and some states have interests in promoting national champions. Despite this, the OpenRAN initiative appears to be gathering momentum, with at least one global player, Nokia, recently committing to Open RAN interfaces9.

Another development has been the announcement by a number of global carriers, including Telstra, of the establishment of the 5G Future Forum, which intends to produce uniform interoperability specifications, develop public and private marketplaces to enhance access to technology and share global best practice.10

If these sorts of initiatives don’t succeed and the global 5G market ends up with different vendors dominant in different geographies, without clear standards and interoperability, there’s a very real risk of long-term incompatibilities that will undermine many of the potential benefits. After all, it’s happened before—in the 1990s, the major US carriers chose a technology called CDMA, while the rest of the world followed the GSM standard.11 The current lack of a major US network equipment vendor is probably at least partially due to that bifurcation—US companies concentrated on developing a technology that no one else used and ended up in a technical dead end.

5G and cybersecurity

Why is cybersecurity seen as so critical for 5G networks? Because 5G isn’t just the next natural stage in the evolution of wireless networks. 5G is about more than movie downloads. The likely applications and use cases will become critical to the functioning of governments, companies and society, including cyber-physical and safety-critical systems that will rely on the network. Not only do we need to be concerned about the confidentiality of data and users on the network, but we also need to consider the impacts of an attacker potentially compromising the availability and integrity of the systems, including the risks of the attacker being able to take down the whole network at once.

Australian and many other governments have already identified telecommunications networks as critical national infrastructure that’s essential to the effective functioning of society and therefore requiring additional regulation and attention, and it’s easy to understand why.12 In Australia in recent months, we’ve seen the chaos caused by outages of electronic payment (EFTPOS) systems for a few hours, making it impossible for people to buy basic items because they’re unused to carrying cash.13

Now imagine the impact of a smart city suddenly losing all traffic sensor data and the ability to control traffic lights. An attacker could cause major accidents by maliciously changing the data being sent to traffic lights. In fact, given some of the potential applications enabled by 5G, it could be possible to cause major disruption by more subtle changes. If applications such as remote driving of vehicles rely on ultra-low latency, what would happen if an attacker introduced a small delay to some or all network traffic?

The increasing importance of the network, combined with the increased risk that a cyber breach will cause major real-world consequences, means that the cybersecurity of 5G networks must be a critical consideration, planned and accounted for from the outset. Risk management approaches should also consider the more sensitive functions that are used by national security and law enforcement authorities, such as compliance with legislation on telecommunications interception and data retention, which may create additional security risks.

Building an understanding of 5G security requires integrating security and the 5G network architecture. Both suffer from a major skills gap in Australia14 and globally,15 so we would expect a major shortage of professionals with a detailed understanding of both, exacerbated by the fact that 5G architectures are complex and still evolving.

One example is the debates about the separation of the ‘core’ and ‘edge’ components of a 5G network. Can they be effectively segregated so that a threat in the edge can’t affect the core? Australian authorities say they can’t be effectively segregated, whereas UK authorities appear to be suggesting they can. Without getting involved in the details of the debate here, it’s likely that the true answer is that it depends on architectural choices and complex overall system-level interactions. Concepts such as network slicing will make this even more complex. End users are given effective control and exclusive use of an end-to-end slice of the network, and attention will need to be paid to the security safeguards required to minimise the risk of them escaping their own virtual slice and getting access to other parts of the network.

Vendor trust and security

The issue of vendor trust and security has been prominent in discussions about 5G security. Australia and the US have announced decisions to bar certain vendors, the UK has been formulating a compromise approach,16 (although this seems to be still evolving) and active debates in Europe are seemingly close to reaching a conclusion.

The risks from using a particular vendor can be many and varied. Much commentary on the subject talks about hardware ‘backdoors’ being inserted by a vendor at the factory,17 but that’s probably not the biggest issue. In fact, it’s probably an unhealthy focus that can drive the debate onto specific component manufacturers, when the bigger risks probably come higher up the technology stack.

A much more worrying vendor risk occurs when carriers are critically dependent on vendors for maintaining the quality of service and so give the vendors access to the live network for support and maintenance. The nature of 5G networks as ‘software defined everything’ also means that there are security risks throughout the network that can be hidden in the complexity of software—vulnerabilities that are deliberately introduced by the vendor, or that come from genuine errors and oversights.

Different vendors have different approaches to and cultures of security. The extent to which they use approaches such as secure software development, system integrity validation and third-party supplier checks can be a useful guide, as well as their approach to the reporting and patching of security issues.

However, the control and ownership of vendors, in particular those from nation-states in which companies may be subject to extrajudicial direction, has, to date, been the main criterion used to measure vendor risk.18 This should be broadened to consider all sources of risk. As well as foreign ownership and control, vendor threats can come from insiders, such as rogue employees, even in a vendor from a trusted country, and also depend on the quality of the security culture and secure-by-design approaches used by a vendor. This leads to a spectrum of vendor risk levels that can be used to guide appropriate treatments. 

We can sensibly decide to exclude very high risk vendors, but since no vendor will be zero-risk, other mitigation measures will be needed in addition. While, given the criticality of 5G networks, we should impose a high standard of cybersecurity control and risk management across the network even for the lowest risk vendors, additional measures may be needed for intermediate levels. It’s important that carriers understand these requirements and can factor the different security costs into their procurement decisions (so potentially avoiding the incentive to simply choose the cheapest supplier who isn’t excluded due to being very high risk).

Independent testing of vendor equipment may be of some use to assess and mitigate risk (see, for example the Huawei testing facility set up and used by the UK over the past few years), but it’s not just a matter of testing the product from the factory. For any software components, each new release will require retesting, and in a 5G world the software becomes the most critical layer. The public reports from the UK testing facility19 show a series of damning findings and a lack of any assurance that identified flaws are resolved effectively. This means that, at best, this approach can be only a small part of a broader strategy.

In some cases, architectural approaches can be used to mitigate the risk. For example, end-to-end encryption could be used to mitigate the risk that particular network equipment could have unnecessary access to user details and data on the network. However, if we look at the risk of an adversary seeking to completely disable a network, the vendor risk is much greater, as ultimately the end-to-end network works only if every component in the chain is working—RAN, core access and routing.

This means it isn’t just a matter of assessing and using a vendor with an acceptable level of risk. Any farmer will tell you to avoid monoculture—growing just one crop means that one disease can wipe you out overnight. Similarly, if a network is dependent on a single vendor and a vulnerability is found, the vendor becomes untrusted for some reason or the company collapses, the equipment will be almost impossible to replace, and entire networks can become at risk overnight.

Therefore, as well as vendor trust, we need to ensure vendor diversity and redundancy in design.

Operators need to have confidence that multiple vendors’ equipment can interoperate, and ideally have multiple vendors’ systems in service for each major function. This will provide resilience and options to reduce dependence on a particular vendor if circumstances change. In a given carrier’s network, there should be at least two vendors for each key equipment type, and across the market there should be four or more viable suppliers considered acceptable to use. These are bare minimums from a competition policy and resilience perspective; from a long-term resilience point of view, there should be as many vendors as possible, subject to ensuring that each has critical mass and is commercially sustainable in the long term.

The 5G vendor landscape

The dominant vendors in the 5G market are generally considered to be Huawei and ZTE from China, Nokia from Finland and Ericsson from Sweden. This is certainly the case in the 5G network equipment sector, although they have some competition from Samsung (Korea) for radio equipment and Cisco (US) for the network core. There’s more competition in the devices market and for switches and routers. The main market players are shown in Figure 2.

Figure 2: The main 5G players

Source: Adapted with permission from James A Lewis, How will 5G shape innovation and security: a primer, Center for Strategic and International Studies, Washington DC, 2018, 4, online.

Figure 2 shows that Chinese companies are major players in the network equipment market, but not (yet) runaway leaders. Ericsson and Huawei have very similar shares of the RAN equipment market, and Nokia isn’t far behind, and for the evolved packet core Ericsson leads Huawei. The US is also starting to have a presence among market leaders in the core network, where much of the future growth is expected. All three network equipment categories show very strong concentration: only two or three non-Chinese vendors in each category have any significant market share.

Considering the RAN in more detail, the OpenRAN initiative mentioned above is creating opportunities for new entrants. In January this year, O2, the Telefonica-owned UK mobile operator, announced plans to engage new UK- and US-based entrants, including Mavenir, DenseAir and WaveMobile, in an OpenRAN deployment.20 In November 2018, Vodafone revealed that it had issued a request for information covering tests for OpenRAN-compatible solutions and received responses from seven vendors, only one of which (Samsung) appears in the list above; the others were a mix of US, French and Indian companies. Vodafone then ran a request for quote process for the deployment of OpenRAN across 100,000 sites on its European networks.

Down at the component level, there’s greater diversity. For specialised radio components, such as small cell antenna arrays and power amplifiers, European and US companies dominate, and for specialised field-programmable gate arrays, which are essential for high-power embedded processing, there are really only two major manufacturers: Intel and Xilinx, which are both US companies.

This confirms that, if the US continues to enforce the listing of Huawei on the ‘Entity List’, and thus prohibit exports of US-made components to it, there would be serious impacts on Huawei’s ongoing manufacturing capability, at least in the short to medium term.

If we look further up the stack to the services and applications layer, that’s where many critical applications will be implemented, which also provides an opportunity to reduce dependence on the network equipment (for example through end-to-end encryption). The use cases and applications are only now being defined and implemented, so it’s too early to identify the key players in this space, but it will be an important one in which to understand vendor trust and act accordingly.
 

Market opportunities and barriers

The 5G infrastructure spend was US$784 million in 2019 and is forecast to be US$47.8 billion in 2027.21

This estimate didn’t account for the impact of Covid-19, which is likely to cause some delays and cutbacks, but the market over the next few years is still likely to be highly lucrative as a whole, although the accessible RAN market may be less so due to the high market share of low-cost Chinese vendors.

While a significant portion of the revenue will go to the established players noted above, there are still opportunities for new entrants to gain significant revenue, given that the development and building of fully featured 5G networks is still at an early stage.

Compared to earlier generations of mobile technology, 5G offers more opportunities for new entrants to the market. This is because in 5G architectures a significant number of functions become virtualised and are implemented in software. This opens up opportunities for software solution providers unconstrained by the costs and timescales of bespoke hardware development—especially if they can write efficient, fast and reliable code to implement mission-critical use cases. This world of ‘software defined everything’ means that innovative and potentially sovereign businesses have the opportunity to add trust and value at the software layer.

The RAN equipment market presents particular challenges—it traditionally requires specialist hardware for antennas, radio signal generation and reception, and signal processing. Significant investment and time are needed to develop new hardware for the new frequencies, higher speeds and more devices that 5G will need to support. However, the 5G architecture does mean that, even for radio processing that’s traditionally done using specialised hardware at the antenna site, signals can be digitised and processed in software at remote sites.

In other network equipment classes, there will still be barriers to entry. The established players can be expected to compete strongly to maintain market dominance. They’ll also use the immaturity of standards to persuade service providers that it’s lower risk to use a single end-to-end provider. From discussions with providers for this report, this could resonate, especially given consumers’ focus on service quality. Telecoms companies nowadays prefer to buy managed services from vendors rather than build and integrate systems themselves. This means that when there are service outages they have a ‘single throat to choke’ (their vendor’s), rather than having to referee finger-pointing between vendors. A shortage of systems engineering skills has also been identified as a major barrier to enabling telecoms companies to consider developing multivendor environments, along with the challenge of needing to develop expensive interoperability testing facilities.

The third area of opportunity is in developing and running applications and services across the network to implement 5G use cases. In this case, the market for software to implement new applications is wide open, given that the applications have often not even been defined, or in some cases probably not even imagined yet.22 However, we can still expect the leading network equipment vendors to compete strongly, given their obvious adjacency and the opportunity to grow their businesses. Revenue streams from network equipment sales, in addition to any state subsidies, can be used to fund major R&D budgets and aggressive pricing. Antidumping provisions are especially difficult to manage for software, given the low cost of production, and carriers will always have financial drivers to choose the cheapest option without necessarily paying heed to broader requirements for vendor diversity and risk management.

Established vendors, wherever they’re from, can be expected to promote the perceived benefits of their end-to-end integration, critical mass and established brand recognition. They may use their control of the platform to seek to set up trusted ecosystems (think of Apple iOS devices and the App Store) in the name of security and openness, while in practice setting up barriers to entry. We can also imagine groups of platform, software and hardware vendors from one country, with implicit or explicit encouragement from their government, looking to set up collective monopolies. Carriers will see advantages in single-vendor solutions, in reducing performance risks, reducing their requirements for system integration skills etc. The challenge will be to persuade major carriers to look at the broader risk landscape, to be willing to integrate multi-vendor solutions and to put faith in emerging companies for what would be expected to be a long-term investment.
 

Recommendations for developing the trusted vendor market

We’ve noted that there are significant opportunities for vendors from Australia and allied countries to develop critical technology. However, they face significant competition from established players with economies of scale, and in some cases direct or indirect foreign government support. Appropriate policy actions will be needed to overcome the barriers in order to open up genuine opportunity for a broader range of vendors and provide the diversity that we need to improve the security and resilience of our 5G ecosystem.

Take a graduated approach to risk assessment and mitigation

There is a need for appropriate market signals to encourage carriers to choose lower risk vendors. There’s already, in Australia and some other countries, an outright ban on very high risk vendors, but, given the spectrum of risk, regulation should also ensure that the increased security costs of choosing a higher risk option sit with the carrier, rather than, for example, national cyber authorities being responsible for extra costs as they seek to protect carrier networks against vendor threats and mitigate risk.

The Australian Cyber Security Centre should develop a comprehensive framework of recommended vendor risk ratings based on various factors. The ratings should be used to define mandated risk-mitigation actions based on risks, which could include tailored levels of isolation, control and monitoring of any access that vendors are given to live networks for support and maintenance purposes, along with limitations on offshore managed service provision and offshore data storage.

Another example could be ensuring that sensitive and critical functions (such as lawful interception and audit logging) are segregated and can be separately managed using highly trusted solutions independent of the main network equipment vendors.

Regulate competition

Competition and merger policy levers should also be used to ensure fair opportunity for new entrants by limiting consolidation, preventing cross-subsidies of existing major vendors when selling new capabilities, and perhaps even mandating major vendors to subcontract a portion of the work.

This could include identifying where companies may be receiving subsidies from nation-state governments, and whether trade and international agreements provide remedies to address unfair competition impacts.

These restrictions should apply to all existing major vendors, not just those from high-risk jurisdictions. It wouldn’t be an appropriate approach to just pick one or two ‘winners’ from the existing major European and US vendors—a rich, diverse, vendor pool is needed to ensure the long-term resilience of our 5G networks.

Expand industry development policy and invest in key technologies

We’ve seen that building 5G vendor diversity can also be an economic opportunity for Australia. Therefore, we should ensure that industry policy promotes this. While we have a strong start-up culture, we need to ensure that successful companies are able to scale up rapidly to credibly compete and serve the global market.

Regulatory barriers that prevent or slow scale-up should be identified and addressed, and action is also needed to address the problem of access to capital. The Australian Government should establish an investment fund that can fund key technologies critical to our national security. It could be modelled, for example, on the National Security Strategic Investment Fund set up by the UK.23 Its remit would probably be broader than the scope of this paper, but it could certainly help to support the scale-up of 5G technologies. Another model to consider could be the recent proposal from a group of US senators for a US$1.25 billion proposal to fund new R&D and a multilateral project fund for 5G technologies.24

Encourage a more open network equipment market

Given the desired objective of vendor diversity, we need to ensure that carriers have both the right incentives and the confidence to move away from the single-vendor environment. To assist this, the government should establish, fund and manage an independent test facility for 5G networks. This should be fully modular to allow the testing of different components from different vendors (as an example of how this can be done, see, for example, the Open 5G Core project25). As well as enabling interoperability testing, this would also enable security and vulnerability research and testing at the overall 5G system level, which we’ve noted is currently a poorly understood area. Potentially, this could be a joint undertaking with other allied countries, such as Canada and New Zealand, to reduce costs, but we caution that it should be ensured that Australia is a major contributor to this and hence able to use influence to achieve our own national security objectives.

Consideration should be given to mandating that network providers use multiple vendors for key components. This may be difficult to implement, and network providers may have concerns over the burden that it imposes. However, doing so would go a long way towards overcoming the possibility of ‘monoculture’ security risk. Other countries, such as the UK, have discussed going in a similar direction, and that may allow Australia to learn lessons from their experience and devise an appropriate approach for our circumstances.

We need to ensure active engagement with 3GPP on standards setting to avoid politicisation and ensure that choices that maximise overall security and resilience, and market opportunity for new entrants, are made. This will include the identification of the key use cases for priority development, seeking to avoid choices reliant on foreign patents, and preference for the best technical choices based on open standards and implementation. Current responsibility for such engagement is diffused among different organisations, so one organisation needs to be given the mandate and funding to lead this work.

We’ve noted the challenges with standards-setting bodies, so, if engagement there doesn’t prove effective, there may be a need for local regulations to mandate open interfaces for the most critical functions, especially where they’re needed to provide the option to segregate critical functions to be carried out by sovereign vendors. As an example, for lawful interception, open internal interfaces, referred to as X1, X2 and X3, would allow the administration of warrants and the intercepted data to be partitioned securely. Ideally, we could seek to align such regulations with those of other like-minded countries, but in the absence of agreement Australia may need to act alone in our own interest.

Address RAN equipment supply

Even though the RAN forms only one part of the overall 5G network, the small number of suppliers and its criticality to the overall availability of the network indicate that equipment supply should receive some focus from policy-makers. Although it does not seem likely to lead to security or diversity benefits in the short term, if the OpenRAN initiative gains more momentum it will also provide opportunities for new entrants. Australia should work with allies and other countries that do not have domestic suppliers or interests in promoting their national champions to encourage further adoption of the OpenRAN standard to allow more vendors into this marketplace using appropriate combinations of grants and incentives to carriers to encourage them to adopt this standard.

Invest for the future

Finally, action needs to be taken to prepare for the future to avoid a repetition of this situation with other emerging technologies. Australia needs to invest in developing and commercialising technologies for artificial intelligence, 6G, quantum computing and other emerging fields. In building the right skills pipeline, we should also address current perceived skills gaps. We need systems engineers who can design and build systems bringing together components and technologies from different companies.

Conclusions

5G networks are the next generational uplift in mobile communications technology. They’ll enable not only fast speeds but more reliable, low-latency communications and massive machine-to-machine communication, enabling new applications for which security will be critical. While there are significant identified risks to the privacy and confidentiality of data on the network, and the users, there are also risks from an adversary seeking to completely take down a communications network or compromise its integrity. There are a number of potential causes, but a significant one is trust in the vendors whose equipment is used. Various countries have made differing decisions on excluding specific vendors considered to be high risk, but the discussion needs to move on, as reliance on one or two ‘not high risk’ vendors will still create major security risks. Long-term security and resilience depend on a diverse vendor ecosystem.

Fortunately, the technology and rollout plans for ‘real’ 5G are still developing, so now’s the time to take appropriate action. We recommend that urgent action be taken to identify opportunities for developing new capabilities, the barriers to market entry, and policy actions to encourage new entrants and build a diverse 5G vendor ecosystem. Table 1 summarises our findings and recommendations.

Table 1: Findings and recommendations

We should seek to work in coordination with our allies and other like-minded countries for maximum impact. However, if we wait to first build global consensus it’s likely that we’ll miss the window of opportunity. Australia took the lead in making the decision to exclude the highest risk vendors and now needs to lead in taking the next set of actions required for the long-term security and stability of 5G infrastructure, and in parallel encourage others to work with us in this endeavour.


Acknowledgements

The author thanks those government and industry stakeholders who made themselves available for discussions and openly shared their thoughts and perspectives, and ASPI colleagues who provided constructive comments on this report. The author also thanks all anonymous peer reviewers for their feedback. No specific sponsorship was received to fund production of this report. The work of ICPC would not be possible without the financial support of our partners and sponsors across governments, industry and civil society.

What is ASPI?

The Australian Strategic Policy Institute was formed in 2001 as an independent, non‑partisan think tank. Its core aim is to provide the Australian Government with fresh ideas on Australia’s defence, security and strategic policy choices. ASPI is responsible for informing the public on a range of strategic issues, generating new thinking for government and harnessing strategic thinking internationally. ASPI’s sources of funding are identified in our Annual Report, online at www.aspi.org.au and in the acknowledgements section of individual publications. ASPI remains independent in the content of the research and in all editorial judgements.

ASPI International Cyber Policy Centre

ASPI’s International Cyber Policy Centre (ICPC) is a leading voice in global debates on cyber, emerging and critical technologies, issues related to information and foreign interference and focuses on the impact these issues have on broader strategic policy. The centre has a growing mixture of expertise and skills with teams of researchers who concentrate on policy, technical analysis, information operations and disinformation, critical and emerging technologies, cyber capacity building, satellite analysis, surveillance and China-related issues.

The ICPC informs public debate in the Indo-Pacific region and supports public policy development by producing original, empirical, data-driven research. The ICPC enriches regional debates by collaborating with research institutes from around the world and by bringing leading global experts to Australia, including through fellowships. To develop capability in Australia and across the Indo-Pacific region, the ICPC has a capacity building team that conducts workshops, training programs and large-scale exercises for the public and private sectors.

We would like to thank all of those who support and contribute to the ICPC with their time, intellect and passion for the topics we work on. If you would like to support the work of the centre please contact: icpc@aspi.org.au

Important disclaimer

This publication is designed to provide accurate and authoritative information in relation to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering any form of professional or other advice or services. No person should rely on the contents of this publication without first obtaining advice from a qualified professional.

© The Australian Strategic Policy Institute Limited 2020

This publication is subject to copyright. Except as permitted under the Copyright Act 1968, no part of it may in any form or by any means (electronic, mechanical, microcopying, photocopying, recording or otherwise) be reproduced, stored in a retrieval system or transmitted without prior written permission. Enquiries should be addressed to the publishers. Notwithstanding the above, educational institutions (including schools, independent colleges, universities and TAFEs) are granted permission to make copies of copyrighted works strictly for educational purposes without explicit permission from ASPI and free of charge.

First published September 2020. ISSN 2209-9689 (online), ISSN 2209-9670 (print)

Funding: No specific sponsorship was received to fund production of this report.

  1. For more information on 3GPP membership and activities, see About 3GPP home, 3GPP, 2020, online. ↩︎
  2. Release 15, 3GPP, 26 April 2019, online. ↩︎
  3. GSA market snapshot, January 2020. ↩︎
  4. Patrik Cerwall (ed.), Ericsson mobility report, Ericsson, November 2019, online. ↩︎
  5. https://www.itnews.com.au/news/telstra‑readies‑its‑mobile‑network‑for‑standalone‑5g‑use‑547609 ↩︎
  6. Ma Si, Cheng Yu, ‘Lenovo rebuts rumor it failed to back Huawei on 5G issues’, China Daily, 18 May 2018, online. ↩︎
  7. Lindsay Gorman, ‘The US needs to get in the standards game—with like‑minded democracies’, Lawfare, 2 April 2020, online. ↩︎
  8. Martin Joseph, ‘Inside China’s controversial mission to reinvent the internet’, FT, 28 March 2020, online (paywall). ↩︎
  9. https://www.techradar.com/au/news/nokia‑to‑integrate‑open‑ran‑in‑2020 ↩︎
  10. Jonathan Nally, ‘Telstra and other firms form 5G Future Forum’, Technology Decisions, 16 January 2020, online. ↩︎
  11. CDMA = code‑division multiple access; GSM = global system for mobile communications. ↩︎
  12. Critical Infrastructure Centre, Australian Government, online. ↩︎
  13. Shoba Rao, Nicole Pierre, ‘Australian consumers hit by EFTPOS outage’, News.com.au, 11 July 2019, online. ↩︎
  14. AustCyber, Australia’s Cyber Security Sector Competitiveness Plan 2019, 2019, online. ↩︎
  15. Kelly Hill, ‘5G deployment faces a skills gap’, RCR Wireless News, 4 April 2019, online. ↩︎
  16. UK Government, ‘Coronavirus (COVID‑19): what you need to do’, Gov.UK, 28 February 2020, online. ↩︎
  17. See, for example, Peter Bright, ‘Bloomberg alleges Huawei routers and network gear are backdoored’, ArsTechnica, 5 January 2019, online. ↩︎
  18. Scott Morrison, Mitch Fifield, ‘Government provides 5G security guidance to Australian carriers’, joint media release, 23 August 2018, online. ↩︎
  19. ‘Huawei cyber security evaluation centre oversight board: annual report 2019’ UK Cabinet Office, 28 March 2019, online. ↩︎
  20. Bevin Fletcher, ‘UK’s O2 taps non‑traditional vendors for O‑RAN project’, FierceWireless, 16 January 2020, online. ↩︎
  21. ‘5G Infrastructure Market by Communication Infrastructure, Core Network, Network Architecture, Operational Frequency, End User & Geography ‑ Global Forecast to 2027’, MarketsandMarkets, Oct 2019, online. ↩︎
  22. As an example, in the late 1990s some companies made huge revenues from developing software to send short service messages around 2G networks—which was ultimately used for the explosion in SMS communication. ↩︎
  23. ‘British Business Bank launches £85m National Security Strategic Investment Fund (NSSIF) Programme to support development of advanced dual‑use technologies’, news release, British Business Bank, 31 July 2018, online. ↩︎
  24. Mark R Warner, ‘National security senators introduce bipartisan legislation to develop 5G alternatives to Huawei’, press release, 14 January 2020, online. ↩︎
  25. https://www.open5gcore.org/ ↩︎

TikTok and WeChat

Curating and controlling global information flows

What’s the Problem?

While most major international social media networks remain banned from the Chinese market in the People’s Republic of China (PRC), Chinese social media companies are expanding overseas and building up large global audiences. Some of those networks—including WeChat and TikTok—pose challenges, including to freedom of expression, that governments around the world are struggling to deal with.

The Chinese ‘super-app’ WeChat, which is indispensable in China, has approximately 1.2 billion monthly active users1 worldwide, including 100 million installations outside of China.2 The app has become the long arm of the Chinese regime, extending the PRC’s techno-authoritarian reach into the lives of its citizens and non-citizens in the diaspora.3 WeChat users outside of China are increasingly finding themselves trapped in a mobile extension of the Great Firewall of China through which they’re subjected to surveillance, censorship and propaganda. This report also shows how Covid-19 has ushered in an expanded effort to covertly censor and control the public diplomacy communications of foreign governments on WeChat.

Newcomer TikTok, through its unparalleled growth in both Asian and Western markets, has a vastly larger and broader global audience of nearly 700 million as of July 2020.4 This report finds that TikTok engages in censorship on a range of political and social topics, while also demoting and suppressing content. Case studies in this report show how discussions related to LGBTQ+ issues, Xinjiang and protests currently occurring in the US, for example, are being affected by censorship and the curation and control of information. Leaked content moderation documents have previously revealed that TikTok has instructed “its moderators to censor videos that mention Tiananmen Square, Tibetan independence, or the banned religious group Falun Gong,” among other censorship rules.5

Both Tencent and ByteDance, the companies that own and operate WeChat and TikTok, respectively, are subject to China’s security, intelligence, counter-espionage and cybersecurity laws. Internal Chinese Communist Party (CCP) committees at both companies are in place to ensure that the party’s political goals are pursued alongside the companies’ commercial goals. ByteDance CEO Zhang Yiming has stated on the record that he will ensure his products serve to promote the CCP’s propaganda agenda.6

While most major international social media platforms have traditionally taken a cautious and public approach to content moderation, TikTok is the first globally popular social media network to take a heavy-handed approach to content moderation. Possessing and deploying the capability to covertly control information flows, across geographical regions, topics and languages, positions TikTok as a powerful political actor with a global reach.

What’s the solution?

The global expansion of Chinese social media networks continues to pose unique challenges to policymakers around the world. Thus far governments have tended to hold most major international social media networks and Chinese social media networks to different standards. It’s imperative that states move to a policy position where all social media and internet companies are being held to the same set of standards, regardless of their country of origin or ownership.

This report recommends (on page 50) that governments implement transparent user data privacy and user data protection frameworks that apply to all social media networks. If companies refuse to comply with such frameworks, they shouldn’t be allowed to operate. Independent audits of social media algorithms should be conducted. Social media companies should be transparent about the guidelines that human moderators use and what impact their decisions have on their algorithms. Governments should require that all social media platforms investigate and disclose information operations being conducted on their platforms by state and non-state actors. Disclosures should include publicly releasing datasets linked to those information campaigns.

Finally, all of these recommended actions would benefit from multilateral collaboration that includes participation from governments, the private sector and civil society actors. For example, independent audits of algorithms could be shared by multiple governments that are seeking the same outcomes of accountability and transparency; governments, social media companies and research institutes could share data on information operations; all stakeholders could share lessons learned on data frameworks.

Download the report

Download our full report here.


Acknowledgements

We would like to thank Danielle Cave and Fergus Hanson for their work on this project. We would also like to thank Michael Shoebridge, Dr Samantha Hoffman, Jordan Schneider, Elliott Zaagman and Greg Walton for their feedback on this report as well as Ed Moore for his invaluable help and advice. We would also like to thank anonymous technically-focused peer reviewers.

This project began in 2019 and in early 2020 ASPI was awarded a research grant from the US State Department for US$250k, which was used towards this report. The work of ICPC would not be possible without the financial support of our partners and sponsors across governments, industry and civil society.

What is ASPI?

The Australian Strategic Policy Institute was formed in 2001 as an independent, non‑partisan think tank. Its core aim is to provide the Australian Government with fresh ideas on Australia’s defence, security and strategic policy choices. ASPI is responsible for informing the public on a range of strategic issues, generating new thinking for government and harnessing strategic thinking internationally. ASPI’s sources of funding are identified in our Annual Report, online at www.aspi.org.au and in the acknowledgements section of individual publications. ASPI remains independent in the content of the research and in all editorial judgements.

ASPI International Cyber Policy Centre

ASPI’s International Cyber Policy Centre (ICPC) is a leading voice in global debates on cyber, emerging and critical technologies, issues related to information and foreign interference and focuses on the impact these issues have on broader strategic policy. The centre has a growing mixture of expertise and skills with teams of researchers who concentrate on policy, technical analysis, information operations and disinformation, critical and emerging technologies, cyber capacity building, satellite analysis, surveillance and China-related issues.

The ICPC informs public debate in the Indo-Pacific region and supports public policy development by producing original, empirical, data-driven research. The ICPC enriches regional debates by collaborating with research institutes from around the world and by bringing leading global experts to Australia, including through fellowships. To develop capability in Australia and across the Indo-Pacific region, the ICPC has a capacity building team that conducts workshops, training programs and large-scale exercises for the public and private sectors.

We would like to thank all of those who support and contribute to the ICPC with their time, intellect and passion for the topics we work on. If you would like to support the work of the centre please contact: icpc@aspi.org.au

Important disclaimer

This publication is designed to provide accurate and authoritative information in relation to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering any form of professional or other advice or services. No person should rely on the contents of this publication without first obtaining advice from a qualified professional.

© The Australian Strategic Policy Institute Limited 2020

This publication is subject to copyright. Except as permitted under the Copyright Act 1968, no part of it may in any form or by any means (electronic, mechanical, microcopying, photocopying, recording or otherwise) be reproduced, stored in a retrieval system or transmitted without prior written permission. Enquiries should be addressed to the publishers. Notwithstanding the above, educational institutions (including schools, independent colleges, universities and TAFEs) are granted permission to make copies of copyrighted works strictly for educational purposes without explicit permission from ASPI and free of charge.

First published September 2020.

ISSN 2209-9689 (online), ISSN 2209-9670 (print)

Funding for this report was provided by the US State Department.

The Chinese Communist Party’s coercive diplomacy

What’s the problem?

The Chinese Communist Party (CCP) is increasingly deploying coercive diplomacy against foreign governments and companies. Coercive diplomacy isn’t well understood, and countries and companies have struggled to develop an effective toolkit to push back against and resist it.

This report tracks the CCP’s use of coercive diplomacy over the past 10 years, recording 152 cases of coercive diplomacy affecting 27 countries as well as the European Union. The data shows that there’s been a sharp escalation in these tactics since 2018. The regions and countries that recorded the most instances of coercive diplomacy over the last decade include Europe, North America, Australia, New Zealand and East Asia.

The CCP’s coercive tactics can include economic measures (such as trade sanctions, investment restrictions, tourism bans and popular boycotts) and non-economic measures (such as arbitrary detention, restrictions on official travel and state-issued threats). These efforts seek to punish undesired behaviour and focus on issues including securing territorial claims, deploying Huawei’s 5G technology, suppressing minorities in Xinjiang, blocking the reception of the Dalai Lama and obscuring the handling of the Covid-19 pandemic.1

China is the largest trading partner for nearly two-thirds of the world’s countries, and its global economic importance gives it significant leverage.2 The impacts of coercive diplomacy are exacerbated by the growing dependency of foreign governments and companies on the Chinese market. The economic, business and security risks of that dependency are likely to increase if the CCP can continue to successfully use this form of coercion.

What’s the solution?

A coordinated and sustained international effort by foreign governments and companies is needed to counter this coercive diplomacy and uphold global stability. This can be achieved by the following means:

  • Increase global situational awareness about the widespread use of coercive diplomacy and the most effective strategies to counter it.
  • Respond via coordinated and joint pushback through multilateral forums and by building minilateral coalitions of states affected by the same coercive methods.
  • Five Eyes countries should consider adopting a collective economic security measure, analogous to Article 5 of the North Atlantic Treaty establishing NATO. Using their collective intelligence arrangements and by pulling in other partners, authoritative joint attributions could be made of any coercive measures levied against any of the members with collective economic and diplomatic measures taken in response.
  • Factor in the heightened risk of doing business and building economic relations with China, particularly with regard to trade flows, supply chains and market share.
  • Develop economic, foreign and trade protocols in collaboration with the business community on how best to respond to coercive methods applied to business. In cases of coordinated action against companies, the dispute should be elevated to a state-level discussion to prevent individual companies being picked off and capitulating.

Introduction

First, as a responsible major country, China stands upright with honour. We never strong-arm others, never seek supremacy, never withdraw from commitments, never bully others, and never complain. The word ‘coercion’ has nothing to do with China.
— Chinese Foreign Ministry spokesperson Hua Chunying, October 2019.3

The past three years have seen an escalation in the CCP’s political and strategic use of coercive measures to defend what it defines as China’s ‘core’ national interests.4 Those interests include preserving domestic stability, stimulating economic development, upholding territorial integrity and securing great power status.5 The CCP has made it clear that these interests are ‘non-negotiable bottom lines of Chinese foreign policy’.6 Elizabeth Economy, the Director for Asia Studies at the Council on Foreign Relations, explains that President Xi Jinping desires to ‘use China’s power to influence others and to establish the global rules of the game’ to protect and promote China’s national interests.7

Coercive diplomacy can be defined as ‘non-militarised coercion’ or ‘the use of threats of negative actions to force the target state to change behaviour’.8 This is in contrast with chequebook diplomacy, in which positive inducements and confidence-building measures in the forms of foreign assistance and promised investment are used by states, including the CCP, to reward countries.9 This carrot-and-stick approach reflects ‘a new level of assertiveness, confidence and ambition’ in the CCP’s foreign policy and economic diplomacy.10

Every country is concerned about protecting its interests and playing to its strengths. Larger states, such as the US and Russia, have applied pressure to smaller states to get what they want with varying levels of success.11 Nevertheless, the CCP’s approach is unique in that it rarely employs traditional methods of coercive diplomacy, which are regulated through the state’s official capacity.12 The CCP is instead arbitrarily imposing measures without officially acknowledging the link between the measures taken and the CCP’s interests, which allows for greater flexibility in escalating or de-escalating situations with less accountability and international oversight.13 This non-traditional type of coercive diplomacy therefore requires a very different set of policy tools and responses.

This research has documented 152 instances of CCP coercive diplomacy between 2010 and 2020 (Figure 1). Of those cases, 100 targeted foreign governments, while the remaining 52 cases targeted specific companies.

Figure 1: Cases of coercive diplomacy used by the CCP, by year, 2010 to 2019

Figure 1 shows a sharp increase in the number of recorded cases from 2018 onwards. Although it isn’t possible to show the full dataset for 2020, within the first eight months there were 34 recorded cases, which equates to more than half of the number recorded in 2019.

Coercive diplomacy from the CCP’s perspective

The CCP has been persistent in maintaining the narrative that its actions are proportionate to its pursuit of protecting core national interests. Most Chinese-language sources examined for this report indicate that, from the CCP’s perspective, coercive diplomacy is an instrument that’s either exclusively used by the West and to which the CCP objects,14 or is carried out by the general Chinese public and has nothing to do with the government.15

However, Chinese state-run think tanks and media organisations have explicitly encouraged the use of coercive diplomatic tactics against offending actors.16 Jian Jisong, an international law expert at the Zhongnan University of Economics and Law, writes that ‘China should liberate its thinking, and fully utilise the important tool of unilateral sanctions’.17 That sentiment is also reflected by the China Institute for Contemporary International Relations, a think tank closely associated with the Ministry of State Security, which states that ‘given the fact that our nation has increasing economic power, we should prudently use economic sanctions against those countries that … threaten our country’s national interests’.18

The CCP, particularly under the leadership of Xi Jinping, has made it increasingly clear that the party ‘leads everything’ and is in strict control of the country through its ‘ideology’ and ‘structural system’.19 This differs from liberal democracies in that China’s core national interests are closely centred on the CCP’s own self-defined political security. Any conduct by foreign states or companies perceived to breach these core national interests is therefore treated as a direct threat to the legitimacy and survival of the CCP (Figure 2).

Figure 2: Global Times tweet depicting Australia as a puppet of the US and issuing a warning against key Australian industries

Source: Global Times (@globaltimesnews), ‘Opinion: If #Australia provokes China more, China will fight it to the end to defend its core interests’, Twitter, 2:20 am, 9 July 2020, online.

Methodology

This report draws on English and Chinese open-source information from news articles, policy papers, academic research, company websites, social media posts, official government documents and statements made by politicians and business officials. This report attempted to gather as many examples of coercive diplomacy as could be identified through open-source materials over a 10-year period and the cases underwent external peer review by 27 experts from 16 different countries. However, various limitations in the methodology used and finite human and language resources mean that it’s certainly not exhaustive or comprehensive. The resulting database is a starting point and an indicator of practice rather than a complete record.

Coercive diplomacy, by design, is difficult to measure because it takes various forms, is defined differently across the literature and can represent different levels of state authoritativeness, particularly in cases involving nationalist responses. The underlying data for most of this report relies on direct or implied statements by senior CCP officials and authoritative Chinese state media, non-authoritative Chinese media, and perceptions of coercive diplomacy in foreign media reports (although in some circumstances non-Chinese sources may be restricted or controlled in part by governments to prevent any further deterioration in relations with the Chinese state). Where possible, this report supplements this data with analysis from academic sources and in-country experts during the peer review process. Those sources are used to connect the action that the CCP objects to and the resulting coercive measure, as the CCP doesn’t make the link explicit and tends to deny responsibility.

However, some examples are likely to have been missed in this dataset or incorrectly specified, as cases might be only partially reported, be reported in error or go entirely unreported. This report excluded some acts of coercion, such as coercion against civil society actors and individuals, unless there was a clear link to a state dispute. This report also excluded cases in which the measures were considered a normal or proportionate diplomatic response to state conduct and cases that amounted to ‘tit-for-tat’ measures. For example, coercive acts related to the US–China trade war and the diplomatic fallout from the India–China border clash aren’t counted in the dataset.

A single incident or dispute can generate multiple instances of coercive diplomacy, which affects the total number of cases recorded in this report. A single dispute might start with a verbal threat and be followed up by a tourist ban and then by some form of trade sanction. Because this report focuses on instances of coercion rather than individual disputes, the methodology used would count that as three different instances of coercion.

Categorising CCP coercion

Coercive diplomacy encompasses a broad range of tactics that can be applied either individually or collectively by the CCP against individual companies and governments. This report divides the methods of CCP coercive diplomacy into eight categories: arbitrary detention or execution, restrictions on official travel, investment restrictions, trade restrictions, tourism restrictions, popular boycotts, pressure on specific companies and state-issued threats.

Arbitrary detention or execution

The CCP has sought to use arbitrary indictments, detainments and executions of foreign nationals for coercive effect against governments ‘that are not willing to fall in line with [the CCP’s] narrative or to cooperate, according to its own terms’.20 Arbitrary detentions and executions often involve the imposition of enforced disappearances, unusual trial delays, harsh punishments, prolonged interrogations and lack of transparency to maximise the effects of coercion.21 The CCP is also known to reinstate Chinese citizenship to detainees to prevent them from being repatriated, placing even further pressure on the governments of their home countries.22

Restrictions on official travel

Restrictions on official travel involve exerting coercive leverage by downgrading bilateral relations, imposing sanctions on travel to China by foreign leaders and state delegations, or refusing to meet with foreign counterparts.23 Examples of restrictions on official travel that have previously been imposed by the CCP include refusals of entry into China and cancellations of high-level visits.24 This often subjects the targeted government to greater political pressure in its own country to repair or reset relations to the CCP’s advantage.

Investment restrictions

China’s emergence as a major global investor has enabled the CCP to impose restrictions on Chinese outbound and inbound investment activities, such as major trade deals, foreign direct investment, infrastructure projects and joint ventures.25 Those investment restrictions can lead to economic consequences unless the target state changes its stance to that demanded by the CCP.26 This method of coercive diplomacy is commonly used against developing countries in conjunction with chequebook diplomacy.

Trade restrictions

The CCP relies heavily on trade restrictions as a means of coercing states. This tactic involves concerted efforts to disrupt trade flows and restrict foreign access to the Chinese market through import and export restrictions.27 The restrictions can be facilitated through the selective use of international regulations, targeted customs inspections, licence denials, tariff increases or unofficial embargoes.28 Chinese authorities often give unrelated administrative or regulatory explanations for such moves, simply denying the punishment motive.

Tourism restrictions

With direct influence over the movements of its own citizens, the CCP has increasingly turned to tourism restrictions to coerce foreign governments. Given the size of China’s tourism market, the effects of Chinese tourism restrictions are often immediate and long-lasting. The CCP has blocked outbound tourism by issuing official travel warnings, suspending package tours organised through state-run travel agencies and banning permits for independent travellers.29 In other instances, the CCP has blocked inbound tourism by suspending visa waivers or limiting access to consular services.30

Popular boycotts

The CCP can retaliate against foreign governments without imposing direct legal or regulatory interventions by encouraging its citizens to engage in nationalistic popular boycott campaigns through state and social media (Figure 3).31 Popular boycotts can be distinguished from pressure on specific companies in that they focus on companies and industries from the target state more broadly as a means of punishing the state and influencing its public opinion. Popular boycotts aren’t always directly orchestrated by Chinese authorities but can still be encouraged through uncontrolled nationalist protests or negative coverage in state media.32 In the words of the Chinese Central Political and Legal Affairs Commission, ‘Chinese people’s anger is not just verbal but will translate into action.’33

The centralisation and comprehensive government control of media in China make it easier for the CCP to mobilise its extensive consumer base and amplify existing boycott campaigns to coerce other countries.34 Pál Nyíri from the Vrije Universiteit Amsterdam explains that ‘in a country that so tightly controls its online spheres, we can assume some degree of at least tacit support simply by the fact that such actions are allowed to continue on the Chinese web.’35

Figure 3: Chinese demonstrators staging a protest to boycott South Korean conglomerate Lotte Group in March 2017 after the heightening of diplomatic tensions between China, South Korea and the US over the Terminal High Altitude Area Defense (THAAD) anti-missile system

Source: AFP, ‘Chinese protest against South Korea’s Lotte’, The Straits Times, 5 March 2017, online.

Pressure on specific companies

Multiple foreign companies have been coerced by Chinese authorities and consumers into issuing public apologies and modifying business operations for supposedly ‘hurting the feelings of Chinese people’.36 Such objectionable actions include ‘mislabelling’ Chinese territories on marketing platforms, supporting pro-democracy movements and making references to politically sensitive issues, even if they weren’t originally targeted at the Chinese market.37 While this method of coercive diplomacy is similar to popular boycotts, the two methods can be distinguished in that individual companies are the target on these occasions, rather than foreign governments, although the effect can be to demonstrate strength to the country where the company is based. This method of coercive diplomacy leads to adverse economic impacts due to losses in sales, popular endorsement, brand reputation or market access to the mainland.38 For this research, cases were limited to those that had a geopolitical angle and were either explicitly encouraged by state media or were likely to have been tacitly supported (although discerning the latter category necessarily involved a degree of subjectivity).

State-issued threats

Chinese diplomats, embassies, and government ministries seek to use coercive diplomacy by releasing official statements threatening foreign governments.39 Most, if not all, such state-issued threats contain vague terminology such as ‘countermeasures’,40 ‘retaliation’,41 ‘inflict pain’,42 and ‘the right to further react’.43 Another source of state-issued threats is state-run media organisations. The Global Times, China Daily, Xinhua News and other outlets are often used as mouthpieces by the CCP to publish warnings through sensationalised English-language commentary aimed at the target state and the international community.44 Global Times editor-in-chief Hu Xijin has implied on numerous occasions that the Global Times reflects the views of Chinese authorities, stating that ‘they can’t speak willfully, but I can’ (Figure 4).45 State-issued threats are often used as a prelude to tougher coercive measures.

Figure 4: Tweets by Global Times editor-in-chief Hu Xijin sharing information about potential countermeasures by the CCP against the US

Key Findings

This research documents 152 instances of CCP coercive diplomacy between 2010 and 2020.

Of those cases, 100 targeted foreign governments (Figure 5), while the other 52 cases targeted foreign companies. Those two categories are analysed separately in this report.

Figure 5: Cases of coercive diplomacy used by the CCP against foreign governments, by category

The most common methods of coercive diplomacy against foreign governments

From the data gathered for this report, the most prominent and common methods of coercive diplomacy used by the CCP to target foreign governments are; state-issued threats (with 34 cases recorded between 2010 and 2020, over half of which were recorded in 2020 alone), trade restrictions (19 cases recorded) and tourism restrictions (17 cases recorded).

Of the 27 countries affected, Australia was subjected to the highest number of recorded cases (17 cases), followed by Canada (10 cases) and the United States (9 cases).

Geopolitical trends

The regions that recorded the most instances of coercive diplomacy were Europe; North America; Australia and New Zealand; and East Asia (South Korea, Japan, Taiwan), while countries in Africa, South America, the Pacific islands and the remaining parts of Asia recorded the smallest number of cases (Figure 6). There were no recorded cases of coercive diplomacy in Central America, Central Asia, and Russia during the relevant period. This divide bears many similarities to the divide between high-income and middle/low-income countries, as defined by the World Bank.46 

Figure 6: Cases of coercive diplomacy, by region

The most likely reason for this is that the political backers of the CCP are predominantly in the developing world. The CCP has had no reason to subject those countries to coercive diplomatic measures in the past 10 years. The CCP maintains a non-alliance policy, and its supporters aren’t a formal block.47 However, the recent opposing joint statements to the UN on the CCP’s treatment of Uyghurs and other minorities in Xinjiang provide a good demonstration of current affiliations.

As demonstrated in Figures 7 and 8, there’s no overlap between countries subjected to coercive diplomacy by the CCP and those supportive of the CCP’s persecution of minorities, with the exception of the Philippines. The CCP’s use of coercive diplomacy against the Philippines arose mainly from disputes over the South China Sea. However, since President Rodrigo Duterte publicly announced a foreign policy shift to China in 2016, no further coercive diplomacy cases against the Philippines have been recorded.48

Figure 7: Countries that have recorded cases of coercive diplomacy by the CCP between 2010 and 2020

Figure 8: Countries by their stance on the CCP’s treatment of Uyghurs and other minorities in Xinjiang

Another geopolitical trend is the impact of the Covid-19 pandemic on the CCP’s coercive diplomacy. The pandemic caused a world-wide lockdown that inhibited key forms of diplomatic and economic leverage for the CCP, particularly tourism restrictions (which included foreign students). This likely contributed to the rise in state-issued threats, of which over half of the 34 recorded cases from the last decade occurred after the CCP implemented the 23 January 2020 lockdown in Wuhan (see figure 9).

Figure 9: Cases of state-issued threats recorded before and after the Wuhan lockdown commenced

Threats were also a timely way for the CCP to combat the rise in criticism against its handling of the outbreak. Criticisms came mainly from Western European and Anglosphere countries, but countries such as Brazil also expressed criticism and were accordingly subjected to threats of countermeasures. The increase in state-issued threats in 2020 can also be linked to the CCP’s crackdown in Hong Kong, which prompted states around the world to take positions and actions the CCP disliked at a time when they had limited options to use other forms of coercive diplomacy.

After China started easing its lockdown restrictions, another key form of diplomatic leverage became China’s exports of medical supplies. In line with the above geopolitical analysis, the CCP ‘rapidly escalated’ medical and financial relief efforts to many countries in the developing world, particularly in Africa.49 With the much-needed medical supplies as ‘carrots’, the CCP was able to offer them with the expectation that the recipient countries wouldn’t criticise the CCP’s mishandling of the outbreak. The trade in medical supplies could also be used coercively in an attempt to influence state behaviour.

For example, in April 2020, the Netherlands angered the CCP by renaming the country’s diplomatic mission in Taiwan as ‘Netherlands Office Taipei’. In response, the state-run Global Times published an article that cited ‘Chinese netizens’ who called for the export of medical supplies to the Netherlands to cease and quoted an analyst who raised this move as a means for the CCP to send a warning to the Netherlands. This also worked as a warning to other states about the CCP’s willingness to use coercive measures, even in critical areas such as health care and during a global pandemic.50

Divide-and-conquer tactics

Each of the 100 recorded cases of coercive diplomacy involved the CCP acting unilaterally against an individual country. Although the response of countries to the coercive measures wasn’t always clear, where it was possible to discern the reaction, most countries made re-establishing good relations the priority. For example, the CCP enacted multiple coercive measures against Norway in 2010 in retaliation to the awarding of the Nobel Peace Prize to Chinese dissident Liu Xiaobo. After those measures were enacted, UN voting patterns showed closer alignment between China and Norway, and the Norwegian Government supported the admission of China as an observer in the Arctic Council in 2013 and refused to meet with the Dalai Lama for the first time in 2014 (although Norway, like many other countries, may have ceased those meetings in response to China’s general growing global clout, without the fallout from the awarding of the prize).51 The CCP’s actions succeeded in influencing Norway’s foreign policy, as the concessions required to appease the party were relatively minor (the same level of success mightn’t have been achieved had the required concession been bigger).52

This type of result seems likely only to license further coercion by the CCP against others. The CCP intentionally isolates countries in this way to retain comparative strength and ensure the effectiveness of its coercive methods. The CCP’s comparative strength would be significantly diminished if countries that have been subjected to similar coercive diplomatic tactics joined forces to counter them. Remarkably, countries have so far failed to band together to counter CCP coercion, even when that’s been manifestly in their interests. This may be due to a lack of awareness of the widespread use by the CCP of coercive diplomacy, a lack of strategic analysis by foreign ministries of the best way to counter such coercion, or both.

A notable example of this failure involved Canada and Australia. Just days following the arrest of Huawei executive Meng Wanzhou in Canada pursuant to the US–Canada extradition treaty, the CCP arbitrarily arrested Canadian citizens Michael Kovrig and Michael Spavor. It took three weeks before Australia released a statement expressing its ‘concerns’ over the Canadians’ detention.53 The statement fell short of condemning the CCP’s actions and didn’t call for the immediate release of the Canadians, despite two Australian citizens having been subjected to arbitrary detention the previous year and both of them still being detained.54 Australia’s delay in issuing the statement meant that Australia and Canada (as well as the EU and US) weren’t unified in their response to the CCP’s actions and therefore had little impact.

Further analysis on the most common methods of coercive diplomacy against foreign governments

State-issued threats

In addition to the Covid-19 pandemic significantly limiting other forms of coercive diplomacy available to the CCP in 2020 (discussed above) a likely reason for the high rate of state-issued threats is because they are the quickest and most cost-effective form of coercive diplomacy and carry the lowest risk to the CCP’s interests. Our research has found these can be enough, on their own, to coerce the target state into changing course if the state places limited political value on the source of the dispute55 (although threats were not enough to change behaviour if the stakes were high enough, as the in-depth case studies on pages 18–21 illustrate).

Trade restrictions

This report recorded 19 cases of trade restrictions between 2010 and 2020, over half of which occurred since 2018. In all recorded cases, the CCP never officially implemented official sanctions against the target state; instead, an unrelated official reason was provided (such as non-compliance with sanitation or labelling requirements) or no reason was given at all. There are strong indicators for each recorded case that the CCP’s measures were designed to thinly disguise the use of trade to punish and change the behaviour of target states.

For some issues, to be effective, the target state needs to be aware that the trade measures are being levied as punishment for a given action, so, while direct causal relationships aren’t made explicit by the CCP, the trade restrictions are made in such a way as to make the connection clear to the target state. For other issues, it can be useful to maintain greater ambiguity to put the target state off balance, not knowing exactly why the restrictions are happening but only that the CCP is displeased and that concessions in some form are needed. Both approaches help the CCP maintain its official stance that coercive diplomacy is exclusively employed by the West.56 By providing an unrelated official reason to disguise coercive diplomatic measures, the CCP is able to maintain plausible deniability, which offers some protection against countries raising the issue through international channels, such as the World Trade Organization.57

The recorded cases of trade restrictions also demonstrate that the CCP is highly selective in the commodities it targets in order to send a powerful message to target states whilst minimising any harm to its own interests.58 For example, the CCP imposed restrictions on Canadian meat imports in June 2019 in retaliation against the arrest of Huawei executive Meng Wanzhou. 59 However, the CCP retracted these restrictions just 5 months later despite the tensions over this issue persisting, after the effects of a swine fever outbreak continued to drive domestic pork prices unsustainably high.60 With China’s domestic supply not being expected to recover for two or three years (especially with the risk of further outbreaks) and inflation rates nearing an 8 year high as a result,61 it was ultimately in the CCP’s interests to make this concession.62 This case illustrates some of the constraints on the CCP’s use of economic coercion.

The CCP’s recent trade restrictions against Australian barley (which are widely interpreted to be retaliation for Australia pushing for an inquiry into the origins and handling of the Covid-19 outbreak) further illustrate how these measures are often ‘aligned with—or constrained by—market trends and conditions’.63 Of all the trade restriction cases recorded, the CCP’s measures imposed on barley stand out as seemingly having the biggest effect on China’s own trade practices, as Australian barley accounted for up to 80% of China’s barley imports in recent years.64 However, this in fact aligns with the CCP’s goal of self-sufficiency and import diversification.65 Furthermore, the restrictions coincided with a significant decline in China’s domestic demand for barley.66 Though the sanctions were ‘triggered’ by Australia’s call for the Covid-19 inquiry, the CCP wanted to employ them anyway due to the benefit that would provide to the Chinese domestic market.67 As argued by Scott Waldron from the University of Queensland, it is significant that the CCP has not imposed restrictions in relation to wool, given China buys approximately 75% of Australia’s wool exports.68

The selective use of trade restrictions simultaneously minimises impacts on Chinese consumers and businesses, while maintaining leverage against the target state. Severe disruption to all trade with a target state would not only negatively affect Chinese consumers and businesses but would also exhaust all leverage against the target state in one go and completely undermine the CCP’s narrative of plausible deniability. To date, the CCP has aimed to find a balance between punishing a country enough to make it change its behaviour and running the risk of damaging relations to the point at which the state no longer sees value in appeasing the CCP or at which the Chinese economy would be damaged. As demonstrated by the case studies, the CCP selects only individual commodities or services to target with restrictions. While targeted restrictions were in place, it was common for other sectors within the same state to experience an increase in Chinese trade. This was the case in Canada in 2019; after Canadian canola imports were blocked in China, Canadian wheat exporters experienced a rise in wheat imports into China.69 Similarly, in August 2020, trade between China and Australia was 4% higher than in the previous year, despite the constraints of the Covid-19 pandemic and a deterioration in bilateral relations.70

Tourism restrictions

Tourism restrictions are the third most common form of coercive diplomacy used to target foreign governments identified through this research. This report recorded 17 cases between 2010 and 2020, half of which occurred after 2018. China is the world’s largest outbound tourism market. It accounts for more than 20% of global tourism, and 150 million Chinese tourists travelled abroad and spent a combined total of US$277 billion in 2018.71 Subject to the long-term impacts of the Covid-19 pandemic on large-scale tourism, those figures are likely to continue to increase and further grow the importance of the Chinese tourist market, as only an estimated 10% of Chinese citizens hold passports.72

The CCP holds considerable influence over its outbound tourism market,73 which it has manipulated to promote foreign policy objectives. As demonstrated in the recorded cases, the CCP controls outbound tourism through issuing travel warnings and using its regulatory powers over travel agents to direct them to avoid selling package tours to a blacklisted country. The travel restrictions necessitated by the Covid-19 pandemic have not prevented the CCP from threatening tourism restrictions or issuing travel warnings. The lack of international travel at the time these warnings were issued highlights the fact that the measures are usually not in response to the reasons claimed by the CCP and are primarily used to coerce.

In-depth case studies

Norway, South Korea, Canada and Australia have each individually experienced the full spectrum of the CCP’s coercive diplomatic tactics. Despite obvious temporal and geographical differences among the following four case studies, the CCP’s actions followed a remarkably similar pattern.

In-Depth Case Study: Norway

In-Depth Case Study: South Korea

In-Depth Case Study: Canada

In-Depth Case Study: Australia

Coercive diplomacy against foreign companies

This report documents 52 cases of pressure applied by or at least encouraged by the CCP against foreign companies. In many of the recorded cases, the CCP applied pressure by inciting backlash from Chinese consumers, blocking websites or adding legal penalties. Even in cases in which the CCP can’t be directly linked to the backlash, it has arguably encouraged this consumer response by not censoring it. This is despite the backlash being overtly political and something that would ordinarily attract censorship in China if it were directed against anything contrary to the CCP’s interests.

The effectiveness of the CCP’s coercion against companies can be measured by the rate at which apologies were issued in response to the coercion. Of the cases recorded in this report, 82.7% of the companies issued apologies. Almost no companies had their own governments step up to help them respond (Figures 10, 11 and 12).

Figure 10: Percentages of companies that have issued apologies, complied with directions from Chinese state authorities, or both

Figure 11: An image portraying foreign brands being targeted by the Chinese social media platform Weibo

Source: Manya Koetse, ‘Hong Kong protests: Brand “witch hunt” takes over Chinese internet”’, BBC News, 15 August 2019, online.

Figure 12: An official apology by Italian luxury brand Versace was shared online after it received backlash for designing T-shirts that implied that Hong Kong and Macau are independent territories

Source: VERSACE (@Versace), ‘The Company apologizes for the design of its product and a recall of the t-shirt has been implemented in July’, Twitter, 7:36 pm, 11 August 2019, online.

The success of coercive measures against businesses largely stems from companies being profit-driven and having limited power relative to the world’s second largest economy. China’s consumer spending overtook the US’s for the first time in 2019,74 so companies are unlikely to risk losing access to that market. Targeting companies allows the CCP to achieve political ends while keeping the dispute at arm’s length from governments that would be better placed to push back. For example, in April 2018, the Chinese Civil Aviation Administration ordered 36 international airlines to remove all references from their websites that suggested Hong Kong, Taiwan and Macau were separate regions or risk having the company’s ‘serious dishonesty’ recorded and facing ‘disciplinary actions’.75 By July 2018, all 36 airlines, including British Airways, Japan Airlines, Lufthansa and Qantas, had modified their websites and other promotional material to reflect the CCP’s views. Delta Airlines went further and apologised for its listing, stating ‘We are fully committed to China and to our Chinese customers.’76 If the governments of the countries where the airlines were headquartered had instead banded together to counter the threat, the outcome would likely have been very different.

The emergence of a counter-coercion strategy

A number of foreign governments, including those of Australia, Canada, Japan, India, the UK and the US, are starting to call out the CCP’s coercive diplomacy as it happens and are working on ways to develop an effective counter-coercion strategy.77 For example, Australia set the foundations for a counter-coercion strategy back in June 2017 during the 16th Shangri-La Dialogue when then Prime Minister Malcolm Turnbull stated that ‘a coercive China would find its neighbours resenting demands they cede their autonomy and strategic space, and look to counterweight Beijing’s power by bolstering alliances and partnerships.’78 The Australian Government then enacted new national security and foreign interference legislation, citing ‘disturbing reports about Chinese influence’.79

Three years later, in June 2020, Prime Minister Scott Morrison formally declared that Australia won’t be intimidated by threats from the CCP and won’t trade its values in response to ‘coercion’.80 In August 2020, Morrison affirmed that Australia wants to ‘see international engagement framed by agreed rules and norms, not crude economic or political coercion’ in reference to the CCP and ‘will call it as we see it’.81

Another example was in August 2020 when the Five Eyes intelligence alliance issued a joint statement demonstrating grave concern over the disqualification of pro-democracy candidates in the Hong Kong Legislative Council elections and condemning the suppression of Hong Kong citizens’ rights and freedoms following the imposition of a new national security law by the CCP.82 The joint statement came after the CCP threatened countermeasures against all five member states for suspending extradition treaties and providing assistance to Hong Kong citizens.83 While counter-coercion strategies remain unclear for the rest of the world, they’re likely to increase in the future as the CCP continues with its coercive tactics.

Future challenges and recommendations

Coercive diplomacy is an important tool of Chinese foreign policy that the CCP will continue to use against foreign governments and companies, particularly in democratic countries. The CCP’s practice of coercive diplomacy is very broad in its targets, intentions, methods and levels of retaliation. Therefore, this report seeks to offer flexible policy options that can be implemented across different levels of society.

Recommendation 1: Increase global situational awareness about coercive diplomacy

The current failure of countries and companies to effectively deter coercive diplomacy suggests that there’s limited appreciation of its prevalence and limited discussion of effective countermeasures. Governments could remedy this by tasking their foreign ministries to track coercive diplomacy and use that data to identify potential coalitions, particularly in the areas of economic cooperation, trade liberalisation and technological development. Research institutions could also be encouraged to systematically track instances of coercive diplomacy.

Recommendation 2: Respond via coordinated and joint pushback

Responding to coercive threats in an individual capacity, whether as a state or as a company, will only work for the US, given China’s current size and heft. To be effective, governments need to counter the CCP’s divide-and-conquer tactics by pursuing coordinated and joint pushback through multilateral forums such as the G7, G10 and European Union and by building minilateral coalitions of countries affected by the same coercive methods. Those coalitions could be used to publicly call out examples of coercion in the same way that’s currently used to attribute cyberattacks, and follow that up with countermeasures. In many cases, it would be unethical and against core values to reciprocate with like-for-like countermeasures (for example, arbitrary arrests and executions), so countermeasures will need to target alternative areas, such as through joint statements, economic sanctions or official travel restrictions.

Recommendation 3: Establish a 5 Eyes collective economic security pact

The Five Eyes countries should consider adopting a collective economic security measure, analogous to Article 5 of the North Atlantic Treaty establishing NATO (“an armed attack against one or more of them in Europe or North America shall be considered an attack against them all”). Using their collective intelligence arrangements, the Five Eyes countries could make authoritative joint attributions of any coercive measures levied against any of the five members and take collective economic and diplomatic measures in retaliation. Such an arrangement could also involve an agreement to abstain from taking advantage of any coercive trade measures imposed by the CCP (for example, refusing to fill the shortfall created by banning Canadian pork). While this approach may be less attractive to the current US Administration it may be of interest to future administrations and would be highly effective in deterring the use of coercive diplomatic measures.

Recommendation 4: Develop protocols in collaboration with the business community to counter coercive measures targeting companies

Affected governments should work more closely with business groups to develop protocols on how to best respond to economic coercive methods applied by the CCP. The increasing risk of economic coercion by the party should be assessed as a structural matter in economic and trade policies, not just as isolated or unexpected acts in response to particular decisions and events. In cases of coordinated action against companies, the dispute should be elevated to a state-level discussion to prevent individual companies from being picked off and being forced to capitulate. In the case involving 36 global airlines, a more effective approach would have involved governments assuming the lead in responding to the ultimatum, working to form a global coalition of countries and their airlines that refused to be pressured, and countering the coercion by threatening reciprocal bans on access to their markets.

Recommendation 5: Factor in the heightened risk of doing business and building economic relations with China

As the CCP uses economic coercion more often, and more overtly, foreign companies with business operations in China need to factor in the increasing risk to trade flows, supply chains and market share. That risk is significant enough to warrant board-level attention and will no doubt be a standing topic in audit committees because of its bottom-line impact. This requires board-level involvement to protect shareholder value and is also likely to require companies to work more closely with their home government policymakers.

Appendix

Readers are encouraged to download the report PDF to access the extensive dataset which details cases of CCP coercive diplomacy targeting foreign governments and companies.


Acknowledgements

We would like to thank Danielle Cave, John Garnaut, Darren Lim and Michael Shoebridge for their feedback on this report. We would also like to thank all the experts from around the world that peer-reviewed the cases in the Appendix: Dr Altay Atli, Aakriti Bachhawat, Alexandre Dayant, Andreas Bøje Forsby, Dr Rudolf Furst, Bonnie Glaser, Dr Xue Gong, Dr Samantha Hoffman, Edcel John A. Ibarra, Daria Impiombato, Alex Joske, Prof. Sharad K Soni, Dr Huong Le Thu, Dr John Lee, David McDonough, Anna Michalski, Yuma Osaki, Lucrezia Poggetti, Dr Frans-Paul van der Putten, Dr Shelley Rigger, Dr Uma Shankar Prasad, Dr. Ana Soliz Landivar de Stange, Dr Tim Summers and Yun Sun. No specific sponsorship was received to fund production of this report. The work of ICPC would not be possible without the financial support of our partners and sponsors across governments, industry and civil society.

What is ASPI?

The Australian Strategic Policy Institute was formed in 2001 as an independent, non‑partisan think tank. Its core aim is to provide the Australian Government with fresh ideas on Australia’s defence, security and strategic policy choices. ASPI is responsible for informing the public on a range of strategic issues, generating new thinking for government and harnessing strategic thinking internationally. ASPI’s sources of funding are identified in our Annual Report, online at www.aspi.org.au and in the acknowledgements section of individual publications. ASPI remains independent in the content of the research and in all editorial judgements.

ASPI International Cyber Policy Centre

ASPI’s International Cyber Policy Centre (ICPC) is a leading voice in global debates on cyber, emerging and critical technologies, issues related to information and foreign interference and focuses on the impact these issues have on broader strategic policy. The centre has a growing mixture of expertise and skills with teams of researchers who concentrate on policy, technical analysis, information operations and disinformation, critical and emerging technologies, cyber capacity building, satellite analysis, surveillance and China-related issues.

The ICPC informs public debate in the Indo-Pacific region and supports public policy development by producing original, empirical, data-driven research. The ICPC enriches regional debates by collaborating with research institutes from around the world and by bringing leading global experts to Australia, including through fellowships. To develop capability in Australia and across the Indo-Pacific region, the ICPC has a capacity building team that conducts workshops, training programs and large-scale exercises for the public and private sectors.

We would like to thank all of those who support and contribute to the ICPC with their time, intellect and passion for the topics we work on.

If you would like to support the work of the centre please contact: icpc@aspi.org.au

Important disclaimer

This publication is designed to provide accurate and authoritative information in relation to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering any form of professional or other advice or services. No person should rely on the contents of this publication without first obtaining advice from a qualified professional.

© The Australian Strategic Policy Institute Limited 2020

This publication is subject to copyright. Except as permitted under the Copyright Act 1968, no part of it may in any form or by any means (electronic, mechanical, microcopying, photocopying, recording or otherwise) be reproduced, stored in a retrieval system or transmitted without prior written permission. Enquiries should be addressed to the publishers. Notwithstanding the above, educational institutions (including schools, independent colleges, universities and TAFEs) are granted permission to make copies of copyrighted works strictly for educational purposes without explicit permission from ASPI and free of charge.

First published August 2020.

ISSN 2209-9689 (online), ISSN 2209-9670 (print)

No specific sponsorship was received to fund production of this report

  1. See data in Appendix for more details. ↩︎
  2. Alyssa Leng, Roland Rajah, ‘Chart of the week: global trade through a US–China lens’, The Interpreter, 18 December 2019, online. ↩︎
  3. Hua Chunying, ‘Foreign Ministry spokesperson Hua Chunying’s regular press conference on October 23, 2019’, Ministry of Foreign Affairs of the PRC, press conference, 23 October 2019, online. ↩︎
  4. Jinghao Zhou, ‘China’s core interests and dilemma in foreign policy practice’, Pacific Focus, 2019, 34(1):33. ↩︎
  5. Kathleen Hicks, Joseph Federici, Connor Akiyama, Hybrid CoE strategic analysis 18: China in the grey zone, European Centre of Excellence for Countering Hybrid Threats, 2019, 3. ↩︎
  6. Jinghan Zeng, Yuefan Xiao, Shaun Breslin, ‘Securing China’s core interests: the state of the debate in China’, International Affairs, 2015, 91(2):245. ↩︎
  7. Elizabeth Economy, The third revolution: Xi Jinping and the new Chinese state, Oxford University Press, New York, 2018, 187. ↩︎
  8. The origin of coercive diplomacy is deeply rooted in traditional security studies, in which earlier definitions involved the threat of future military force or the limited use of military force. See Alexander George, William Simons (eds), The limits of coercive diplomacy, Westview Press, Oxford, 1994; Daniel Byman, Matthew Waxman, The dynamics of coercion: American foreign policy and the limits of military might, Cambridge University Press, New York, 2002. While a widely accepted definition of coercive diplomacy hasn’t been established, this report has adopted the definition used by Ketian Zhang to reflect recent shifts towards a diplomatic strategy that’s more political and economical. See Ketian Zhang, ‘Chinese non-military coercion—tactics and rationale’, Brookings, 22 January 2019, online. ↩︎
  9. Graeme Dobell, China and Taiwan in the South Pacific: diplomatic chess versus Pacific political rugby, Center for the Study of the Chinese Southern Diaspora, 2007, 10. ↩︎
  10. Anne-Marie Brady, ‘China’s foreign propaganda machine’, Journal of Democracy, October 2015, 26(4):51–59. ↩︎
  11. Global Agenda Council on Geo-economics, The age of economic coercion: how geo-politics is disrupting supply chains, financial systems, energy markets, trade and the internet, World Economic Forum, 2016, 7, online. ↩︎
  12. Peter Harrell, Elizabeth Rosenberg, Edoardo Saravalle, China’s use of coercive economic measures, Center for a New American Security, 2018, 2. ↩︎
  13. Harrell et al., China’s use of coercive economic measures, 20. ↩︎

Strategic Vision 2020

Strategic Vision 2020: The ASPI Conference Series

As the world navigates through the stormy waters of a triple crisis: a global pandemic, a probable global depression, and sustained threats to the international rule of law. The urgent need is to find our strategic bearings, look beyond surface distractions and plan a path to security and stability. 

At a time when international travel is highly limited and large scale conference events are impossible, Strategic Vision 2020 provides access to the best international thinkers and policy makers.

In addition to the stellar line-up of thinkers and thought leaders, join ASPI’s Executive Director, Peter Jennings as he wraps up each weeks proceedings with ASPI analysts and guests. They reflect on the conversation and ponder the big strategic challenges going forward.

1. Australia’s future

Stan Grant in conversation with the Hon. John Howard OM AC and the Hon. Kim Beazley AC

2. Stepping up in the Pacific

Stan Grant in conversation with the Right Hon. Sir Rabbie Namaliu KCMG CSM

Hunting the phoenix

The Chinese Communist Party’s global search for technology and talent

NOTE: 

In Policy Brief Report No. 35 ‘Hunting the Phoenix’ by Alex Joske and published by the Australian Strategic Policy Institute, reference was made to Professor Wenlong Cheng, Professor and Director of Research, Chemical Engineering at Monash University. The author and the Australian Strategic Policy Institute accept Professor Cheng’s indication that he did not accept nor derive any benefit from the Thousand Talents Plan, or been involved in or contributed to China’s defence development. Further, the author and the Australian Strategic Policy Institute did not intend to imply that Professor Cheng had engaged in any discreditable conduct and if any reader understood the publication in that way, any such suggestion is withdrawn. The author and the Australian Strategic Policy Institute apologise to Professor Cheng for any hurt caused to him.

What’s the problem?

The Chinese Communist Party (CCP) uses talent-recruitment programs to gain technology from abroad through illegal or non-transparent means. According to official statistics, China’s talent-recruitment programs drew in almost 60,000 overseas professionals between 2008 and 2016. These efforts lack transparency; are widely associated with misconduct, intellectual property theft or espionage; contribute to the People’s Liberation Army’s modernisation; and facilitate human rights abuses.

They form a core part of the CCP’s efforts to build its own power by leveraging foreign technology and expertise. Over the long term, China’s recruitment of overseas talent could shift the balance of power between it and countries such as the US. Talent recruitment isn’t inherently problematic, but the scale, organisation and level of misconduct associated with CCP talent-recruitment programs sets them apart from efforts by other countries. These concerns underline the need for governments to do more to recognise and respond to CCP talent-recruitment activities.

The mechanisms of CCP talent recruitment are poorly understood. They’re much broader than the Thousand Talents Plan—the best known among more than 200 CCP talent-recruitment programs. Domestically, they involve creating favourable conditions for overseas scientists, regardless of ethnicity, to work in China.1 Those efforts are sometimes described by official sources as ‘building nests to attract phoenixes’.2

This report focuses on overseas talent-recruitment operations—how the CCP goes abroad to hunt or lure phoenixes. It studies, for the first time, 600 ‘overseas talent-recruitment stations’ that recruit and gather information on scientists. Overseas organisations, often linked to the CCP’s united front system and overlapping with its political influence efforts, are paid to run most of the stations.3
 

What’s the solution?

Responses to CCP talent-recruitment programs should increase awareness and the transparency of the programs.

Governments should coordinate with like-minded partners, study CCP talent-recruitment activity, increase transparency on external funding in universities and establish research integrity offices that monitor such activities. They should introduce greater funding to support the retention of talent and technology.

Security agencies should investigate illegal behaviour tied to foreign talent-recruitment activity.

Funding agencies should require grant recipients to fully disclose any participation in foreign talent-recruitment programs, investigate potential grant fraud and ensure compliance with funding agreements.

Research institutions should audit the extent of staff participation in foreign talent-recruitment programs. They should act on cases of misconduct, including undeclared external commitments, grant fraud and violations of intellectual property policies. They should examine and update policies as necessary. University staff should be briefed on foreign talent-recruitment programs and disclosure requirements.
 

Introduction

The party and the state respect the choices of those studying abroad. If you choose to return to China to work, we will open our arms to warmly welcome you. If you stay abroad, we will support you serving the country through various means.

—Xi Jinping, 2013 speech at the 100th anniversary of the founding of the Western Returned Scholars Association, which is run by the United Front Work Department.4

The CCP views technological development as fundamental to its ambitions. Its goal isn’t to achieve parity with other countries, but dominance and primacy. In 2018, General Secretary Xi Jinping urged the country’s scientists and engineers to ‘actively seize the commanding heights of technological competition and future development’.5 The Made in China 2025 industrial plan drew attention to the party’s long-held aspiration for self-sufficiency and indigenous innovation in core industries, in contrast to the more open and collaborative approach to science practised by democratic nations.6

The CCP treats talent recruitment as a form of technology transfer.7 Its efforts to influence and attract professionals are active globally and cover all developed nations. The Chinese Government claims that its talent-recruitment programs recruited as many as 60,000 overseas scientists and entrepreneurs between 2008 and 2016.8 The Chinese Government runs more than 200 talent-recruitment programs, of which the Thousand Talents Plan is only one (see Appendix 1).

The US is the main country targeted by these efforts and has been described by Chinese state media as ‘the largest “treasure trove” of technological talent’.9 In addition to the US, it’s likely that more than a thousand individuals have been recruited from each of the UK, Germany, Singapore, Canada, Japan, France and Australia since 2008.10

Future ASPI International Cyber Policy Centre research will detail Chinese Government talent- recruitment efforts in Australia. Past reports have identified a handful of Australian participants in China’s talent-recruitment programs, including senior and well-funded scientists, and around a dozen CCP-linked organisations promoting talent-recruitment work and technology transfer to China.11 However, the scale of those activities is far greater than has been appreciated in Australia.

China’s prodigious recruitment of overseas scientists will be key to its ambition to dominate future technologies and modernise its military. Participants in talent-recruitment programs also appear to be disproportionately represented among overseas scientists collaborating with the Chinese military. Many recruits work on dual-use technologies at Chinese institutions that are closely linked to the People’s Liberation Army.

These activities often exploit the high-trust and open scientific communities of developed countries. In 2015, Xi Jinping told a gathering of overseas Chinese scholars that the party would ‘support you serving the country through various means’.12 As detailed in Bill Hannas, James Mulvenon and Anna Puglisi’s 2013 book Chinese industrial espionage, those ‘various means’ have often included theft, espionage, fraud and dishonesty.13 The CCP hasn’t attempted to limit those behaviours. In fact, cases of misconduct associated with talent programs have ballooned in recent years. The secrecy of the programs has only been increasing.

The CCPs’ talent-recruitment efforts cover a spectrum of activity, from legal and overt activity to illegal and covert work (Figure 1). Like other countries, China often recruits scientists through fair means and standard recruitment practices. It gains technology and expertise from abroad through accepted channels such as research collaboration, joint laboratories and overseas training. However, overt forms of exchange may disguise misconduct and illegal activity. Collaboration and joint laboratories can be used to hide undeclared conflicts of commitment, and recruitment programs can encourage misconduct. Participants in talent-recruitment programs may also be obliged to influence engagement between their home institution and China. The Chinese Government appears to have rewarded some scientists caught stealing technology through talent-recruitment programs. In some cases, Chinese intelligence officers may have been involved in talent recruitment. Illustrating the covert side of talent recruitment, this report discusses cases of espionage or misconduct associated with talent recruitment and how the Chinese military benefits from it (Appendix 2).

Figure 1: The spectrum of the CCP’s technology transfer efforts

Talent-recruitment work has been emphasised by China’s central government since the 1980s and has greatly expanded during the past two decades.14 In 2003, the CCP established central bodies to oversee talent development, including the Central Coordinating Group on Talent Work ( 中 央 人才工作协调小组), which is administered by the Central Committee’s Organisation Department and includes representation from roughly two dozen agencies.15  In 2008, the party established the national Overseas High-level Talent Recruitment Work Group (海外高层次人才引进工作小组) to oversee the Thousand Talents Plan (see box).16 Local governments around China also regularly hold recruitment events at which overseas scientists are signed up to talent-recruitment schemes and funding initiatives.17 This demonstrates how talent-recruitment efforts are a high priority for the CCP, transcending any particular bureaucracy and carried out from the centre down to county governments.

The Overseas High-level Talent Recruitment Work Group

The Overseas High-level Talent Recruitment Work Group was established in 2008 to oversee the implementation of the Thousand Talents Plan. It’s administered by the Central Committee’s Organisation Department, which plays a coordinating role in talent recruitment work carried out by government and party agencies. Its members include the Ministry of Human Resources and Social Security, the Ministry of Education, the Ministry of Science and Technology, the People’s Bank of China, the State-owned Assets Supervision and Administration Commission, the Chinese Academy of Sciences, the United Front Work Department (UFWD) of the Central Committee of the CCP, the National Development and Reform Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security, the Ministry of Finance, the Overseas Chinese Affairs Office (now part of the UFWD), the Chinese Academy of Engineering, the National Natural Science Foundation, the State Administration of Foreign Experts Affairs (now part of the Ministry of Science and Technology), the Communist Youth League of China and the China Association for Science and Technology.18

To illustrate the international reach of CCP talent recruitment, the ASPI International Cyber Policy Centre (ICPC) has created an original database of 600 overseas talent-recruitment stations. The operation of the stations is contracted out to organisations or individuals who are paid to recruit overseas scientists. They might not have a clear physical presence or might be co-located with the organisations contracted to run them (see box). This is a growing part of the CCP’s talent-recruitment infrastructure—providing on-the-ground support to the CCP’s efforts to identify and recruit experts from abroad—but it has never been analysed in detail before.

Features of overseas talent-recruitment stations

  • Overseas organisations or individuals contracted by the CCP to carry out talent-recruitment work
  • Often run by overseas united front groups
  • Tasked to collect information on and recruit overseas scientists
  • Promote scientific collaboration and exchanges with China
  • Organise trips by overseas scientists to China
  • Present across the developed world
  • May receive instructions to target individuals with access to particular technologies
  • Paid up to A$30,000 annually, plus bonus payments for each successful recruitment

The database was compiled using open-source online information from Chinese-language websites. Those sources included Chinese Government websites or media pages announcing the establishment of overseas recruitment stations and websites affiliated with overseas organisations running recruitment stations. We carried out keyword searches using various Chinese terms for talent-recruitment stations to identify their presence across the globe. An interactive version of the map of stations is in the online version of this report (Figure 2).

Figure 2: Overseas recruitment stations and their links back to China

Please click the map for the interactive database. Hover over data points for details on each recruitment station. Please note: stations are geo-located to City level (not street-level). 

Using examples and case studies of stations from around the world, this report also reveals the role of the united front system in talent-recruitment work. The united front system is a network of CCP-backed agencies and organisations working to expand the party’s United Front—a coalition of groups and individuals working towards the party’s goals. Many of those agencies and organisations run overseas recruitment stations. As detailed in the ASPI report The party speaks for you: foreign interference and the Chinese Communist Party, the system is widely known for its involvement in political influence work, but its contributions to technology transfer have attracted little attention.

Why China’s talent-recruitment programs raise concerns

China’s talent-recruitment programs are unlike efforts by Western governments to attract scientific talent. As two scholars involved in advising the CCP on talent recruitment wrote in 2013, ‘The Chinese government has been the most assertive government in the world in introducing policies targeted at triggering a reverse brain drain.’19 The flow of talent from China is still largely in the direction of the US.20 However, research from the Center for Security and Emerging Technology found that the proportion of Chinese STEM PhD graduates of US universities intending to stay in the US has declined over the past two decades.21 In May 2020, the US Government announced new restrictions on visas for scientists linked to the Chinese military.22

The widespread misconduct associated with CCP talent-recruitment programs sets them apart from efforts by other nations. For example, an investigation by the Texas A&M University system found more than 100 staff linked to China’s talent programs, but only five disclosed it despite employees being required to do so.23 That level of misconduct hasn’t been reported in other countries’ talent-recruitment efforts. The absence of any serious attempt by the Chinese Government or its universities to discourage theft as part of its recruitment programs amounts to a tacit endorsement of the programs’ use to facilitate espionage, misconduct and non-transparent technology transfers.

The extent of misconduct by selectees suggests that this is enabled or encouraged by agencies overseeing the programs. Agencies at the centre of China’s talent recruitment efforts have themselves been directly involved in illegal activity. For example, an official from China’s State Administration of Foreign Experts Affairs was involved in stealing US missile technology through the recruitment of a US scientist (see Noshir Gowadia case in Appendix 2).24

Talent recruitment programs have been used to incentivise and reward economic espionage. For example, in 2013, Zhao Huajun (赵华军), was imprisoned in the US after stealing vials of a cancer research compound, which he allegedly used to apply for sponsorship there.25 A month after Zhao was released from prison, he was recruited by the Zhejiang Chinese Medicine University through the Qianjiang Scholars (钱江学者) program.26 In another case, a Coca-Cola scientist allegedly conspired with a Chinese company to secure talent-recruitment program funding on the basis of stolen trade secrets.27

Talent-recruitment programs are also tied to research commercialisation. Applicants to the Thousand Talents Plan have the option to join as ‘entrepreneurs’ rather than as scientists, supporting companies they have established in China.28 The Thousand Talents Plan is supported by the Thousand Talents Plan Venture Capital Center (千人计划创投中心), which runs competitions to pair participants with start-up funding.29

Commercial activity by talent-recruitment program participants isn’t always disclosed, which often breaches university policies on intellectual property and commercialisation. One recruit from an Australian university set up a laboratory and an artificial intelligence (AI) company in China that later received funding linked to the Thousand Talents Plan Venture Capital Center, but reportedly didn’t disclose that to his Australian university, against existing university policies. The company later supplied surveillance technology to authorities in Xinjiang.30

US investigations of participants in talent-recruitment programs have led to an increase in the programs’ secrecy, rather than reforms to make them more transparent and accountable. In September 2018, the Chinese Government began removing references to the Thousand Talents Plan from the internet and ordering organisations to use more covert methods of recruitment.31 A leaked directive told those carrying out recruitment work for the plan to not use email when inviting potential recruits to China for interviews, and instead make contact by phone or fax under the guise of inviting them to a conference (Figure 3). ‘Written notices should not contain the words “Thousand Talents Plan”’, the document states. In 2018, the official website of the Thousand Talents Plan removed all news articles about the program, before going offline in 2020.32

Figure 3: A leaked notice from September 2018 ordering organisations to use more covert methods of recruiting Thousand Talents Plan participants

Highlighted text: ‘In order to further improve work guaranteeing the safety of overseas talent, work units should not use emails, and instead use phone or fax, when carrying out the interview process. [Candidates] should be notified under the name of inviting them to return to China to participate in an academic conference or forum. Written notices should not include the words “Thousand Talents Plan”.’

Source: ‘被美國盯上 傳中國引進人才不再提千人計畫’ [Targeted by the US, it’s rumoured that China will no longer mention the 1,000 Talent Plan], CNA.com, 5 October 2018, online.

CCP technology-transfer efforts are often flexible and encourage individuals to find ways to serve from overseas. Participants in the Thousand Talents Plan, for example, have the option to enter a ‘short-term’ version of the program that requires them to spend only two months in China each year.33 Some selectees establish joint laboratories between their home institutions and their Chinese employers, which could be a way to disguise conflicts of commitment where they have agreed to spend time working for both institutions.34 ‘This enables them to maintain multiple appointments at once, which may not be fully disclosed. This may mean that they’re effectively using time, resources and facilities paid for by their home institutions to benefit Chinese institutions.

Without residing in China, scientists can support collaboration with Chinese institutions, receive visiting Chinese scholars and students and align their research with China’s priorities. Steven X Ding (丁先春), a professor at the University of Duisburg in Germany who has also been affiliated with Tianjin University, was quoted describing this mentality when he worked as vice president of the University of Applied Science Lausitz:35

I manage scientific research at the university, which has more than 100 projects supervised by me—this is a ‘group advantage’. I can serve as a bridge between China and Germany for technological exchange … and I can make greater contributions than if I returned to China on my own. Foreign countries aren’t just advanced in their technologies, but also their management is more outstanding. Being in Germany I can introduce advanced technologies to China, assist communication, exchange and cooperation, and play a role as a window and a bridge [between China and Germany].36

The CCP’s talent-recruitment activities are also notable for their strategic implications. The deepening of ‘military–civil fusion’ (a CCP policy of leveraging the civilian sector to maximise military power) means that China’s research institutes and universities are increasingly involved in classified defence research, including the development of nuclear weapons.37 Chinese companies and universities are also working directly with public security agencies to support the oppression and surveillance of minorities through their development and production of surveillance technologies.38  Participants in talent-recruitment programs also appear to be disproportionately represented among overseas scientists collaborating with the Chinese military.39 Recruitment work by the People’s Liberation Army and state-owned defence conglomerates is described later in this report.

These structures behind talent-recruitment activity and their links to national initiatives show how it’s backed by the party’s leaders and high-level agencies and has clear objectives. This contradicts the theory that China employs a ‘thousand grains of sand’ approach to intelligence gathering or economic espionage, relying on uncoordinated waves of amateur ethnic-Chinese collectors to hoover up technology.40 Indeed, what may be one of the most egregious charges of misconduct related to a talent-recruitment program involves Harvard Professor Charles Lieber, a nanotechnologist with no Chinese heritage, who was arrested in 2020 for allegedly failing to disclose a US$50,000 monthly salary he received from a Chinese university as part of the Thousand Talents Plan.41 As shown by the case of Zheng Xiaoqing, who allegedly stole jet turbine technology from GE Aviation while joining the Thousand Talents Plan as part of a Jiangsu State Security Department operation, talent recruitment can at times involve professional intelligence officers (see Appendix 2).

In 2012, Peter Mattis, an expert on CCP intelligence activity, wrote that ‘The “grains of sand” concept focuses analytic attention on the [counter-intelligence] risk individuals pose rather than on government intelligence services.’42 In the case of talent-recruitment programs, interpreting them through the lens of a ‘grains of sand’ model would place greater emphasis on individuals involved in the programs while neglecting the mechanisms of talent recruitment activity used by the CCP. Talent-recruitment efforts are carried out with heavy involvement from the united front system and dedicated agencies such as the Ministry of Science and Technology’s State Administration of Foreign Experts Affairs.43

It isn’t an ethnic program with individual actors at its core—it’s a CCP program leveraging incentives as well as organised recruitment activity—yet it’s often framed by the party as serving the country’s ethno-nationalist rejuvenation.44

Recognising these features of CCP technology-transfer activity—such as its central and strategic guidance, implementation across various levels of the Chinese Government, high-rate of misconduct and reliance on overseas recruitment mechanisms—should be fundamental to any responses to the activity.45 Poorly executed, and sometimes misguided, attempts at investigating and prosecuting suspected cases of industrial espionage have helped build an image of both the problem and enforcement actions as being driven by racial factors rather than state direction.46

Talent-recruitment stations

Chinese Government and Party agencies from the national to the district level have established hundreds of ‘overseas talent recruitment workstations’ in countries with high-quality talent, cutting-edge industries and advanced technology.47 The stations are established in alignment with central guidance on talent-recruitment work and also adapt to the needs of the various Chinese Government organs establishing them. They’re run by overseas organisations, such as community associations, and are a key part of the CCP’s little-understood talent-recruitment infrastructure.

The stations work on behalf of the Chinese Government to spot and pursue talent abroad. Their importance is reflected in the fact that research for this report has uncovered 600 stations spread across technologically advanced countries (Figure 4).48 The increasingly covert nature of talent recruitment efforts means on-the-ground measures such as talent-recruitment stations should become more important.

The highest number of stations (146) was found in the United States. However, Germany, Australia, the United Kingdom, Canada, Japan, France and Singapore also each had many stations. This underscores the global reach of China’s talent-recruitment efforts and the high level of recruitment activity in those countries.

Figure 4: The top 10 countries hosting identified talent-recruitment stations

The stations often don’t have dedicated offices or staff. Instead, they’re contracted to local professional, community, student and business organisations, such as the Federation of Chinese Professionals in Europe.49 Such organisations already have established links inside Chinese communities and receive payments in return for spotting and recruiting talent, promoting research collaboration and hosting official delegations from China. The organisations are often linked to the CCP’s united front system and may be involved in mobilising their members to serve the party’s goals—whether cultural, political or technological. In at least two cases, talent-recruitment stations have been linked to alleged economic espionage.

Talent-recruitment stations have been established since at least 2006, and the number has grown substantially since 2015.50 The recent expansion may be related to policies associated with the 13th Five-Year Plan (2016–2020) that advocated strengthening talent-recruitment work ‘centred on important national needs’.51 Of the 600 stations identified in this report, more than 115 were established in 2018 alone (Figure 5).52

Figure 5: Talent recruitment stations established each year, 2008 to 2018

Note: Only stations with verified establishment dates are included.

Politics and talent recruitment intersecting in Canada

In July 2016, the Fujian Provincial Overseas Chinese Affairs Office, part of the united front system, sent representatives, including its director (pictured first from left in Figure 6), around the world to establish talent-recruitment stations.53 Four were established in Canada. John McCallum, a Canadian politician who resigned as ambassador to China in 2019 after urging the government to release Huawei CFO Meng Wanzhou, was pictured (second from right) at the opening of a station run by the Min Business Association of Canada (加拿大闽商总会).54 The association’s chairman, Wei Chengyi (魏成义, first from right), is a member of several organisations run by the UFWD in China and has been accused of running a lobbying group for the Chinese Consulate in Toronto.55

Figure 6: The opening ceremony

Source: ‘Fujian Overseas Chinese Affairs Office’s first batch of four overseas talent recruitment sites landed in Canada’, fjsen.com, 21 July 2016, online.

We obtained several talent-recruitment station contracts, contract templates and regulations that shine a light on the stations’ operations (Figure 7). They reveal that organisations hosting stations are paid an operating fee, receive bonuses for every individual they recruit and are often required to recruit a minimum number of people each year. Those organisations are also collecting data on foreign scientists and research projects. They organise talent-recruitment events, host and arrange visiting Chinese Government delegations and prepare trips to China for prospective recruits.56

Figure 7: A talent recruitment contract signed between the Human Resources and Social Security Bureau of Qingrong District in Chengdu and a Sino-German talent-exchange association

Source: ‘About this overseas talent workstation’, German-Chinese Senior Talent Exchange and Economic and Trade Cooperation Promotion Association, 12 July 2017, online.

Organisations running recruitment stations can receive as much as ¥200,000 (A$40,000) for each individual they recruit. In addition, they’re paid as much as ¥150,000 (A$30,000) a year for general operating costs.57

CCP talent-recruitment agencies gather large amounts of data on overseas scientists, and overseas talent-recruitment stations may be involved in this information-gathering work. Domestically, the Thousand Talents Think Tank (千人智库), which is affiliated with the UFWD, claims to hold data on 12 million overseas scientists, including 2.2 million ethnic Chinese scientists and engineers.58 In 2017, a Chinese think tank produced a database of 6.5 million scientists around the world, including 440,000 AI scientists, as a ‘treasure map’ for China’s development of AI technology and a resource for talent recruitment.59 Abroad, recruitment stations set up by Tianjin City are instructed to ‘grasp information on over 100 high-level talents and an equivalent amount of innovation projects’.60 Qingdao City’s overseas stations are required to collect and annually update data on at least 50 individuals at the level of ‘associate professor, researcher or company manager’ or higher.61 The Zhuhai City Association for Science and Technology tasks its overseas stations with ‘collecting information on overseas science and technology talents, technologies and projects through various channels’.62

Information about overseas technologies and scientists is used for targeted recruitment work that reflects the technological needs of Chinese institutions. For example, Shandong University’s overseas recruitment stations recommend experts ‘on the basis of the university’s needs for development, gradually building a talent database and recommending high-level talents or teams to the university in targeted way’.63 The Guangzhou Development Zone ‘fully takes advantage of talent databases held by their overseas talent workstations … attracting talents to the zone for innovation and entrepreneurship through exchange events and talks’.64

However, the 600 stations identified in this report are probably only a portion of the total number of stations established by the CCP. The real number may be several hundred greater. For example, we identified 90 stations established by the Jiangsu Provincial Government or local governments in the province, yet in 2017 the province’s Overseas Chinese Affairs Office—only one of many agencies in the province establishing overseas recruitment stations—stated that it had already established 121 stations.65

One hundred and seventy-one identified stations were established by united front agencies such as overseas Chinese affairs offices. For many other stations, it’s unclear which part of the bureaucracy established them, so the real number of stations established by the united front system is probably much greater. Similarly, the Qingdao UFWD describes how the city’s Organisation Department produced regulations on overseas talent-recruitment stations and the UFWD advised on their implementation and encouraged united front system agencies to carry them out.66 Universities, party organisation departments, state human resources and social affairs bureaus, state-backed scientific associations and foreign experts affairs bureaus also establish overseas-recruitment stations. None of them is an intelligence agency, but the networks and collection requirements of stations mean they could benefit China’s intelligence agencies.

Overseas talent-recruitment stations are typically run by local organisations, which are contracted to operate them for a period of several years. The local groups include hometown associations, business associations, professional organisations, alumni associations, technology-transfer and education companies and Chinese students and scholars associations (CSSAs) (see box). Local host organisations have often been established with support from, or built close relationships with, agencies such as China’s State Administration for Foreign Experts Affairs and the UFWD.67 Overseas operations of Chinese companies reportedly also host talent-recruitment stations.68 In one case, a station was reportedly established in the University College Dublin Confucius Institute.69

Chinese students and scholars associations involved in running talent recruitment stations

  • US: Greater New York Fujian Students and Scholars Association, University of Washington CSSA, North American Chinese Student Association, UC Davis CSSA
  • Australia: Victoria CSSA, Western Australia CSSA, New South Wales CSSA
  • UK: United Kingdom CSSA
  • Switzerland: Geneva CSSA
  • Italy: Chinese Students and Scholars Union in Italy
  • Czech Republic: Czech CSSA
  • Ireland: CSSA Ireland
  • Hungary: All-Hungary CSSA

Provincial, municipal and district governments are responsible for most talent recruitment, yet their activities are rarely discussed. Qingdao city alone claims that it recruited 1,500 people through its recruitment stations between 2009 and 2014.70 Out of 600 recruitment stations identified in this research, only 20 were established by national organisations, such as the UFWD’s Western Returned Scholars Association (WRSA) and Overseas Chinese Affairs Office.

Similarly, over 80% of talent-recruitment programs are run at the subnational level and may attract as many as seven times as many scientists as the national programs. Between 2008 and 2016, China’s Ministry of Human Resources and Social Security determined that roughly 53,900 scholars had been recruited from abroad by local governments. More than 7,000 scholars were recruited through the Thousand Talents Plan and Hundred Talents Plan (another national talent-recruitment program) over the same period.71

Case study: Zhejiang’s recruitment work in the United Kingdom

A 2018 CCP report on Zhejiang Province’s overseas talent-recruitment work mentioned that it had established 31 overseas recruitment stations. According to the report, Brunel University Professor Zhao Hua (赵华) from the UK is one of the scientists recruited through their efforts.72 Zhao is an expert in internal combustion engines who was recruited to Zhejiang Painier Technology (浙江 派尼尔科技公司), which produces ‘military and civilian-use high-powered outboard engines’.73

The partnership between Zhao and Zhejiang Painier Technology was formed with the help of a talent-recruitment station and reportedly attracted Ұ300 million (A$60 million) in investment.74 The Zhejiang UK Association (英国浙江联谊会) runs as many as four talent-recruitment stations and has recruited more than 100 experts for Zhejiang Province or cities in the province.75 They include a station for Jinhua, the city where Zhejiang Painier Technology is based, so it could have been the organisation that recruited Professor Zhao.76

The Zhejiang UK Association’s founding president is Lady Bates (or Li Xuelin, 李雪琳), the wife of Lord Bates, Minister of State for International Development from 2016 until January 2019.77 Accompanied by her husband, Lady Bates represented the association at the establishment of a recruitment station for Zhejiang Province’s Jinhua city in 2013 (Figure 8).78 She was a non-voting delegate to the peak meeting place of the CCP-led United Front—the Chinese People’s Political Consultative Conference (CPPCC)—and is a member of the UFWD-run China Overseas Friendship Association.79

Figure 8: Lord (first row, second from right) and Lady Bates (first row, centre)

Source: ‘英国浙江联谊会再次携手浙江——与金华市政府签署设立金华英国工作站协议’ [British Zhejiang Friendship Association joins hands with Zhejiang again—Signed an agreement with Jinhua Municipal Government for the establishment of Jinhua UK Workstation], ZJUKA, no date, online.

Counsellor Li Hui (李辉), a senior united front official from the Chinese Embassy in London, praised the association at the station’s founding.80 In particular, he noted Lady Bates’s use of her personal connections to arrange for the signing ceremony to be held in the Palace of Westminster.81

Talent-recruitment stations help arrange visits by Chinese delegations. For example, the Australian alumni association of Northwestern Polytechnical University (NWPU) became a recruitment station for the university and Xi’an City, where the university is located, in 2018.82 It arranged meetings between NWPU representatives and leading Australian-Chinese scientists and helped the university sign partnerships with them. Within a month, it claimed to have introduced five professors from universities in Melbourne to NWPU, although it’s unclear how many of them were eventually recruited by the university.83 NWPU specialises in aviation, space and naval technology as one of China’s ‘Seven Sons of National Defence’—the country’s leading defence universities.84 It’s been implicated in an effort to illegally export equipment for antisubmarine warfare from the US.85

Overseas talent-recruitment organisations also run competitions and recruitment events for the Chinese Government. For example, in 2017, the UFWD’s WRSA held competitions around the world, including in Paris, Sydney, London and San Francisco, in which scientists pitched projects in the hope of receiving funding from and appointments in China. The events were held with the help of 29 European, Singaporean, Japanese, Australian and North American united front groups for scientists.86 Organisations including the University of Technology Sydney CSSA and the Federation of Chinese Scholars in Australia (全澳华人专家学者联合会)—a peak body for Chinese-Australian professional associations that was set up under the Chinese Embassy’s guidance—have partnered with the Chinese Government to hold recruitment competitions tied to the Thousand Talents Plan.87 As described below, CSSAs have run recruitment events for Chinese military institutions and state-owned defence companies.

Talent recruitment in Japan

The All-Japan Federation of Overseas Chinese Professionals (中国留日同学会) is the leading united front group for ethnic Chinese scientists and engineers in Japan. It describes itself as having been established in 1998 under the direction of the UFWD and the UFWD’s WRSA, which is a dedicated body used by the department to interact with and influence scholars with overseas connections.88

Every president of the federation has also served as a council member of the WRSA or the China Overseas Friendship Association, which is another UFWD-run body.89 It runs at least eight talent-recruitment stations—organising talent-recruitment events in Japan and bringing scientists to talent-recruitment expos in China—and reportedly recruited 30 scientists for Fujian Province alone.90 Despite its involvement in the CCP’s technology-transfer efforts, it has partnered with the Japan Science and Technology Agency to run events.91 Former prime minister Hatoyama Yukio (鸠山由纪夫) attended the opening of a WRSA overseas liaison workstation run by the group—the first established by the WRSA (Figure 9).92

Figure 9: Former Japanese prime minister Hatoyama Yukio at the opening of a WRSA workstation

While raw numbers of recruited scientists are occasionally published, specific examples of scientists recruited by individual stations are difficult to find. In 2018, Weihai, a city in Shandong Province, released the names of 25 scientists recruited through stations in Japan and Eastern Europe.93 Among the recruits were medical researchers and AI specialists, including a Ukrainian scientist specialising in unmanned aerial vehicles who was recruited by Harbin Institute of Technology—one of China’s leading defence research universities.94

Case study: The Changzhou UFWD’s overseas network

The UFWD of Changzhou, a city between Shanghai and Nanjing, has established talent-recruitment stations around the world. The UFWD set up the stations alongside its establishment of hometown associations for ethnic Chinese in foreign countries. This illustrates the united front system’s integration of technology-transfer efforts and political and community influence work.

In October 2014, a delegation led by the Changzhou UFWD head Zhang Yue (张跃) travelled to Birmingham to oversee the founding of the UK Changzhou Association (英国常州联谊会). Zhang and the president of the UK Promotion of China Re-unification Society (全英华人华侨中国统一促进会) were appointed as the association’s honorary presidents.95 A united front official posted to the PRC Embassy in London also attended the event.96

The association immediately became an overseas talent-recruitment station for Changzhou and a branch of the Changzhou Overseas Friendship Association, which is headed by a leader of the Changzhou UFWD.97 According to a CCP media outlet, the association ‘is a window for external propaganda for Changzhou and a platform for talent recruitment’ (Figure 10).98

Figure 10: A plaque awarded by the Changzhou City Talent Work Leading Small Group Office to its ‘UK talent recruitment and knowledge introduction workstation’ in 2014

Three days later, the Changzhou UFWD delegation appeared in Paris for the founding of the France Changzhou Association (法国常州联谊会). Again, the Changzhou UFWD head was made honorary president and the association became a talent-recruitment station and a branch of the Changzhou Overseas Friendship Association. CCP media described it as ‘the second overseas work platform established by Changzhou’ under the leadership of Changzhou’s Overseas Chinese Federation, which is a united front agency.99

As detailed in a report published by the province’s overseas Chinese federation, these activities were part of the Changzhou united front system’s strategy of ‘actively guiding the construction of foreign overseas Chinese associations’.100 By 2018, when the report was published, the city had established associations in Australia, Canada, Singapore, the US and Hong Kong and was in the middle of establishing one in Macau. The founding of the Australian association was attended by a senior Changzhou UFWD official, Victorian Legislative Assembly member Hong Lim and Australian Chinese-language media mogul Tommy Jiang (姜兆庆).101

Economic espionage

The following two case studies demonstrate how talent-recruitment stations and their hosting organisations have been implicated in economic espionage and are often closely linked to the CCP’s united front system.

Case study: Cao Guangzhi

In March 2019, Tesla sued its former employee Cao Guangzhi (曹光植, Figure 11), alleging that he stole source code for its Autopilot features before taking it to a rival start-up, China’s Xiaopeng Motors.102

In July, he admitted to uploading the source code to his iCloud account but denies stealing any information.103 Tesla calls Autopilot the ‘crown jewel’ of its intellectual property portfolio and claims to have spent hundreds of millions of dollars over five years to develop it.104 Additional research on the subject of this ongoing legal case shows a pattern of cooperation between Cao and the CCP’s united front system on talent-recruitment work dating back to nearly a decade before the lawsuit.

Figure 11: Cao Guangzhi (far left) with other co-founders of the Association of Wenzhou PhDs USA

Source: ‘全美温州博士协会 “藏龙卧虎”,有古根海姆奖得主、苹果谷歌工程师···’ [The ‘Hidden Dragon and Crouching Tiger’ of the Wenzhou Doctors Association of the US; there are Guggenheim Award winners, Apple Google engineers…], WZRB, 14 April 2017, online.

When Cao submitted his doctoral thesis to Purdue University in 2009, he and three friends established the Association of Wenzhou PhDs USA (全美温州博士协会).105 All four hail from Wenzhou, a city south of Shanghai known for the hundreds of renowned mathematicians who were born there.106 From its inception, the association has worked closely with the PRC Government. A report from Wenzhou’s local newspaper claims that the Wenzhou Science and Technology Bureau, Overseas Chinese Affairs Office and Overseas Chinese Federation gave the group a list of US-based PhD students and graduates from the town, whom they then recruited as members.107 The head of the Wenzhou UFWD praised the association during a 2010 trip to America as ‘the first of its kind and highly significant’.108

The Association of Wenzhou PhDs USA carries out talent recruitment on behalf of the CCP. The year after its establishment, it signed an agreement with the UFWD of a county in Wenzhou to run a talent-recruitment station that gathers information on overseas scientists and carries out recruitment work.109 That year, it also arranged for 13 of its members to visit Wenzhou for meetings with talent-recruitment officials from organisations such as the local foreign experts affairs bureau 110 and with representatives of local companies. Several of the members also brought their research with them, presenting technologies such as a multispectral imaging tool.111

Within a few years of its founding, the association had built up a small but elite group of more than 100 members. By 2017, its members reportedly included Lin Jianhai (林建海), the Wenzhou-born secretary of the International Monetary Fund; engineers from Google, Apple, Amazon, Motorola and IBM; scholars at Harvard and Yale; and six US government employees.112 At least one of its members became a Zhejiang Province Thousand Talents Plan scholar through the group’s recommendation.113 It also helped Wenzhou University recruit a materials scientist from the US Government’s Argonne National Laboratory.114

Case study: Yang Chunlai

The case of Yang Chunlai (杨春来) offers a window into the overlap of the united front system and economic espionage. Yang was a computer programmer at CME Group, which manages derivatives and futures exchanges such as the Chicago Mercantile Exchange. Employed at CME Group since 2000, he was arrested by the Federal Bureau of Investigation (FBI) in July 2011.115 In 2015, he pleaded guilty to trade secrets theft for stealing CME Group source code in a scheme to set up a futures exchange company in China. He was sentenced to four years’ probation.116

Before his arrest, Yang played a central role in a united front group that promotes talent recruitment by, and technology transfer to, China: the Association of Chinese-American Scientists and Engineers (ACSE, 旅美中国科学家工程师专业人士协会). From 2005 to 2007 he was the group’s president, and then its chairman to 2009.117

ACSE is one of several hundred groups for ethnic Chinese professionals that are closely linked to the CCP.118 ACSE and its leaders frequently met with PRC officials, particularly those from united front agencies such as the Overseas Chinese Affairs Office (OCAO),119 the CPPCC and the All-Chinese Federation of Returned Overseas Chinese. At one event, the future director of the OCAO, Xu Yousheng (许又声), told ACSE:

There are many ways to serve the nation; you don’t have to return to China and start an enterprise. You can also return to China to teach or introduce advanced foreign technology and experience—this is a very good way to serve China.120

Yang was appointed to the OCAO’s expert advisory committee in 2008.121 In 2010, he also spoke about ACSE’s close relationship with the UFWD-run WRSA.122

Further illustrating these linkages, Yang visited Beijing for a ‘young overseas Chinese leaders’ training course run by the OCAO in May 2006. Speaking to the People’s Daily during the course, Yang said, ‘It’s not that those who stay abroad don’t love China; it’s the opposite. The longer one stays in foreign lands, the greater one’s understanding of the depth of homesickness.’123 Yang also spoke of the sensitivity of source code used by companies, work on which doesn’t get outsourced. However, he hinted at his eventual theft of code by saying: ‘Of course, even with things the way they are, everyone is still looking for suitable entrepreneurial opportunities to return to China’.124

In 2009, an ‘entrepreneurial opportunity’ may have presented itself when ACSE hosted a talent-recruitment event by a delegation from the city of Zhangjiagang (张家港).125 At the event, which Yang attended (Figure 12), ACSE signed a cooperation agreement with Zhangjiagang to ‘jointly build a Sino-US exchange platform and contribute to the development of the homeland’—potentially indicating the establishment of a talent-recruitment station or a similar arrangement.126

Figure 12: Yang Chunlai (rear, second from right) at the signing ceremony for ACSE’s partnership with Zhangjiagang

Yang later wrote a letter to the OCAO proposing the establishment of an electronic trading company led by him in Zhangjiagang and asking for the office’s support.127 In mid-2010, he emailed CME Group trade secrets to officials in Zhangjiagang and started setting up a company in China. By December, he began surreptitiously downloading source code from CME Group onto a removable hard drive.128 

Yang’s relationship with the OCAO probably facilitated and encouraged his attempt to steal trade secrets in order to establish a Chinese company that, according to his plea deal, would have become ‘a transfer station to China for advanced technologies companies around the world’.129

Yang’s activities appeared to go beyond promoting technology transfer; there are indications that he was also involved in political influence work. This reflects the united front system’s involvement in both technology transfer and political interference. At a 2007 OCAO-organised conference in Beijing, Yang said that he had been encouraged by CPPCC Vice Chairman and Zhi Gong Party Chairman Luo Haocai to actively participate in politics, which he described as ‘a whip telling overseas Chinese to integrate into mainstream society’. He added, ‘I estimate that [ACSE] can influence 500 votes’ in the 2008 US presidential election.130 Yang also befriended politicians, including one senator, who wrote a letter to the judge testifying to Yang’s good character.131 In his OCAO conference speech, he highlighted the appointment of Elaine Chao as US Secretary of Labor and her attendance at ACSE events.132

Talent recruitment and the Chinese military

Talent recruitment is also being directly carried out by the Chinese military. For example, the National University of Defense Technology (NUDT, the People’s Liberation Army’s premier science and technology university) has recruited at least four professors from abroad, including one University of New South Wales supercomputer expert, using the Thousand Talents Plan.133

Outside of formal talent-recruitment programs, NUDT has given guest professorships to numerous overseas scientists, For instance, Gao Wei (高唯), an expert in materials science at New Zealand’s University of Auckland, was awarded a distinguished guest professorship at NUDT in May 2014.134

Gao is closely involved in CCP talent-recruitment efforts. In 2016, he joined Chengdu University as a selectee of the Sichuan Provincial Thousand Talents Plan.135 Just a month before joining NUDT, he signed a partnership with the State Administration of Foreign Experts Affairs as president of the New Zealand Chinese Scientists Association (新西兰华人科学家协会).136 In 2018, the association agreed to run a talent-recruitment station for an industrial park in Shenzhen.137 He has reportedly served as a member of the overseas expert advisory committee to the united front system’s OCAO.138 In 2017, at one of the OCAO’s events, Gao expressed his desire to commercialise his research in China and said that ‘even though our bodies are overseas, we really wish to make our own contributions to [China’s] development’.139

The military’s recruitment of scientists is supported by the same network of overseas recruitment stations and CCP-linked organisations that are active in talent-recruitment work more generally.

Chinese military recruitment delegations have travelled around the world and worked with local united front groups to hold recruitment sessions. In 2014, the New South Wales Chinese Students and Scholars Association (NSW-CSSA, 新南威尔士州中国学生学者联谊会) held an overseas talent-recruitment event for NUDT and several military-linked civilian universities.140 The NSW-CSSA is a peak body for CSSAs and holds its annual general meetings in the Chinese Consulate in the presence of Chinese diplomats.141 In 2013, NUDT held a recruitment session in Zürich organised by the Chinese Association of Science and Technology in Switzerland (瑞士中国学人科技协会).142 A similar event was held in Madrid in 2016.143

The Chinese Academy of Engineering Physics (CAEP), which runs the military’s nuclear weapons program, is particularly active in recruiting overseas experts. By 2014, CAEP had recruited 57 scientists through the Thousand Talents Plan.144 It runs the Center for High Pressure Science and Technology Advanced Research in Beijing in part as a platform for recruiting overseas talent. The institute doesn’t mention its affiliation with CAEP on its English-language website, yet it’s run by a Taiwanese-American scientist who joined CAEP through the Thousand Talents Plan.145 So many scientists from the US’s Los Alamos National Laboratory (a nuclear weapons research facility) have been recruited to Chinese institutions that they’re reportedly known as the ‘Los Alamos club’.146

CAEP also holds overseas recruitment events. At a 2018 event in the UK, a CAEP representative noted the organisation’s intention to gain technology through talent recruitment, saying ‘our academy hopes that overseas students will bring some advanced technologies back, and join us to carry out research projects.’147

Chinese state-owned defence conglomerates are engaged in the same activities. China Electronics Technology Group Corporation (CETC), which specialises in developing military electronics, has been building its presence in Austria, where it opened the company’s European headquarters in 2016 and runs a joint laboratory with Graz University of Technology.148 As part of its expansion, it held a meeting of the European Overseas High-level Talent Association (欧洲海外高层次人才联谊会) in 2017 that was attended by dozens of scientists from across Europe. Later that year, CETC reportedly held similar meetings and recruitment sessions in Silicon Valley and Boston.149 In 2013, the head of CETC’s 38th Research Institute, which specialises in military-use electronics such as radar systems, visited Australia and met with a local united front group for scientists.150 Several members of the group from the University of Technology Sydney attended the meeting, and two years later the university signed a controversial $10 million partnership with CETC on technologies such as AI and big data.151

The Chinese Government’s primary manufacturer of ballistic missiles and satellites, China Aerospace Science and Technology Corporation, has held recruitment sessions in the US and UK through the help of local CSSAs.152

In addition to traditional defence institutions (military institutes and defence companies), China’s civilian universities are increasingly involved in defence research and have also recruited large numbers of overseas scientists. ASPI ICPC’s China Defence Universities Tracker has catalogued and analysed the implementation of military–civil fusion in the university sector.153 The policy of military–civil fusion has led to the establishment of more than 160 defence laboratories in Chinese universities, and such defence links are particularly common among leading Chinese universities that attract the greatest share of talent-recruitment program participants.154 Many recruits end up working in defence laboratories or on defence projects.155

Recommendations

The CCP’s use of talent-recruitment activity as a conduit for non-transparent technology transfer presents a substantial challenge to governments and research institutions. Many of those activities fly under the radar of traditional counterintelligence work, yet they can develop into espionage, interference and illegal or unethical behaviour.

While this phenomenon may still be poorly understood by many governments and universities, it can often be addressed by better enforcement of existing regulations. Much of the misconduct associated with talent-recruitment programs breaches existing laws, contracts and institutional policies. The fact that it nonetheless occurs at high levels points to a failure of compliance and enforcement mechanisms across research institutions and relevant government agencies. Governments and research institutions should therefore emphasise the need to build an understanding of CCP talent-recruitment work. They must also ensure that they enforce existing policies, while updating them as necessary. This report recommends the introduction of new policies to promote transparency and accountability and help manage conflicts of interest.

For governments

We recommend that governments around the world pursue the following measures:

  1. Task appropriate agencies to carry out a study of the extent and mechanisms of CCP talent-recruitment work, including any related misconduct, in their country.
  2. Ensure that law enforcement and security agencies are resourced and encouraged to investigate and act on related cases of theft, fraud and espionage.
  3. Explicitly prohibit government employees from joining foreign talent-recruitment programs.
  4. Introduce clear disclosure requirements for foreign funding and appointments of recipients of government-funded grants and assessors of grant applications.
  5. Ensure that funding agencies have effective mechanisms and resources to investigate compliance with grant agreements.
  6. Ensure that recipients of government research funding are required to disclose relevant staff participation in foreign talent-recruitment programs.
  7. Establish a public online database of all external funding received by public universities and their employees and require universities to submit and update data.
  8. Establish a national research integrity office that oversees publicly funded research institutions, produces reports for the government and public on research integrity issues, manages the public database of external funding in universities, and carries out investigations into research integrity.
  9. Brief universities and other research institutions about CCP talent-recruitment programs and any relevant government policies.
  10. Develop recommendations for universities and other research institutions to tackle talent-recruitment activity. This can draw on the Guidelines to counter foreign interference in the Australian university sector developed by a joint government and university sector taskforce on foreign interference.156
  11. Create an annual meeting of education, science and industry ministers from like-minded countries to deepen research collaboration within alliances, beyond existing military and intelligence research partnerships, and coordinate on issues such as technology and research security.
  12. Increase funding for the university sector and priority research areas, such as artificial intelligence, quantum science and energy storage, perhaps as part of the cooperation proposed above.
  13. Develop national strategies to commercialise research and build talent.

For research institutions

We recommend that research institutions such as universities pursue the following measures:

  1. Carry out a comprehensive and independent audit of participation in CCP talent-recruitment programs by staff.
  2. Ensure that there’s sufficient resourcing to implement and ensure compliance with policies on conflicts of interest, commercialisation, integrity and intellectual property.
  3. Fully investigate cases of fraud, misconduct or nondisclosure. These investigations should determine why existing systems failed to prevent misconduct and then discuss the findings with relevant government agencies.
  4. In conjunction with the government, brief staff on relevant policies on and precautions against CCP talent-recruitment programs.
  5. Strengthen existing staff travel databases to automatically flag conflicts with grant commitments and contracts.
  6. Update policies on intellectual property, commercialisation, research integrity, conflicts of interest and external appointments where necessary.

Participants in CCP talent-recruitment programs should be required to submit their contracts with the foreign institution (both English and Chinese versions) and fully disclose any remuneration.

Appendix

Two appendices accompany this report:

  • Appendix 1: Selected Chinese government talent-recruitment programs
  • Appendix 2: Cases and alleged cases of espionage, fraud and misconduct

Readers are encouraged to download the report to access the appendices.


Acknowledgements

I would like to thank Jichang Lulu, Lin Li, Elsa Kania, John Garnaut, Danielle Cave, Fergus Hanson, Michael Shoebridge and Peter Jennings for their support and feedback on this report. Lin Li helped compile the database of talent-recruitment stations. Alexandra Pascoe provided substantial help in researching and writing the case summaries in Appendix 2. Audrey Fritz and Emily Weinstein contributed valuable research on talent-recruitment programs. I would also like to thank anonymous peer reviewers who provided useful feedback on drafts of the report. The US Department of State provided ASPI with US$145.6k in funding, which was used towards this report.

What is ASPI?

The Australian Strategic Policy Institute was formed in 2001 as an independent, non-partisan think tank. Its core aim is to provide the Australian Government with fresh ideas on Australia’s defence, security and strategic policy choices. ASPI is responsible for informing the public on a range of strategic issues, generating new thinking for government and harnessing strategic thinking internationally. ASPI’s sources of funding are identified in our Annual Report, online at www.aspi.org.au and in the acknowledgements section of individual publications. ASPI remains independent in the content of the research and in all editorial judgements.

ASPI International Cyber Policy Centre

ASPI’s International Cyber Policy Centre (ICPC) is a leading voice in global debates on cyber and emerging technologies and their impact on broader strategic policy. The ICPC informs public debate and supports sound public policy by producing original empirical research, bringing together researchers with diverse expertise, often working together in teams. To develop capability in Australia and our region, the ICPC has a capacity building team that conducts workshops, training programs and large-scale exercises both in Australia and overseas for both the public and private sectors. The ICPC enriches the national debate on cyber and strategic policy by running an international visits program that brings leading experts to Australia.

Important disclaimer

This publication is designed to provide accurate and authoritative information in relation to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering any form of professional or other advice or services. No person should rely on the contents of this publication without first obtaining advice from a qualified professional.

© The Australian Strategic Policy Institute Limited 2020

This publication is subject to copyright. Except as permitted under the Copyright Act 1968, no part of it may in any form or by any means (electronic, mechanical, microcopying, photocopying, recording or otherwise) be reproduced, stored in a retrieval system or transmitted without prior written permission. Enquiries should be addressed to the publishers. Notwithstanding the above, educational institutions (including schools, independent colleges, universities and TAFEs) are granted permission to make copies of copyrighted works strictly for educational purposes without explicit permission from ASPI and free of charge.

First published August 2020. ISSN 2209-9689 (online)
ISSN 2209-9670 (print)

  1. Those conditions include lucrative wages, the creation of tailored venture capital firms and dedicated technology parks. For an influential and detailed study of the domestic infrastructure of PRC technology-transfer efforts, as well as much of its overseas activities through the State Administration of Foreign Experts Affairs, in particular, see Bill Hannas, James Mulvenon, Anna Puglisi, Chinese industrial espionage: technology acquisition and military modernisation, Routledge, London and New York, 2013. ↩︎
  2. See, for example, ‘致公党江苏省委首届“引凤工程”成果丰硕’ [Zhigong Party Jiangsu Committee’s first ‘Attracting Phoenixes Project’ has bountiful results], Jiangsu Committee of the Zhigong Party, 2 January 2011, online; Tang Jingli [唐景莉], ‘筑巢引凤聚才智 国际协同谋创新’ [Building nests to attract phoenixes and gather talents and knowledge, international collaboration for innovation], Ministry of Education, 5 April 2012, online; ‘“筑巢引凤”聚人才 浙江举行 “人才强企”推介会’ [Building nests to attract phoenixes and gather talents, Zhejiang holds the ‘strong talent enterprises’ promotional event], Zhejiang Online, 18 July 2019, online. ↩︎
  3. See Alex Joske, The party speaks for you: foreign interference and the Chinese Communist Party’s united front system, ASPI, Canberra, June 2020, online. ↩︎
  4. Xi Jinping [习近平], ‘习 近平:在欧 美同学会成立100周年庆祝大会上的讲话’ [Xi Jinping: Speech at the celebration of the 100th anniversary of the founding of the Western Returned Scholars Association], Chinese Communist Party News, 21 October 2013, online. ↩︎
  5. ‘习近平:瞄准世界科技前沿引领科技发展方向抢占先机迎难而上建设世界科技强国’ [Xi Jinping: Set sights on the cutting-edge of world science and technology and guide the direction of technological development; seize this strategic opportunity and meet the challenge of building a strong country in terms of science and technology], Xinhua, 28 May 2018, online. ↩︎
  6. Elsa Kania, ‘Made in China 2025, explained’, The Diplomat, 2 February 2019, online; PRC State Council, ‘中国制造2025’ [Made in China 2025], www.gov.cn, 8 May 2015, online; China’s National Medium-Long Term Science and Technology Development Plan (2006–2020) highlighted the goal of indigenous innovation: online . ↩︎
  7. China’s 2017 State Council Plan on Building a National Technology Transfer System describes talent recruitment as a form of technology transfer. See State Council, ‘国家技术转移体系建设方案’ [Plan on Building a National Technology Transfer System], www.gov.cn, 15 September 2017, online. ↩︎
  8. ‘我国留学回国人员已达265.11万人’ [The number of Chinese returning from studying abroad has reached 2,651,100], Economic Daily, 12 April 2017, online. ↩︎
  9. ‘中国驻外使领馆:万流归海引人才 不遗余力架桥梁’ [PRC overseas mission: amid the flow of tens of thousands of talents returning to China, we do not spare energy in building bridges], www.gov.cn, 4 June 2014, online. ↩︎
  10. These estimates are based on the conservative assumption that 60,000 individuals have been recruited from abroad through CCP talent-recruitment programs since 2008. Data on 3,500 participants in the Thousand Talents Plan was used to estimate the proportion recruited from each country. ↩︎
  11. Clive Hamilton, Alex Joske, ‘United Front activities in Australia’, Parliamentary Joint Committee on Intelligence and Security, 2018, online; Ben Packham, ‘Security experts warn of military threat from Chinese marine project’, The Australian, 10 February 2020, online; Alex Joske, ‘The company with Aussie roots that’s helping build China’s surveillance state’, The Strategist, 26 August 2019, online; Ben Packham, ‘Professor, Chinese generals co-authored defence research’, The Australian, 31 July 2019, online; Geoff Wade, Twitter, 25 February 2020, online. ↩︎
  12. Xi Jinping [习近平], ‘习近平:在欧美同学会成立100周年庆祝大会上的讲话’ [Xi Jinping: Speech at the celebration of the 100th anniversary of the founding of the Western Returned Scholars Association]. ↩︎
  13. Hannas et al., Chinese industrial espionage: technology acquisition and military modernization. ↩︎
  14. ‘中央引进国外智力领导小组始末’ [The beginning and end of the Central Leading Small Group for Introducing Foreign Expertise], Baicheng County Party Building Online, 30 September 2019, online. ↩︎
  15. ‘中国人才工作的新进展’ [New progress in China’s talent work], China Online, 28 June 2005, online. ↩︎
  16. ‘中共中央办公厅转发《中央人才工作协调小组关于实施海外高层次人才引进计划的意见》的通知’ [Notice on the CCP General Office circulating ‘Recommendations of the Central Talent Work Coordination Small Group on implementing the overseas high-level talent recruitment plan’], China Talent Online, 20 June 2012, online. ↩︎
  17. ‘2003年全国人才工作会议以来我国人才发展纪实’ [Recording the country’s talent development since the 2003 National Talent Work Conference], People’s Daily. Many of these events, such as Liaoning Province’s China Overseas Scholar Innovation Summit (中国海外学子创业周) and Guangzhou’s Convention on Exchange of Overseas Talents and Guangzhou, were first held before 2003. ‘2018中国海外人才交流大会开幕’ [2018 Convention on Exchange of Overseas Talents], Western Returned Scholars Association (WRSA), 24 December 2018, online ; ‘海外学子创业周凸显品牌效应’ [The Overseas Scholar Entrepreneurship Week has a clear brand effect], Sina, 26 May 2010, online. ↩︎

Working smarter, not harder

Leveraging government procurement to improve cybersecurity and supply chains

What’s the problem?

Australian governments are the nation’s largest spenders on ICT, but they’re failing to maximise the leverage that market power gives them to drive improved cybersecurity and more secure supply chains. Government can harness its spending power to not only improve its own cybersecurity, but to drive better cybersecurity throughout the wider economy. However, current approaches are fragmented and having limited impact, so a concerted national effort is needed, underpinned by major strategic changes in approach.

What’s the solution?

The Australian Government and the state and territory governments should establish a single coherent set of security standards expected from suppliers. The standards need to be more than just a tick-the-box exercise to set a minimum standard—they should provide multiple levels through which suppliers can seek to progress by continuous improvement. In order to protect sensitive data, secure managed enclaves should be used to minimise exposure to the risks of individual suppliers’ ICT systems.

Procurement frameworks need to provide commercial incentives for suppliers to improve their security. In limited areas where there’s a compelling strategic benefit to Australia from building capability, those frameworks should also be linked to a sovereign capability framework to ensure that preference is given to Australian companies.

Introduction

It’s forecast that this year there will be more than two and a half times more connected devices than there are people.1 Securing those devices and networks is critical but increasingly challenging— in 2018–19, the Australian Cyber Security Centre (ACSC) responded to 2,164 incidents,2 while data from the ReportCyber network suggests that more broadly across Australia there are approximately 150 cybercrime incidents per day.3

The Australian Government allocated an average of $65 million per year to its cybersecurity strategy over the past four years, but that figure is dwarfed by broader federal government ICT procurement, and even more so by the combined ICT spend by the three levels of Australian government. The amount spent annually by the federal government alone has grown significantly from $5.9 billion in 2012–13 to almost $10 billion now.4 State and local governments are also big spenders on ICT: the NSW Government IT budget is over $3 billion per year.5

Such scale means that government ICT procurement has significant market power. This paper explores how that procurement could be leveraged as part of the updated cybersecurity strategy currently being prepared for the next four years. The paper starts by examining supply-chain risks and opportunities, before looking at the key barriers and challenges and suggesting how they could be addressed. This study is based on interviews with key stakeholders in government and industry and a review of openly available material on government procurement approaches. While the focus is on Australian Government procurement, state and local government procurement is considered where appropriate.

Supply-chain risks and opportunities

Supply chains are integral to cybersecurity. Almost all end users of ICT systems rely on hardware, software or services built or delivered by someone else. Where a supplier becomes a critical node in the supply chain, integral to a large part of the ICT ecosystem, security failures have the potential to generate major systemic cyber and operational risks. We rely on suppliers exercising due diligence in their development, management and operational activities to avoid deliberate or accidental compromise (see box).

Supply-chain assurance risks

The first priority for government ICT procurement should be to ensure the security of the supply chain. However, it’s clear that supply-chain assurance can mean different things to different people. Generally, it can be considered under three main themes, which aren’t mutually exclusive:

  • Trust in the supplier company or organisation: Who owns, controls or influences the supplier? For nationally sensitive cases, there may be a preference or mandate for Australian-based capabilities. For example, the Digital Transformation Agency hosting strategy sets standards for data sovereignty and facility ownership, not just when contracts are signed, but throughout the lives of contracts.6
  • Security of the supplier’s IT systems: What controls does the supplier have in its IT systems to protect data received from the government customer or generated as part of delivering the contract? This can become important when suppliers are given access to the customer’s IT systems even for limited purposes. One of the highest profile data breaches—the loss of 70 million credit card details by Target in the US in 2013—occurred through the compromise of the IT systems of one of Target’s refrigeration contractors, which had access to a supplier portal for submitting invoices.
  • Security of the products and services being delivered by the supplier: Assuring the ownership of a company and its internal IT doesn’t necessarily mean that the products and services delivered won’t have security vulnerabilities. That will depend on the supplier’s security design and the assurance applied in their delivery. For example, this is critically important when procuring cloud services—the security of any applications that are run ‘in the cloud’ depends on the security of those individual applications.

The problem is that, in a market economy, the market often doesn’t provide the right incentives to suppliers. No one buys telecommunications services based on security, and how many consumers even think about the security options provided by their internet-connected doorbell? Governments are reluctant to directly intervene in the market, due not only to the cost and complexity of doing so, but also the moral hazard created by taking responsibility for decision-making away from the private sector and creating the perception that government is responsible for any residual risk.

However, government does interact with the private sector through its very significant procurement activities. Its position as a major buyer potentially provides significant market power that could be used to address some of these challenges. In an environment in which resources for cybersecurity are very limited, this could have the advantage of leveraging other existing budgets for ICT procurement. Of course, the priority should be to ensure security for the direct purposes of the procurement, but government also has an opportunity to leverage its market power to provide for broader benefits to the Australian economy and society.

Setting security standards expected from its suppliers may help to lift standards across the board. Companies will be incentivised to lift their standards in order to qualify to do business with the government, and it will often be easier for them to apply those standards across their whole enterprises rather than just for their government contracts. One example from a parallel field is the implementation of quality management systems brought about by government departments mandating ISO 9001 certification for suppliers. That has encouraged companies to implement quality management systems and to have them regularly audited and certified. This has created a vibrant market for auditors and consultants to help with designing and implementing appropriate systems and benefited the companies’ other customers through better quality assurance of their products and services. In the construction industry, the government has gone even further: companies are obliged to comply with the requirements of the Code for the Tendering and Performance of Building Work 2016 across their businesses or risk being barred from bidding for federally funded projects.7

With the right approach, there’s a real opportunity to stimulate innovation and new developments. If government can define the security outcomes required, that can encourage suppliers to compete to develop the most effective and value-for-money approaches to delivery. The most innovative approaches can then provide a market differentiator for the supplier that helps them to build business in the private sector, the export market, or both.

Challenges and barriers

Challenges and barriers to effective ICT supply-chain security include lack of coordination, unclear standards, a fragmented approach to security accreditation, uneven access to the market for suppliers and the need to comply with requirements to provide value for money.

Lack of a coordinated approach

Government procurement of ICT covers a vast range of products and services with different security implications, from commodity hardware for everyday use to highly sensitive specialist defence and national security systems. The Australian Government’s ICT expenditure is also spread across approximately 200 departments and agencies, which typically make their own procurement decisions based on their requirements and priorities. Overall governance is provided by the Department of Finance (for example, through the Commonwealth Procurement Rules8). The Digital Transformation Agency (DTA) has also negotiated government-wide contracts with key global suppliers,9 although departments and agencies are not compelled to use those suppliers. This fragmentation hinders efforts to use the combined market power of government procurement. In seeking more coordinated approaches, care will be needed to avoid the pitfalls that the DTA has faced in trying to set up government-wide frameworks.

Security standards and requirements

The Commonwealth Procurement Rules mandate the consideration of security risks in procurement, and it appears that the mandate is being applied. A study by IDC of global procurements for IT hardware showed that Australia performs better than many of its peers, and notably was the only country where there were no examples of ICT hardware procurements that didn’t specify any security requirements.10 Analysis for this report (see box) supports that conclusion but also shows that suppliers need to be ready to comply with a broad range of requirements. It also shows room for improvement for tenders that aren’t for direct ICT procurement but may have a key dependency on the security of suppliers’ systems to protect sensitive data.

Those working on defence projects often face the most significant risks and sophisticated threats, so for many years the Defence Industry Security Program has been in place to provide assurance of defence suppliers. The program has recently been overhauled to address the market barriers that it created and to implement options for different levels of assurance for different aspects of security, such as personnel, facilities and ICT, appropriate to the nature and sensitivity of the work.

Outside of Defence, requirements are generally more ‘light touch’, reflecting the different level and nature of risk, but are also much more fragmented and complex. From our analysis the standards that vendors may be asked to comply with, or at least be aware of, include the following:

  • The Protective Security Policy Framework (PSPF),11 issued by the Attorney-General’s Department, articulates government protective security policy, covering not just information security but also governance, personnel and physical security. This is quite high level, articulating five principles and 16 requirements to achieve the desired outcomes.
  • The Information security manual (ISM),12 issued by the ACSC, is a detailed cybersecurity framework for IT and security professionals. It consists of more than 180 pages and includes hundreds of controls tailored for different levels of government classified material, from ‘OFFICIAL’ to ‘TOP SECRET’.
  • Other guidance from the ACSC includes the Essential Eight Maturity Model,13 which is intended to provide a more manageable list of the top 8 recommended measures that can be implemented to improve cybersecurity, which are themselves a subset of 38 proposed strategies.14
  • ISO 27001 is an international standard for an information security management system (rather than specific controls).15
  • PCI-DSS is a specific set of standards for the secure storage and processing of payment card information.16

Review of government tender documents 

On one day in February 2020, 126 open approaches to the market were published and available on the Australian Government’s AusTender website.17 Of those, 18 were for the procurement of ICT products and services. All of them had some mention of security in the requirements, but the level of detail and approach differed:

  • Two didn’t specifically mention the PSPF or the ISM, and included vague, very high-level statements; one referred to no security requirements other than personnel screening.
  • Twelve specified the ISM and, in most cases, the PSPF. They were supplemented by additional requirements generally appropriate for the nature of the project. However, confusingly, sometimes specific ISM requirements were also called out as separate requirements. Of those 12, four included specific requirements for suppliers to ensure the security of their own supply chains; six were Defence projects referencing specific Defence security frameworks and requirements.

Other standards mentioned included other Australian Signals Directorate (ASD) guidance such as Strategies to mitigate cyber security incidents, ASD cryptographic evaluation, NIST–801 and ISO 27001. There were also a number of general statements about the required level of security, which varied from ‘reasonable efforts’ to mandated use of the ‘best available security’. There was inconsistency within individual tenders; for example, in one case requirements for security patching were mentioned in six different places, but the required timescales were variously described as ‘48 hours’ or ‘as required’ or weren’t specified.

Many of the other open approaches to market that were not directly ICT related still appeared likely to involve sensitive data being handed over to the successful contractor to allow it to deliver the required outcomes. Four were selected for review based on the likelihood that they involved the most sensitive data (financial data, personnel data for training, personal details of customers and health data). Of those, one had no security requirements, one mentioned only the need for personnel security screening, one mentioned a general need for compliance with the PSPF and awareness of the ISM, and one required compliance with a number of other standards, including PCI-DSS.

While these standards often have the same objectives, they take different approaches; for example, in whether they specify governance approaches, technical controls or expected security outcomes. It’s expensive and time-consuming for suppliers to go through a different process for each tender to prove compliance. A more efficient approach that would improve market dynamics would be to shift to a smaller, simplified set of standards. The DTA has tried to bring some standardisation into digital service delivery by government but has made limited forays into security.18 However, that may be appropriate, given DTA’s procurement focus; cybersecurity requirements should be specified by the appropriate experts and supported by procurement processes, not vice versa.

Furthermore, to be effective, the practical implementation challenges should be considered when choosing appropriate standards. In an attempt to find quick solutions from a buyer’s point of view, it appears that standards may be being recycled in different contexts. For example, many of the strategies recommended by ASD were originally formulated as recommendations for government departments and agencies. Although they’ve subsequently been broadened and recommended to businesses, too, applying them in a small business that doesn’t have the governance, policy and processes of a public-sector organisation can be very difficult. The Defence Industry Security Program requires even its smallest suppliers to comply with all of the ‘top 4’ controls, yet Australian National Audit Office reports regularly show that even many government departments can’t meet that threshold.19 ASD does provide specific guidance for small businesses,20 although we haven’t seen that guidance mentioned in the context of requirements for a government procurement.

There will be a need for experts who understand the practical implementation of the standards, both in the organisation that’s procuring the services and in the supplier that’s seeking to comply with the standards. Without that advice, expecting suppliers to simply follow the standards is unlikely to achieve the required security outcomes.

Security assurance of products and services procured

While assurance of suppliers and their IT systems is important, especially where sensitive data is being handed over to suppliers, the above standards still don’t really provide assurance when purchasing a product or service that it will be secure. This can be addressed by including specific requirements in the contract, but that doesn’t address the problem of verifying compliance. For more basic systems, it may be straightforward to verify configurations, safeguards, features and so on, but that’s more difficult for complex solutions, including software applications and cloud services. What about cybersecurity products themselves—how can buyers be assured that they behave as claimed and will have the desired security impact?

ASD has for the past few years awarded certification to some cloud services providers for processing data at ‘UNCLASSIFIED-DLM’ and ‘PROTECTED’ levels.21 This was a positive initiative by the appropriate technical experts in government to inject cybersecurity checks into the supply chain, and it has undoubtedly helped the take-up of cloud services by government departments by providing a ‘stamp of approval’. However, as it expanded beyond the initial focus on ‘infrastructure as a service’ into more complex cloud services such as ‘platform and software as a service’, demand seems to have exceeded the resources that ASD can provide, and it’s recently been confirmed that the scheme is being wound down.22 The announcement from ASD suggests that this will improve opportunities for local Australian businesses by removing a potential barrier. While the current list includes major multinational hyperscale cloud companies, we understand that some smaller providers have been waiting several years to go through this process, and the list hasn’t been updated for over a year. However, pushing the onus onto individual agencies and departments to make their own individual assessments runs the risk of fragmentation.

ASD also runs the Australasian Information Security Evaluation Program (AISEP), which certifies products in order to protect systems and information against cyber threats and lists them on the Certified Products List. This scheme uses an internationally recognised standard, the Common Criteria,23 with different levels of assurance based on impact, and ASD is also committed to the development of collaborative ‘protection profiles’ to further broaden the applicability of this scheme.

Product vendors must fund their own evaluations, which are carried out by an independent accredited test facility, and ASD oversees the process. However, where cryptographic evaluation is required, that’s done internally by ASD, and this can act as a bottleneck in the process due to a shortage of ASD resources. Given the importance of sovereign assurance of this aspect, additional resources should be found, potentially through engaging an external partner if one isn’t available internally.

Access to market

Cybersecurity is emerging as one of Australia’s most promising growth opportunities and has produced a number of vibrant companies and innovative ideas.24 Those companies need to connect with initial customers to validate their capabilities and provide a credible customer reference for broader sales efforts. Government contracts could be a good opportunity to do that and are potentially even better than grant funding, but it’s difficult for smaller companies, especially new entrants, to gain visibility and access to market opportunities. Many procurements are made through inflexible panel arrangements, forcing procurement to be routed through a handful of suppliers, and panel refreshes take place seldom, if at all, during a 3–5 year time frame. Procurement initiatives to reduce numbers of vendors and the bundling of projects as large integrated work packages are also factors that limit the ability of smaller players to directly tender for work. This means that small businesses may need to sell through a major prime, giving up 15–20% of revenue, which might be the difference between profitable and unprofitable work.

Even if they do get access to respond directly to requests for quotes, smaller companies may struggle to get brand recognition, while decision-makers prefer recognised brand names. Of course, to some extent this is in recognition of the fact that large multinationals can invest heavily in security, but it’s notable that many security companies that receive large venture capital investments seem to spend much of them on marketing, such as airport display advertising. There needs to be an even playing field to allow government buyers to assess and compare the security of the products and services being offered by companies of different types and sizes, by assessing against common standards and avoiding ratings based just on perceived brand reputation.

The value-for-money challenge

The Commonwealth Procurement Rules mandate value for money, but it’s currently difficult, if not impossible, to put a value on security. Agencies can stipulate minimum mandatory security requirements, but that doesn’t allow suppliers to differentiate themselves—customers and suppliers said that their expectation was that normally the winner would be the lowest cost solution that meets the minimum standards. Of course, for the most sensitive projects there may be more weighting on the security assessment, but that appears to be the exception rather than the rule. If providers believe they have differentiating security capabilities, their only realistic route is to lobby buyers before tender documents are drafted to get their preferred requirements included in the specification (once again, something that’s easier for larger established companies to do).

A better alternative would be a mechanism that mandates that security should always be explicitly included in the evaluation. One suggested option has been to explicitly include security as a ‘fourth pillar’ in evaluating proposals, alongside cost, quality and timescales, although this then leaves subjectivity about how to measure security and weight it against the other criteria. A better approach would be an effective pricing mechanism, reflecting the fact that better security should equate to lower financial risk. We understand that governments have been looking at how to value cybersecurity risk and found it challenging, so little progress has been made on this to date.

Of course, there’s a well-established market that provides a mechanism for consolidating data, sharing risk and best practice, helping organisations to manage and reduce risk, and putting a price on the residual risk—the insurance industry. However, the market for cybersecurity insurance, particularly in Australia, is currently poorly developed.25 Major players are still working out how traditional insurance concepts work in a cyber world where there are different threats (from petty criminals to nation states), attribution is difficult and collateral impacts can be significant. One example is the case of Mondelez v. Zurich Insurance, in which the insurer refused to pay out for the costs of a major cyberattack attributed to nation-state conflict, citing ‘act of war’ exemption clauses.26 There could be concerns that having insurance cover might make companies more complacent about security, and even make them more attractive targets for attackers if it’s known that they’re covered to pay out ransoms to recover encrypted data.

Recommendations for improvement

We recommend specific actions in the areas of assurance standards; testing and certification; cyber insurance; building sovereign capability; and securing government data.

Supplier assurance standards

There’s a need for a single set of standards for the assessment of supplier security to be used across government procurement. Further work is needed to define exactly what this should be, but the key characteristics should include the following:

  • Cover more than just technical IT controls by also including trust in the owners and employees of the supplier and a physical security component. The Defence Industry Security Program provides a good model for this, although required controls should be tailored to the level of risk.
  • Go beyond a single pass/fail level by providing a number of graduated levels. This will allow buyers to tailor the minimum level they require based on the nature of the project, but also gives suppliers a chance to show how they may exceed the minimum level, which may be considered an advantage in the evaluation process.
  • Encourage independent certification to build credibility, combined with efforts to build the pool of available assessors, for example through ASD accrediting assessors and ongoing quality control through reviews of randomised samples of work.
  • Ensure that, at the lower levels, it will be feasible for a large number of suppliers to be accredited in a short period of time. This will require ensuring that the criteria (for example, the existence of specific IT controls) can be readily evaluated.
  • Ensure that, at the higher levels, the assurance criteria are based more on risk and outcomes, encouraging suppliers to take a mature approach and to put in place continuous ongoing improvement plans.

Where possible, we should aim to learn from and leverage the experience of other countries. While the Australian market and customers may have some specialised requirements, it should be carefully considered whether those requirements are worth the costs of diverging from a standard used by another major country. Apart from the direct costs and benefits of reusing something that works for one of our allies, export opportunities will be improved if local companies that are getting certified for the local market automatically have a certification recognised overseas.

One example to consider is the UK Cyber Essentials Scheme.27 At the basic level, the scheme involves five basic controls that can be readily verified, and there’s an enhanced ‘Plus’ level that also includes an independent security test of the company’s systems. The UK Government has recently partnered with a commercial organisation to run the scheme and is reviewing the need for additional levels above and/or below those two levels.28

The US is getting ready to roll out CMMC (cybersecurity maturity model certification).29 Although CMMC is specifically defence focused, it is aimed at ‘controlled unclassified data’, which can be a common requirement across all of government. It combines recommended practices from existing US federal procurement regulations, international standards and even ASD’s ‘Essential Eight’, providing a graduated scale from level 1 with 17 specified practices through to level 5 with 10 times that number.

It includes a requirement for independent certification even at the lowest level and is designed to scale across the whole US defence supplier base (more than 300,000 companies) using a phased transition plan. Guidance material is still being developed, but it generally mandates outcomes rather than specific technical controls, so vendors may need technical advice to implement it effectively. 

Testing and certification processes

As noted above, assuring the security of a supplier and its systems is important, and that may be a sufficient safeguard when the potential risks concern sensitive data being handed over for processing or use by the supplier. However, where an IT product or service is being procured, supplier assurance in itself does not mean that the product or service is secure.

For hardware, particularly commodity hardware, customers may trust the vendor to do product assurance. This would require confirmation of the vendor’s processes for assuring its own supply chains. For example, how does the supplier ensure the traceability of components and products, verify chains of custody, and track any discovered vulnerabilities back to their point of origin? If there’s concern over specific products having targeted backdoors for a given customer, the customer could insist on choosing the items themselves from general stock in a warehouse. As an additional safeguard against any interference in transit, delivery systems could have their entire software (including firmware, BIOS etc.) rebuilt from verified images provided by the manufacturer. Some government departments have well-established procedures for this, which could be shared across other departments and agencies to build capability and scale.

These approaches can work for ‘commodity’ hardware (products that are manufactured and sold in significant quantities globally) and where the manufacturer is trusted. A different approach is needed for more specialised systems, smaller or untrusted vendors, and particularly software, which is inherently more complex and susceptible to security vulnerabilities. Assurance may be from a combination of design assurance and testing of the delivered product.

ASD has run schemes to centrally evaluate and test commercial products and services, such as the Certified Cloud Services List (CCSL) and Certified Products List. However, those schemes have suffered from resource constraints, particularly the CCSL, which hasn’t been updated for over a year. This has left government customers with the option of accepting self-certification from the vendor, with all the obvious risks and uncertainty that entails, or carrying out their own testing, which is likely to lead to, at best, duplication of effort among departments but more likely to the risk of inconsistent standards and potential failings due to the lack of specialist skills in each agency. A quick win would be to set up some sort of centralised library of evaluations carried out by individual departments, so that another department looking to use the same product could see and potentially reuse work already done.

Of course, care would be needed to ensure that a prior evaluation isn’t reused without considering the relevance of the context. It would also be preferable if there were some independent oversight or review, such as by the ACSC, to apply a common standard across agencies to ensure that vendors can’t ‘game’ the system by shopping around for the most favourable evaluation. This potential risk may be exacerbated by the recent decision for the ACSC to no longer maintain a list of certified cloud services and thus put the onus on individual departments. That announcement also suggested unspecified enhancements and uplift of the Information Security Registered Assessors Program. This could usefully include the suggestion that ASD accredits the certifiers and also provides some ongoing quality control through regular checking of a sample of the work undertaken.

However, ultimately, there needs to be an independent test and evaluation facility. If the ACSC doesn’t have the resources or capabilities to run such a facility, it could seek a partner to implement it and provide some specialist staff to support and accredit the processes being used. AustCyber has proposed a ‘sandbox’ that could be used for general proving of capabilities to potential government clients.30 Such a facility needs to be funded by the companies that are using it in order to ensure that it’s appropriately resourced and used when it can add value. It’s recognised that this could become a barrier to entry for small and medium-sized enterprises, but existing mechanisms (such as AustCyber’s role in identifying companies with commercially viable propositions and in providing targeted grants) could address that problem.

The ACSC has announced plans to establish consultative forums with industry, the first of which focuses on cloud security.31 The broader requirements for security testing and evaluation would be a suggested topic for a subsequent forum. However, it’s recommended that there be greater transparency about how industry representatives can be nominated and are selected—the announcement seems to suggest that the ACSC will select and invite representatives as it sees fit. When the Department of Home Affairs announced the establishment of an industry advisory panel for the 2020 Cyber Security Strategy, consisting of current or past executives of leading telecoms companies plus a representative of a US defence prime,32 that appeared to lack diversity and, in particular, to exclude any representation of small and medium-sized businesses.

Mandatory cybersecurity insurance for suppliers

For all government procurements of IT products and services, suppliers should be mandated to have appropriate cybersecurity insurance cover, thereby ensuring that there’s a price signal for risk. We’ve noted the problem that current mechanisms don’t provide an incentive to spend more on better security. In other spheres, we see that insurance provides this incentive—those that behave in less risky ways and take steps to mitigate their risk are rewarded with lower premiums. For example, household insurers typically offer discounts for houses that are normally occupied during the day and have good locks and monitored alarm systems.

This would be similar to existing obligations for public liability insurance and in some cases professional indemnity insurance that are commonly found in government tender requirements. Insurance should cover incident response, resilience resources and third-party breach liability. Government customers often insert such obligations in contractual clauses, but this would provide assurance that the company can have access to the right people and has the financial resources to meet these commitments, irrespective of the size and nature of the business—thereby removing an implicit preference for larger established brands.

It’s recognised that at present a number of factors are holding back the creation of an effective, functioning cybersecurity insurance market. Mandatory insurance would be a major factor in maturing the market, by ensuring sufficient demand to create economies of scale and building the overall volume of data that can be used for effective underwriting.

However, the market will require transitional support to manage the initial impact. Ideally, this move could be coordinated with Australia’s allies to build global scale and critical mass, but it’s unlikely to be practicable to achieve consensus without wasting the opportunity. If Australia is a global ‘first mover’ to make such a change, we’ll need to ensure that this provides opportunities for local insurers while insulating local suppliers from any initial systemic shocks. Other countries will seek to learn from our experience, and we need to ensure that there’s flexibility to also adapt in order to learn these lessons. The supplier assurance scheme, with graduated levels of assessment, should be designed to also meet the needs of insurers to help them with assessing risk. Appropriate risk-weighted premiums will be vital to ensure that insurance doesn’t effectively encourage risky behaviour or a false sense of comfort. The government may also need to regulate or even set up its own insurer to ensure that all companies have access to affordable cover in the short term. There’s a precedent for this: the government established Medibank to keep the private health insurance providers honest, and when the market was working well was then able to privatise the company.

In the longer term, there may still be a need for the government to be a last-resort reinsurer for major nation-state attacks, in a role analogous to its role in terrorism incident reinsurance.

Building sovereign capability

We’ve seen that cybersecurity represents a great economic opportunity for Australian industry, and that supplier trust is important. This means that, especially for the most sensitive applications, the development of sovereign industry capability should be encouraged. The government should establish a sovereign capability framework, identifying which technologies it’s strategically important to develop locally, and using that to guide more targeted mandated procurement and investment. An openly published framework would also help industry to prioritise its research and development to deliver in those areas. This would be analogous to the approach currently underway for the defence industry capability. This approach would effectively modify current procurement rules to allow government buyers to make decisions to prefer local suppliers where there’s a compelling need for a sovereign capability.

The US has for many years gone much further under the Buy American Act, which mandates government to prefer local suppliers in all cases unless the price premium is more than 25%. Applying such a blunt approach in Australia would make government spending less efficient and risk conflicting with international trade agreements. However, at the very least, the government should ensure that there’s a level playing field on which local companies of all sizes are able to have access to the market on an equal basis with global multinationals. There are arguments for a more measured ‘Buy Australian’ approach (for example, a target of, say, 5% of the IT spend on Australian companies) to be considered as a further step if sovereign capability development is slow to take off. This could act as a strong signal to those making procurement decisions about the importance of considering local suppliers.

Securing government data Where sensitive government data is provided to suppliers, assurance that the confidentiality and integrity of that data will be protected is needed. There are numerous examples of breaches, such as fighter aircraft plans being stolen from a small defence contractor’s network.33 Also, even if no information is passed to the contractor, the data that the contractor generates and delivers (for example, detailed blueprints for designs that it produces under the contract) may be sensitive.

While there’s a well-developed framework of security requirements for classified material, there can be significant risks involving unclassified but sensitive material that’s generally less well protected.34

We also see small businesses struggling to implement security on their IT systems to meet the requirements of the ISM with their limited budgets. While significant improvements can be made by improved basic cyber hygiene, for situations in which more sensitive data that may be of interest (for example, to nation-state attackers) is being processed, it’s difficult to implement advanced monitoring and the required defence in depth.

To address this, the government should establish a secure cloud-based environment that contractors can use for projects under contract to the government. This would allow companies to process, use and generate data using suitable technologies to assure separation from the host systems of the supplier. The environment would need to be fully functioning and have the range of ‘infrastructure as a service’ and ‘platform as a service’ offerings that companies would need. In order to avoid the overheads, and the moral hazard, of a government department trying to set up and run the assured environment, a better approach would be to license a small number of cloud vendors to provide it and to mandate suppliers to use one of those licensed services.

This approach should not only provide better assurance of data privacy and integrity but, by reducing the overheads of individual businesses implementing their own controls, should reduce the costs effectively charged by suppliers to government for compliance.

Conclusions

As the Australian Government looks to refresh its cybersecurity strategy in 2020, while end-user awareness and education will be important, the onus needs to be on the government and the private sector to uplift security across the board and make the lives of adversaries in cyberspace more difficult.

Government has limited human and financial resources and so needs to use them as effectively as possible. The significant overall ICT procurement spend by government represents an opportunity to do so, but is currently hampered by a fragmented approach, differing standards and regulations, and procurement approaches that don’t facilitate value being attached to innovative security approaches and sovereign capability.

Our main policy recommendations to address these challenges are as follows:

  • The Australian Government, working with the state and territory governments, should include in government procurement strategies consideration of how governments can use their market power to encourage better cybersecurity in what they purchase, and use that approach to encourage suppliers to improve the security of their offerings in all customer sectors.
  • Simplify the current array of supplier standards to a single set that provides multiple levels that can be used for different risk levels and also allow suppliers to demonstrate progress and enhanced levels of security.
  • Address gaps in the market for independent testing and certification, allowing buyers to be confident about the security of products and services and companies to be able to demonstrate and prove innovative approaches.
  • Follow up the recent announcements on the future of the CCSL and Information Security Registered Assessors Program by establishing a framework to standardise and assure the quality of work of independent assessors to provide a viable alternative, and ensure that industry consultations on future requirements are fully inclusive.
  • Ensure that risks to security are effectively factored into supplier quotes by investigating how a mandatory insurance regime could operate.
  • Develop and implement a sovereign capability strategy to ensure market opportunities for Australian companies of all types and sizes in order to build local capability in the most sensitive areas and to exploit the global economic opportunity that the cybersecurity market provides for local industry.
  • Use shared services approaches to ensure that consistent best practice is applied for the secure handling of sensitive data by government suppliers, without duplication of cost and effort.

Appendix: Detailed review of tender documents

Please download the report PDF to access the Appendix. 

Launch video

Minister for Industry, Science and Technology, the Hon Karen Andrews MP joins this ASPI webinar to provide a keynote address for the launch of the International Cyber Policy Centre’s report ‘Working smarter, not harder’.

The keynote is followed by a panel discussion and Q&A with report author and ASPI Fellow, Rajiv Shah, CEO for AustCyber, Michelle Price, Managing Director & Co-Founder, Macquarie Government, Aidan Tudehope and moderated by Director of ASPI’s International Cyber Policy Centre, Fergus Hanson.


Acknowledgements

The author would like to acknowledge the support of several Australian Government departments that were consulted for this study,in particular the Department of Human Services, along with other industry stakeholders who took time to share their experiences and perspectives. ASPI’s International Cyber Policy Centre receives funding from a variety of sources including sponsorship, research and project support from across governments, industry and civil society. ASPI would like to acknowledge Macquarie Government for supporting this research project.

What is ASPI?

The Australian Strategic Policy Institute was formed in 2001 as an independent, non‑partisan think tank. Its core aim is to provide the Australian Government with fresh ideas on Australia’s defence, security and strategic policy choices. ASPI is responsible for informing the public on a range of strategic issues, generating new thinking for government and harnessing strategic thinking internationally. ASPI’s sources of funding are identified in our Annual Report, online at www.aspi.org.au and in the acknowledgements section of individual publications. ASPI remains independent in the content of the research and in all editorial judgements.

ASPI International Cyber Policy Centre

ASPI’s International Cyber Policy Centre (ICPC) is a leading voice in global debates on cyber and emerging technologies and their impact on broader strategic policy. The ICPC informs public debate and supports sound public policy by producing original empirical research, bringing together researchers with diverse expertise. To develop capability in Australia and our region, the ICPC has a capacity-building team that conducts workshops, training programs and large-scale exercises in Australia and overseas for both the public and private sectors. The ICPC enriches the national debate on cyber and strategic policy by running an international visits program that brings leading experts to Australia.

Important disclaimer

This publication is designed to provide accurate and authoritative information in relation to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering any form of professional or other advice or services. No person should rely on the contents of this publication without first obtaining advice from a qualified professional.

© The Australian Strategic Policy Institute Limited 2020

This publication is subject to copyright. Except as permitted under the Copyright Act 1968, no part of it may in any form or by any means (electronic, mechanical, microcopying, photocopying, recording or otherwise) be reproduced, stored in a retrieval system or transmitted without prior written permission. Enquiries should be addressed to the publishers. Notwithstanding the above, educational institutions (including schools, independent colleges, universities and TAFEs) are granted permission to make copies of copyrighted works strictly for educational purposes without explicit permission from ASPI and free of charge.

First published August 2020

Cover image: Illustration by Wes Mountain. ASPI ICPC and Wes Mountain allow this image to be republished under the Creative Commons License Attribution-Share Alike. Users of the image should use the following sentence for image attribution: ‘Illustration by Wes Mountain, commissioned by the Australian Strategic Policy Institute’s International Cyber Policy Centre.’

Funding for this report was provided by Macquarie Government.

  1. Rob van der Meulen, ‘Gartner says 8.4 billion connected “things” will be in use in 2017, up 31 percent from 2016’, Gartner, 7 February 2017, online. ↩︎
  2. Australian Signals Directorate (ASD), Annual report 2018–19, Australian Government, 2019, online. ↩︎
  3. ASD, Australian Cyber Security Centre (ACSC), Cybercrime in Australia: July to September 2019, Australian Government, no date, online. ↩︎
  4. Henry Belot, ‘Federal government’s $10b IT bill now rivalling Newstart Allowance welfare spend’, ABC News, 28 August 2017, online. ↩︎
  5. Justin Hendry, ‘NSW govt IT spending tops $3bn’, ITNews, 1 August 2018, online. ↩︎

Clean pipes: Should ISPs provide a more secure internet?

Introduction

One of the largest online challenges facing Australia is to provide effective cybersecurity to the majority of internet users who don’t have the skills or resources to defend themselves.

This paper explores the concept of ‘Clean Pipes’, which is the idea that internet service providers (ISPs) could provide security services to their customers to deliver a level of default security.

The Australian Government looks to be implementing a version of Clean Pipes: on 30 June 2020 the Prime Minister announced a funding commitment to ‘prevent malicious cyber activity from ever reaching millions of Australians across the country by blocking known malicious websites and computer viruses at speed’.1

This paper examines arguments for Clean Pipes and possible implementation roadblocks.

Background

Australia’s 2016 Cyber Security Strategy recognised the opportunities and risks that come with cyberspace and committed to ‘enabling growth, innovation and prosperity for all Australians through strong cyber security’.2

Despite that strategy, however, the online security environment has continued to deteriorate.

There have already been several significant and newsworthy attacks3 so far this year:

  • Toll Group was affected by ransomware in both February and May.4
  • BlueScope Steel’s operations were affected by ransomware in May.5
  • MyBudget, a money management company, had outages caused by ransomware in May.6
  • Lion Australia, a beverage giant, was crippled by ransomware in June.7

However, most attacks aren’t publicly reported, so these incidents are undoubtedly just the tip of the iceberg.

A 2018 estimate that included broader direct costs calculated the potential loss to the Australian economy at $29 billion per year.8

During the Covid-19 crisis, there’s also been significant domestic and international concern about the vulnerability of critical infrastructure such as hospitals and the health sector to cyberattacks. Interpol warned that cybercriminals were targeting critical healthcare institutions with ransomware, and the Cyber Peace Institute issued a call for all governments to ‘work together now to stop cyberattacks on the healthcare sector’.9

This also rose to the highest levels of international diplomacy—the Department of Foreign Affairs and the Australian Cyber Security Centre (ACSC) issued a joint statement on ‘unacceptable malicious cyber activity’, and US Secretary of State Mike Pompeo warned of consequences for malicious cyber activity affecting hospitals and healthcare systems.10

This high-level diplomatic concern emphasises not only that cybersecurity is critically important, but that our current approaches to protecting Australia have failed to adequately protect all of our critical infrastructure.

The Problem

Providing resilient cybersecurity isn’t an inherently intractable task—for those who have the necessary skills and resources.

Individual organisations can and do make significant improvements in their cybersecurity posture when they’re motivated to prioritise security and invest the resources required, but when cybersecurity is viewed as an economy-wide challenge, there are significant sectors of the economy that do not, and probably never will, have the ability to successfully defend themselves.

Unfortunately, the motivation, capability and resources to provide robust cybersecurity are not aligned within the Australian internet ecosystem. Currently, too few businesses in Australia are motivated and capable of providing for their own security.

These are businesses that understand the risk to their operations that arise from failing to address security. Their business model demands that this risk be addressed, and, accordingly, they’ll pay to mitigate it. Some parts of the Australian business community could provide for their own cybersecurity but don’t give the task sufficient priority. Government should employ strategies that encourage them to invest in their own security. However, the bulk of Australian people and businesses fall into a third category: they would like to defend themselves online but don’t have the expertise or the resources to do so.

Large parts of the Australian economy and community can’t protect themselves online because they don’t have the skills or resources to do so.

Criminals, meanwhile, are agnostic about their targets and will attack whoever it is profitable to attack. As weaknesses in security in one area of the economy get shored up, other avenues are explored. If the top end of town is too tough, criminals will ransack those with relatively poor security—individuals and small and medium-sized enterprises.

They also take a ‘belt and braces’ approach to extracting money from their victims. In the May 2020 Toll Group ransomware attack, for example, the criminals first attempted to extract money with ‘traditional’ ransomware—encrypting IT systems to disrupt operations. When Toll refused to pay the ransom, the criminals changed to the exact opposite tactic and threatened to publicly release corporate data unless they were paid.11

Given that malicious actors seek out weakness and vulnerability wherever it exists in the economy, and that some parts of the economy will never have the sophistication and ability to protect themselves, we need to develop initiatives that provide ‘default security’ and bring resources and skills to those who don’t have them—who are generally small and medium-sized enterprises and consumers.

There are already initiatives that bring default security to groups that don’t have the skills or resources to protect themselves. 

They occur at different ‘layers’ of the architecture of the internet: at the hardware level, in operating systems, in some of the services that underpin the operation of the internet, and in the software applications that people use to access the internet (see Table 1).

Table 1: Current default security protections occur at different layers

At the most fundamental level, chip manufacturers have invested in the development of more secure computing architectures.12

Building upon those hardware improvements, operating system manufacturers have also baked default security into their products. This includes features such as automatic updates that make it easier to patch vulnerabilities, built-in anti-malware features such as Windows Defender and architectural features that make it more difficult for hackers to seize control, such as address space layout randomisation and data execution prevention.13

At the internet services layer, a number of Domain Name System (DNS; the system that converts human-readable internet addresses into internet protocol addresses) providers also include default security protection: Quad9, OpenDNS,14 Comodo Secure DNS15 and CleanBrowsing,16 among others. For example, Quad9 states in its FAQ that it ‘uses threat intelligence from a variety of public and private sources and blocks access to those malicious domains when your system attempts to contact them’.17

Google’s Safebrowsing18 and Microsoft’s SmartScreen,19 for example, are web-scanning, anti-phishing and anti-malware systems built into their respective browsers and operating systems to prevent users from visiting potentially dangerous web pages. As users browse the web, the pages they visit are compared to a list of ‘known-bad sites’ that have been confirmed to be hosting phishing or malware. If a user tries to visit one of those sites, instead of taking them directly there the user is shown a warning. These protections are imperfect, as the user can ignore the warning and click through to the site, and criminals and hackers are constantly trying new techniques to evade them, but they have very broad reach. Safebrowsing is used in Google’s Chrome, Mozilla’s Firefox and Apple’s Safari browsers, and together with SmartScreen in Microsoft Edge these systems protect billions of users by default. Google’s Transparency report statistics show that the SmartBrowsing system issued in the order of 5–10 million warnings per week so far this year up to late May 2020.20

These security improvements have occurred at different ‘layers’ of the internet—in browsers, in operating systems and in the underlying plumbing of the internet. They are also ‘high-leverage’ initiatives, in that these investments can improve security for millions to billions of internet users.

There have been improvements in default security in some aspects of online security over the past two decades, but there’s still a very long tail of vulnerability that we must cope with for the foreseeable future. Additionally, other developments threaten to undermine those improvements. The proliferation of the ‘internet of things’ (IoT)—internet-connected but poorly secured and increasingly ubiquitous consumer devices—threatens to introduce a large vector of insecurity that could drastically affect overall cybersecurity.21

Given the success of previous default-security initiatives, what other initiatives could have a widespread positive impact on the cybersecurity of millions of users?

Clean Pipes

One proposal that could help provide advanced capabilities to internet users is that ISPs be required or encouraged to perform ‘due diligence’ to protect their users from malicious traffic. This concept has been called ‘Clean Pipes’, drawing an analogy to water utilities providing clean drinking water.

Clean Pipes could involve ISPs using a variety of technologies to provide default security to their clients. At the conceptual level, this would involve:

  1. positively identifying threats, which could be, for example
    • internet locations that host malware or phishing
    • malware command and control
    • bogus traffic that can be used in attacks that try to overwhelm a service
    • ‘spoofed’ traffic that claims to originate from somewhere it doesn’t
  2. having some capability to proactively protect from different threats, such as
    • blocking and warning users who are attempting to navigate to dangerous locations, such as ones that host malware or phishing
    • removing bogus or spoofed traffic
  3. being able to adjust this blacklist dynamically and alter it through customer feedback if a location is inadvertently blacklisted.

These kinds of capabilities are already deployed around the world, in corporate networks, by British Telecom22 and recently by Telstra.

The Advantages

The key advantage of Clean Pipes is that it brings advanced scalable protection to an ISP’s entire customer base, which is particularly important to that majority of customers who don’t have the skills and resources to provide for their own security.

It’s also highly leveraged—although in a well-organised protection system the entire workforce involved in identifying malicious internet sites may be thousands of people, the knowledge they generate can be used to provide protection to potentially millions of ISP customers.

There are other advantages. ISPs also have a unique position in the network and are able to see all of the internet protocols that are being used, not just the very few that are used in web browsing. This means that ISPs can see different indicators of malicious behaviour than can, say, operating systems manufacturers, browser manufacturers, DNS providers, or even the anti-malware systems that work on individual computers. Each of these different vantage points into the internet has a different view and can be used to detect or even interrupt different kinds of activity. Browser-based protection, for example, can warn users of malicious websites but can do nothing to stop malware command and control once a computer is compromised.

Not only do ISPs get different views, they also get to act on those other protocols, blocking or redirecting them if need be. This is already standard practice where ISPs need to protect their networks from activity that could degrade or disrupt the network23 or where there’s already an established mechanism to block illegal content.24 ISPs could protect users from threats that can’t be tackled by the other default security providers previously mentioned.

There’s no legal impediment to ISPs providing some level of protection to their customers (excepting techniques that would be privacy-invading). Telstra has already implemented some customer protection under a Cleaner Pipes initiative and has blocked the ‘command and control communications of botnets and malware and [stopped] the downloading of remote access trojans, backdoors and banking trojans’.25 These initiatives can be written into terms-of-service contracts, although perhaps an ideal position would be to provide users with the ability to opt out if they don’t want default protection. For example, Google Safebrowsing and Microsoft SmartScreen both provide warnings that users are still able to navigate past.

ISPs already operate security operations centres and have security teams to protect their own networks’ integrity, so there are already skills and expertise resident within their organisations, although skill levels can vary significantly between ISPs. Providing default security to customers may require additional investment in resources, but it requires that an existing capability be grown rather than a new one created from scratch.

Additionally, ISP-level protections could be particularly useful in mitigating the risk from poorly secured IoT devices. Those devices can’t take advantage of some of the other default security advances that have taken place over recent years, such as improvements in browsers or operating systems, but they still communicate over the internet and do so in relatively standard ways, such that anomalous behaviour can be detected and at least some malicious behaviour blocked. That is, ISPs providing Clean Pipes could help mitigate one of our potential looming security threats.

Although ISPs providing default security protection has many benefits and could significantly reduce the damage caused by malicious traffic, it isn’t a panacea for all the ills of the internet. As with protections built into operating systems and browsers, malware, phishing and other threats will break through and cause harm to internet users.

ISP-level concerns and blockers

In Australia, ISPs, other than Telstra, don’t provide extensive default security protections to their customers. There are several reasons for this that fall into four categories:

  1. costs and ISP security expectations
  2. capability to detect and act
  3. understanding harms
  4. reputational risk.

Costs and security expectations

Possibly the underlying reason that most ISPs don’t invest significantly in Clean Pipes is that enhanced security costs more money and neither customers nor ISPs expect that an ISP should provide increased levels of default security.

Related to this, ISPs don’t believe that their customers value a more secure service, so there’s no potential profit available to justify a business case to provide these security services; therefore, no resources are allocated.

Additionally, there’s been no legal or regulatory obligation that has pushed ISPs to provide enhanced default security services.

Capability to detect and act

All ISPs have some level of security capability, which they need to protect their own networks. However, providing increased levels of default security to customers requires more extensive and more advanced capability to both detect malign behaviour and to act on it.

All ISP security operations must prioritise self-protection and they might not have additional capacity to detect malicious activity that doesn’t directly threaten their own operations. Without a clear view of malicious activity that affects their customers (or even third parties), ISPs are unable to act on it.

Any individual ISP would be able to identify some threats on its network, but a collaboration with multiple partners provides a more comprehensive and effective picture of both the threats and effective mitigations. Holistically understanding threats requires collaboration with multiple partners in the security ecosystem, including providers of threat intelligence, other industry verticals and competitor ISPs. Each organisation provides a different slice of the view so that the overall picture is far more complete than any individual organisation can develop on its own.

This industry collaboration would require two separate forms of trust:

  • Competitors would have to trust that companies within the same industry would not seek to gain competitive advantage through security collaboration. This is relatively straightforward within the information security community, as competitive advantage is seen to lie outside security, and effective security is generally perceived as a precondition for competition rather than as a basis for it.26
  • Companies need to trust the technical competence of collaborators. This is currently based on reputation and past performance, and there’s no formal process for technical trust to be built or certified.

The two forms of trust affect both the ability and willingness to share reliable information and to act effectively on information received. Discussions with stakeholders have indicated that significant skill and capacity differences exist between the security operations within different ISPs, and that those differences may make it difficult to engage in effective widespread information sharing across Australian ISPs.

Beyond merely detecting malicious activity, ISPs also need to have the ability to act on it. Acting on malicious behaviour requires additional financial investment beyond detecting it, so, even if ISPs see damaging activity, they may have decided that the costs of implementing default security for customers are simply too high. At the ISP level, most customers don’t pay extra for security services, so investment in providing improved security might not be seen as an economically viable return on investment.

Understanding harms

Beyond merely detecting malicious activity is understanding the harm that it causes. What malicious activity that ISPs see on their networks causes the most harm to customers? For activity that damages their own networks, that harm is easy for ISPs to understand, but quantifying damage caused to customers is very difficult.

Understanding the harms to customers could be improved by information sharing about the costs of cybercrime from government mechanisms such as ReportCyber, from NGOs such as IDCARE,27 or even from other industry verticals that collate information about the most damaging cybercrimes affecting their customer bases.

Some ISPs, particularly smaller ones, might not be able to detect malicious activity and don’t understand the harms it causes their customers. In such cases, ignorance is bliss—once an ISP sees malicious activity and understands that it causes harm to its customers, it faces its own version of the ‘trolley problem’. Do they intervene to protect their customers from dangerous activity on the internet, even though that may come at some financial cost?

Reputational risk

ISPs could also be concerned about the reputational risks involved in attempting to provide default security.

A key reputational concern is that ISPs may inadvertently block legitimate traffic. Although terms and conditions can mitigate legal concerns, ISPs still have to strike a balance between providing enhanced security and the risk that false positives will affect service quality. Importantly, there are harms to customers that occur when ISPs accidentally block non-malicious traffic and when ISPs allow customers to be harmed by malicious traffic. An ideal balance would minimise both harms while preserving online freedom, but this balance is inconsistently applied across different ISPs and is therefore probably suboptimal.

ISPs may also be concerned about the perception that default security requires them to compromise customer privacy. Certainly, government internet initiatives have focused on law enforcement and intelligence requirements, and Australia’s metadata retention laws28 and the Assistance and Access Act 201829 have been controversial.30 Telstra’s recent announcement regarding Cleaner Pipes, however, hasn’t so far been the subject of any significant level of controversy about privacy. In any case, whether through lack of obligation, understanding, capability or a business case, there’s no broad-based, ISP-led effort to provide default security to Australian internet users.

Government challenges

The challenges facing government mirror those facing ISPs.

The Australian Government hasn’t tried to lead a broader effort to provide default security to Australian internet users through a Clean Pipes initiative involving ISPs. In some sense, it hasn’t accepted that leading this kind of initiative is its job. In the absence of an industry consensus that ISPs should be providing some level of default security, the absence of government leadership or direction probably means that this status quo will continue.

A significant concern may be the controversies over privacy, censorship and surveillance that have accompanied previous internet initiatives, such as an internet filter proposed in 201231 and the previously mentioned metadata retention legislation and Access and Assistance Act. Those former initiatives have been focused on supporting law enforcement or preventing access to harmful content, rather than on providing secure internet access to consumers.

Concerns about privacy, censorship and surveillance could be mitigated by government initiatives having:

  1. a clear focus on threat filtering, with a clear and explicit goal of protecting internet users
  2. government leadership that doesn’t necessarily include government implementation
  3. actions focusing exclusively on cybersecurity threats rather than falling into mission creep and including other online harms (such as child exploitation) that are being tackled through other avenues (such as the e-Safety Commissioner)32
  4. transparency about how default security provisions are enacted and what they achieve
  5. a default system with an opt-out for those who don’t want to participate.

The cost of cybercrime isn’t well understood, and that makes it difficult to appropriately allocate resources. One of the most quoted estimates for cybercrime (a Microsoft-commissioned report from Frost and Sullivan) estimated in 2018 that cybercrime could cost Australia $29 billion per year,33 whereas a 2019 ACSC report estimated $328 million in annual losses.34

The ACSC report was based mostly on incidents self-reported to the ReportCyber platform and so is likely to be an underestimate of the cost, but the 100-fold difference between the estimated and measured values shows that the level of uncertainty is high. More comprehensive data would be helpful, and a granular understanding of the cyber threats that are causing the most harm would provide an economic justification for security investments that would be required to mitigate that harm.

Conclusion

This paper has documented some of the arguments for Clean Pipes initiatives in which ISPs deploy their security capabilities to provide default cybersecurity for their customers, and the potential difficulties in implementing such initiatives.

Large portions of the Australian economy and community aren’t capable of effectively providing for their own cybersecurity, and there are significant opportunities for wide-ranging and effective improvements in the security environment for all internet users.

Those approaches would be additional to other broad-based security improvements that have occurred in recent years and could go some way to mitigating the threat from the proliferation of poorly secured IoT devices.

Road Map

Currently, these opportunities aren’t being taken up because the Australian Government has yet to set a clear policy direction and because industry doesn’t see this as a business obligation. Recently announced government funding, including over $35 million to develop a ‘new cyber threat-sharing platform’ and over $12 million towards ‘strategic mitigations and active disruption options’ is an opportunity to change this status quo.35

The Australian Government should:

  • clearly articulate its position on ISPs providing default security services in its 2020 Cyber Security Strategy (Home Affairs)
  • raise the baseline of ISP security operational expertise by facilitating technical workshops (funding is available to support technical tools, but skilled cybersecurity personnel are also needed to both provide validated information and to make effective use of threat information) (ACSC)
  • investigate providing incentives to ISPs to implement improved default security (this could include technical training to improve capacity, funding for new capabilities, or even regulation or legislation to encourage adoption) (Home Affairs)
  • convene closed-door consultations with ISPs to discuss how the government could support and encourage the delivery of default security to customers (Home Affairs)
  • require transparency reports in which ISPs report on their efforts to provide safe and secure networks (Australian Communications and Media Authority)
  • more comprehensively quantify the cost of cybercrime in Australia through surveys and by engaging directly with Australian industry (Home Affairs).

ISPs should:

  • work with government to centralise and expand upon existing industry-wide efforts in collaboration, intelligence sharing and coordinated action. 

Australian industry, beyond ISPs, should:

  • increase the sharing of technical indicators of compromises that are affecting its customers (a government-supported centralised clearing house for information would support this)
  • measure the cost of cybercrime and share information, within intelligence-sharing bodies, about the most damaging cybercrime techniques
  • factor in consideration of the cost and risk of failing to manage security issues in supplying their services.

Acknowledgements

ASPI’s International Cyber Policy Center receives funding from a variety of sources including sponsorship, research and project support from across governments, industry and civil society. There is no sole funding source for this paper.

What is ASPI?

The Australian Strategic Policy Institute was formed in 2001 as an independent, non-partisan think tank. Its core aim is to provide the Australian Government with fresh ideas on Australia’s defence, security and strategic policy choices. ASPI is responsible for informing the public on a range of strategic issues, generating new thinking for government and harnessing strategic thinking internationally. ASPI’s sources of funding are identified in our Annual Report and in the acknowledgements section of individual publications. ASPI remains independent in the content of the research and in all editorial judgements

ASPI International Cyber Policy Centre

ASPI’s International Cyber Policy Centre (ICPC) is a leading voice in global debates on cyber and emerging technologies and their impact on broader strategic policy. The ICPC informs public debate and supports sound public policy by producing original empirical research, bringing together researchers with diverse expertise, often working together in teams. To develop capability in Australia and our region, the ICPC has a capacity building team that conducts workshops, training programs and large-scale exercises both in Australia and overseas for both the public and private sectors. The ICPC enriches the national debate on cyber and strategic policy by running an international visits program that brings leading experts to Australia.

Important disclaimer

This publication is designed to provide accurate and authoritative information in relation to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering any form of professional or other advice or services. No person should rely on the contents of this publication without first obtaining advice from a qualified professional.

© The Australian Strategic Policy Institute Limited 2020

This publication is subject to copyright. Except as permitted under the Copyright Act 1968, no part of it may in any form or by any means (electronic, mechanical, microcopying, photocopying, recording or otherwise) be reproduced, stored in a retrieval system or transmitted without prior written permission. Enquiries should be addressed to the publishers. Notwithstanding the above, educational institutions (including schools, independent colleges, universities and TAFEs) are granted permission to make copies of copyrighted works strictly for educational purposes without explicit permission from ASPI and free of charge.

First published July 2020.
ISSN 2209-9689 (online),
ISSN 2209-9670 (print)

Funding Statement

There is no sole funding source for this paper.

  1. Scott Morrison, ‘Nation’s largest ever investment in cyber security’, media release, 30 June 2020, online. ↩︎
  2. Department of Home Affairs (DHA), Australia’s Cyber Security Strategy, Australian Government, May 2016, online. ↩︎
  3. The underlying cause of these attacks is not public, so it isn’t possible to say whether ISPs providing Clean Pipes would have prevented them. ↩︎
  4. Ry Crozier, ‘Toll Group “returns to normal” after Mailto ransomware attack’, iTnews, 18 March 2020, online; Ry Crozier, ‘Toll Group suffers second ransomware attack this year’, iTnews, 5 May 2020, online. ↩︎
  5. Ry Crozier, ‘BlueScope confirms a “cyber incident” is disrupting its operations’, iTnews, 15 May 2020, online. ↩︎
  6. Bension Siebert, Shuba Krishnan, ‘MyBudget blames hack for outage affecting thousands of customers’, ABC News, 15 May 2020, online. ↩︎
  7. Ben Grubb, ‘Drinks giant Lion hit by cyber attack as hackers target corporate Australia’, Sydney Morning Herald, 9 June 2020, online. ↩︎
  8. Swetha Das, ‘Direct costs associated with cybersecurity incidents costs Australian businesses $29 billion per annum’, Microsoft News Centre Australia, 26 June 2018, online. ↩︎
  9. Interpol, ‘Cybercriminals targeting critical healthcare institutions with ransomware’, news release, 4 April 2020, online; ‘CyberPeace Institute—call for government’, CyberPeace Institute, 26 May 2020, online. ↩︎
  10. Michael Pompeo, ‘The United States concerned by threat of cyber attack against the Czech Republic’s healthcare sector’, press statement, US Department of State, 17 April 2020, online; Department of Foreign Affairs and Trade, Australian Cyber Security Centre (ACSC), ‘Unacceptable malicious cyber activity’, news release, Australian Government, 20 May 2020, online. ↩︎
  11. Toll Group, ‘Toll IT systems update’, 29 May 2020, online. ↩︎
  12. For example, investment in trusted platform modules, Apple’s Secure Enclave in iOS devices. ↩︎
  13. Microsoft, ‘The most secure Windows ever’, no date, online. ↩︎
  14. OpenDNS, ‘Why users love OpenDNS’, 2020, online. ↩︎
  15. Comodo Cybersecurity, ‘Secure internet gateway’, 2020, online. ↩︎
  16. CleanBrowsing, ‘Browse the web without surprises’, no date, online. ↩︎
  17. Interestingly, when customers use these optional DNS services their ISP loses visibility and can no longer detect malware and assist them; ‘FAQ: DNS need to know info’, Quad 9, 2019, online. ↩︎
  18. Google, ‘Google safe browsing’, 2019, online. ↩︎
  19. Microsoft, ‘Microsoft Defender SmartScreen’, 27 November 2019, online. ↩︎
  20. Google, ‘Google safe browsing’, 2019, online. ↩︎
  21. Eliza Chapman, Tom Uren, The Internet of Insecure Things, ASPI, Canberra, 19 March 2018, online. ↩︎
  22. Dave Harcourt, ‘BT’s proactive protection: supporting the NCSC to make our customers safer’, National Cyber Security Centre, UK Government, 25 October 2018, online. ↩︎
  23. Such as, for example distributed denial of service (DDoS) attacks that attempt to overwhelm networks or websites. ↩︎
  24. For example, Interpol’s ‘Worst of’ provides a list of domains carrying child abuse material; Interpol, ‘Blocking and categorizing content’, 2020, online. ↩︎
  25. Andrew Penn, ‘Safer online and the new normal’, Telstra Exchange, 6 May 2020, online. ↩︎
  26. Even within the cybersecurity industry competitors collaborate, and the Cyber Threat Alliance serves as a model for competitors sharing information about threats. There are also many effective information-sharing initiatives overseas and in Australia (for example, see ‘Member ISACs’, National Council of Information Sharing and Analysis Centers, 2020, online). ↩︎
  27. ‘National identity and cyber support’, IDCARE, 2020, online; ACSC, ‘ReportCyber’, Australian Signals Directorate, Australian Government, 2020, online. ↩︎
  28. DHA, ‘Data retention’, Australian Government, March 2020, online. ↩︎
  29. DHA, ‘The Assistance and Access Act 2018’, Australian Government, September 2019, online. ↩︎
  30. For example, see Elise Scott, ‘Senate passes controversial metadata laws’, Sydney Morning Herald, 27 March 2015, online; Damien Manuel, ‘Think your metadata is only visible to national security agencies? Think again’, The Conversation, 5 August 2019, online; Stilgherrian, ‘Home Affairs report reveals deeper problems with Australia’s encryption laws’, ZDNet, 29 January 2020, online. ↩︎
  31. Ry Crozier, ‘Conroy abandons mandatory ISP filtering’, iTnews, 8 November 2012, online. ↩︎
  32. There are already mechanisms to block objectionable material, such as the Sharing of Abhorrent and Violent Material Act 2019, and those mechanisms should remain separate from security provisions. See Attorney-General’s Department, ‘Abhorrent violent material’, Australian Government, no date, online. ↩︎
  33. Frost and Sullivan, Understanding the Cybersecurity Threat Landscape in Asia Pacific: Securing the Modern Enterprise in a Digital World, 2018. ↩︎
  34. ACSC, Cybercrime in Australia—July to September 2019, Australian Signals Directorate, Australian Government, 2019, online. ↩︎
  35. Morrison, ‘Nation’s largest ever investment in cyber security’. ↩︎

Genomic surveillance

Inside China’s DNA dragnet

What’s the problem?

The Chinese Government is building the world’s largest police-run DNA database in close cooperation with key industry partners across the globe. Yet, unlike the managers of other forensic databases, Chinese authorities are deliberately enrolling tens of millions of people who have no history of serious criminal activity. Those individuals (including preschool-age children) have no control over how their samples are collected, stored and used. Nor do they have a clear understanding of the potential implications of DNA collection for them and their extended families.

Earlier Chinese Government DNA collection campaigns focused on Tibet and Xinjiang, but, beginning in late 2017, the Ministry of Public Security expanded the dragnet across China, targeting millions of men and boys with the aim to ‘comprehensively improve public security organs’ ability to solve cases, and manage and control society’.1 This program of mass DNA data collection violates Chinese domestic law and global human rights norms. And, when combined with other surveillance tools, it will increase the power of the Chinese state and further enable domestic repression in the name of stability maintenance and social control.

Numerous biotechnology companies are assisting the Chinese police in building this database and may find themselves complicit in these violations. They include multinational companies such as US-based Thermo Fisher Scientific and major Chinese companies like AGCU Scientific and Microread Genetics. All these companies have an ethical responsibility to ensure that their products and processes don’t violate the fundamental human rights and civil liberties of Chinese citizens.

What’s the solution?

The forensic use of DNA has the potential to solve crimes and save lives; yet it can also be misused and reinforce discriminatory law enforcement and authoritarian political control. The Chinese Government and police must end the compulsory collection of biological samples from individuals without records of serious criminal wrongdoing, destroy all samples already collected, and remove all DNA profiles not related to casework from police databases. China must enact stringent restrictions on the collection, storage, use and transfer of human genomic data.

The Chinese Government must also ensure that it adheres to the spirit of the International Covenant on Civil and Political Rights (1966), the International Declaration on Human Genetic Data (2003), the Universal Declaration on the Human Genome and Human Rights (1997) and the Convention on the Rights of the Child (1989), as well as China’s own Criminal Law (2018). National and international legal experts have condemned previous efforts to enrol innocent civilians and children in forensic DNA databases, and the UN Special Rapporteur on the right to privacy should investigate the Chinese Government’s current collection program for any violations of international law and norms.2

Foreign governments must strengthen export controls on biotechnology and related intellectual property and research data that’s sold to or shared with the Chinese Government and its domestic public and private partners. Chinese and multinational companies should conduct due diligence and independent audits to ensure that their forensic DNA products and processes are not being used in ways that violate the human and civil rights of Chinese citizens.

Executive summary

Forensic DNA analysis has been a part of criminal investigations for more than three decades. Dozens of countries have searchable DNA databases that allow police to compare biological samples found during forensic investigations with profiles stored in those databases. China is no exception.

In 2003, China’s Ministry of Public Security began building its own forensic DNA database.3 Like other such databases, it contains samples taken from criminal offenders and suspects. However, since 2013, Chinese authorities have collected DNA samples from entire ethnic minority communities and ordinary citizens outside any criminal investigations and without proper informed consent. The Chinese Government’s genomic dataset likely contains more than 100 million profiles and possibly as many as 140 million, making it the world’s largest DNA database, and it continues to grow (see Appendix 3).

This ASPI report provides the first comprehensive analysis of the Chinese Government’s forensic DNA database and the close collaboration between Chinese and multinational companies and the Chinese police in the database’s construction. It draws on more than 700 open-source documents, including government bid tenders and procurement orders, public security bureaus’ Weibo and Weixin (WeChat) posts, domestic news coverage, social media posts, and corporate documents and promotional material (see Appendix 1). This report provides new evidence of how Xinjiang’s well-documented biosurveillance program is being rolled out across China, further deepening the Chinese Government’s control over society while violating the human and civil liberties of millions of the country’s citizens.

The indiscriminate collection of biometric data in China was first reported by Human Rights Watch.4

Beginning in 2013, state authorities obtained biometric samples from nearly the entire population of the Tibetan Autonomous Region (3 million residents) under the guise of free annual physical exams (Figure 1).5 In 2016, a similar program was launched in Xinjiang, where data from nearly all of the region’s 23 million residents was collected.6

Figure 1: Blood being collected as part of the free physical exam projects in Lhasa, Tibet Autonomous Region, May 2013, and Urumqi, Xinjiang Uyghur Autonomous Region, February 2018

Sources: ‘Tibet: People’s physical examination to protect the health of the people on the plateau’ (西藏:全民体检为高原百姓保健康), Government of China Web (中国政府网), 15 May 2013, online; ‘Xinjiang National Health Checkup: Cover the last mile and benefit the furthest family’ (新疆全民健康体检:覆盖最后 一公里 惠及最远一家人), Xinhuanet (新华网), 9 February 2019, online.

In those minority regions, DNA collection was only one element of an ongoing multimodal biometric surveillance regime, which also includes high-definition photos, voiceprints, fingerprints and iris scans, which are then linked to personal files in police databases. In both Xinjiang and Tibet, authorities intentionally concealed the reasons for biometric collection.7 When that data was combined with an extensive system of security cameras8 and intrusive monitoring of local families,9 the Chinese Government was able to extend its control over these already tightly monitored communities.

Such programs, however, were only the beginning. Starting in late 2017, Chinese police expanded mass DNA data collection to the rest of the country. Yet in contrast to the wholesale approach adopted in Tibet and Xinjiang, authorities are using a more cost-efficient but equally powerful method: the collection of DNA samples from selected male citizens. This targeted approach gathers Y-STR data—the ‘short tandem repeat’ or unique DNA sequences that occur on the male (Y) chromosome. 

When these samples are linked to multigenerational family trees created by the police, they have the potential to link any DNA sample from an unknown male back to a specific family and even to an individual man.

In this report, we document hundreds of police-led DNA data-collection sorties in 22 of China’s 31 administrative regions (excluding Hong Kong and Macau) and across more than a hundred municipalities between late 2017 and April 2020. Evidence suggests that, in some locations, blood collection has occurred in preschools (Figure 2) and even continued during the Covid-19 pandemic.10

Figure 2: One of more than 1,500 blood samples collected from kindergarten and elementary school students in Xiabaishi Township, Fujian Province, June 2019

Source: ‘Xiabaishi police energetically launch male ancestry inspection system development work’ (下白石派出所大力开展男性家族排查系统建设工作), Gugang Huangqi Weixin (古港黄崎威信), 4 June 2019, online.

The scale and nature of this program are astounding. We estimate that, since late 2017, authorities across China have sought to collect DNA samples from 5–10% of the country’s male population, or roughly 35–70 million people (Figure 3, and see Appendix 3). These ordinary citizens are powerless to refuse DNA collection and have no say over how their personal genomic data is used. The mass and compulsory collection of DNA from people outside criminal investigations violates Chinese domestic law and international norms governing the collection, use and storage of human genetic data.

Figure 3: Blood collection in Garze Tibetan Autonomous Prefecture, Sichuan Province, August 2019, and Binhe Township, Zhongwei, Ningxia Hui Autonomous Region, June 2018

Sources: ‘Batang police department continued to carry out information collection work of male family tree investigation system’ (巴塘县公安局持续开展男 性家族排查系统信息采集工作), Batang Police WeChat (巴塘县公安局微信), 20 August 2019, online; ‘Actively carry out DNA blood sample collection’ (积极 开展DNA血样采集工作), Binhe National Security Web (滨河治安国保), 13 June 2018, online.

The corporate world is profiting handsomely from this new surveillance program. Leading Chinese and multinational companies are providing the Chinese police with the equipment and intellectual property needed to collect, store and analyse the Y-STR samples. Key participants include Thermo Fisher Scientific, which is a US-headquartered biomedical and bioinformatics company, and dozens of Chinese companies, including AGCU Scientific, Forensic Genomics International, Microread Genetics and Highershine (see Appendix 4). Under China’s 2019 Regulations on Human Genetic Resource Management,11 if these companies partner with public security bureaus to develop new forensic products, any results and patents must be shared with the police. The continued sale of DNA profiling products and processes to China’s public security bureaus is inconsistent with claims that these companies have made to improve the quality of life and wellbeing of the communities they serve.

China’s national Y-STR database

In 2003, China’s Ministry of Public Security established a national DNA database for police forensic work.12 Over the following decade, police collected DNA samples during criminal investigations.

However, by the early 2010s, Chinese authorities began to engage in the mass collection of DNA from even wider groups. This included not only programs in Tibet and Xinjiang, which were the first to start, but also more targeted efforts elsewhere. Between 2014 and 2016, the Public Security Bureau of Henan Province collected DNA samples from 5.3 million men, or roughly 10% of the province’s male population.13 The province’s police saw the project as a massive improvement in their ability to conduct forensic investigations and extend state surveillance over even more of Henan’s population.

The success of that project encouraged its expansion nationwide and, on 9 November 2017, the Ministry of Public Security held a meeting in Henan’s provincial capital, Zhengzhou, calling for the construction of a nationwide Y-STR database (Figure 4).14

Figure 4: Ministry of Public Security Meeting on Promoting Nationwide Y-STR Database Construction, Zhengzhou, Henan Province, November 2017

Source: ‘The Criminal Investigation Bureau of the Chinese Academy of Sciences made an experienced introduction at the on-site promotion meeting for the construction of the Y-STR DNA database’ (厅刑侦局在全国Y-STR DNA数据库建设现场推进会上作经验介绍), Shaanxi Public Security Party Construction Youth League (陕西公安党建青联), 10 November 2017, online.

Data collection quickly expanded across the country. Between November 2017 and April 2020, documented instances of police-led Y-STR sample collection have been found in 22 of China’s 31 administrative regions (excluding Hong Kong and Macau) and in more than a hundred municipalities.15

Those are only the instances for which we have direct evidence. Given the national scope of this program, these figures are certainly an underestimate.

Unlike autosomal STR data, which is present in the DNA of both males and females, Y-STRs (the short tandem repeats on Y chromosomes) are found only in male DNA.16 Passed directly from father to son, they aren’t recombined with every successive generation. There’s therefore little variation in Y-STRs, apart from random mutations, and the Y-STR profile of a man will be nearly identical to that of his patrilineal male blood relatives. This means that forensic traces drawn from Y-STR data can point only to a genetically related group of men and not to an individual man.

However, when combined with accurate genealogical records (family trees) and powerful next-generation gene sequencers,17 Y-STR analysis can be a powerful tool. Because surnames are usually inherited from fathers, men who share a common surname are likely to share a common paternal ancestor and a common Y-STR profile.18 Likewise, if the Y-STR profiles of two men match, their surnames are likely to match, too. Therefore, if a Y-STR database contains a large representative sample of DNA profiles and corresponding family records, even an unknown male’s data can potentially be matched to a family name and even an individual, so long as investigators have on file the Y-STR data of that male’s father, uncle or even third cousin (Figure 5).

Figure 5: Illustration of shared Y-STR profile among patrilineal male relatives (translated)

Source: ‘The “hero” behind the murder case of the girl from the Southern Medical University: What is the Y-STR family investigation technique?’ (南医大女生 被害案背后 “功臣”: Y-STR家系排查技术是什么), Youku Video Net (优酷影视网), 25 February 2020, online. Partially translated from Chinese by ASPI.

For the Chinese Government, Y-STR analysis presents a more cost-effective and efficient method of building a national genetic panopticon. Unlike in Tibet and Xinjiang, authorities don’t need to collect DNA samples from all Chinese citizens in order to dramatically increase their genomic surveillance capacity. Authorities in Henan achieved 98.71% genetic coverage of the province’s total male population by collecting Y-STR samples from 10% of the province’s men and developing family trees for nearly all of the province’s patrilineal families.19 Following a similar program nationally, Chinese authorities could achieve genetic coverage for nearly all men and boys in China.

This is highly disturbing. In China’s authoritarian one-party system, there’s no division between policing crime and suppressing political dissent. A Ministry of Public Security-run national database of Y-STR samples connected to detailed family records for each sample would have a chilling impact not only on dissidents, activists and members of ethnic and religious minorities, but on their extended family members as well.

Figure 6: Meeting on Y-STR database construction, Suide County, Shaanxi Province, March 2019

Source: Lu Fei (路飞), ‘The successful completion of the training and mobilisation meeting of the Suide County public security bureaus for work on building a male ancestry inspection system’ (绥德县公安局男性家族排查系统建设工作动员部署及应用培训会圆满完成), Meipian (美篇网), 28 March 2019, online.

The Chinese state has an extensive history of using threats and violence against the families of regime targets in order to stamp out opposition to the Communist Party. Leaked documents obtained by the International Consortium of Investigative Journalists20 and The New York Times reveal that authorities in Xinjiang collect information on family members of detainees in the region’s re-education camps,21 and a detainee’s release is conditional upon the behaviour of their family members outside the camps.22 The repression of family members extends far beyond Xinjiang. Parents23 and children24 of prominent human rights lawyers, and the siblings of overseas government critics,25 are routinely detained and tortured by Chinese police.

By forcing a dissident’s family to pay the price for their relative’s activism, these tactics cruelly yet effectively increase the cost of resistance.26 A police-run Y-STR database containing biometric samples and detailed multigenerational genealogies from all of China’s patrilineal families is likely to increase state repression against the family members of dissidents and further undermine the civil and human rights of dissidents and minority communities.

Figure 7: Genealogical records collected from a single extended family, Hanjia Village, Liaoning Province, March 2018, and a meeting of police officers concerning family records in Weinan, Shaanxi Province, August 2018

Sources: ‘Wolong Police Station carrying out Y-bank construction’ (卧龙派出所深入开展Y库建设), Meipian (美篇网), 15 March 2018, online; ‘To implement the spirit of the Heyang meeting, the Huazhou District Public Security Bureau went to Fuping to learn the process of the construction of a male family investigation system’, (落实合阳会议精神,华州区公安局赴富平实地学习男性家族排查系统建设), Huazhou Criminal Investigation Bureau (华州刑侦), 10 August 2018, online.

We also know that Chinese researchers are increasingly interested in forensic DNA phenotyping. This computational analysis of DNA samples—also known as ‘biogeographic ancestry inferences’27—allows investigators to predict the biogeographical characteristics of an unknown sample, such as hair and eye colour, skin pigmentation, geographical location, and age. Chinese scientists have been at the forefront of these controversial methods,28 claiming to be able to identify whether a sample belongs to an ethnic Uyghur or a Tibetan, among other ethnic groups.29 Scientists have warned about the potential for ethnic discrimination,30 yet Chinese scientists are using these methods to assist the Chinese police in targeting ethnic minority populations for greater surveillance,31 while Chinese and foreign companies are competing to provide the Chinese police with the tools to do their work.32

Figure 8: Blood collection in Xi’an, Shaanxi Province, April 2020, and Tongchuan, Shaanxi Province, February 2019

Sources: ‘The technical squadron of the Criminal Police Brigade of the Huyi Branch Bureau fully endeavoured to ensure the smooth progress of the construction of the Y library’ (鄠邑分局刑警大队技术中队全力保障Y库建设工作顺利进行), Meipian (美篇网), 2 April 2020, online; ‘Chen Jiashan Police Station catches up and surpasses, and completes the Y library information collection task’ (陈家山派出所追赶超越 全面完成Y库信息采集任务), Meipian (美篇网), 24 February 2019, online.

A national database containing the genetic information of tens of millions of ordinary Chinese citizens is a clear expansion of the already unchecked authority of the Chinese Government and its Ministry of Public Security. Chinese citizens are already subjected to extensive surveillance. Even beyond Tibet and Xinjiang, religious believers and citizen petitioners across China are added to police databases to track their movements,33 while surveillance cameras have expanded across the country’s rural and urban areas.34 The expansion of compulsory biometric data collection only increases the power of the Chinese state to undermine the human rights of its citizens.

Building comprehensive social control

A range of justifications have been provided by Chinese authorities for the mass collection of DNA samples from boys and men across China. Some of those reasons can be found in a notice released online on 1 April 2019 by the Public Security Bureau in Putian, Fujian Province:

Blood Collection Notice

In order to cooperate with the foundational investigative work of the seventh national census and the third generation digital ID cards, our district’s public security organs will on the basis of earlier village ancestral genealogical charts, select a representative group of men from whom to collect blood samples.

This work will not only help carry on and enhance the genealogical culture of the Chinese people, but will also effectively prevent children and the elderly from going missing, assist in the speedy identification of missing people during various kinds of disasters, help police crack cases, and to the greatest extent retrieve that which is lost for the masses. This is a great undertaking that will benefit current and future generations, and we hope village residents will enthusiastically cooperate.35

From this and other similar notices found across the Chinese internet, it can be difficult to assess the primary motive behind this program. Yet there are clear indications that it is the forensic and social control applications of the program—commonly referred to as the construction of a ‘male ancestry inspection system’—which most interest authorities. An 18 November 2019 article from People’s Daily Hubei states:

The construction of a male ancestry investigation system is currently important work being carried out across the country by the Ministry of Public Security. Through foundational work such as illustrative mapping of male ancestral families, the extraction of biological specimens, and the collection of samples and building of databases, we will further understand and grasp the information of male individuals. In this way we will strengthen the use of male hereditary marker DNA technology, continue to increase the efficiency of the investigative screening of criminal offenders, comprehensively improve public security organs’ ability to solve cases, and manage and control society, and maximise the efficiency of criminal technologies to crack cases.36

At first glance, it might appear that Chinese police are engaged in the mass screening of local men as part of ongoing forensic investigations. So-called ‘DNA dragnets’ are rare but not unheard of: in 2012, Dutch police collected Y-STR data through cheek swabs from 6,600 male volunteers as part of an investigation into the 1999 rape and murder of a teenage girl,37 while Y-STR samples were collected from 16,000 men as part of a criminal investigation into the 2011 murder of an Italian teenager.38

Yet such mass screenings are highly controversial. Both the Forensic Genetics Policy Initiative39 and the Irish Council for Civil Liberties40 note that police pressure can transform the ‘voluntary’ submission of samples into compulsory acts, while the American Civil Liberties Union has condemned police-led DNA dragnets in the US as ‘a serious intrusion on personal privacy’.41 Best practices require that DNA samples collected in such mass screenings should be connected to a specific criminal investigation, provided only by volunteers in the geographically restricted area in which the offence took place, and be destroyed following the completion of the investigation.

The Chinese Government’s program of male DNA data collection violates all of those principles. In none of the hundreds of instances of police-led mass DNA collection-related work uncovered in our research is data collection described as part of an ongoing forensic investigation. Nor are any of the men or boys targeted for DNA collection identified as criminal suspects or as relatives of potential offenders. Finally, China’s authoritarian political system makes refusing police requests for DNA samples impossible.

Figure 9: Blood collection in Kaifeng, Henan Province, August 2019 (cropped), and Ordos, Inner Mongolia, October 2018 (still image from video)

Sources: ‘Xinghua Camp has taken several measures to complete the Y-DNA blood collection task’ (杏花营所多项举措完成DNAY库采血任务), Meipian (美篇 网), 14 August 2019, online; ‘Albas police station actively carries out blood collection work of Y library construction’ (阿尔巴斯派出所积极开展Y库建设采血 工作), Meipian (美篇网), 24 October 2018, online.

Instead, the Chinese Government’s national Y-STR database appears to be part of larger efforts to deepen comprehensive social control and develop multimodal biometric profiles of individual citizens.

Those profiles would allow state security agents to link personal information to biometric profiles, including DNA samples, retinal scans, fingerprints and vocal recordings.42 When completed, such a system could allow Chinese police to connect biometric data from any unknown sample to identifying personal information.

As in the earlier campaigns in Tibet and Xinjiang, DNA collection occurs in a range of places, including private homes,43 schools,44 streets,45 shops46 and village offices47 (see Appendix 2 for a full description of the collection process). Unlike in those two regions, the current program seems aimed at all Chinese men and boys, irrespective of ethnicity or religious faith. Yet there’s evidence that in one case police targeted ethnic Hui Muslims at a local cultural event, in a possible extension of the anti-Muslim campaign that began in Xinjiang (Figure 10).

Figure 10: DNA sample collection in a private residence in Jinhua, Zhejiang Province, September 2018, and at a Hui ethnic minority community centre in Shiyan, Hubei Province, October 2019

Sources: ‘The Baima Police Station of the County Public Security Bureau went to the jurisdiction to carry out blood collection work’ (县公安局白马派出所到 辖区开展血液采集工作), Pujiang County Public Security Bureau (浦江县公安局), 28 September 2018, online; ‘The Hubeikou Police presented safety lectures to the Hui ethnic people on the spot and collected male blood samples during the holy Ramadan festival of the Hui ethnic people’ (湖北口派出所利用回族 群众圣纪节日,给到场回族群众做法制安全讲座,并采集男性血样), Hexie Hubeikou Microblog (和谐湖北口微博), 10 October 2019, online.

The scale of data collection is enormous. Tens of thousands of DNA samples have been collected in single localities. In Tunliu County in Chanzhi, Shanxi Province, local authorities recommended collecting blood samples from 36,000 men,48 or roughly 26% of the county’s male residents; in Laoting County in Tangshan, Hebei Province, 56,068 samples were recommended for collection from the county’s 320,144 men;49 and an invitation for bids for the construction of a Y-STR database for the Xian’an District of Xianning, Hubei Province, states that 40,000 blood samples were collected from the district’s roughly 300,000 male residents.50 These figures alone—a mere fraction of the total size of the Chinese Government’s current DNA collection program—represent some of the largest targeted DNA dragnets in police history.

More disturbing still is the compulsory collection of DNA samples from children (Figure 11).51 Unconnected to any criminal investigation, police have collected blood samples from students at schools across China, including in Shaanxi,52 Sichuan,53 Jiangxi,54 Hubei,55 Fujian,56 and Anhui.57 In a single township in Fujian, more than 1,500 blood samples were taken from students at local kindergartens and elementary schools.58 In some cases, teachers have been enlisted to assist in DNA collection.59

Figure 11: Collecting blood samples from students, Poyang County, Jiangxi Province, November 2018, and Yunxi County, Hubei Province, March 2019

Sources: ‘Actively cooperate with students in collecting DNA samples’ (积极配合做好学生DNA样本信息采集工作), Dongxi Primary School Web (东溪小学王 网), 14 November 2018, online; ‘Safety management: Nine-year standard school in Shangjin Town actively cooperates with DNA information collection’ (安 全管理:上津镇九年一贯制学校积极配合做好DNA信息采集工作), Nine-year Standard School in Shangjin Town WeChat account (上津镇九年一贯制学校), 22 March 2019, online.

These accounts are in keeping with a 2017 Wall Street Journal investigation that found that police in rural Qianwei, Sichuan Province, collected DNA samples from male schoolchildren without explanation (Figure 12).60 This is a clear violation of Article 16 of the UN’s Convention on the Rights of the Child (to which China is a signatory) against the ‘arbitrary or unlawful interference with [a child’s] privacy’61 and an abuse of the authority police have over vulnerable adolescents.

Figure 12: Police-led DNA collection from middle and elementary school students in Shifan County, Sichuan Province, September 2019, and in Hanzhong County, Shaanxi Province, October 2019

Sources: ‘Shigu Junior High School actively cooperates with the public security police to do a good job of collecting DNA samples from teenagers’ (师古初中 积极配合公安民警做好青少年DNA样本采集工作), Shifang City Government Web (什邡市人民政府), 12 September 2019, online; ‘This elementary school in Nanzheng District has launched the collection of student DNA samples’ (南郑区这个小学,开展了学生DNA样本采集), Eastday (东方咨询), 12 October 2019, online.

While DNA samples are taken from men and boys outside of a police investigation, data samples are stored permanently in the Ministry of Public Security’s National Public Security Organ DNA Database (Figure 13).62

Figure 13: National Public Security Organ DNA Database screenshot (cropped)

Source: ‘Public Security Organ DNA Database Application System’ (公安机关DNA数据库应用系统), Beijing Haixin Kejin High-Tech Co. Ltd (北京海鑫科金高 科技股份有限公司), online.

Like the FBI’s Combined DNA Index System (CODIS) in the US,63 China’s national database permits DNA samples collected by police to be compared with samples stored in hundreds of local and provincial databases across the country. This database also contains additional core STR loci (locations on a chromosome) for enhanced discriminatory capacity tailored to the ethnic make-up of China’s population.64

The Chinese Government’s DNA database feeds into a constantly evolving program of state surveillance under the banner of the Golden Shield Project, which is led by the Ministry of Public Security. The project seeks to make the personal information of millions of Chinese citizens, including forensic and personal data, available to local police officers nationwide.65 According to the website of Highershine Biological Information Technology Co. Ltd, a company that builds Y-STR databases for the Ministry of Public Security, its databases allow DNA data to be compared with non-genetic data on Chinese citizens contained in the national personal residence database system and the comprehensive police database system, which are both part of China’s Golden Shield Project (Figure 14).

Figure 14: Highershine’s National Public Security Organ Male Family Ancestry Investigation System

Source: ‘National Public Security Male Family Investigation System collects clients’ (全国公安男性家族排查系统采集用户端), China Highershine (北京海华鑫安生物), online.

Evidence already suggests that this new DNA database is being integrated with other forms of state surveillance and ‘stability maintenance’ social control operations.66 Local officials in Sichuan Province have linked Y-STR data collection to the Sharp Eyes Engineering Project,67 which is a national surveillance program aimed at expanding video monitoring across rural and remote areas.68 The Chinese company Anke Bioengineering has also spoken of building a ‘DNA Skynet’,69 in an apparent allusion to another national surveillance program.70

Corporate complicity

Chinese and multinational companies are working closely with the Chinese authorities to pioneer new, more sophisticated forms of genomic surveillance. According to Ping An Securities, China’s forensic DNA database market generates Ұ1 billion (US$140 million) in sales each year and is worth around Ұ10 billion (US$1.4 billion) in total.71 Competition is intense. While multinational companies currently dominate equipment sales, domestic players are making significant inroads, and biotechnology is listed as a critical sector in the Chinese Government’s Made in China 2025 strategy.72 More than two dozen Chinese and multinational companies are known to have supplied local authorities with Y-STR equipment and software (see Appendix 4).

One of the key domestic producers of Y-STR analysis kits is AGCU Scientech Inc.,73 which is a subsidiary of one of China’s largest and fastest growing biotech companies, Anhui Anke Bioengineering (Group) Co. Ltd.74 AGCU’s founder and Anke’s vice president is Dr Zheng Weiguo.75 After working for Thermo Fisher affiliate Applied Biosystems and other companies in the US, he was invited by the Ministry of Public Security to help develop the Chinese Government’s DNA database in 2004 and set up AGCU in the city of Wuxi under the Thousand Talents Program in 2006.76 He now serves as an expert judge for this Chinese Government talent recruitment program and has been awarded numerous state prizes for his scientific and patriotic contributions.77

AGCU has partnered with public security bureaus across China to apply for patents for Y-STR testing kits78 and in 2018 entered into an exclusive distribution partnership with US biotech company Verogen to sell Illumina’s next-generation DNA sequencers in China.79 AGCU is now actively promoting Illumina next-generation solutions at domestic and international trade fairs organised by the Ministry of Public Security (Figure 15).80

Figure 15: An AGCU engineer discusses Y-STR data systems at the Public Security Bureau of Pingxiang, Jiangxi Province, August 2018

Source: ‘Pingxiang City Public Security Bureau Male Family Investigation System Construction Promotion Conference and “FamilyCraftsman” training class’ (乡市公安机关男性家族排查系统建设工作推进会暨“家系工匠”培训班), Meipian (美篇网), 17 August 2018, online.

Other players include Forensic Genomics International,81 which is a fully owned subsidiary of the Beijing Genomic Institute Group—a company with an increasingly global footprint. In August 2018, Forensic Genomics International signed a strategic partnership agreement with the Public Security Bureau of Xi’an82 and has worked with other public security bureaus to build Y-STR databases as part of this national program.83 Another company is Microread Genetics Co. Ltd, a leading life sciences company with a joint genetic lab in Kazakhstan,84 which has won contracts to provide public security bureaus with Y-STR testing kits85 and database construction services.86

Beijing Hisign Technology Co. Ltd is also providing Y-STR database solutions to the Ministry of Public Security.87 Founded by former People’s Liberation Army member Liu Xiaochun,88 Hisign has developed a range of big-data biometric surveillance products used to collect, store and analyse finger (palm) patterns, facial scans and forensic DNA samples (Figure 16).89 Its Y-STR databases, which the company boasts can be ‘seamlessly connected with the DNA National Library’ and which can ‘provide intelligent family tree mapping’, are used by the public security bureaus of eight provinces, autonomous regions and directly administered cities.90

Figure 16: Hisign’s Y-STR database genealogical mapping function

Source: ‘YSTR database application system’ (YSTR数据库应用系统), Hisign Technology (北京海鑫科金高科技股份有限公司网), online.

A number of leading multinational companies are also providing DNA sequencers and other forensic technologies to public security bureaus across China. They include the China subsidiaries of Thermo Fisher Scientific and Eppendorf. Of those companies, Thermo Fisher’s role is most prominent.

This corporate giant has 5,000 employees in China, which contributed over 10% of the company’s US$25 billion in revenue in 2019.91

The company’s involvement in biometric surveillance in Xinjiang is well documented.92 But, while it has vowed to stop selling human identification products in the region,93 Thermo Fisher’s extensive involvement in the Ministry of Public Security’s national DNA database program is less well known.

One week before the launch of the national Y-STR data program, representatives from Thermo Fisher joined Chinese academics and police officials at a conference held by the Forensic Science Association of China in Chengdu, Sichuan, from 1 to 3 November 2017 (Figure 17).94 Recorded presentations from the conference give a clear sense of how closely Thermo Fisher has worked with the Ministry of Public Security to improve police collection of Y-STR data.

Figure 17: Presentation on forensic Y-STR kits designed for the Chinese market by a representative of Thermo Fisher, Chengdu, Sichuan Province, November 2017

Source: ‘Dr Zhong Chang’ (钟昌博士), Tencent Video (腾讯视频), 8 November 2017, online.

In a talk by Dr Zhong Chang, a researcher at Thermo Fisher, two of the company’s DNA kits—the VeriFiler Plus PCR amplification kit95 and Yfiler Platinum PCR amplification kit96—are described as having been created in direct response to the Ministry of Public Security’s need for enhanced discriminatory capacity tailored to the ethnic make-up of China’s population.97 More disturbingly, Thermo Fisher’s Huaxia PCR amplification kit was developed specifically to identify the genotypes of Uyghur, Tibetan and Hui ethnic minorities.98

Such kits have been instrumental to the current national Y-STR collection program aimed at ordinary men and boys, and numerous local public security bureaus have purchased Thermo Fisher Y-STR analysis kits as part of the construction of male ancestry investigation systems99 and Y-STR databases.100

Thermo Fisher may defend these sales, as it did to Human Rights Watch in 2017, on the grounds that it’s impossible ‘to monitor the use or application of all products’ that it makes.101 That may be true, but the company is clearly aware of how its products are being used, and it actively promotes its close collaboration with the Chinese police in its Chinese-language publicity material. In a profile of Gianluca Pettiti, Thermo Fisher’s former head of China operations and current President of Specialty Diagnostics,102 the company boasts: ‘In China, our company is providing immense technical support for the construction of the national DNA database, and has already helped to build the world’s largest DNA database.’103 Similarly, in 2018, the company’s Senior Director of Product Management, Lisa Calandro, discussed the ‘sinicizing’ of their forensic science product line for the Chinese market.104

Even if multinational companies object to the use of their genetic products as part of China’s surveillance regime, new legislation puts them at risk of acting as the handmaidens of repressive practices. Under China’s 2019 Regulations on Human Genetic Resource Management, any patents emerging from joint research projects must be shared between foreign-owned and Chinese entities.105

That means that, if Chinese or international biomedical companies partner with the public security bureaus, their research results and patents must be shared with the police. Furthermore, Article 16 of the Regulations grants the Chinese state sweeping powers to make use of DNA datasets created by public or private researchers for reasons of ‘public health, national security and the public interest’.

This means that any genetic data or processes in China may be used by Chinese authorities in ways these companies might have never intended.

Human rights violations

The Chinese Government’s genomic surveillance program is out of step with international human rights norms and best practices for the handling of human genetic material.106 Article 9 of the UN Universal Declaration on the Human Genome and Human Rights states that ‘limitations to the principles of consent and confidentiality may only be prescribed by law, for compelling reasons within the bounds of public international law and the international law of human rights’,107 while Article 12 of the UN International Declaration on Human Genetic Data states that the collection of genetic data in ‘civil, criminal or other legal proceedings’ should be ‘in accordance with domestic law consistent with the international law of human rights’.108

The Chinese Government’s DNA dragnet is also a clear violation of the International Covenant on Civil and Political Rights’ prohibition against ‘arbitrary or unlawful interference’ with a person’s privacy,109 and Article 16 of the UN Convention on the Rights of the Child (to which China is a signatory) against the ‘arbitrary or unlawful interference with [a child’s] privacy’.110

There are three areas in particular where this program appears to violate the human rights of Chinese citizens:

1. Lack of legal authority

The compulsory collection of biological samples among non-criminal offenders is not currently authorised under Chinese law. Article 132 of the revised 2018 Criminal Procedures Law only permits the collection of fingerprints, blood and urine samples from victims or suspects in criminal proceedings.111 Chinese authorities are aware of this issue. Chinese scholars and experts have warned about the lack of a clear legal basis for the collection of biometric samples by police outside criminal investigations,112 while others have cautioned about the potential for mass social unrest if compulsory collection should occur.113

Figure 18: Blood collection in Tongchuan, Shaanxi Province, February 2019 (cropped), and Xi’an, Shaanxi Province, January 2020

Sources: ‘Wangjiabian Police Station solidly carried out the security work of opening the school campus’ (王家砭派出所扎实开展开学校园安保执勤工作), Meipian (美篇网), 20 February 2019, online; ‘The Zoukou Police Station combined with the “Millions of Police Entering Tens of Millions Community” activity, went deep into the jurisdiction to carry out male “Y” blood sample collection work’ (零口派出所结合“百万警进千万家”活动,深入辖区开展男性“Y”系血样 采集工作), Meipian (美篇网), 14 January 2020, online.

The compulsory collection of DNA samples in China has sparked controversy in the past. The mass DNA screening of 3,600 male university students by police in 2013 following a spate of campus thefts was condemned as disproportionate and a violation of China’s Criminal Law.114 When discussing the creation of a nationwide Y-STR database in 2018, Pei Yu of the Hubei Police Academy warned that the ‘large-scale coercive collection of blood’ from ordinary civilians would violate both Chinese domestic law and international norms and suggested that this would be a major legal hurdle for Chinese authorities.115

Police notices and social media posts make it clear that the authorities are worried about potential pushback. Posters urge public cooperation, while police are told to carry out careful propaganda work aimed at dispelling any concerns about blood collection.116 Yet online posts suggest that some still question the legal basis of this program.117

2. Lack of informed consent

Outside of a criminal investigation, the voluntary submission of genetic samples requires prior, free and informed consent.118 The Chinese Government’s current program of compulsory Y-STR data collection isn’t part of any criminal investigation. Yet there’s no evidence in the sources reviewed for this report that Chinese authorities sought people’s consent before collecting Y-STR samples; nor are those who have given samples likely to be aware of how this program could subject them and their families to greater state surveillance and potential harm.

Figure 19: Blood collection in Shangrao, Jiangxi Province, October 2019 (cropped), and Lantian County, Xi’an, Shaanxi Province, January 2019

Sources: ‘Xianshan Primary School: District public security bureau visits the school to collect blood samples’ (仙山小学:区公安局到校进行血样采集), Meipian (美篇网), 1 November 2019, online; ‘(Striving for “Safety Vessel” Lantian Public Security in Action: Public Security police keeping the peace at the end of the Spring Festival’ (争创“平安鼎”蓝田公安在行动: 年终岁尾春节至,公安民警守平安), Meipian (美篇网), 30 January 2019, online.

Police provide contradictory explanations or speak in vague generalities about the purpose of the DNA collection program. A local resident, for example, expressed confusion about why men in his village were being targeted for blood collection in a 2019 social media post.119 Other posts express concern about being compelled to provide biometric samples. In a post made in late 2018, a netizen reported that men were being required to submit blood samples to police when applying to change their residency permits.120 Extensive police powers (both legal and extra-legal) make it virtually impossible for someone to refuse a request for biometric data in China.121

3. Lack of privacy

Despite some assurances that personal information will be protected,122 police are given a wide remit to make use of genetic resources. DNA collected in Tibet and Xinjiang as part of a free ‘physicals for all’ program was used to enhance biosurveillance over those ethnic minority populations, without the knowledge of those from whom DNA samples were taken.123 Legal experts and ordinary citizens have also expressed concerns about the lack of robust privacy protections when it comes to Y-STR sample collection.124

Figure 20: Blood collection in Yantai, Shandong Province, March 2019, and Yulin, Shaanxi Province, April 2019

Sources: ‘Xiaoyang Police Station of Haiyang City: Check and fill the vacancies for the construction of the Y library’ (海阳市小纪派出所: 对Y库建设工作进行 查漏补缺), Shuimu Web (水母网), 28 March 2019, online; ‘Recent work trends of Sanchuankou Police Station of Public Security Bureau of Zizhou County’ (子洲县公安局三川口派出所近期工作动态), Meipian (美篇网), 7 May 2019, online.

Online posts note that police blood collection outside of a criminal investigation constitutes an infringement on personal privacy.125 In one post, a father claimed that a police officer threatened to revoke his residency permit if he didn’t provide a Y-STR sample for his child.126 The father wrote that, when he expressed confusion about the purpose of the program, he was asked: ‘Don’t you trust the government?’

A nationwide program of male DNA collection not only represents a serious challenge to the privacy of those whose profiles are contained in the database, but also undermines the privacy of their relatives, who may be unaware that their personal information is contained in the family trees that police have created as part of this project.127

These concerns about legality, consent and privacy are all the more evident when the Chinese Government’s program is compared with two other national DNA collection programs: the UK’s National DNA Database, which until recently stored DNA samples taken from people merely suspected (but not convicted) of recordable offences, and a 2015 law in Kuwait, which would have required all residents and visitors to Kuwait to provide DNA samples to the government. Both programs were highly controversial.

In a 2008 ruling by the European Court of Human Rights, the UK’s program was found to have ‘fail[ed] to strike a fair balance between the competing public and private interests’.128 Likewise, the UN Human Rights Committee’s 2016 periodic review of Kuwait raised concerns about the ‘compulsory nature and the sweeping scope’ of the program, the ‘lack of clarity on whether necessary safeguards are in place to guarantee the confidentiality and prevent the arbitrary use of the DNA samples collected’ and ‘the absence of independent control’.129

In both cases, the collection regime was dramatically scaled back or scrapped altogether. In the UK, the European Court’s ruling led to the UK’s Protection of Freedoms Act in 2012130 and the subsequent destruction of 1.76 million DNA profiles taken from people innocent of any criminal offence.131 In the case of Kuwait, the law was eventually found to violate constitutional protections of personal liberty and privacy by the country’s supreme court in 2017.132

The criticisms leveled against the UK’s and Kuwait’s DNA programs could easily apply to the Chinese Government’s current campaign of mass DNA collection, but a similar outcome is highly unlikely. China lacks independent courts that can check the power of the Chinese Government, the Communist Party and domestic security forces.133 Nor has the Chinese Government been receptive to criticisms of earlier mass DNA collection programs made by international human rights organisations.134 Finally, China’s authoritarian political system lacks a free press, opposition political parties and a robust civil society that can openly challenge the legality of this program.135

Recommendations

DNA analysis is now considered the gold standard for police forensics. Recent innovations in DNA sequencing and big-data computing make the process of analysing biometric samples more efficient and cost-effective. Yet forensic DNA collection has also been linked to the abuse of police power,136 and even commercial genealogical websites can lead to the loss of genetic privacy for the relatives of those who have voluntarily uploaded their data.137 In order to defend against possible abuses, compulsory police collection and storage of biometric data must be strictly limited to those convicted of serious criminal wrongdoing.

As detailed in this report, there’s no evidence that Chinese authorities are adhering to these standards. 

Unconstrained by any checks on the authority of its police, the Chinese Government’s police-run DNA database system is extending already pervasive surveillance over society, increasing discriminatory law enforcement practices and further undermining the human rights and civil liberties of Chinese citizens.

The tools of biometric surveillance and political repression first sharpened in Xinjiang and Tibet are now being exported to the rest of China.

In the light of our report, ASPI recommends as follows:

  • The Chinese Government should immediately cease the indiscriminate and compulsory collection of DNA samples from ordinary Chinese civilians, destroy any biological samples already collected, and remove the DNA profiles of people not convicted of serious criminal offences from its forensic databases.
  • The UN Special Rapporteur on the right to privacy should investigate possible human rights violations related to the Chinese Government’s DNA data collection program and broader programs of biosurveillance.
  • Governments and international organisations should consider tougher export controls on equipment and intellectual property related to forensic DNA collection, storage and analysis being sold in Chinese markets.
  • Biotechnology companies should ensure that their products and services adhere to international best practices and don’t contribute to human rights abuses in China, and must suspend sales, service and research collaborations with Chinese state authorities if and when violations are identified.

Appendix 1: Data sources

In chronicling the Chinese Government’s latest DNA dragnet, this report draws on more than 700 Chinese-language open-source documents that refer to the current program of Y-STR data collection, as well as related research on the forensic applications of Y-STR analysis in China and materials concerning China’s domestic forensic science market.

The sources listed in Table 1 don’t include the Chinese- and English-language sources we have cited concerning China’s broader systems of surveillance and governance, China’s earlier biometric data collection programs in Xinjiang and Tibet, or reports on DNA collection programs outside of China.

Table 1: List of primary data sources

Documented instances of police-led Y-STR data collection have been found in 22 of China’s 31 administrative regions (excluding Hong Kong and Macau),138 and in more than a hundred municipalities. It’s important to note that this total is likely to be an underestimate; instances of DNA collection may go unreported, and the true scale of the program is likely to be much greater. Data collection also appears to be continuing in some locations.

Appendix 2: How Y-STR samples are collected

The Chinese Government’s Y-STR data collection program appears to happen mostly in rural areas or townships and villages located on the periphery of cities. This may be because it is easier for police to produce accurate genealogies of patrilineal families and collect samples from multiple members of the same family in rural areas, where multiple generations of a single family are more likely to live in close proximity.139 Furthermore, many current urban residents are first- or second-generation migrants who can trace their ancestry back to extended families living in rural areas. Greater genetic coverage of Chinese men is more likely to be achieved by focusing on their ancestral families, rather than recent migrants to major cities. Finally, Chinese authorities may be focusing on rural areas because they believe their program will face less public scrutiny there than in more developed urban areas.

No matter where data collection occurs, this program is broken down into four stages: 

1. Preparatory meetings

Local Y-STR data-collection work begins with meetings led by the public security bureaus where police officers and other government officials are introduced to the role Y-STR data collection can play in combating crime and strengthening ‘social management’ (Figure 21).140

Figure 21: Local officials meeting to discuss male ancestry inspection systems, Anlu, Hubei Province, September 2019, and Weinan, Shaanxi Province, August 2018

Sources: ‘Chendian Township held a training seminar on mobilisation of the male family tree investigation system’ (陈店乡举办男性家族排查系统建设工作 动员业务培训会), Anlu Government (安陆政府网), 3 September 2019, online; ‘Weinan Municipal Public Security Bureau’s male family investigation system construction site promotion meeting was successfully held in Heyang’ (渭南市公安局男性家族排查系统建设现场推进会在合阳圆满召开), Meipian (美篇 网), 9 August 2018, online.

During these meetings, officers are organised into subgroups responsible for particular datacollection-related tasks. Meetings end with the signing of letters of responsibility, which lay out the obligations government offices have for completing Y-STR data-collection work.

2. Creating family trees

The next step is creating family trees for local men and boys. Collecting accurate genealogical information on local patrilineal families is of vital importance. This information will be used to identify a representative sample of men and boys from whom to collect genetic data and, in the future, will allow police to connect Y-STR data from an unknown male to a particular patrilineal surname and all the men sharing that name.

To collect genealogical information on male family members, police officers visit individual families, often accompanied by village cadres.141 Through these visits, police try to map out family genealogies going back from five to eight generations (Figure 22).142

Figure 22: Collecting genealogical data by hand, Chaohu, Anhui Province, April 2018, and Jinan, Shandong Province, September 2018

Sources: ‘Huailin town carried out male family tree survey and mapping’ (槐林镇开展男性家族家系调查和图谱绘制工作), Chaohu Government (巢湖政 府网), 10 April 2018, online; ‘The Chengguan Office successfully completed the Y library information collection task’ (城关所圆满完成Y库信息采集任务) Chegguan Police Station (城关派出所), 29 September 2018, online.

A mock illustration of these family trees is found in a 21 August 2018 government notice on Y-STR data collection in Sui County, Hubei Province, where names, mobile numbers and ID card numbers are collected (Figure 23).

Figure 23: Mock genealogical chart, Sui County, Hubei Province

Source: ‘Notice of the County Government Office on printing and distributing the work plan for the construction of the “Y-STR” DNA database in Sui County’ (县人民政府办公室关于印发随县’Y-STR’DNA数据库建设工作方案的通知), Sui Country Government (随县政府网), 4 September 2018, online. This mock
chart captures five generations of a single patrilineal family with the names, phone numbers and presumably state ID numbers to be recorded for each individual identified.

Family trees are first drawn by hand,143 and police officers and local officials work with members of targeted families to ensure accuracy (Figure 24).144 Not all local males are targeted, however. According to the same 2018 work notice from Sui County, only information on permanent residents in the rural or semi-rural counties, townships or ‘villages within cities’ of these municipalities is recorded.145

Figure 24: Completed family trees, Luliang, Shanxi Province, June 2018, and Baoji, Long County, Shaanxi Province, October 2018 (cropped)

Sources: ‘Lin County Public Security Bureau Y-STR DNA Family Investigation System Construction Database’ (临县公安局: Y—STR DNA家族排查系统建设数 据库), Meipian (美篇网), 26 June 2018, online; Caojiawan Police Station of Long County Public Security Bureau completed the first male family survey map (陇县公安局曹家湾派出所完成首张男性家族家系调查图谱), Meipian (美篇网), 10 October 2018, online.

After family trees are checked for errors, the finished charts are entered into computer databases using the commercially available genealogical mapping software ‘Ancestry Artisan’ (Figure 25).

Figure 25: Inputting genealogical information, Tongchuan, Shaanxi Province, August 2018 (cropped)

Source: ‘Chengguan Police Station completed the construction of male Y DNA bank’ (城关派出所全面完成男性Y库建设工作), Nanyuan Police (南苑警务网), 8 August 2018, online.

3. Compulsory collection of blood samples

Based on the family trees, a non-random sample of local men is targeted for compulsory Y-STR data collection (Figure 26). Estimates for the proportion of local men targeted vary from roughly 8.1% in Dongsheng District, Lingqiu County, Shanxi Province146 and 9.6% in Ordos, Dongsheng District, Inner Mongolia,147 to 25.4% in Tongchuan, Yijun County, Shaanxi Province148 and 26.4% in Changzhi, Tunliu County, Shanxi Province.149

Figure 26: Blood collection in Tongchuan, Shaanxi Province, June 2019, and Zhangzhou, Fujian Province, April 2019

Sources: ‘Tongchuan police: Hongqiao Yuhua Police Station completed the annual DNA blood sample information collection task’ (铜川公安:虹桥玉华派出 所完成全年DNA血样信息采集任务), Hongqiao Yuhua Police Station (虹桥玉华派出所), 9 June 2018, online; “Changtai: Blood Collection Notice” (长泰:采血 通告), Soho (搜狐网), 20 April 2019, online.

Samples are taken in the form of blood via a pinprick to the finger,150 and blood is collected on a paper card, which is then inserted into an envelope (Figure 27). This method of sample collection allows large amounts of data to be collected in the absence of storage space.151

Figure 27: Blood collection cards and envelopes, Tongchuan, Shaanxi Province, June 2019 (cropped), and Xi’an, Zhouzhi County, Shaanxi Province, May 2019

Source: ‘Jiufeng has taken multiple measures, combined points with points, broken common rules, and promoted quickly to strive to complete the construction of male family trees as soon as possible’ (九峰所多策并举、点面结合、打破通例 、快速推动,争取早日全面完成男性家系建设工作), Meipian (美篇网), 24 May 2019, online.

In some cases, blood is collected from individuals in their community, as shown in a video from 17 May 2019 of a police officer in Anqing, Anhui Province, taking blood from an elderly man (Figure 28).

Figure 28: Screen capture taken from video of blood collection in Anqing, Anhui Province, May 2019

Source: ‘In order to build the Y-DNA bank and not affect the farming time of the masses, the auxiliary policemen from Liuping Police Station entered the field on 17 May to collect blood samples for the Y-DNA bank from the people in the jurisdiction and publicise safety precautions’, (为了Y库建设工作和不影响群 众农耕时间5月17日柳坪派出所民辅警走进田间地头,为辖区群众采集Y库血样和宣传安全防范), Susong Liuping Police (宿松柳坪派出所), video, 17 May 2019, online.

In other cases, samples are collected simultaneously from numerous men at a designated location. 

A July 2019 video (possibly from Sichuan Province) shows dozens of men—many holding what appear to be copies of their family trees—having their blood taken by public security officers (Figure 29).

Figure 29: Screen capture taken from video of blood collection in Sichuan Province, July 2019 (cropped)

Source: ‘Rural: What are you doing together? It turns out collecting blood samples!’ (农村:大家围在一起干吗了,原来是在采集血样!), Tencent Video (腾讯视频), video, 15 July 2019, online.

Uniformed police officers aren’t the only ones who conduct blood collection. In a June 2019 video shot at a village government office in the Fuling District of Chongqing, local officials are seen recording identifying information for numerous men on sample collection envelopes before collecting blood samples (Figure 30).

Figure 30: Screen capture taken from video of blood collection in Fuling District, Chongqing Municipality, June 2019 (cropped)

Source: ‘The staff went to the village to collect DNA blood samples, which greatly conveniences the people’ (工作人员到村里面进行DNA血样采集,极大的 方便了人民群众), Haokan Video (好看视频), 11 June 2019, online.

According to the website of Bosun Life—a Beijing-based company that builds Y-STR databases—one person is selected for Y-STR collection out of a family of five to six, while two people are selected from a family of up to fifty.152

Figure 31: Blood collection in Ningde, Zhejiang Province, April 2019

Source: Nodded attention! Male family blood sample collection work started’ (点头人注意!男性家族血样采集工作开始了), Sohu (搜狐网),| 30 April 2019, online.

Local governments are under intense pressure to meet DNA sample-collection targets set by superiors higher up in the state, and there’s evidence that systems of rewards and punishments have been instituted to ensure that sample-collection quotas are met.153

4. Data sharing with public security bureaus

Once local blood collection is complete, data is entered into specialised police-run Y-STR databases (Figure 32). Numerous requests for tenders and procurement orders for the construction of Y-STR databases have been found for local public security bureaus across China.154

Figure 32: Data entry, Wulanhaote, Inner Mongolia, September 2019

Source: ‘Collection of blood samples from male families’ (男性家族血样采集工作), Meipian (美篇网), 17 September 2019, online.

In turn, these local databases are connected to a network of provincial Y-STR databases and the national forensic DNA database, as stated in government tenders (Figure 33).155

Figure 33: Data sharing between public security bureaus using Yingdi’s Y-STR database system (translated)

Source: ‘Solution pages of police equipment’ (解决方案列表), Yingdi (武汉英迪科技发展有限公司), online. Translated from Chinese by ASPI.

Appendix 3: Estimating the scale of Y-STR sample collection

While we know Y-STR samples have been collected from males across China, it’s difficult to determine how many boys and men in total have been targeted. However, a rough estimate can be produced. 

This requires first calculating the size of the pool from which samples could be taken. The scale of the Henan Y-STR database gives us a good indication of the proportion of men and boys who may have been targeted. Between 2014 and 2016, 5.3 million Y-STR profiles were collected from a total male population of roughly 49.6 million, or roughly 10% of all males. This was believed to have given authorities nearly 98.71% coverage of the province’s male population.156

In some cases, precise figures indicating the scale of male data collection in particular localities are available. By comparing the total number of Y-STR samples collected to the population of local males (roughly estimated to be half the total local population), we’re able to estimate the percentage of men and boys from whom biometric data may have been taken (Table 2).

Table 2: Local data on Y-STR sample collection

Please download PDF for full source listing.

We know from government records that, in areas where Y-STR data collection has occurred, anywhere from roughly 8.1% to 26.4% of all males have been targeted. The wide variation in those figures may reflect efforts to collect more data than needed.

Government procurement orders can also be used to estimate the scale of Y-STR sample collection (Table 3). Some of those orders provide precise figures for the number of Y-STR sample-collection cards local authorities have purchased. By comparing the number of sample-collection cards to the local male population (roughly estimated to be half the total local population), we can estimate the percentage of local men who may have been targeted for DNA data collection.

Table 3: Government bid invitations and procurement orders for Y-STR blood sample collection cards

Please download PDF for full source listing.

From these records, we can estimate that local authorities have purchased enough Y-STR analysis kits to collect samples from anywhere between roughly 7.4% and 26.2% of all local males. The wide variation in these figures may again reflect efforts to collect more data than needed.

The large proportion of men and boys targeted for data collection in some localities may be offset by lower levels of data collection in other areas. We have also considered the possibility that in some areas of the country data collection might not be taking place. While we know that this is a nationwide campaign, we don’t yet have precise figures for the number of municipalities in which data collection has occurred. For example, mass Y-STR collection doesn’t so far seem to be taking place in first-tier cities such as Beijing or Shanghai.

Based on these considerations, and the scale of the earlier provincial Y-STR database built by the Henan Public Security Bureau,157 we therefore estimate that the Chinese Government may be seeking to collect Y-STR profiles from as many as one out of every 10 males in China.

The proportion of men and boys within individual families targeted for Y-STR sample collection also gives us clues about the possible scale of this program. There are indications that the authorities aim to collect samples from at least two men from every family of six to 50 people, and a further one or two samples from families of more than 50 members.158 It isn’t clear how rigorously police are adhering to these standards, but at a minimum this suggests that the Chinese Government aims to collect Y-STR samples from roughly five out of every 100 men.

We therefore conservatively estimate that authorities aim to collect DNA samples from around 5-10% of China’s total male population of roughly 700 million. Based on these calculations, a completed nationwide system of Y-STR databases will likely contain at least 35–70 million genomic profiles.

How do these tens of millions of Y-STR samples relate to the Chinese Government’s broader genomic surveillance capabilities? According to a report by the Chinese insurance company Ping An, in 2016 Chinese authorities possessed DNA records for 44.35 million people, including 40.7 million from forensic databases, 1.49 million from crime-scene databases, 594,000 from missing people databases, and 513,000 in so-called ‘base level’ DNA databases.159 To those numbers we can add the roughly 23 million profiles taken in Xinjiang and 3 million in Tibet, for a new total of roughly 70 million—a total slightly lower than the figure of 80 million cited in recent Chinese press reports160 but identical to that provided on the website for Hisign Technology.161

If we add the estimated 35–70 million Y-STR profiles to the 70 million profiles authorities already possess,162 the Chinese Government likely has 105–140 million profiles on file. That doesn’t include DNA profiles currently being enrolled in the ‘newborn genebank’ that is being trialed in the Guangxi Zhuang Autonomous Region and Chongqing.163

Appendix 4: Companies participating in national Y-STR data collection

Table 4 lists Chinese and multinational companies that are known to provide the equipment, consumables, services and intellectual property used by the Ministry of Public Security and public security bureaus across China as part of the ongoing national program of Y-STR data collection.

Table 4: Chinese and multinational companies involved in the Y-STR data collection program

[[ Please download PDF for full source listing. ]]

Download

Readers are urged to download the full report PDF for the full sources, citations and references.


Acknowledgements

The authors would like to thank Danielle Cave, Derek Congram, Victor Falkenheim, Fergus Hanson, William Goodwin, Bob McArthur, Yves Moreau, Kelsey Munro, Michael Shoebridge, Maya Wang and Sui-Lee Wee for valuable comments and suggestions with previous drafts of this report, and the ASPI team (including Tilla Hoja, Nathan Ruser and Lin Li) for research and production assistance with the report. ASPI is grateful to the Institute of War and Peace Reporting and the US State Department for supporting this research project.

What is ASPI?

The Australian Strategic Policy Institute was formed in 2001 as an independent, non‑partisan think tank. Its core aim is to provide the Australian Government with fresh ideas on Australia’s defence, security and strategic policy choices. ASPI is responsible for informing the public on a range of strategic issues, generating new thinking for government and harnessing strategic thinking internationally.

ASPI International Cyber Policy Centre

ASPI’s International Cyber Policy Centre (ICPC) is a leading voice in global debates on cyber and emerging technologies and their impact on broader strategic policy. The ICPC informs public debate and supports sound public policy by producing original empirical research, bringing together researchers with diverse expertise, often working together in teams. To develop capability in Australia and our region, the ICPC has a capacity building team that conducts workshops, training programs and large-scale exercises both in Australia and overseas for both the public and private sectors. The ICPC enriches the national debate on cyber and strategic policy by running an international visits program that brings leading experts to Australia.

ASPI’s International Cyber Policy Centre has no core funder. Rather, it is supported by a mixed funding base that includes sponsorship, research and project support from across governments, industry and civil society.

Important disclaimer

This publication is designed to provide accurate and authoritative information in relation to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering any form of professional or other advice or services. No person should rely on the contents of this publication without first obtaining advice from a qualified professional.

© The Australian Strategic Policy Institute Limited 2020

This publication is subject to copyright. Except as permitted under the Copyright Act 1968, no part of it may in any form or by any means (electronic, mechanical, microcopying, photocopying, recording or otherwise) be reproduced, stored in a retrieval system or transmitted without prior written permission. Enquiries should be addressed to the publishers. Notwithstanding the above, educational institutions (including schools, independent colleges, universities and TAFEs) are granted permission to make copies of copyrighted works strictly for educational purposes without explicit permission from ASPI and free of charge.

First published June 2020.

ISSN 2209-9689 (online)
ISSN 2209-9670 (print)