Capabilities, competition and communication

Why the West needs a strategy for technology

Introduction

At the conclusion of his time as a Distinguished Visiting Fellow with ASPI’s International Cyber Policy Centre, Admiral Rogers shares five factors that government and policymakers should consider as they prepare for the next wave of disruptive technologies.

Seeing technology as a capability, not a product

Technology is going to be a core aspect of the future for us, and it’s not just cyber technology. It’s going to be technology writ large. I believe that we can assimilate this. Game-changing technologies with social implications have been a part of human history during our entire existence as a species. We tend to think that the time we’re living in is the most different or somehow the toughest, but it’s not.

There have been game-changing technologies with potential negative second- and third-order effects throughout the history of humanity. We’ve dealt with this before. I believe we can deal with it now. But we’ve got to be willing to sit down and think about this. And we really need to ask ourselves what’s the way forward.

One of my concerns as I left government was, quite frankly, that I didn’t think we fully understood the implications of technology in national security. I thought that in many ways we were still organised and focused along very industrial lines, that we tended to think of ‘technology’ through the prism of something that’s produced. It might be a particular good. It might be a particular service. It might be a particular product. On the other hand, the idea of technology as an underpinning that powers a broader set of activities—I didn’t think we were working our way through this enough.

What’s the right answer for the implementation of a technology that will be a fundamental building block for a nation’s economic competitiveness in this digital world that we’re living in?

I would argue 5G is emblematic of this, because 5G is not just about, ‘Well, I’m going to get a better phone service,’ right? That’s not the heart of it. 5G is going to enable us to address latency issues. We’re going to be able to move massive, increased amounts of data at incredible, stable rates that will turn our handheld digital devices into the kinds of capabilities and functionality that we take for granted today in our laptops and our mainframes.

5G is going to underpin all of that, and it’s only one of many foundational technologies that are being developed right now. As I used to say about 5G in our system, ‘Hey, it’s just the wolf closest to the sled.’ It’s emblematic of a broader set of challenges that we’re going to have to deal with over time.

Rethinking technological competition

In the US, our theory had always been that the edge for us is the innovative power of our private sector. And as long as the government largely stayed out of that, we could compete head to head, and compete very well.

I would argue that for 1G, 2G, 3G, 4G, that worked perfectly. But the dynamics we’re seeing now with 5G are prompting the question of how that strategy works when the competition isn’t a single foreign company. The competition now is an integrated national strategy in which that foreign company is just one component. How does a single private company compete against the integrated efforts and resources of an entire nation-state?

I think we have to be asking ourselves how we need to change our model, because if we think it’s bad now with 5G, I would argue it’ll be even worse when 6G comes along in about three years. It’ll be even worse with artificial intelligence, quantum computing and other new technologies coming down the pipeline right now. We’re going to have a series of technological changes coming up. They’re going to be so foundational that if we don’t change the dynamic, we’re going to have this conversation over and over again.

This is not about stopping any particular nation. This is not about contesting a particular company. This is about ensuring our own and our partners’ competitive ability in the 21st-century digital age. Because, again, you’re going to have to deal with this with other countries and other companies over time. Right now, that happens to be China, Huawei and 5G, but it’ll be something different in the future.

To me, China is not an enemy. They aren’t an adversary. They’re a competitor, and we need to ask ourselves, ‘How do we compete with them?’

Let’s not waste our time trying to figure out how we stop the growth of China, how we contain China. My view is that is a losing strategy. I think a much smarter strategy is that, given that growth, given that rise, how can we work together collaboratively to ensure that the growth is done in a way in which it becomes a part of the greater, broader world order? And that it’s done in a way that optimises outcomes both for China and for its neighbours, including the US.

We shouldn’t approach this as a zero-sum game; I never believe that. I think that for Australia and the US our respective relationships with China are going to be fundamental to our competitiveness and our economic performance in this century. You can’t pretend otherwise.

I think the goal is to make sure that the playing field is level. Once we have a level playing field, then it’s up to our private sector. But the challenge right now is that the playing field is not level, and it’s really difficult for the West’s firms to compete. And I just don’t think it’s realistic to expect them to do this on their own. Levelling the playing field is going to take work. It’s also about ensuring agreements are adhered to and there are consequences for clear breaches.

Developing a strategy

In the end, to me it’s all about developing a strategy. I’m watching other nations develop strategies, and I’m saying to myself, ‘Where’s ours? How did we get ourselves into this situation? And what are we going to do so that we can compete?’

So, let’s think about the strategy we’re going to develop. Let’s think about how we’re going to compete.

Let’s think about how we’re going to ensure our continued strong economic performance, our strong technological edge. How are we going to retain that? And at the same time as we’re retaining that, how are we going to retain the values of the societies that we’re a part of?

Our number one competitive advantage, I argue, is our values: the idea of freedom, the idea of the choice of the individual, the idea of the private sector’s ability to compete without the constraint of the government. I also argue that the power of innovation is one of our competitive edges, and we should be doing more to support and protect that innovative edge. So I think, again, if we can get to a level playing field, then our inherent advantages—that structure, those values, that ability to innovate—will enable us to compete with anybody.

I think we have to acknowledge that our structures and our processes aren’t really optimised for this world. I also think we have to acknowledge that it all starts from recognition and acknowledgment of the problems, so we’ve got to be willing to do that. You can’t fix anything if you don’t acknowledge that you have an issue.

I think there’s an element of changing structures and changing process in the way we do things. Part of that model which needs to change, at least in the US, is the kind of wall we build between the functions of the government and the private sector. We really need to step back and ask ourselves—given this world of technological change, given technology’s impact on national security and economic competitiveness, given the speed with which this is happening, given the geopolitical applications of some of this technology—some really fundamental questions like, ‘So, what’s the role of the private sector in this world? What’s the role of the government in this world? Are there ways they could team together?’

It doesn’t mean control. A lot of times I hear people say, ‘You’re just arguing that the government should control everything.’ That isn’t what I’m saying. That hasn’t tended to work out so well in many areas, and it’s not a model that I would default to. On the other end, I think there are some things we can do in partnership with each other. I just think we have to be open to the fundamental idea that in this digital age we’ve got to be willing to look at very different approaches to how we do things.

Strengthening our alliances

I think if we’re honest with ourselves, we have tended to take the US–Australia relationship for granted for some time, and that just isn’t going to work for us anymore. We’ve been together in every major conflict in the past century. In the post-9/11 environment, we’ve worked and fought together. Everywhere I’ve been, on the battlefields in Afghanistan and Iraq, in my professional career, I’ve loved hearing the sound of an Australian accent in the middle of nowhere. In some really tough circumstances, hearing that cheery, ‘G’day, mate,’—I just really like that. I think there’s something really powerful about that. But we can’t take this relationship for granted.

The ability to bring like-minded nations together to work on tough problems is a great thing. Five like-minded nations with a broadly common set of values and a willingness to address not only their own national interests but to support others in the execution of theirs, all with the view of ensuring that we’re helping to make the world a better place: that’s a pretty powerful fundamental idea.

I think that’s still very relevant. It doesn’t pretend for one minute that we don’t have national interests and that those interests never differ. It doesn’t pretend that we don’t have respective national interests that we want to make sure are addressed. But I still think that within that framework we can do powerful things together.

One of my concerns is that, if we don’t get this right, if we don’t think about national security, economic competitiveness and the implications of technology, then we’re individually going to make decisions that potentially increase the risk for other partners in the Five Eyes, or which potentially force other members of the Five Eyes to make some really tough choices that might not be in the interest of all five. If we’re not careful, we could start to go down the road where Five Eyes starts to splinter. If that happens, it should be a conscious decision, not something that kind of happens as an afterthought of other choices. We have to work at maintaining those alliances, and we have to be able to articulate their value. The Five Eyes structure is so important, and one of its strengths has been that we’re willing to have a discussion with each other on those kinds of issues.

Communicating with broader audiences about cyber strategy

As policymakers and as leaders, we’ve got to think about how to articulate the challenge of technology in a way that non-technical people can understand and relate to. I don’t think we’re particularly effective at this at times. One point I would make is, ‘Hey, look, we got to articulate these important topics in ways that non-technical people can understand.’

The second point I would make is this. We need to try to provide meaningful, concrete, specific examples, not an apocalyptic, cyber-could-destroy-the-world-around-us story, because what happens with that is you cry wolf too many times and people just tune you out. Instead, we should be trying to break these big, complex problems down into smaller, more understandable, more digestible components that enable us to build a comprehensive strategy.

Speaking only for the US, we have publicly started talking about how cyber is a tool within the toolkit which we will consider using in an appropriate manner, with a legal basis, for various measurable and proportionate responses to other activity.

For example, you saw us acknowledge in congressional testimony that for the November 2018 election cycle in the US, the US Government authorised and executed a strategy designed to preclude the Russians’ ability to do some of the things against US election infrastructure which they did in 2016. That’s significant: firstly, the fact that we did it; secondly, the fact that we’re willing to publicly talk about it.

What this indicates to me is a kind of evolution in strategy and policy which says, ‘Look, we need to acknowledge that being passive and responding quietly has not really gotten us to where we want to be or where we feel we need to be. Therefore, we need to try to do something different.’

The difference is that we need to start publicly talking about cyber as a tool: the fact that we have capabilities, the fact that we’re willing to use them, and then showing our willingness to use them — again, for very specific purposes, under a very specific legal regime and with a very specific sense of proportionality.


ASPI International Cyber Policy Centre

The ASPI International Cyber Policy Centre’s mission is to shape debate, policy and understanding on cyber issues, informed by original research and close consultation with government, business and civil society.

It seeks to improve debate, policy and understanding on cyber issues by:

  1. conducting applied, original empirical research
  2. linking government, business and civil society
  3. leading debates and influencing policy in Australia and the Asia–Pacific.

The work of ICPC would be impossible without the financial support of our partners and sponsors across government, industry and civil society.

© The Australian Strategic Policy Institute Limited 2019

The post-caliphate Salafi-jihadi environment

In 2019, the global Salafi-jihadi architecture is very different from the one that emerged in September 2001, when transnational terrorism burst on to the international scene, or July 2014, when ISIL controlled more than 34,000 square miles in Syria and Iraq and thousands of young men and women were flocking to be part of its ‘caliphate’.

Many of the leaders of the Salafi-jihadi movement are gone. Some, like Osama bin Laden and Abu Muhammad al-Adnani, have been killed, and many others have been captured or are in hiding. And yet, despite having no territory and having lost many of their leaders, both al-Qaeda and ISIL continue to pose a threat to the maintenance of international peace and security. In fact, one could argue that they pose more of a threat today, as the structure of the groups has moved from integrated to fragmented, making command and control more tenuous.

In 2018, there were at least 66 Salafi-jihadi groups around the world, the same number as in 2016 and three times as many as there were in 2001. The Center for Strategic and International Studies has pointed out that in 2018 there were at least 218,000 Salafi-jihadis and allied fighters around the world—a 270% increase.1 These figures indicate that, despite 18 years of combat and the spending of trillions of dollars, we’re nowhere near ending the jihadist threat, as the ideology continues to resonate with people.

This Strategic Insight reviews the post-caliphate Salafi-jihadi environment, focusing on two issues: the franchising strategy of al-Qaeda and Islamic State in Iraq and the Levant (ISIL) and the evolving threat of online messaging. I highlight a change in the threat posed by Salafi-jihadis to Australia; it’s now less a ‘top-down’ threat than a ‘bottom-up’ one and emanates from homegrown individuals whose links with and understanding of Salafist-jihadism are minimal. Consequently, I offer three sets of recommendations for how Australia’s official counterterrorism community should change its strategies.

Evolution of the protection of civilians in UN peacekeeping

This year marks twenty years since the Security Council added the ‘protection of civilians in armed conflict’ to its agenda and authorised the first UN peacekeeping mission to explicitly protect civilians. Yet efforts to carry forward that mandate in the field over the last two decades have been mixed. While there is consensus among the member states within the UN that peacekeeping missions should protect, there remain different views among the various stakeholders on the limits and expectations of peacekeepers when it comes to implementing this mandate. And the consequences for the civilians on the ground—who expect protection from the UN—can be dire.

The UN Secretary-General, Antonio Guterres, has called upon member states ‘to find consensus around the language and implications of peacekeeping tasks’ on the protection of civilians. This Special Report includes contributions from leading experts in the field examining some of the contemporary challenges facing UN peacekeeping missions and the actions that can be taken by member states to strengthen consensus on some issues of contention, including the role of the Security Council, managing host state consent, addressing performance and accountability, and identifying the potential limits of UN peacekeeping.

Additionally, the report explores the evolution in discussions taking place over the last decade, identifying some of the highlights and findings emerging from a series of ten workshops co-hosted by the Permanent Missions of Australia and Uruguay to the United Nations as one example of member state engagement on the issue.

With contributions from Richard Gowan, Aditi Gorur, Victoria K Holt and Lisa Sharland, this new report by ASPI’s International Program draws together analysis on the challenges faced by UN peacekeeping missions in their efforts to protect civilians over the last two decades, while offering some reflections on a way forward.

North of 26 degrees south and the security of Australia: Views from The Strategist

‘North of 26° south and the security of Australia’, a new report by ASPI’s The North and Australia’s Security Program, presents a series of articles by a range of trusted and up-and-coming authors exploring the continued importance of Northern Australia to national security and defence strategy.

The last time real attention was paid to what our regional environment means for defence in the north of Australia was in Paul Dibb’s 1986 Review of Defence Capabilities and the 1987 Defence White Paper. Following that work, the Australian government invested billions of dollars in bases and bare base infrastructure in the north, with a real focus on the Northern Territory.

The strategic environment since then has changed dramatically.

First, regional nations continue to get richer and more capable, including in their ability to project military power within and beyond their own territories—meaning that near-region partners like Indonesia, Malaysia and Singapore are becoming more important in Australia’s security and diplomacy.

Second, great-power competition and potential conflict have returned to the forefront of world affairs. China and the US are now actively engaged in deep strategic competition and arm-wrestling over political, economic and strategic relationships and technological dominance across our Indo-Pacific region.

There are credible prospects of a major military conflict between these great powers over the next couple of decades, which, if it happens, will most likely spill beyond a bilateral conflict into a wider regional war.

Northern Australia’s dispersed critical infrastructure and primary resources remain vulnerable to traditional and non-traditional national security threats. Modern weapon systems put these resources within striking distance of conventional weapons, and they’re also susceptible to hybrid warfare strategies like that used by Russia in Ukraine.

While Australia has a long-term defence capability plan, we need to continue to test our assumptions about the defence of northern Australia and the north’s significance to national security. On paper, government has made a strong declaratory commitment to northern Australia. But there is evidence of a widening gap between declaratory policy and Defence’s activities in the North.

This report provides much-needed contemporary analysis of the criticality of the North to Australia’s national security and defence.

Protecting critical national infrastructure in an era of IT and OT convergence

ASPI Policy Brief 18/2019

What’s the problem?

Today, we’re seeing an increasing convergence between the digital and the physical worlds. This is sometimes referred to as the convergence of IT (information technology) and OT (operational technology)—devices that monitor physical effects, control them, or both. More and more devices are becoming interconnected to create the ‘internet of things’ (IoT).

While this brings many benefits, it also brings new types of risks to be managed—a cyberattack on OT systems can have consequences in the physical world and, in the context of a critical national infrastructure provider, those physical consequences can have a potentially major impact on society.

Insecure OT systems can also be a back door to allow attackers to penetrate IT systems that were otherwise thought to be well secured.

Among Australian critical national infrastructure providers, the level of maturity and understanding of the specific risks of OT systems lags behind that of IT systems. There’s a shortage of people with OT security skills, commercial solutions are less readily available, and boards lack specialist knowledge and experience. Mandating or recommending standards could help boards understand what’s expected of them, but it isn’t clear which standards are appropriate for managing these risks.

What’s the solution?

A lesson learned from IT security over the past decade is that impacts are severe unless security is considered up front and threats are managed proactively rather than reactively. As the convergence of IT and OT gathers pace in our critical national infrastructure, urgent action on a range of fronts is needed to address risks introduced by the IT–OT convergence.

Concerted effort is needed to ensure that boards of critical infrastructure organisations are mandated and enabled to decide, communicate and monitor their OT cyber risk appetite; that the right skills and tools are available to address the problems; and that there’s effective sharing of threat intelligence and best practice. Achieving this will require the prioritisation of resources to appropriate parts of government to support these actions.

This paper looks at critical infrastructure policy in Australia, the convergence of cyber and physical systems, and the risk and threat environment applicable to those systems. It then looks at the current state of maturity and how this could be improved, concluding with policy recommendations.

What are OT, ICS and SCADA?

OT refers to operational technology. Gartner defines it as ‘hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events’.1

Other terms commonly used in discussions of this area are ICSs (industrial control systems), which are a key sector in OT, and often a key area of concern since, as the name suggests, they’re used to control major industrial processes such as power plants. ICSs are often managed via SCADA (supervisory control and data acquisition) systems, so SCADA cybersecurity is a key focus, as the compromise of the SCADA system allows full control of the industrial process.

This report uses the term OT throughout, as this refers to the full range of cyber–physical systems that should be considered in developing policy approaches to securing critical infrastructure.

Convergence creates risk

IT and OT systems have traditionally been separate but have converged in recent years, as OT devices that monitor and control ‘real-world’ physical systems are increasingly connected to the internet or wider communication networks, in particular in our critical national infrastructure providers.

For example, managers may be provided with a dashboard of the performance of a power plant, allowing operational changes (such as changing load generation) and commercial decisions (such as the execution and pricing of electricity sale contracts) to be made in real time.

Although this brings clear benefits, it also brings new risks. OT systems are no longer isolated and stand-alone, so a cyberattack on the internet-connected combined IT–OT system can have direct physical consequences. When the organisation is part of our critical national infrastructure, such an attack can have a potentially major impact on national security.

Research and survey methodology

This study examined the understanding and management of the risks of IT–OT convergence in critical national infrastructure, particularly the telecommunications, energy, water and transport sectors. These areas are considered the most critical to the security of Australia and are the focus of government legislation. Many of the issues of IT–OT convergence identified here occur in other sectors of the economy and society, although exploring the implications outside of critical infrastructure is beyond the scope of this paper.

This paper drew on desktop research; interviews with key stakeholders in major Australian critical infrastructure providers, generally targeting the senior risk owners, government officials and subject-matter experts; and a survey of a limited sample of critical infrastructure operators (a dozen organisations in the four priority sectors). The survey explored approaches to IT–OT convergence, the level of understanding of the risks, and approaches to managing the risks.

Critical national infrastructure in Australia

In Australia, the federal, state and territory governments have defined critical infrastructure as:

those physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact the social or economic wellbeing of the nation or affect Australia’s ability to conduct national defence and ensure national security.2

Examples include the systems providing food, water, energy, transport, communications and health care.

Critical infrastructure providers in Australia cover a broad range of organisation types—some are government agencies or government-owned corporations, but a large proportion are run by commercial organisations, which may be privately owned companies, public corporations or part of multinational organisations. Government-owned providers may be at the federal, state or local government level, with differing access to resources and security expertise.

The policy for critical infrastructure resilience was launched by then Attorney-General George Brandis in 2015, and is now the responsibility of the Department of Home Affairs. Australian policy sets out two key objectives: to improve the management of reasonably foreseeable risks, and to improve resilience to unforeseen events. Much of our critical infrastructure is owned and operated by commercial organisations and the strategy recognises that, so implementation is intended to be through a broadly non-regulatory business–government partnership.

The Critical Infrastructure Centre was established in January 2017 with a mandate to work across all levels of government and with owners and operators to identify and manage the risks to Australia’s critical infrastructure. It aims to bring together expertise from across the Australian Government to manage complex and evolving national security risks to critical infrastructure from espionage, sabotage and foreign interference. Although other forums, such as the Trusted Information Sharing Network (TISN), look across a broader range of critical infrastructure sectors and threats, budget constraints mean that the Critical Infrastructure Centre has focused on a more limited range of sectors that pose the greatest potential threat to national security if attacked. Therefore, the initial work has focused on understanding potential foreign ownership and control risks, enabled by the Security of Critical Infrastructure Act 2018, which mandates obligations for a range of assets that meet specified thresholds in the electricity, gas, water and ports sectors (currently estimated to number around 165).

In managing broader security risks from potential foreign or domestic actors attacking our critical infrastructure, the Critical Infrastructure Centre also administers the telecommunications sector security reforms, which are based on the Telecommunications and Other Legislation Amendment Act 2017, which came into force on 18 September 2018. The reforms place obligations on providers in the telecommunications sector to ensure the security of their networks and to notify government of changes with potential security impacts, and enable government to obtain information to monitor compliance and to direct providers to do ‘a specified thing that is reasonably necessary to protect networks and facilities from national security risks’.

Cyber–physical convergence

Critical national infrastructure providers are typically significant users of OT in order to automate the services that they provide. They’re under pressure to deliver services more efficiently and at lower cost, due to market competition, technological change, reduced government funding and price regulation.

To achieve this, organisations have sought to automate and integrate more and more of their IT and OT systems. Research for this report showed that, although most organisations hadn’t seen much change in their degree of IT–OT convergence over the past two years, in the next two years they expect a rapid increase in convergence. Most providers interviewed for this report expect a high degree of convergence and extensive two-way connectivity.

Another convergence driver is the proliferation of interconnected devices, often referred to as the ‘industrial internet of things’ (IIoT). This has been helped by the development of open standards, low-powered sensors and electronic controllers, and short-range communication networks.

In the past, an organisation might have had a ‘stovepiped’ system provided by a single vendor communicating using proprietary protocols, with a single gateway into the back-office IT system.

Today, it’s more likely that there will be a range of different vendor systems communicating with each other in a complex mesh network, and the concept of a clear boundary between IT and OT domains is less relevant. A Kaspersky study of 320 worldwide professional OT security decision-makers showed that 53% saw implementing these types of IIoT solutions as one of their top priorities.3

As the volume of data grows due to the exponential increase in connected sensors, the data can be mined to monitor operational performance, scheduling and utilisation, faults and anomalies, compliance and so on. It can, in turn, be used to identify actions to improve effectiveness, often in real time. However, to implement effective machine learning and artificial intelligence algorithms, it is often easiest to connect to today’s public cloud services, which can provide flexible and easy-to-use processing power. This results in a more porous border between corporate IT systems and public networks, and effectively interconnects OT networks with public networks. Although the use of cloud services can bring security opportunities, unless managed appropriately it can bring new vulnerabilities by making formerly separate corporate systems accessible through the wider internet.

Some commentators have noted that getting full value from this sort of data analysis requires close partnership between the users and manufacturers of OT systems. Gartner predicts that, by 2020, 50% of OT service providers will create key partnerships with IT-centric providers for IoT offerings.4 Another report suggests that 95% of organisations using the IoT have some form of partnership with another organisation to implement their IoT solutions, so it’s likely that even for the other 50% of providers many will still have features and services that expect the OT devices to be connected to the internet.5

Communications technologies are also improving: 5G network rollouts by Telstra and Optus are expected to enable better latency and availability for remote applications. This means we’re likely to see more interconnectedness between IT and OT systems not only within organisations but between organisations and supply chains, further increasing complexity and the potential cyberattack surface.

Challenges of OT cybersecurity

The key principles may be similar, but IT cybersecurity is considered much more mature and advanced than OT cybersecurity. This is because IT systems are much more prevalent, the risks are well recognised and there are enough case studies of real-life attacks to ensure focus and understanding of how to address the risks. Historically, OT systems were physically isolated, and cybersecurity was not a priority until the recent convergence trend drove it up the agenda.

There are significant overlaps and similarities, and OT cybersecurity can learn much from IT cybersecurity. Probably 80% of the threats are the same as for IT systems, but it’s with the other 20% where the biggest challenges lie. Some of the key differences are as follows:

  • The risk calculus is different. A successful OT attack can cause major physical damage or even loss of life, which can make a significant difference to the risk appetite.
  • For OT systems, the availability of service is often more important than confidentiality, whereas in IT that priority is often reversed. Shutting down a system to stop an attack might not be an option for an OT system, and even applying updates to fix known vulnerabilities may not always be feasible. Integrity is also more important, given the potential safety-critical impact of changes to data.
  • The operational lifetime of OT systems is typically much longer than that of IT systems. Plant and machinery can last 20–50 years, whereas IT systems may be replaced every 3–5 years. Older systems might not be built to withstand modern threats, and support and security patches might not be available.
  • The threat and attack models are different. Typically, the design of firewalls and security monitoring tools is based on characteristic indicators of IT attacks, meaning that OT attacks could pass through undetected.

The risk and threat environment

A cyberattack on an OT system is not just theoretical—there have already been many publicly reported attacks. As long ago as 2001, a disgruntled subcontractor used remote radio access to release sewage into town water, parks and other areas in Australia.6

More recent examples include suspected nation-state-motivated attacks on Saudi Arabian industry. In 2012, Saudi Aramco, the Saudi national oil company, was hit by a major attack that disabled 35,000 computers, halting all its operations, even though OT systems were not directly attacked.7 In August 2017, attackers breached the safety control systems at a Saudi petrochemical plant, intending to sabotage them and cause an explosion. Fortunately, it appears that a coding error meant they were unsuccessful.8

Other energy companies have also been targeted. In December 2015, a Ukrainian electricity distribution company’s control systems were breached in an attack subsequently attributed to Russia.9 The operator had to switch to manual mode, and approximately 225,000 customers lost power in what was the first publicly acknowledged cyber incident to result in power outages.10

In March 2018, the US Government issued an alert that Russian Government actors were remotely targeting US Government energy, nuclear, water and other critical infrastructure sectors, carrying out reconnaissance as a potential precursor to targeted attacks.11 Interestingly, it appeared to be a multi-stage campaign in which the attackers first targeted small commercial facilities’ networks and then used those systems as a bridge to move into the networks of larger, more critical organisations—an example of exploiting the type of supply-chain connectivity mentioned above.

So far, reported attacks have affected the availability of services, which can still have major impacts on society, but through good design, good fortune, or both, major direct physical impacts have been avoided. However, if the aim of an adversary is to cause significant physical damage and potentially loss of life, it is conceivable that they could compromise the integrity of the systems not only by sabotaging control systems but by modifying monitoring systems to override fail-safe mechanisms and alarms. Fortunately, we haven’t seen any such incidents to date, at least from publicly available information, but the Saudi petrochemical company attack showed this intent, making it a very real possibility that policymakers need to address.

Another class of threat is the potential use of unsecured OT systems as an entry point for penetration of a connected IT system that may otherwise be well protected. Examples of exploitation of unsecured consumer IoT devices have recently been seen; for example, the Mirai botnet ‘weaponised’ devices such as CCTV cameras with default credentials to launch a massive distributed denial-of-service attack.12

The current state of maturity: survey results

At a high level, there’s clear awareness of the threat from IT–OT convergence. The Kaspersky study mentioned above showed that 77% of companies ranked cybersecurity as a major priority, 66% saw targeted attacks as a major concern, and 77% believed that they were likely to be the target of an OT cybersecurity incident.13 Two-thirds saw the advent of the IIoT as bringing even more significant OT security risks.

In all discussions with Australian providers for this report, cyber risks were recognised from board level all the way down through the organisation. While only one organisation of the 12 interviewed had a clear directive on its OT risk appetite, most providers were cautious, stating that their OT risk tolerance was lower than for IT systems, and an assessment of benefits versus risks was made before interconnecting systems. OT cyber risk is reported at least quarterly to the board in two-thirds of the organisations, although it’s normally combined with IT risk rather than reported as a stand-alone item.

It was encouraging that in seven out of 12 cases there was at least one director at board level with some expertise in the area. Over 80% of respondents said they had participated at least occasionally in the sharing of lessons learned and best practice for both IT and OT security across their sector, which perhaps reflects the active engagement of the TISN and other organisations.

However, many organisations clearly felt there was scope to do better. Half said there was room for improvement in their understanding of the degree of convergence in their systems and in ensuring that they had a comprehensive view of the risks and vulnerabilities. Less than half were able to confirm that vulnerability testing of their OT systems was carried out at least annually. Although 11 out of 12 had an approved incident response plan that had been tested within the past 12 months, in a third of cases the OT security incident response plan was considered to be the same as the IT security incident response plan. The different approaches for isolating and recovering from OT attacks, and the focus on availability in OT, mean that recycling the IT response plan for this sort of incident is unlikely to be effective. This probably explains why two-thirds of organisations felt they were only partially prepared or underprepared to respond to a real incident.

An approach for managing the risks—and some of the challenges in doing so

Research for this report suggests several approaches to improve security as a result of IT–OT convergence.

Setting expectations

Effective security starts with leadership. Boards need to provide strong awareness and sponsorship, setting and communicating their risk appetite in a way that drives their approach to IT–OT convergence. Given the lack of board members with specific expertise, the key will be to encourage and enable boards to be more inquisitive—creating a culture in which they can ask questions and explore issues in an open and transparent manner. This shift in board understanding and engagement is what has occurred in recent years with ‘traditional’ cybersecurity.

Critical infrastructure providers have to deal with conflicting pressures, such as maintaining service quality, reducing costs, regulating prices and more. It’s important that government recognises the threats and mandates that providers face to ensure the security of their systems. For government organisations, the recent NSW cyber strategy is a good example that sets a clear mandate for all government agencies to ensure that there are ‘no gaps in cyber security’ related to physical systems.14

A different approach may be needed for commercial providers—not all of them recognise the commercial risk of a security incident and act accordingly, and hence some compulsion and enforcement are probably required. For regulated industries, licence conditions are often used to place clear obligations on providers, although as this is typically done at the state or local level there may be variability across the nation. The telecommunications sector security reform regulations place more specific obligations on telecommunications providers, such as reporting planned changes and potential direction powers; the operation and applicability of this framework should be reviewed to see whether a modified approach would be appropriate for other sectors.

Of course, just mandating or setting a vision is not sufficient; action is needed to see it realised. The right tools need to be made available to enable providers to embed a culture of security throughout the organisation, and the right governance to ensure that this is happening.

Risk identification and management

No single control will eliminate the risk of a cyberattack; hence, given the potentially catastrophic impacts if an incident occurs, providers need to be very clear about their risk appetite as they potentially converge IT and OT. They must build a clear understanding of the various systems—physical systems, networks, software, computers and other devices—and their interdependencies and connectivity. This should allow analysis of potential threat vectors and allow a risk register to be developed and maintained.

Idaho National Lab has proposed a step-by-step approach for mission-critical systems, called ‘consequence-driven, cyber-informed engineering’, to identify the functions whose failure could have catastrophic consequences.15 It proposes that for the ‘crown jewels’ the approach should be to minimise any internet connectivity, and put in analogue monitoring and fail-safes to protect against the risk of failure or sabotage of digital systems. This has already been implemented as a year-long pilot at Florida Power & Light, one of the largest electric utilities in the US. The case for such an approach might not be proven in all cases, but discussion using this sort of framework may help to drive a better definition of risk appetite.

Where the decision is made to converge systems, a ‘defence-in-depth’ approach should be used to reduce the risks. This could include appropriate network segregation, physical security measures, gateways, system and device configurations, user access controls and so on. These need to be backed up by regular monitoring of systems and networks to identify anomalous patterns of behaviour and to investigate them in real time. The costs of defence in depth will clearly need to be factored into decision-making about the efficiency and benefits of specific IT–OT convergence plans.

Given the differences between IT and OT security, the right tools need to be chosen: an IT firewall might not protect an OT network from malicious traffic, and a standard IT security monitoring solution might not detect OT attacks, as the characteristics of hostile activity will be different. Critical infrastructure providers have commented on the lack of mature commercially available solutions to assist with this, although other industry experts consulted suggested the problem may in some areas be overlapping, competing solutions along with unrealistic marketing claims. An appropriate framework would help to assess these claims and identify any gaps in the market where government intervention may be appropriate, whether this is investment to help accelerate development or certifications for products to help buyers assess their efficacy for solving their problems.

Standards and guidance

Standards are always an emotive subject, especially when it comes to security. The right standards can work well in setting a baseline, provided they’re implemented as part of an overall strategy and not as a blind tick-the-box exercise. However, inappropriate standards will at best give a misleading picture and at worst may drive insecure behaviours.

The limited survey conducted for this report asked about some common standards and found that, while the information security standard ISO27001 and the risk management standard ISO31000 were used by 58% and 33% of respondents, respectively, the business continuity standard ISO22301 and the US Department of Energy’s Cybersecurity Capability Maturity Model (ES-C2M2) cyber maturity framework hardly seem to be used at all. However, over 80% were either actively using or considering other OT-specific security standards.

While the research for this report was underway, the Australian Energy Market Operator published the inaugural report into the cyber maturity of energy operators. This was based on self-assessments against a framework developed specifically for this purpose but drawing on a number of international standards as well as Australian Signals Directorate guidance and Australian legislation. The companies voluntarily completed 67 self-assessments, the details of which have not been released, but the conclusion of the report was that the responses ‘identified opportunities to improve cyber security maturity across the sector’.16

Standards should be reviewed on a sector-by-sector basis—for example, using a guiding council of experts in a given sector—in order to identify which standards should be recommended as suitable for organisations to adopt and regularly audit against. 

Education

The general shortage of cybersecurity skills in the workforce has been well documented and discussed,17 but a recurring theme from interviews for this report was an even more acute challenge involving the availability of suitably skilled OT security professionals.

Education will be the key to addressing this gap. This should start with broad user education, as part of building the right culture across an organisation, supplemented by the right policies and processes. This can help avoid some of the most common weaknesses. For example, it’s thought that some of the attacks described above were facilitated by a well-meaning employee inserting an unknown USB stick into a computer to check who it belonged to, and a study by Honeywell18 found that 44% of USB devices present at surveyed industrial facilities had a security issue. Common resources should be created for use in general user education and executive awareness.

The Academic Centres of Cyber Security Excellence program19 should include specific provision for OT security courses to be created, either as stand-alone courses or as part of broader curriculums.

Courses should be available both for those entering the workforce and as ongoing education and professional development for those in the industry. Formal education can be supplemented by other approaches, such as a program of secondments between IT and OT security teams. In any case, while an OT security team needs to be specialised and focused on this area, it will need to work closely with IT security professionals to share expertise and also to identify and stop threats that cross the domains.

Sharing threat information

In cybersecurity, we’re stronger together, and OT security is no exception. Given the relative lack of maturity and the potential risks, it’s vital that there are effective mechanisms for sharing threat information and lessons learned. There seems to be a divide in the availability of sector-specific OT threat intelligence—two-thirds of organisations surveyed for this report received it regularly, but one-third said they received it rarely or not at all. The sharing of OT security information seems to be noticeably less common than for IT security; the reasons cited included resources, contact details and security clearances being focused on IT security.

Several organisations within government can help with building cross-sector threat intelligence information and disseminating it, including the TISN, the Australian Cyber Security Centre and the Business and Government Liaison Unit in the Australian Security Intelligence Organisation. However, there need to be clear leadership and ownership to make this happen, not just by top-down information flow from government but by facilitating sharing between peers in each sector.

This should also be accessible to a broad range of geographically dispersed stakeholders—tier 1 major companies can attend summits in Canberra, but local councils running transport or water companies won’t have the resources for extensive travel. It’s possible that the Critical Infrastructure Centre’s TISN could take on this leadership role, but it would require a significant boost in resources and a change in its operating model to be able to do so.

Incident response readiness

Organisations need to ensure that they have clear response and recovery plans for attacks. The plans need to go beyond theoretical documents that are dusted off and read only when something goes wrong. As noted, there’s room for improvement in testing incident response plans, but organisations need to go one step further with active war-gaming exercises that bring together boards, executives and business continuity teams to work through scenarios, and technical red-team testing that simulates the potential activity of an attacker to test detection and response capabilities.

The Australian Cyber Security Centre runs a national program for the owners and operators of Australia’s critical infrastructure that uses exercises and other readiness activities that target strategic decision-making, operational and technical capabilities, strategic engagement and communications. Additional resources could be provided to ensure that this is extended to cover OT security incident scenarios and is accessible across the spectrum of critical infrastructure providers.

Conclusions and recommendations

Given the potential impact to society and our national security from the accelerating convergence of IT and OT systems, it’s important that this issue is prioritised and managed effectively. Research for this report has shown a general lack of focus, mature understanding and effective solutions. Some of the measures outlined above are already being implemented, but may still need accelerating or boosting, and some are more critical than others. The top three recommendations are as follows:

  1. Boards of critical infrastructure providers need to explicitly set their OT cyber risk tolerance and monitor their organisation’s performance against it. This requires a combination of regulatory mandate and enforcement (building on existing regulatory models, learning from the experience in implementing the telecommunications sector security regulations, and enabling boards to manage risk); for example, through recommended standards and approaches tailored to each sector. Considering ‘worst-case’ outcomes may lead to a list of critical assets that by default should not be connected to external systems unless there are a compelling benefit and robust measures to manage the security risks arising from the connection. The Critical Infrastructure Centre would appear to be best placed to coordinate and drive this across Australia to ensure a common best-practice approach.
  2. Better education and information are needed at all levels to improve the understanding and management of risks, from both a business and a technical point of view. Key areas for action are:
     • General awareness and training. Specialised skills will be in short supply, but boards can be enabled to be curious to ask the right questions to understand and measure the risks and build the right culture, and all users should be educated in threat awareness and basic ‘hygiene’ to remove some of the easy targets for attackers.
     • Specialist courses. The creation and delivery of specific OT security courses should be included in plans for university, TAFE and other institutional programs.
     • Better threat information sharing. Clarity should be provided on the current range of government agencies that can help with threat intelligence sharing, providing clear leadership and ownership of this responsibility for the critical infrastructure sector.
     • Technical information sharing. There appears to be a perception that there’s a lack of appropriate commercial solutions for protecting OT systems, but globally the market can appear crowded. The maturity of commercial solutions specifically to address OT security requirements should be reviewed. This information could be shared with providers and also used to identify whether there’s a gap that may merit government investment to help accelerate the development of the capabilities needed.

     The Australian Cyber Security Centre could lead this activity, aligned with its existing programs of work.

  3. Resources need to be prioritised to ensure that the appropriate organisations are able to implement all of the required actions at the required pace. The longer that action is delayed, the more of a head start malicious actors will have, the more convergence will have taken place without security being at the core, and the greater will be the threat.

Address by author Rajiv Shah at launch event.


Acknowledgements

The author would like to thank Aakriti Bachhawat for her assistance in running the survey, and all those who took the time to respond. Thanks also to those respondents and other government and industry experts who made themselves available for discussions that provided valuable input to this paper.

What is ASPI?

The Australian Strategic Policy Institute was formed in 2001 as an independent, non‑partisan think tank. Its core aim is to provide the Australian Government with fresh ideas on Australia’s defence, security and strategic policy choices. ASPI is responsible for informing the public on a range of strategic issues, generating new thinking for government and harnessing strategic thinking internationally.

ASPI International Cyber Policy Centre

The ASPI International Cyber Policy Centre’s mission is to shape debate, policy and understanding on cyber issues, informed by original research and close consultation with government, business and civil society. It seeks to improve debate, policy and understanding on cyber issues by:

  1. conducting applied, original empirical research
  2. linking government, business and civil society
  3. leading debates and influencing policy in Australia and the Asia–Pacific.

The work of ICPC would be impossible without the financial support of our partners and sponsors across government, industry and civil society. This research was made possible thanks to the generous support of Thales.

© The Australian Strategic Policy Institute Limited 2019

  1. Gartner, Inc., ‘Operational technology (OT)’, IT glossary, no date, online.
  2. Australian Government, Critical Infrastructure Resilience Strategy, 2010, online.
  3. Wolfgang Schwab, Mathieu Poujal, The state of industrial cybersecurity 2018, CXP Group, June 2018, online.
  4. Christy Petty, ‘When IT and operational technology converge’, Smarter with Gartner, 13 January 2017, online.
  5. Gemalto, The state of IoT security, 2018, online.
  6. Michael Crawford, ‘Utility attack led to security overhaul’, Computerworld Australia, 16 February 2006, online.
  7. Jose Pagliery, ‘The inside story of the biggest hack in history’, CNN Money, 5 August 2015, online.
  8. Nicole Perlroth, Clifford Krauss, ‘A cyberattack in Saudi Arabia had a deadly goal. Experts fear another try’, New York Times, 15 March 2018, online.
  9. John Hultquist, ‘Threat research: Sandworm team and the Ukrainian power company attacks’, FireEye, 7 January 2016, online.
  10. Electricity Information Sharing and Analysis Center, Analysis of the cyber attack on the Ukrainian power grid: defense use case, 18 March 2016, online.
  11. US Department of Homeland Security, ‘Alert (TA18‑074A): Russian Government cyber activity targeting energy and other critical infrastructure sectors’, US Government, 16 March 2018, online.
  12. Josh Fruhlinger, ‘The Mirai botnet explained: how teen scammers and CCTV cameras almost brought down the internet’, CSO, 9 March 2018, online.
  13. Schwab & Poujal, The state of industrial cybersecurity 2018.
  14. Digital NSW, NSW Government policy: cyber security policy, NSW Government, February 2019, online.
  15. Office of Scientific and Technical Information, Consequence-driven cyber-informed engineering (CCE), US Department of Energy, 18 October 2018, online.
  16. Australian Energy Market Operator, 2018 summary report into the cyber security preparedness of the national and WA wholesale electricity markets, December 2018, online.
  17. AustCyber, Australia’s cyber security sector competitiveness plan, Australian Cyber Security Growth Network, 2018, online.
  18. Honeywell, Honeywell industrial USB threat report: universal serial bus (USB) threat vector trends and implications for industrial operators, 2019, online.
  19. Department of Education and Training, ACCSE program guidelines, Australian Government, 13 February 2017, online.

Women, peace and security: Defending progress and responding to emerging challenges

This is the third year ASPI has run a series on The Strategist to coincide with International Women’s Day and examine Australia’s approach to women, peace and security (WPS).

The series offered a timely opportunity to assess progress and identify some of the challenges that need further examination as the international community prepares to mark twenty years since the adoption of the first UN Security Council resolution on women, peace and security, and as Australia approaches the release of its second National Action Plan on WPS.

The range of topics and themes canvassed in this year’s collection of articles reminds us that we cannot afford to be complacent. There have been significant challenges to the agenda in high-level multilateral fora over the past year, which risk reversing some of the normative and practical gains that have been made in recent decades. Considering this, several of the contributors note that it is important we not only respond to emerging challenges but also revitalise the agenda moving forward. This Strategic Insights paper subsequently offers insights and recommendations for the Australian government, private sector, civil society and other interested stakeholders to address some of the emerging challenges in women, peace and security.

Last year’s report is available here: Women, peace and security: Addressing the gaps and strengthening implementation.

Australia-China law enforcement cooperation

Australia and China have an extensive and growing economic relationship underpinned by diverse people-to-people connections. China is Australia’s largest two-way trading partner in goods and services (A$195 billion in 2017–18). Chinese investment into Australia’s real estate industry increased by 400% in the five years to 2015, to A$12 billion in 2014–15. Money flows from China into Australia almost doubled between 2011–12 and 2015–16, from A$42 billion to almost A$77 billion. China is Australia’s largest source of overseas students (over 157,000 studied in Australia in 2016) and second largest and highest spending inbound tourism market (with 1.2 million visits in 2016).

This economic relationship is mutually beneficial, but it also creates opportunities for criminals. The large volume of money, goods and people moving between the two countries makes it easier to conceal crimes, such as trafficked drugs or laundered money. Much activity also takes place online, making the cyber realm a major vector for cross-border criminal activity. It’s therefore important that the two governments work together to fight transnational crime where there are links between Australia and China, or where either’s citizens play key facilitator roles.

The Cost of Defence. ASPI Defence Budget Brief 2019-2020

One hundred & five million, eight hundred & fifty-three thousand, five hundred & seventy-three dollars & seventy-seven cents per day.

Executive Summary

Little has changed in the defence funding picture since last year. This year’s budget continues to follow the trajectory of solid real annual increases set out in the 2016 Defence White Paper. The consolidated defence budget (that is, the budget for the Department of Defence and the Australian Signals Directorate) reaches $38.7 billion in 2019–20. Real growth is only 1.3%—the smallest increase under the Coalition government—and the budget has actually decreased slightly as a percentage of GDP (from 1.94% to 1.93%) because GDP has grown faster than the defence budget.

But those figures are a little misleading. Late in the previous financial year, $620 million was moved forward into 2018–19 from 2019–20, making the former a little bigger and the latter a little smaller than planned. If that hadn’t occurred, real growth would have been 4.6% and the budget would have been 1.96% of GDP. Ultimately, it makes no real difference to Defence which year it gets the money—it got it and has already spent it.

The real story is that the government so far has delivered on its White Paper funding commitments. The White Paper presented a 10-year fixed funding line that would not vary as GDP fluctuated up and down. We’re now four years into that decade. Once we take all variations into account (such as adjustments due to foreign exchange rates and supplementation for operations), the $143.2 billion in funding Defence has received over those four years is within 1% of the White Paper funding line. Granted, Defence has had to fit more things into that envelope; it doesn’t seem to have received additional funding to cover its contribution to the Pacific Step-up announced by the government last year, for example. But it’s rare that Defence has had such funding certainty.

The other key issue to note is that the defence budget, at least for planning purposes, has already moved well beyond 2% of GDP. According to the Portfolio Budget Statements (PBS), the budget will hit that milestone in 2020–21, meeting the government’s White Paper commitment. But after that the budget continues to grow, hitting almost 2.2% by the end of the forward estimates. In essence, the White Paper funding line and a 2% of GDP funding line diverge significantly. The difference is substantial, reaching $5 billion a year and totalling over $22 billion for the remainder of the decade after 2020–21. That gap is even bigger if GDP fails to grow at 2¾% or at 3% from 2021-22 as forecast in the budget papers.

During the 2019 election campaign, the government reaffirmed its commitment to restoring the budget to 2% of GDP, but it was silent on whether it was committed to the White Paper funding line. The forward estimates figures in the PBS suggest it is. But if it isn’t, Defence will have a major headache, as any move back towards 2% will entail large reductions and deferrals to planned capability.

Much of the increased funding is planned to flow into capital acquisitions. Indeed, for Defence to have any chance of delivering the significantly larger and more capable—and therefore significantly more expensive—future force outlined in the White Paper, that must happen. On paper, the capital budget grows very strongly, hitting 39% of the total budget by the end of the forward estimates. According to the White Paper’s funding model, it stays there for the rest of the White Paper decade. That would deliver a massive increase in which the capital budget alone reaches $19 billion by the end of the forward estimates and nearly $23 billion by the end of the decade. Since 2013–14, when the Coalition came to power, that’s real growth of 155% and 185%.

Will it happen? Prognostication is a risky art, but there are a few reasons to be cautious about counting chickens. There are some heroic annual leaps built into the capital budget in the forward estimates, for example, of 19% in real terms in 2020–21 and 15.5% in 2021–22. Yet it can be hard to spend money. We noted last year that Defence was underspending against the White Paper’s capital predictions, and that trend has continued. The shortfall now totals over $5 billion since the White Paper, and probably only a third of that at most is due to foreign exchange adjustments.

Despite a rapid increase in capital as a percentage of the total defence budget early in the Coalition’s term, since the White Paper it’s hovered stubbornly around 30%. It is, however, difficult to assess the precise situation as neither the Defence PBS nor the annual report give data on actual achievement in the capital and sustainment programs. Rectifying this information gap should be straightforward and would strengthen transparency.

Moreover, as Defence increases capital spending, it is likely to need to increase sustainment spending in order to use the new equipment as well as personnel spending in order to crew it. We also noted last year that sustainment spending was exceeding predictions by roughly the same amount that capital was underspending. That trend has continued this year.

The rise in operating costs can be seen in the increase in the Chief Information Officer Group’s suppliers budget. This covers much of the cost of running the ICT backbone that allows the networked force to function. It’s an enabler that’s absolutely vital to capability. Since 2008–09, it’s grown by 148% in real terms while the Defence budget has only grown by 36%. It’s not just the cost of capital acquisitions that’s rising much faster than inflation.

The personnel picture also suggests there are some deep challenges in the plan. The White Paper put the ADF on a trajectory from 58,000 personnel to 62,400. That’s only an 8% increase to cover the constantly increasing complexity of the Defence organisation and its component parts. Nevertheless, the ADF hasn’t been able to achieve even the modest White Paper increases. Overall, it’s only increased by 600 actual people against a target of around 1,730 over the period since the White Paper. If increasing capital spending quickly is hard, increasing ADF numbers seems even harder. It looks like that is starting to hurt—HMAS Perth will be up on blocks for two years after its latest upgrade for want of a crew.

In short, there may well be structural factors that will hinder Defence in achieving the capital spending predicted in the PBS and White Paper. Sustaining capital spending at around 40% of the total budget might just not be achievable.

It’s possible that the lack of any updates to the Integrated Investment Plan (IIP) since the White Paper was released in early 2016 is due to Defence and the government grappling with the eternal problem of how to make everything fit the funding envelope. Rather than silence, there needs to be a better conversation between government, Defence, industry and the public. Rather than depicting the IIP as carved in stone, all stakeholders need to regard it as a living organism that evolves in response to and in anticipation of new circumstances and requirements. If there are now major pressures on and in the IIP, then the government has to make some big decisions on how to manage them. 

And in our strategic environment, with our system of government, some transparency and informed public debate would be in order.

The substantial investment the government is making is delivering greatly enhanced capability across all of Defence’s capability streams. Underneath the headlines about heavy investment in locally assembled protected and armoured vehicles, the digitisation of the Army (often referred to as its highest priority) continues, as do enhancements to soldier systems. The delivery of key air capabilities such as P-8A maritime patrol aircraft and trainers is nearing completion. The Air Force still has some way to go to get the Reaper and Triton unmanned aerial systems into service. And Defence is in something of a golden age of infrastructure investment. Also, the upgrades necessary to keep the Anzac-class frigates and Collins-class submarines a relevant capability for many years during the long transition to the future fleet are being delivered.

The other key capability transition from the classic Hornet to the F-35A has entered a critical phase. While the first F-35A aircraft have arrived in Australia and supporting infrastructure has been delivered, the fleet’s flying hours will need to increase nearly sixfold over the next four years to achieve final operating capability. As with every other platform, the increase in capability delivered by the new air combat fleet will come at significantly greater cost, particularly if the F-35A hourly flight cost continues to be twice the classic Hornet’s.

This year in Chapter 5 we provide an update on progress in the Naval Shipbuilding Plan (NSP), which is at the core of the investment program and the government’s Defence Industry Policy. In many regards, the NSP has made great progress. The Arafura-class offshore patrol vessel has started construction on schedule. In the past year, BAE’s Type 26 was selected as the design for the Hunter-class future frigate. Importantly, the revised commercial strategy under which ASC Shipbuilding became a subsidiary of BAE has been implemented, and a head contract for the frigate program has been signed in an astonishingly short time.

In contrast, the Future Submarine Program delivering the Attack-class submarines took nearly three years to sign its head contract, which is the strategic partnering agreement. But it’s done now, and Defence has repeatedly stated that the long negotiations over the agreement haven’t affected schedule.

Progress continues on underpinning programmatic elements of the shipbuilding enterprise. Development of the Osborne South surface shipyard should be completed in time to start prototyping of frigate blocks in 2020. Work has commenced on the submarine yard, though it’s mainly still in the design phase. The development of the necessary workforce was always one of the greatest risks and that hasn’t changed. Nevertheless, several measures to address this risk are underway, including the start of the Naval Shipbuilding College (which in reality has more of a coordination function than an instruction-delivery function) and the release of the Naval shipbuilding strategic workforce discussion paper to inform development of a shipbuilding workforce strategy. While the number of skilled workers required may sound large and some skills in short supply, it’s small compared to both Adelaide’s and Australia’s workforce. This means that the challenge is not insoluble, but also that the supply of shipbuilding workforce will always be exposed to changing demands for workers in the broader economy.

But as the schedule for the future frigates and submarines becomes clearer, we can see that we won’t get the first of the frigates into service until around 2030. All going well, the first submarine won’t be in service until 2034 or 2035, despite a conservative design philosophy based on using only currently mature technologies. Even if they deliver the planned capability, that’s a long time to wait.

Moreover, the annual cash flow for the NSP is ramping up quickly. It passes $2 billion this year even though the two biggest programs (frigates and submarines) don’t start construction for several more years. Last year, we predicted that the annual cash flow for the NSP would reach $3.5–4 billion; that’s looking increasingly certain. We also predicted that Defence will have spent over $20 billion before the first frigate and submarine become operational. That’s looking conservative.

Meanwhile, as we review in Chapter 1, Australia’s strategic circumstances are increasingly uncertain as China’s power grows along with its willingness to use that power outside of the rules-based global order. US military power is increasingly stretched, and that can’t be rectified through greater spending. So far, the government hasn’t signalled any substantial changes either to the military strategy of the White Paper or its force structure, but it’s likely we’ll need to become more self-reliant, at least in some areas of military capability. That probably can’t wait until the 2030s.

The ships being delivered by the NSP will enter an operating environment characterised by proliferating threats, such as cheap anti-ship cruise missiles and potentially hypersonic missiles as well as a more congested undersea domain. While modern warships are designed to defeat a range of threats, this has meant they have become exquisitely expensive, so much so that they can only be acquired in small numbers. The value-for-money calculus doesn’t favour billion-dollar manned platforms that are too valuable to risk losing.

The capability we need in the future could be enabled by another fundamental development reshaping the world: the ‘fourth industrial revolution’ (4IR). The key elements of the 4IR include autonomous systems, artificial intelligence (AI), more accessible space resources, and 3D printing. While these have the potential to ‘democratise’ technology by increasing the threat posed by non-state actors, they could help militaries to break out of the vicious cycle of increasingly complex but increasingly expensive manned platforms.

Chapter 6 suggests ways to hedge in the development of our future naval capability. The key is to devote more resources to autonomous systems. Even the US Navy, the world’s largest, seems to have realised that this is the only viable way to deliver greater mass and is making significant investments in unmanned platforms that will complement manned vessels. The ADF needs to do the same to compensate for its lack of mass, to get new capability sooner, and perhaps most importantly to remove humans from an increasingly lethal battlespace. Moreover, the technologies in fields such as AI can be integrated into legacy platforms to enhance their effectiveness. Australian industry and academia are well placed to contribute to this—perhaps even better placed to do so than to export large finished platforms.

Of course, it will require investment, but it needs to be done. Currently, less than 1% of Defence’s budget goes into its innovation funds. That must be increased, and in a way that connects innovation to the large, well-funded programs in the IIP. But just as important is imagination and a willingness to pursue the disruptive potential of new technologies so they aren’t dismissed out of hand as poor substitutes for traditional platforms.

Chapter 7 briefly considers the way forward after the election. ASPI recently published Agenda for change 2019: strategic choices for the next government, which proposes policy recommendations for the new government in the areas of strategy, defence and security. Rather than duplicate them here, we refer readers to that document. However, there’s no doubt that the world has changed fundamentally since the 2016 White Paper. There’s no point investing billions in military capability if it doesn’t support Australia’s political or military strategy. It’s time for a new Defence White Paper so that the government can assure itself that the strategic triumvirate of ends, ways and means are properly aligned to preserve Australia’s security.

Author Marcus Hellyer discusses key findings of this year’s report with Michael Shoebridge.


Dr Hellyer presents this year’s report at the launch event.


© The Australian Strategic Policy Institute Limited 2019

This publication is subject to copyright. Except as permitted under the Copyright Act 1968, no part of it may in any form or by any means (electronic, mechanical, microcopying, photocopying, recording or otherwise) be reproduced, stored in a retrieval system or transmitted without prior written permission. Enquiries should be addressed to the publishers.

Notwithstanding the above, educational institutions (including schools, independent colleges, universities, and TAFEs) are granted permission to make copies of copyrighted works strictly for educational purposes without explicit permission from ASPI and free of charge.

Hacking democracies

Cataloguing cyber-enabled attacks on elections

Foreword

One of the great hopes for the internet was that it would herald a new era in the democratisation of information. To a large extent, it’s been successful. So successful, in fact, that global platforms, technology diffusion and mobility have brought some unintended consequences by enabling the rapid dissemination of disinformation and fake news.

We live in a time when trust in our democratic and other key institutions has declined, and this is compounded by new capabilities of adversaries seeking to interfere in our elections and to undermine people’s trust in those institutions.

In this policy brief, the writers explore areas where interference has been detected across the world and consider key learnings from those examples in order to develop policy responses for countering each type of interference.

Technology has the power to transform lives by reducing barriers to entry and creating greater equity so that all our citizens can participate in education and the economy. We want to live in a world where friction is removed and technology enhances our experience, where all citizens have access to the internet, and where we can vote electronically in elections. However, our interconnection needs to be safe and trusted, protecting and enhancing our democracies.

This brief starts an important national conversation, generating awareness of the approaches commonly taken by adversaries to spread disinformation, misinformation and fake news. It lays out a series of measures for managing risk, and serves as an educational resource for our citizens on what to keep an eye out for, and how to better distinguish reputable information from disinformation in real time.

Yohan Ramasundara
President, Australian Computer Society

What’s the problem?

Analysis of publicly known examples of cyber-enabled foreign interference in elections reveals key challenges. First, while perceptions of interference are widespread, the actors are few—Russia and China—and the effort is highly targeted. Russia is targeting the US and Europe (with a few forays into South America), while China targets its region (having, for the moment, reached as far as Australia).

Second, the methods used can be hard to pick up and democracies seem poorly equipped to detect intrusions, being traditionally focused on external intelligence collection. Adversaries are able to enter public debates, infiltrate legitimate activist networks and even enter the mainstream media as trusted commentators. Significant activity may be being missed. Finally, while opinion polling shows concerning levels of dissatisfaction with democracy and weakening trust in public institutions, it’s very difficult to assess the impact of election interference on those phenomena. It’s likely to have some impact but be outweighed by larger societal factors.

What’s the solution?

First, the response from democracies should be calibrated to the likely risk and adversary. The US and European states are clear targets of Russia; Indo-Pacific nations are targets of the Chinese Communist Party (CCP).

Second, more effort is needed to detect foreign interference, including offline and non-state efforts. Because democracies have a natural aversion to government surveillance, a better answer than simply stepped-up government monitoring may be supporting non-profit, non-government initiatives and independent media.

Third, effort is needed to develop better ways to measure the impact of foreign interference to allow for a more informed decision on resourcing efforts to counter it. Notwithstanding the lack of current empirical data on impact, opinion polling points to a perception that foreign interference will occur and, in places such as the US, a view by many that the 2016 presidential election was swayed by it (a credible view, given the narrowness of the outcome). Research is needed to measure the effectiveness of different education and awareness efforts to address these concerns.

Fourth, public funding may be needed to better secure political parties and politicians from cyber intrusions. Finally, democracies need to impose costs on the two primary state actors: they should consider joint or regional action to make future or continued interference sufficiently costly to those states that they will no longer pursue it. Legislation may also be needed to make it more difficult for foreign adversaries to operate (being mindful of the differing objectives of the two main actors); this may be a second best for countries that find it too difficult to call out adversaries.

Introduction

In 2016, Russia comprehensively and innovatively interfered in the US presidential election, offering a template for how democracies around the world could be manipulated.1 Since then there have been 194 national-level elections in 124 countries and an additional 31 referendums.2 This report seeks to catalogue examples of foreign interference in those polls and group them into three ‘buckets’:

  • interference targeting voting infrastructure and voter turnout
  • interference in the information environment (to make the scope manageable, we have focused on interference surrounding elections, but it’s apparent that such efforts continue outside election periods as part of longer term efforts to manipulate societies)
  • longer term efforts to erode public trust in governments, political leadership and public institutions.

This research focused on cyber-enabled interference (including, for example, information operations that harness social media and breaches of email and data storage systems), but excluded offline methods (for example, the financing of political parties and the suborning of prominent individuals). 

The yardstick for counting an activity as interference was that proposed by former Prime Minister Malcolm Turnbull, who put it this way when introducing counter-foreign-interference laws in Australia in 2017: ‘we will not tolerate foreign influence activities that are in any way covert, coercive or corrupt. That’s the line that separates legitimate influence from unacceptable interference.’3

A major issue has become the public perception that results may have been swayed, with consequences for the direction of these states’ policies and actions, together with a loss of public trust in democratic institutions and processes.

Multi-country Pew Research Center polling shows that there’s an increasing expectation among global publics that elections will suffer interference: majorities (including 65% of Australians) in 23 of 26 countries surveyed in 2018 said it was very or somewhat likely that a cyberattack would result in their elections being tampered with.4

In some cases, such as the 2016 US presidential election, polling shows that a large proportion of people (39% of US adults) feel that Russian meddling swung the election,5 which is probably the most valuable outcome Russia could have hoped for, given that it’s seeking to undermine confidence in US global leadership and the US public’s faith in the nation’s democratic process.6

Since that election, reports of foreign interference in democratic elections have continued to surface. This suggests a belief among adversary states that interference is serving their interests and that the costs of action are not sufficiently high to deter this behaviour.

Of course, foreign governments interfering in elections is nothing new.7 While the objectives might be similar to those of Cold War style efforts, the means are different. Today, a state such as Russia is able to reach more than a hundred million Americans through a single platform such as Facebook without sending a single operative into US territory.8 Or, as nearly happened in Ukraine, the official election results can be remotely altered to show a candidate who received just 1% of the vote as winning.9

And, significantly, a little effort goes a long way: in 2016, Russian operatives were able to organise two opposing groups to engage in a protest in front of the Islamic Da’wah Centre of Houston for ‘the bargain price of $200’.10 Having a big impact is now much easier, cheaper and less risky. For democratic governments, responding can be extremely difficult. The methods used by adversaries typically exploit treasured democratic principles such as free speech, trust and openness. Detection can be hard both because the methods are difficult to identify and because democracies avoid surveillance of their own domestic populations and debates (outside niche areas such as traditional criminal and terrorist activity). Typically, the bulk of intelligence resources is directed towards external collection, and domestic populations are rightly wary of increased government monitoring.

Democratic governments themselves can be obstacles: if the winning party believes it benefited from the foreign interference or would be delegitimised by admitting its scale, it can even mean the newly elected government will play down or ignore the interference. Tensions in the US in the wake of Russian interference in the 2016 election point to the potential for these sorts of issues to arise.11

Measuring levels of interference and adversaries’ objectives is another challenge. Given the difficulty of detection and the variance in methods employed, it’s hard to compare relative levels of interference across elections. Objectives are also not always straightforward. Most efforts to interfere in elections are not about directly altering the vote count. Instead, many appear aimed at disrupting societies or undermining trust in important institutions. There also appear to be different overarching aims depending on the adversary involved.

Project overview and methodology

This research was generously supported by the Australian Computer Society and stemmed from a series of engagements with policymakers on countering election interference. Desk research and interviews focused on developing a database of cyber-enabled foreign interference in democratic elections. It was informed by a full-day workshop in London involving several electoral commissioner equivalents from around the world as well as the President of the Australian Computer Society. A key focus of the workshop was the development of a framework for mapping election interference with a view to improving the policy response.

The start date for the research was the 2016 US presidential election and the end date was April 2019. During that period, this research identified 194 national-level elections in 124 countries and an additional 31 referendums.

Using Freedom House’s Freedom in the world report,12 of the 124 states that have held national elections since November 2016, 53 are considered ‘free’, 45 ‘partly free’ and 26 ‘not free’. Given the focus of this report on democracies, we limited the research scope to the 97 countries that held elections and that were deemed free or partly free.

As noted above, examples of foreign interference were grouped into three buckets. This builds on and expands a framework in the International Cyber Policy Centre’s Securing democracy in the Digital Age report.13

Categorising incidents was an inexact science. Often there was a lack of publicly available information about the case (many media reports described ‘hacks’ without elaborating), or it might easily straddle more than one category. Consider the intrusion into Australia’s parliament and three political parties reported by Prime Minister Scott Morrison on 18 February 2019,14 suspected to have been carried out by Chinese state-sponsored actors. The intent behind this incident is still unclear.

Was it solely espionage or an act of foreign interference?15 The sophisticated state actor has not seemed to use any material obtained to interfere in the current election. That may be because of the discovery of the intrusions, or because the information obtained is being used for a different purpose (as suggested by ASPI’s Michael Shoebridge16). For the purposes of this report, it was classified as ‘long-term erosion of public trust’, given that the public reporting highlighted inadequate security among core Australian institutions.

This report captures examples of interference that were executed (for example, Russian online disinformation campaigns that ran on social media during the 2016 US presidential election) and those that were discovered but not executed (such as Russians’ accessing of US voter rolls during that election without manipulating or using them).
 

Findings

Of the 97 national elections in free or partly free countries reviewed for this report during the period from 8 November 2016 to 30 April 2019, a fifth (20 countries) showed clear examples of foreign interference, and several countries had multiple examples (see the appendix to this report).17 It’s worth noting that confidence in attributions to foreign actors varied widely. In ideal circumstances, a government source made the attribution, but often the attribution was more informal. Our intention was not to provide an exhaustive list of every alleged case of foreign interference but instead to capture the spread of states experiencing the phenomenon and illustrative examples of different methods. Details on all examples identified through this research are set out in the appendix.

Country analysis

Of the 97 elections and 31 referendums reviewed, foreign interference was identified in 20 countries: Australia, Brazil, Colombia, the Czech Republic, Finland, France, Germany, Indonesia, Israel, Italy, Malta, Montenegro, the Netherlands, North Macedonia, Norway, Singapore, Spain, Taiwan, Ukraine and the US.

Of those 20 states, 14 were deemed ‘free’ and 6 ‘partly free’. Just over half (12 of 20) of the states were in Europe, which is unsurprising given Russia’s leading role in this area (Table 1).

Table 1: Regional spread (alleged actor)

Table 1 shows the strong geographical link between the target and actor. With the exception of one anomalous case involving the UK (which was alleged to have supported a Yes campaign in a Montenegrin referendum), Russia was the only state interfering in European elections. Similarly, in the Indo-Pacific, China was the only actor (except for Indonesia, where Russia was also involved). Iran’s interference in Israel has a clear connection to its adversarial relationship. In the Americas, there’s more diversity among the actors, but Russia remains the dominant player.

China’s versus Russia’s motivations

Russia’s and China’s interference reflect different national approaches. For Russia, a key objective is to erode public trust in democracies and to undermine the idea that democracy is a superior system.18 This might be driven by President Putin’s personal drive to make the West ‘pay’ for its destruction of the Soviet bloc and by the desire to mount a case inside Russia that democracies are flawed and therefore not a model that Russians should aspire to. As a consequence, Russian interference is inherently destructive to democratic systems, even at the same time as Moscow may seek to promote a party or a candidate thought to be more sympathetic to its interests.19

Chinese interference seems more strategically focused on ensuring that its interests are promoted across all party lines. Unlike the Russian stance, one party’s interests don’t appear to be favoured at the expense of others (with the exception, perhaps, of Taiwan20). Instead, all consequential parties are in its crosshairs with a view to making them more sensitive to core CCP interests. China also seems to pursue a broader front of influencing activities (many of which aren’t captured by this report’s focus on cyber-enabled methods), which can include financial donations,21 aligning the policy interests and public comments of party figures to CCP political goals and suborning prominent individuals to advocate for Beijing’s interests. China doesn’t seem to be as openly intent on doing damage to the credibility of foreign political systems so much as aligning those systems to its strategic objectives.22

Methods

A review of the dataset reveals considerable repetition in methods. There are multiple examples of social media platforms being exploited to reach target populations, often used in concert with state-sponsored media outlets. There is, however, considerable variation in the way social media are exploited. This ranges from organising rallies and amplifying the voices of favoured groups to suppressing voter turnout and exacerbating existing divisions.23 There are also several examples of system breaches, again to pursue different ends, including stealing and leaking emails and accessing voter rolls.

Given the lack of detail in many media reports on foreign interference, it’s difficult to provide a list of the most common methods. Frequency of use also does not translate into impact. For example, the breach of one person’s email account (such as the account of Hillary Clinton’s campaign chair, John Podesta) can have much greater impact than any single social media post or perhaps all of them.

Types of interference

This section examines our three defined buckets of interference.

Targeting of voting infrastructure and voter turnout

Direct tampering with election results is perhaps the most affronting form of foreign interference because it most directly overturns the will of the people. 

Ukraine has long been one of the main targets of Russian election interference efforts and has also suffered the most egregious effort to alter the technical results of an election. As Mark Clayton reported back in 2014 (a date outside the scope of the mapping period covered by this report):

Only 40 minutes before election results were to go live on television at 8 p.m., Sunday, May 25, a team of government cyber experts removed a ‘virus’ covertly installed on Central Election Commission computers, Ukrainian security officials said later.

If it had not been discovered and removed, the malicious software would have portrayed ultra-nationalist Right Sector party leader Dmytro Yarosh as the winner with 37 percent of the vote (instead of the 1 percent he actually received) and Petro Poroshenko (the actually [sic] winner with a majority of the vote) with just 29 percent, Ukraine officials told reporters the next morning.24

There are multiple means by which adversary states could interfere with the technical results of elections. Various methods could be used to prevent citizens from being able to vote (for example, by rendering electronic voting booths unusable or corrupting the voter roll so eligible voters are removed and turned away from voting booths25) or reducing the turnout of certain voter groups with known dominant voting behaviours (for example, via online campaigns that encourage a boycott26 or targeted misinformation that has the effect of deterring certain voter groups27).

The result itself could be altered via various means: electronic voting booths could be maliciously programmed to record a vote for Candidate A as a vote for Candidate B instead; the transmission of votes tallied at individual voting booths could be intercepted and altered, affecting the final tally; votes in the central tally room or system could be altered remotely; or, as was attempted in Ukraine, the release of the vote outcome could be tampered with (a tactic unlikely to go unnoticed, but likely to cast doubt among some about the integrity of the poll and of the national electoral system).

Research for this report identified six countries that had experienced interference targeted at voting infrastructure and voter turnout: Colombia, Finland, Indonesia, North Macedonia, Ukraine and the US (Table 2).

Table 2: Targeting of voting infrastructure and voter turnout

Examples included the targeting of voter registration rolls in Colombia,28 Indonesia29 and 21 US states,30 a denial of service (DoS) attack on a Finnish web service used to publish vote tallies,31 a distributed denial of service (DDoS) attack on Ukraine’s Central Election Commission,32 and the use of social media to suppress voter turnout in North Macedonia33 and in the US.34 In the US, an Oxford University report noted that Russian operatives tried to suppress the vote of African-Americans by pushing the narrative that ‘the best way to advance the cause of the African American community was to boycott the election and focus on other issues instead’.35 While it’s difficult to determine the effect of the disinformation campaign by Russia’s Internet Research Agency, the Pew Research Centre reported that the voter turnout of African-Americans fell in 2016 (see appendix, page 19).36

The attackers identified in public reports (sometimes speculatively) were Russia (in one instance, combined with Venezuela) and China. Russia was by far the dominant actor. 

Interference in the information environment around elections

It’s difficult to detect foreign interference during elections with high confidence in a timely manner.

Consider this example from Bret Schafer, which fooled multiple media outlets:

Have you met Luisa Haynes? She was a prolific force in the #BlackLivesMatter community on Twitter. In just over a year, she amassed more than 50,000 followers; and her outspoken, viral takes on everything from Beyoncé to police brutality earned her hundreds of thousands of retweets and media coverage in more than two dozen prominent news outlets.

She was, on the surface, a symbol of a new generation of Black activists: young, female, and digitally savvy—except—she was fake.37

At the International Cyber Policy Centre, journalists periodically approach us about websites and social media accounts they suspect are run by foreign agents or trolls. Mostly, investigations lead to dead ends, or to apparently real people who are hard to definitively classify as foreign trolls rather than colourful citizens.

Now that the traditional media have lost their old gatekeeper role and control over the information environment, it’s far easier for foreign adversaries to inject themselves into national debates and much harder to trust what you’re reading and seeing. When Australians were asked in 2018 ‘Do you feel like the news you read or watch gives you balanced and neutral information?’, 54% said ‘never’ or ‘rarely’. There were similar results in democracies around the world.38 In historical terms, in the US the proportion of people reporting ‘a great deal’ and ‘quite a lot’ of confidence in newspapers has dropped from a high of 39% in 1990 to 23% in 2018.39

While avenues for altering the technical results of elections are limited, opportunities to manipulate the information environment are limited only by creativity. Methods might include amplifying a party’s existing narrative using social media accounts that have assiduously built up followers over lengthy periods,40 or creating and spreading disinformation to undermine a candidate (for example, the state-owned Russian news agency Sputnik calling French presidential candidate Emmanuel Macron an agent of ‘the big American banking system’).41 It might involve infiltrating genuine activist groups and attempting to increase polarisation,42 or it could involve the creation of fake personas who provide inflammatory commentary on divisive issues, as with Luisa Haynes. Often such campaigns seek to prey on and exacerbate existing social cleavages with a view to exploiting them to manipulate the information environment in the desired direction.

While the impact of this manipulation isn’t as direct as interfering with key election infrastructure, its ease and cheapness, combined with the difficulty of timely detection, make it a preferred method. Foreign interference in the information environment was identified in 10 states: France, Israel, Italy, Malta, the Netherlands, North Macedonia, Spain, Taiwan, Ukraine and the US (Table 3).

Table 3: Interference in the information environment

Examples included information disruption campaigns targeting French presidential candidate Emmanuel Macron (such as the theft and release of 21,000 emails just before the final vote in the election—a technique likely to be of enduring utility for adversaries)43 and the spreading of disinformation by Russian media outlets Russia Today (RT) and Sputnik in Catalonia44 and Italy with headlines like ‘Migrant chaos, the beginning of a social war’45 or claiming in the Macedonian referendum that, depending on who won, Google would remove Macedonian from its list of recognised languages.46 Chinese-backed disinformation campaigns targeting Taiwan were reported as using zombie accounts and China’s so-called ‘50 Cent Army’ of online trolls and commentators to amplify the dissemination of disinformation.47 In Ukraine, Russia sought to buy or rent Ukrainian Facebook accounts to disseminate disinformation.48 There was also an unusual case of the UK’s Foreign and Commonwealth Office being accused of funding British PR agency Stratagem International to help the Macedonian Government with its ‘Yes’ campaign on the changing of the country’s name, thereby opening up the opportunity for Macedonia to join the EU and NATO.49

Research identified four alleged actors: Russia (the most dominant by far), China, Iran and the UK.

Long-term erosion of public trust in public institutions

Perhaps the most pernicious aspect of foreign interference is the longer term corrosion of public trust in the institutions that underpin democracy.

For example, the Center for Strategic and International Studies’ Defending Democratic Institutions Project has looked at Russian efforts to weaken trust in the rule of law as administered by the justice systems in both the US and Europe.50 In Australia, China is alleged to have attacked the Australian Parliament in 2011 and 2019, as well as three political parties in 2019.51 And in several countries attacks on electoral commissions responsible for impartially conducting elections have been reported.52

If foreign adversaries can destroy trust in these pillar institutions and related organs of democracy, democracy quickly unwinds.

Making this phenomenon even harder to confront, it’s often not immediately clear whether a campaign is being run by a nation-state or by conspiracy-oriented individuals. During the Brexit vote in the UK, what appeared to be a conspiracy theory (that had first surfaced during the 2014 Scottish referendum) spread online, urging voters to use pens, not pencils, to complete their ballot papers.53

The not-so-subtle inference was that government officials were rubbing out ballots completed in pencil and changing people’s votes (figures 1 and 2).

Figure 1: ‘I voted in pencil’

Source: Professor Brian Cox, Twitter, 23 June 2016.

Figure 2: ‘Use pens plea’

Source: BBC News, 22 June 2016.

It’s difficult to know how damaging these sorts of campaigns are for public trust in critical democratic institutions or whether they’re state-backed. What’s apparent is that polling has picked up distrust in key electoral institutions. The Australian voter experience report revealed that just 42% of Australians have a great deal of confidence in the Australian Electoral Commission’s ability to conduct an election, while a further 43% have ‘some’ confidence.54 In the UK, just 21% reported that they were ‘very confident’ and 48% said they were ‘fairly confident’ that the 2015 election was well run.55 While electoral commissions are generally off voters’ radars, trust in democracy collapses if people lose trust in those organisations’ ability to conduct elections impartially.

More significantly, there’s also been a dramatic drop in levels of satisfaction with democracy in Australia. Although once again it’s hard to track a causal relationship, it seems likely that democracies experiencing rising dissatisfaction with democracy would be more vulnerable to interference. The Australian voter experience report noted that just 55% of Australians “are satisfied with the way democracy works in their country nowadays. This places Australia on the lower end of established democracies, which typically have rates of satisfaction that exceed two-thirds. Historical data indicates that there’s been a dramatic fall in satisfaction. Data from the Australian Election Study in 2007 indicated that 86% reported being satisfied with democracy, falling to 72% in 2013”.56 Surveys such as the Lowy Institute Poll have tracked this dissatisfaction with democracy and speculated about its causes, but with no definitive answers.57

The Democracy Perceptions Index 2018 hints at the growing levels of public distrust in democracies around the world. It found that 64% of the public in ‘free’ countries (as defined by Freedom House) said their government ‘never’ or ‘rarely’ acts in their interest, compared to 41% in ‘not free’ countries. In Australia, a third of Australian adults say the government ‘mostly’, ‘often’ or ‘sometimes’ acts in their interest (67% say it does so ‘never’ or ‘rarely’).58 While this is a large proportion of the population, it hasn’t yet resulted in French-style yellow vest protestors.59

In Australia and elsewhere, it’s highly unlikely that this dissatisfaction is driven entirely by foreign interference. Anxiety about large economic and social changes brought about by globalisation and technological development could all be in play.60 Longitudinal Gallup surveys have also picked up a long downwards trend in average trust in public institutions (Figure 3).61

Figure 3: Americans’ average confidence in public institutions over time

Quantifying examples of the long-term erosion of public trust is perhaps the trickiest of tasks, as in many cases more immediate efforts to shape public opinion (such as spreading disinformation) also have the longer term impact of eroding public trust in the media and other institutions. Efforts to erode public trust also typically exploit existing societal cleavages,62 making detection difficult and any additional impact from interference on pre-existing divisions hard to measure. However, for the purposes of this research, 10 states were identified as having experienced efforts to create long-term erosion of public trust: Australia, Brazil, the Czech Republic, Germany, Montenegro, Norway, the Netherlands, Singapore, Ukraine and the US (Table 4).

Table 4: Long-term erosion of public trust

Examples have included the use of social media bots in Brazil to question the democratic model,63 amplification by Russia using Twitter bots of far-right Alternative für Deutschland’s warnings about election fraud,64 and systematic efforts by Russia to weaken ‘faith in the rule of law as administrated by the justice system’ in the US through the use of disinformation and the exploitation of ‘legitimate criticisms of the justice system’.65

The two identified actors in this category were Russia and China.

Limitations

There are several notable limitations to this research.

First, we focused on states and therefore missed private actors that are distorting democratic debates in similar ways. For example, there have been several cases of the commercialisation of Russian-like disinformation campaigns. Consider the group in the Balkans that built up popular Facebook pages with titles such as ‘Australians against Sharia’ and ‘Aussie infidels’ that targeted Australians to generate ad revenue.66 Future research could usefully explore the impact that these groups are having and how to counter them.

Second, our focus was on public cases, which perhaps tends to favour the identification of Russian efforts, given Moscow’s more overt and detectable methods and the media’s growing familiarity with its approach. Parallel research on CCP methods that the International Cyber Policy Centre is preparing suggests that Beijing often uses techniques that are harder to detect and longer term and so may be underreported. A broader methodology is probably needed to capture difficult-to-spot influence activities such as subverting policy positions and decision-making as well as long-term campaigns to cultivate supportive political figures and voices and silence, pressure or sideline critics.67

Third, the focus on foreign state actors has, of course, excluded domestic efforts to harness these same techniques, for example by political parties and local activists that may also be contributing to voter dissatisfaction with democracy and trust in institutions.

Fourth, there has been a tendency to favour English-language sources.

Finally, the increasing ability to micro-target voters and the difficulty of detecting many of the types of interference reported here mean that many examples could be being missed in the online information arena. Consider the case of a Russian-operated fake Black Lives Matter Facebook page that was only reported as suspicious because it used the phrase ‘Don’t shoot’—an expression that genuine activists had stopped using.68 The shift by major platforms such as Facebook to move from public broadcasting to private messaging will only accentuate this challenge.69

Findings and recommendations

The motivation behind this research is that, by better understanding the methods being used and the targets of high-activity adversary states, democracies will be able to better assess their existing response and mitigation capabilities and adjust as necessary.

We make the following recommendations.

1. Targets are limited: respond accordingly

Despite the enormous amount of media coverage that’s been devoted to state-backed election interference, the phenomenon isn’t universal. From public accounts, there are two primary actors and they focus judiciously on states that matter to them. Democracies should calibrate their policy responses to the likely risk, methods and adversary. The US and European states are clear targets of the Russian Government; Indo-Pacific nations are targets of the CCP.

2. Build up detection capabilities

More effort is needed to detect foreign interference, including offline and non-state efforts (such as by for-profit groups that misuse social media platforms to stir up hate). Because democracies have a natural aversion to government surveillance, a better answer than simply stepped-up government monitoring may be supporting non-profit, non-government initiatives and independent media. These groups can more credibly monitor for interference and more easily engage at the community level. In smaller states, where local media outlets are disappearing, government subsidies may be needed to ensure sufficient scrutiny of local and state political groups (which are often feeder groups for national politics).

3. Fund research to measure impact and measure the effectiveness of education campaigns to address public concerns

Governments should fund research to develop better ways to measure the impact of foreign interference to allow for a more informed decision on resourcing efforts to counter it. Notwithstanding the lack of current empirical data on impact, opinion polling points to a perception that foreign interference will occur, and in places such as the US to widely held views that elections have been swayed. Various efforts have been made to respond, including fact-checking services,70 opening up social media data streams to election-oriented academic research,71 and legislation to counter fake news.72 Research is needed to understand which efforts are most effective, after which those tougher measures should be twinned with public awareness campaigns to address these concerns.

4. Publicly fund the defence of political parties

Political parties and politicians are clear targets of foreign adversaries. With their shoestring budgets and the requirement to scale up dramatically during election campaigns, they’re no match for the resources of sophisticated state actors. Politicians are also vulnerable, including through the use of their personal devices. There’s a strong public interest in preventing foreign states from being able to exploit breaches of both parties and individual politicians to undermine domestic political processes. Democratic governments should consider public funding to better protect all major political parties and to step up cybersecurity support to politicians.

5. Impose costs 

Democracies need to look at better ways of imposing costs on adversaries. Because of spikes in interference activity around elections, they can be prone to being picked off or to discounting interference if the party that won benefited from it. Democracies should consider concerted joint global or regional action that looks beyond their own particular cases as well as more traditional approaches such as retaliatory sanctions. Legislation may also be needed to make it more difficult for foreign adversaries to operate (being mindful of the differing objectives of the two main actors)—this may be a second best for countries that find it too difficult to call out adversaries. 

6. Look beyond the digital

Russian interference is detectable, if not immediately, then often after the event. This has generated a natural focus on Moscow’s methods and activities. However, there are many more subtle ways to interfere in democracies. Research like this that focuses on digital attack mechanisms also misses more traditional and potentially more corrosive tactics, such as the provision of funding to political parties by foreign states and their proxies and the long-term cultivation of political influence by foreign state actors. Australia has recently passed legislation to counter more subtle forms of foreign interference73 that were starting to be detected.74 States, particularly those in the Indo-Pacific, should be attuned to these types of interference and make preparations to prevent, counter and expose them.

7. Look beyond states

Troubling public perceptions of democracy are unlikely to be explained by foreign interference alone. Foreign interference may, however, magnify or exploit underlying sources of tension and grievance in particular societies. A thorough response by government and civil society needs to consider a wider set of issues and threat actors, including trolls working for profit, and the health of the political and media environment (including by ensuring that local and regional media remain viable or are adequately funded).
 

Appendix

Examples of foreign interference (November 2016 to April 2019)

Sources for all examples can be found in Table 5 of the accompanying report.


ASPI International Cyber Policy Centre

The ASPI International Cyber Policy Centre’s mission is to shape debate, policy and understanding on cyber issues, informed by original research and close consultation with government, business and civil society.
It seeks to improve debate, policy and understanding on cyber issues by:

  1. conducting applied, original empirical research
  2. linking government, business and civil society
  3. leading debates and influencing policy in Australia and the Asia–Pacific.

The work of ICPC would be impossible without the financial support of our partners and sponsors across government, industry and civil society. This research was made possible thanks to the generous support of the Australian Computer Society (ACS).

Important disclaimer

This publication is designed to provide accurate and authoritative information in relation to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering any form of professional or other advice or services. No person should rely on the contents of this publication without first obtaining advice from a qualified professional.

© The Australian Strategic Policy Institute Limited 2019

This publication is subject to copyright. Except as permitted under the Copyright Act 1968, no part of it may in any form or by any means (electronic, mechanical, microcopying, photocopying, recording or otherwise) be reproduced, stored in a retrieval system or transmitted without prior written permission. Enquiries should be addressed to the publishers. Notwithstanding the above, educational institutions (including schools, independent colleges, universities and TAFEs) are granted permission to make copies of copyrighted works strictly for educational purposes without explicit permission from ASPI and free of charge.

  1. This has been comprehensively documented; see, for example, Office of the Director of National Intelligence (ODNI), Background to ‘Assessing Russian activities and intentions in recent US elections’: the analytic process and cyber incident attribution, US Government, 6 January 2017, online; PN Howard, B Ganesh, D Liotsiou, J Kelly, The IRA, social media and political polarization in the United States, 2012–2018, Computational Propaganda Research Project, Oxford University, 2018, online.
  2. ElectionGuide: democracy assistance and elections news, online.
  3. Malcolm Turnbull, ‘Speech introducing the National Security Legislation Amendment (Espionage and Foreign Interference) Bill 2017’, 7 December 2017, online.
  4. Jacob Poushter, Janell Fetterolf, International publics brace for cyberattacks on elections, infrastructure, national security, Pew Research Center, 9 January 2019, online.
  5. ‘Americans’ views on Russia, the 2016 election, and US–Russian relations (trends)’, news release, Gallup, August 2018, online.
  6. Matthew Cole, Richard Esposito, Sam Biddle, Ryan Grim, ‘Top-secret NSA report details Russian hacking effort days before 2016 election’, The Intercept, 6 June 2017, online; Zeynep Tufekci, ‘The election has already been hacked’, New York Times, 3 November 2018, online.
  7. Ishaan Tharoor, ‘The long history of the US interfering with elections elsewhere’, Washington Post, 13 October 2016, online.
  8. ‘As many as 146 million people on Facebook may have received information from Russian agency, Zuckerberg says’, PBS News Hour, 9 April 2018, online.
  9. Mark Clayton, ‘Ukraine election narrowly avoided “wanton destruction” from hackers’, Christian Science Monitor, 17 June 2014, online.
  10. Claire Allbright, ‘A Russian Facebook page organized a protest in Texas. A different Russian page launched the counterprotest’, Texas Tribune, 1 November 2017, online.
  11. Karen Yourish, Troy Griggs, ‘8 US intelligence groups blame Russia for meddling, but Trump keeps clouding the picture’, New York Times, 2 August 2018, online.

Mapping China’s Tech Giants

This report accompanies the Mapping China’s Tech Giants website.

This is our first report on the topic – updated reports are also available.

Executive summary

Chinese technology companies are becoming increasingly important and dynamic actors on the world stage. They’re making important contributions in a range of areas, from cutting-edge research to connectivity for developing countries, but their growing influence also brings a range of strategic considerations. The close relationship between these companies and the Chinese Communist Party (CCP) raises concerns about whether they may be being used to further the CCP’s strategic and geopolitical interests.

The CCP has made no secret about its intentions to export its vision for the global internet. Officials from the Cyber Administration of China have written about the need to develop controls so that ‘the party’s ideas always become the strongest voice in cyberspace.’1 This includes enhancing the ‘global influence of internet companies like Alibaba, Tencent, Baidu [and] Huawei’ and striving ‘to push China’s proposition of internet governance toward becoming an international consensus’.

Given the explicitly stated goals of the CCP, and given that China’s internet and technology companies have been reported to have the highest proportion of internal CCP party committees within the business sector,2 it’s clear these companies are not purely commercial actors.

ASPI’s International Cyber Policy Centre has created a public database to map the global expansion of 12 key Chinese technology companies. The aim is to promote a more informed debate about the growth of China’s tech giants and to highlight areas where this expansion is leading to political and geostrategic dilemmas. It’s a tool for journalists, researchers, policymakers and others to use to understand the enormous scale and complexity of China’s tech companies’ global reach.

The dataset is inevitably incomplete, and we invite interested users to help make it more comprehensive by submitting new data through the online platform.

Our research maps and tracks:

  • 17,000+ data points that have helped to geo-locate 1700+ points of overseas presence for these 12 companies;
  • 404 university and research partnerships including 195+ Huawei Seeds for the Future university partnerships;
  • 75 ‘Smart City’ or ‘Public Security Solution’ projects, most of which are in Europe, South America and Africa;
  • 52 5G initiatives, across 34 countries;
  • 119 R&D labs, the greatest concentration of which are in Europe;
  • 56 undersea cables, 31 leased cables and 17 terrestrial cables;
  • 202 data centres and 305 telecommunications & ICT projects spread across the world.

Introduction

China’s technology, internet and telecommunications companies are among the world’s largest and most innovative. They’re highly competitive, and many are leaders in research and development.

They’ve played a central role in bringing the benefits of modern technology to hundreds of millions of people, particularly in the developing world.

As a function of their increasingly global scale and scope, China’s tech giants can exert increasing levels of influence over industries and governments around the world. The close relationship between Chinese companies and the Chinese Communist Party (CCP) means that the expansion of China’s tech giants is about more than commerce.

A key research question is: what are the geostrategic, political and human rights implications of this expansion? By mapping the global expansion of 12 of China’s largest and most influential technology companies, across a range of sectors, this project contributes new data and analysis to help answer such questions.

All Chinese companies are subject to China’s increasingly stringent security, intelligence, counter-espionage and cybersecurity laws.3 That includes, for example, requirements in the CCP constitution4 for any enterprise with three or more full party members to host internal party committees, a clause in the Company Law5 that requires companies to provide for party activity to take place, and a requirement in the National Intelligence Law to cooperate in and conceal involvement in intelligence work.6

Several of the companies included in this research are also directly complicit in human rights abuses in China, including the reported detention of up to 1.5 million Uyghur Muslims in Xinjiang.7 From communications monitoring to facial recognition that enables precise and pervasive surveillance, advanced technology – from these and other companies – is crucial to the increasingly inescapable surveillance net that the CCP has created for some Chinese citizens.

Every year since 2015, China has ranked last in the annual Freedom on the Net Index.8 The CCP has made no secret of its desire to export its concepts of internet and information ‘sovereignty’,9 as well as cyber censorship,10 around the world.11 Consistent with that directive, this research shows that Chinese companies are playing a role in aiding surveillance and providing sophisticated public security technologies and expertise to authoritarian regimes and developing countries that face challenges to their political stability, governance and rule of law.

In conducting this research, ASPI’s International Cyber Policy Centre (ICPC) has used open-source information in English and Chinese to track the international operations and investments of 12 major Chinese technology companies: Huawei, ZTE, Tencent, Baidu, China Electronics Technology Group Corporation (CETC), Alibaba, China Mobile, China Telecom, China Unicom, Wuxi, Hikvision and BGI.

This research has been compiled in an online database that ICPC is making freely accessible to the public. While it contains more than 1,700 projects and more than 17,000 data points, it’s not exhaustive. We welcome and encourage members of the public to help us make this dataset more complete by submitting data via the website.

The database

Throughout 2018, ICPC received frequent questions from media and stakeholders about the international activities of Chinese technology companies; for example, about Huawei’s operations in particular regions or how widespread the use of Baidu or WeChat is outside of China.

These were always difficult questions to answer, as there’s a lack of publicly available quantitative and qualitative data, and some of these companies disclose little in the way of policies that affect data, security, privacy, freedom of expression and censorship. What information is available is spread across a wide range of sources and hasn’t been compiled. In-depth analysis of the available sources also requires Chinese-language capabilities, an understanding of Chinese state financing structures, and the use of internet archiving services as web pages are moved, altered or even deleted.

A further impediment to transparency is that Chinese media are under increasing control from the CCP and publish few investigative reports, which severely limits the available pool of media sources. The global expansion and influence of US internet companies, particularly Facebook, for example, has rightly received substantial attention and scrutiny over the past few years. Much of that scrutiny has come from, and will continue to come from, independent media, academia and civil society.

However, the same scrutiny is often lacking when it comes to Chinese tech and social media companies. The sheer capacity of China’s giant tech companies, their reach and influence, and the unique party-state environment that shapes, limits and drives their global behaviour set them apart from other large technology companies expanding around the world.

This project seeks to:

  1. Analyse the global expansion of a key sample of China’s tech giants by mapping their major points of overseas presence.
  2. Provide the public with an analysis of the governance structures and party-state politics from which those companies have emerged and with which they’re deeply entwined.

The data and map are available here: https://chinatechmap.aspi.org.au/

Methodology

To fill this research gap, ICPC sought to create an interactive global database to provide policymakers, academics, journalists, government officials and other interested readers with a more holistic picture of the increasingly global reach of China’s tech giants.

A complete mapping of all Chinese technology companies globally would be impossible within the confines of our research. ICPC has therefore selected 12 companies from across China’s telecommunications, technology, internet and biotech sectors:

  • Alibaba
  • Baidu
  • BGI
  • China Electronics Technology Group (CETC)
  • China Mobile
  • China Telecom
  • China Unicom
  • Hikvision (a subsidiary of CETC)
  • Huawei
  • Tencent
  • Wuxi
  • ZTE

This dataset will continue to be updated during 2019. This research relied on open-source information in English and Chinese. This has included company websites, corporate information, tenders, media reporting, databases and other public sources.

The size and complexity of these companies, and the speed at which they’re expanding, means this dataset will inevitably be incomplete. For that reason, we encourage researchers, journalists, experts and members of the public to contribute and submit data via the online platform in order to help make the dataset more complete over time.

China’s tech firms & the CCP

The CCP’s influence and reach into private companies has increased sharply over the past decade.

In 2006, 178,000 party committees had been established in private firms.12 By 2016, that number had increased sevenfold to approximately 1.3 million.13 Today, whether the companies, their leadership, and their employees like it or not, the CCP is present in private and public enterprise. Often the activity of party committees and party-building activity is linked to the CCP’s version of the concept of ‘corporate social responsibility’14—a concept that the party has explicitly politicised. For instance, in the publishing industry, corporate social responsibility includes political responsibility15 and protecting state security.16 Internet and technology companies are believed to have the highest proportion of CCP party committees in the private sector.17

This expanding influence and reach also extends to foreign companies. For example, by the end of 2016, the CCP’s Organisation Department claimed that 70% of China’s 100,000 foreign enterprises possessed party organisations.18 Expanding the party’s reach and role inside private enterprises appears to have been a priority since party chief Jiang Zemin’s ‘Three Represents’ policy, which opened party membership to businesspeople, became CCP doctrine in 2002.

All the companies mapped as a part of this project have party committees, party branches and party secretaries. For example, Alibaba has around 200 party branches;19 in 2017 it was reported that Tencent had 89 party branches;20 and Huawei has more than 300.21

Sometimes, the relevance and significance of the CCP’s presence within technology companies are dismissed or trivialised as merely equivalent to the presence of government relations or human resources departments in Western corporations. However, the CCP’s expectations of these committees are clear.22 The CCP’s constitution states that a party organisation ‘shall be formed in any enterprise … and any other primary-level work unit where there are three or more full party members’.23 Article 32 outlines their responsibilities, which include encouraging everyone in the company to ‘consciously resist unacceptable practices and resolutely fight against all violations of party discipline or state law’. Article 33 states that party committees inside state-owned enterprises are expected to ‘play a leadership role, set the right direction, keep in mind the big picture, ensure the implementation of party policies and principles, and discuss and decide on major issues of their enterprise in accordance with regulations’.24

The establishment and expansion of party committees in private enterprises appears to be one of the ways in which Beijing is trying to reduce financial risks and exercise control over the economy. Because entities ‘cannot be without the party’s voice’ and ‘must safeguard the state-owned assets and interests from damage’,25 the party committees are expected to weigh in on major decisions and policies, including the appointment and dismissal of important cadres, major project investment decisions and large-scale capital expenditures.26 

Although this guidance is longstanding practice in state-owned enterprises, it also appears to be taking root in private enterprises. Conducting a review of corporate disclosures in 2017, the Nikkei Asian Review identified 288 companies listed in China that ‘changed their articles of association to ensure management policy that reflects the party’s will’.27 In 2018, 26 publicly listed Chinese banks revised their articles of association to support party committees and the establishment of subordinate discipline inspection committees. Many of the revised articles reportedly include language requiring party consultation before major decisions are made.28

This control mechanism is explicit in the party’s vetting of business leaders. For example, although he’s not a party member, Baidu CEO Robin Li is a member of the Chinese People’s Political Consultative Conference, the country’s primary ‘united front’ body.29 The party conducts a comprehensive assessment of any of the business executives brought into official advisory bodies managed by the United Front Work Department, the Chinese People’s Political Consultative Conference and the National People’s Congress. Two of the four criteria, which relate to a businessperson’s political inclinations, are, first, their ‘ideological status and political performance’ as well as their fulfillment of social responsibilities and, second, their personal compliance with laws and regulations.30

Enabling & exporting digital authoritarianism

The crown jewel of Chinese foreign policy under Xi Jinping is the Belt and Road Initiative (BRI), which is to be a vast global network of infrastructure intended to enable the flow of trade, people and ideas between China and the rest of the world.31 Technology, under the banner of the Digital Silk Road, is a key component of this project.

China’s ambitions to influence the international development of technological norms and standards are openly acknowledged.32 The CCP recognises the threat posed by an open internet to its grip on power—and, conversely, the opportunities that dominance over global cyberspace could offer by extending that control.33

In a 2017 article published in one of the most important CCP journals, officials from the Cyberspace Administration of China (the top Chinese internet regulator) wrote about the need to develop controls so that ‘the party’s ideas always become the strongest voice in cyberspace.’34 This includes enhancing the ‘global influence of internet companies like Alibaba, Tencent, Baidu [and] Huawei’ and striving ‘to push China’s proposition of internet governance toward becoming an international consensus’.

Officials from the Cyberspace Administration of China have written that ‘cyberspace has become a new field of competition for global governance, and we must comprehensively strengthen international exchanges and cooperation in cyberspace, to push China’s proposition of Internet governance toward becoming an international consensus.’35 China’s technology companies are specifically referenced as a part of this effort: ‘The global influence of Internet companies like Alibaba, Tencent, Baidu, Huawei and others is on the rise.’36

Western technology firms have attracted heated criticism for making compromises in order to engage in the Chinese market, which often involves constraining free speech or potentially abetting human rights abuses.37 This attention is warranted and should continue. However, strangely, global consumers have so far been less critical of the Chinese firms that have developed and deployed sophisticated technologies that now underpin the CCP’s ability to control and suppress segments of China’s population38 and which can be exported to enable similar control of other populations.

The ‘China model’ of digitally enabled authoritarianism is spreading well beyond China’s borders. Increasingly, the use of technology for repression, censorship, internet shutdowns and the targeting of bloggers, journalists and human rights activists is becoming standard practice for non-democratic regimes around the world.

In its 2018 Freedom on the net report, Freedom House singled out China as the worst abuser of human rights on the internet. The report also found that the Chinese Government is actively seeking to export its moral and ethical norms, expertise and repressive capabilities to other nations. In addition to the Chinese Government’s efforts, Freedom House specifically called out the role of the Chinese tech sector in facilitating the spread of digital repression. It found that Chinese companies:

have supplied telecommunications hardware, advanced facial-recognition technology, and data analytics tools to a variety of governments with poor human rights records, which could benefit Chinese intelligence services as well as repressive local authorities. Digital authoritarianism is being promoted as a way for governments to control their citizens through technology, inverting the concept of the internet as an engine of human liberation.39

Reporters Without Borders has also sounded the alarm over the involvement of Chinese technology companies in repressing free speech and undermining journalism. As part of an extensive report on the Chinese Government’s attempts to reshape the world’s media in its own image, it concluded that:

From consumer software apps to surveillance systems for governments, the products that China’s hi-tech companies try to export provide the regime with significant censorship and surveillance tools … In May 2018, the companies were enlisted into the China Federation of Internet Societies (CFIS), which is openly designed to promote the Chinese Communist Party’s presence within them. Chinese hi-tech has provided the regime with an exceptional influence and control tool, which it is now trying to extend beyond China’s borders.40

Pushing back against both the practices of digital authoritarianism and the norms and values that underpin such practices requires a clear-eyed understanding of the way they’re being spread. For example, a study of the BRI has found that the ways in which some BRI projects, including digital projects, are structured create serious concerns about the erosion of sovereignty for host nations, such as when a recipient government doesn’t have full control of the operations, management, digital infrastructure or data being generated through those projects.41

Sovereign governments are, of course, ultimately responsible for their actions. For some, particularly Western governments, this includes being transparent and accountable in their use of technology for surveillance and information control. And, if they aren’t, the media, civil society and the public have avenues to hold them to account. However, companies also have responsibilities in this space, which is why many sensitive and dual-use technologies are subject to export controls. The need for companies to be held accountable for how new technologies are used is particularly acute in developing countries, where the state may be less able or less willing to do so because of challenges arising from governance, legislative and regulatory capacity, transparency and corruption.

The following case studies have been selected as illustrations of the ways in which Chinese technology companies, often with funding from the Chinese Government, are aiding authoritarian regimes, undermining human rights and exerting political influence in regions around the world.

Surveillance cities: Huawei’s ‘smart cities’ projects

An important and understudied part of the global expansion of Chinese tech companies involves the proliferation of sophisticated surveillance technologies and ‘public security solutions’.42 Huawei is particularly dominant in this space, including in developing countries where advanced surveillance technologies are being introduced for the first time.

Through this research and as of April 2019, we have mapped 75 Smart City-Public Security projects, most of which involve Huawei.43 Those projects—which are often euphemistically referred to as ‘safe city’ projects—include the provision of surveillance cameras, command and control centres, facial and licence plate recognition technologies, data labs, intelligence fusion capabilities and portable rapid deployment systems for use in emergencies.

The growth of Huawei’s ‘public security solution’ projects has been rapid. For example, the company’s ‘Hisilicon’ chips reportedly make up 60% of chips used in the global security industry.44 In 2017, Huawei listed 40 countries where its smart-city technologies had been introduced;45 in 2018, that reach had reportedly more than doubled to 90 countries (including 230 cities). Because of a lack of detail or possible differences in definition, this project currently covers 43 countries.46

This research has found that, in many developing countries, exponential growth is being driven by loans provided by China Exim Bank (which is wholly owned by the Chinese Government).47 The loans, which must be paid back by recipients,48 are provided to foreign governments, and it’s been reported in academia and the media that the contractors used must be Chinese companies.49 In many of the examples examined, Huawei was awarded the primary contract; in some cases, the contract was managed by a Chinese state-owned enterprise and Huawei played a ‘sub-awardee’ role as a provider of surveillance equipment and services.50

Smart-city technologies can impart substantial benefits to states using them. For example, in Singapore, increased access to digital services and the use of technology that exploits the ‘internet of things’ (for traffic control, health care and video surveillance) has led to increased citizen mobility and productivity gains.51

However, in many cases, Huawei’s safe-city solutions focus on the introduction of new public security capabilities, including in countries such as Ecuador, Pakistan, the Philippines, Venezuela, Bolivia and Serbia. Many of those countries rank poorly, some very poorly, on measures of governance and stability, including the World Bank’s governance indicators of political stability, the absence of violence, the control of corruption and the rule of law.52

Of course, the introduction of new public security technologies may have made cities ‘safer’ from a crime prevention perspective, but, unsurprisingly, in some countries it’s created a range of political and capacity problems, including alleged corruption; missing money and opaque deals;53 operational and ongoing maintenance problems;54 and alleged national security concerns.55

Censorship and suppression: aiding authoritarianism in Zimbabwe

The example set by the Chinese state is increasingly being looked to by non-democratic regimes—and even some democratic governments—as proof that a free and open internet is neither necessary nor desirable for development. ‘If China could become a world power without a free Internet, why do African countries need a free internet?’ one unnamed African leader reportedly asked interviewers from the Department of Media Studies at the University of Witwatersrand.56 

The business dealings of Chinese technology companies in Zimbabwe, for example, are closely entwined with the CCP’s support for the country’s authoritarian regime. China is Zimbabwe’s largest source of foreign investment, partly as a result of sanctions imposed by Western countries over human rights violations by the regime. Zimbabwean President Emmerson Mnangagwa’s first visit outside of Africa after his election was to China, where he thanked President Xi Jinping and China for supporting Zimbabwe against Western sanctions and called for even deeper economic and technical cooperation between the two nations.57

Chinese companies play a central role in Zimbabwe’s telecommunications sector. Huawei has won numerous multimillion-dollar contracts with state-owned cellular network NetOne, some of which have been the subject of corruption allegations.58 Several of Huawei’s Zimbabwe projects have been financed through Chinese Government loans.59

ZTE also has a significant footprint in the country (and has also been the subject of corruption allegations).60 This has included a $500 million loan, in partnership with China Development Bank, to Zimbabwe’s largest telco, Econet, in 2015.61 ZTE has previously provided equipment, including radio base stations, for Econet’s 3G network.62 Zimbabwean telecommunications providers currently owe millions of dollars to Huawei and ZTE, as well as Ericsson, which reportedly led to network disruptions in March 2019.63

The CCP and Chinese companies haven’t just helped to cushion Zimbabwe’s leaders against the impact of sanctions. They’re also providing both a model and means for the regime’s authoritarian practices to be brought forward into the digital age, both online and offline.

The Zimbabwean Government has been considering draconian new laws to restrict social media since at least 2016, when the official regulator issued an ominous warning to internet users against ‘generating, passing on or sharing such abusive and subversive materials’.64 In the same year, a law was passed to allow authorities to seize devices in order to prevent people using social media.65

In early 2019, the government blocked social media and imposed internet shutdowns in response to protests against fuel price increases. Information Minister Energy Mutodi stated that ‘social media was used by criminals to organize themselves … this is why the government had to … block [the] internet,’ as he announced plans for forthcoming cybercrime laws to criminalise the use of social media to spread ‘falsehoods’.66

The government has openly been looking to China as a model for controlling social media,67 including by creating a cybersecurity ministry, which a spokesperson described as ‘like a trap used to catch rats’.68

Parts of this ‘trap’ reportedly come from China. In 2018, it was reported that China, alongside Russia and Iran, had been helping Zimbabwe to set up a facility to house a ‘sophisticated surveillance system’ sold to the government by ‘one of the largest telecommunications companies’ in China.69 Given the description and context, it seems plausible that this company may be Huawei or ZTE.

‘We have our means of seeing things these days, we just see things through our system. So no one can hide from us, in this country,’ said former Intelligence Minister Didymus Mutasa.70 

The government is increasingly looking to expand its surveillance from the online space into the real world. It’s signed multiple agreements with Chinese companies for physical surveillance systems, including a highly controversial planned national facial recognition system with Chinese company CloudWalk.71

It’s also interested in developing its own indigenous facial recognition technology, and is working with CETC subsidiary Hikvision to do it.72 Hikvision is already supplying surveillance cameras for police and traffic control systems.73 In 2018, Zimbabwean authorities signed a memorandum of understanding with the company to implement a ‘smart city’ program in Mutare. This included the donation of facial recognition terminals equipped with deep-learning artificial intelligence (AI) systems.

In a media statement, the government stated: 

The software is meant to be integrated with the facial recognition hardware which will be made locally by local developers in line with the government’s drive to grow the local ICT sector making Zimbabwe to be the number one country in Africa to spearhead the facial recognition surveillance and AI system nationwide in Zimbabwe.74

National ID programs: Venezuela’s ‘Fatherland Card’

Chinese tech companies are involved in national identity programs around the world. One of the most concerning examples is playing out amid the political and humanitarian crisis in Venezuela. A Reuters investigation in 2018 uncovered the central role played by ZTE in inspiring and implementing the Maduro regime’s ‘Fatherland Card’ program.75 The Fatherland Card (Carnet de la Patria) records the holder’s personal data, such as their birthday, family information, employment, income, property owned, medical history, state benefits received, presence on social media, membership of a political party and history of voting.

Although the card is technically voluntary, without it Venezuelans can be denied access to government-subsidised food, medication or gasoline.76 In the midst of Venezuela’s political crisis, registering for a ‘voluntary’ card is no choice at all for many. In fact, people in Caracas are queuing for hours to get hold of one, despite the risks of handing over personal data to the increasingly unstable and repressive Maduro regime.77

According to Reuters, ZTE was contracted by the government to build the underlying database and accompanying mobile payment system. A team of ZTE employees was embedded with Cantv, the Venezuelan state telecommunications company that manages the database, to help secure and monitor the system. ZTE has also helped to build a centralised government video surveillance system.

There are concerns that the card program is being used as a tool to interfere in the democratic process. During the 2018 elections, observers reported kiosks being set up near or even inside voting centres, where voters were encouraged to scan their cards to register for a ‘fatherland prize’.78 Those who did so later received text messages thanking them for voting for Maduro (although they never did get the promised prize).

Authorities claim that the cards record whether a person voted, but not whom they voted for. However, an organiser interviewed by Reuters claimed to have been instructed by government managers to tell voters that their votes could be tracked. Regardless of the truth of the matter, even the rumours that the government may be watching who votes for it—or, perhaps more pertinently, against it—could be expected to influence the way people vote.

In the context of the current crisis, this technologically enabled population control takes on an even sharper edge. Cyberspace has emerged as a key battleground in the struggle between the Maduro regime and the Venezuelan opposition led by Juan Guaidó.

In addition to selective social media blocks79 and total internet shutdowns,80 there’s also evidence of more insidious attacks. For example, a website set up by the opposition to coordinate humanitarian aid delivery was subject to a DNS hijacking attack, including the theft of the personal data of potentially thousands of pro-opposition volunteers.81

Cantv, Venezuela’s government-run telecommunications company, is reportedly ‘dependent on agreements with ZTE and Huawei to supply equipment and staff and … Cantv sends its employees to China to receive training.’82 These deals are financed through the Venezuela China Joint Fund. China is known as something of an international leader in DNS blocking and manipulation, and the Chinese Government is strongly supporting the Maduro regime, including by targeting social media users in China who post or share content critical of Maduro.83

Shaping politics and policy in Belarus

In some parts of the world, Chinese technology companies are helping shape the politics and policy of new technologies through the development of high-level relationships with national governments. This is particularly concerning in the case of non-democratic countries.

Often referred to as ‘Europe’s last dictatorship’, Belarus has been under the control of authoritarian strongman Aleksandr Lukashenko since 1994.84 In recent years, ties with China have come to play an increasingly significant role not only in Belarus’s delicate diplomatic relations with its powerful neighbours, but also in its very indelicate domestic policies of violent repression. This has included the use of digital technologies for mass surveillance and the targeted persecution of activists, journalists and political opponents.85

Huawei has been supplying video surveillance and analysis systems to the Lukashenko regime since 2011 and border monitoring equipment since at least 2014.86 Also in 2014, Huawei’s local subsidiary, Bel Huawei Technologies, launched two research labs for ‘intellectual remote surveillance systems’. Through the labs, Huawei provides ‘laboratory-based training … for the specialists of Promsvyaz, Beltelekom, HSCC and other organisations’.87

Over the past several years, collaboration between the Belarusian Government and Chinese technology companies has expanded rapidly, in line with Belarus’s engagement with the BRI and with deepening diplomatic and economic ties between Lukashenko’s regime and the CCP.88

In March 2019, Belarus unveiled a draft information security law. ‘It is purely our own product. We didn’t borrow it from anyone,’ State Secretary of the Security Council Stanislav Zas told Belarusian state media.89

A day later, China’s ambassador to Belarus spoke to the same outlet about how ‘Belarusian and Chinese companies [have] managed to establish intensive cooperation in the area of cyber and information security’, and about the desire of both countries to ‘expand cooperation in the sphere of cybersecurity’.90

‘Both countries have good practice in this field. We are going to even deeper cooperate [sic] and share experience,’ the Chinese ambassador said. 

Huawei has played an especially prominent role in this process at multiple levels. It has continued and expanded the training it provides to Belarusians, including sending students to study in China and signing an agreement with the Belarusian State Academy of Communications for a joint training centre.91

Huawei is also exerting political and policy influence. In May 2018, the company released its National ICT priorities for the Republic of Belarus.92 The proposal includes recommendations for ‘public safety’ technologies, such as video surveillance and drones, and a citizen status identification system.

‘Belarus has not yet widely deployed integrated police systems, and thus can refer to the solution adopted in Shenzhen,’ the document notes. This is likely to be a reference to the facial recognition program implemented by Shenzhen police to ‘crack down on jaywalking’.93

During a meeting with the chairman of Huawei’s board, Guo Ping, for the launch of the plan, then Belarusian Prime Minister Andrei Kobyakov expressed his hope that: the accumulated experience and prospects of cooperation will play an important role in the development of information and communication technologies in Belarus and in making friendship between our countries stronger. The Belarusian government counts on further effective interaction and professional cooperation.94

Controlling information flows—WeChat and the future of social messaging

Launched in 2011, WeChat quickly became China’s dominant social network but has largely struggled to build up a significant user base overseas. Still, of the social media super-app’s 1.08 billion monthly active users,95 an estimated 100–200 million are outside China.96

Southeast Asia provides the most fertile ground for WeChat outside of China: the app has 20 million users in Malaysia; 17% of the population of Thailand use it;97 and it’s the second most popular messaging app in Bhutan and Mongolia.98

The potential for WeChat to substantially grow its user base overseas remains, particularly as it hits a wall in user growth in China99 and overseas expansion becomes more of an imperative. To the extent that it’s being used outside of mainland China, WeChat poses significant risks as a channel for the dissemination of propaganda and as a tool of influence among the Chinese diaspora.

WeChat is increasingly used by politicians in liberal democracies to communicate with their ethnic Chinese voters, which necessarily means that communication is subject to CCP censorship by default.100

In one instance, in September 2017 Canadian parliamentarian Jenny Kwan posted a WeChat message of support for Hong Kong’s Umbrella Movement – a series of pro-democracy protests that took place in 2014 – only to have it censored by WeChat.101

In 2018, Canadian police received complaints about alleged vote buying taking place on WeChat.102 A group called the Canada Wenzhou Friendship Society was reportedly using the app to offer voters a $20 ‘transportation fee’ if they went to the polls and encouraging them to vote for specific candidates.

Because WeChat is one of the main conduits for Chinese-language news, censorship controls help Beijing to ensure that news sources using the app for distribution report only news that serves the CCP’s strategic objectives.103

WeChat is not only a significant influence and censorship tool for the CCP, but also has the potential to facilitate surveillance. An Amnesty International study ranking global instant messaging apps on how well they use encryption to protect online privacy gave WeChat a score of 0 out of 100.104 Content that passes through WeChat’s servers in China is accessible to the Chinese authorities by law.105

Enabling human rights abuses in China: Uyghurs in Xinjiang

Many of the repressive techniques and technologies that Chinese companies are implementing abroad have for a long time been used on Chinese citizens. In particular, the regions of Tibet and Xinjiang are often at the bleeding edge of China’s technological innovation.

The complicity of China’s tech giants in perpetrating or enabling human rights abuses—including the detention of an estimated 1.5 million Chinese citizens106 and foreign citizens107—foreshadows the values, expertise and capabilities that these companies are taking with them out into global markets. 

From the phones in people’s pockets to the tracking of 2.5 million people using facial recognition technology108 to the ‘re-education’ detention centres,109 Chinese technology companies—including several of the companies in our dataset—are deeply implicated in the ongoing surveillance, repression and persecution of Uyghurs and other Muslim ethnic minority communities in Xinjiang.

Many of the companies covered in this report collaborate with foreign universities on the same kinds of technologies they’re using to support surveillance and human rights abuses in China. For example, CETC—which has research partnerships with the University of Technology Sydney,110 the University of Manchester111 and the Graz Technical University in Austria112—and its subsidiary Hikvision are deeply implicated in the crackdown on Uyghurs in Xinjiang. CETC has been providing police in Xinjiang with a centralised policing system that draws in data from a vast array of sources, such as facial recognition cameras and databases of personal information. The data is used to support a ‘predictive policing’ program, which according to Human Rights Watch is being used as a pretext to arbitrarily detain innocent people.113 CETC has also reportedly implemented a facial recognition project that alerts authorities when villagers from Muslim-dominated regions move outside of prescribed areas, effectively confining them to their homes and workplaces.114

Huawei provides the Xinjiang Public Security Bureau with technical support and training.[115] At the same time, it has funded more than 1,200 university research projects and built close ties to many of the world’s top research institutions.[116] The company’s work with Xinjiang’s public security apparatus also includes providing a modular data centre for the Public Security Bureau of Aksu Prefecture in Xinjiang and a public security cloud solution in Karamay. In early 2018, the company launched an ‘intelligent security’ innovation lab in collaboration with the Public Security Bureau in Urumqi.[117]

According to reporting, Huawei is providing Xinjiang’s police with technical expertise, support and digital services to ensure ‘Xinjiang’s social stability and long-term security’. 

Hikvision took on hundreds of millions of dollars worth of security-related contracts in Xinjiang in 2017 alone, including a ‘social prevention and control system’ and a program implementing facial-recognition surveillance on mosques.[118] Under the contract, the company is providing 35,000 cameras to monitor streets, schools and 967 mosques, including video conferencing systems that are being used to ‘ensure that imams stick to a “unified” government script’.[119]

Most concerningly of all, Hikvision is also providing equipment and services directly to re-education camps. It has won contracts with at least two counties (Moyu[120] and Pishan[121]) to provide panoramic cameras and surveillance systems within camps.

Future strategic implications

The degree to which nations and communities around the world are coming to rely on Chinese technology companies for critical services and infrastructure, from laying cables to governing their cities, has significant strategic implications both now and for many years into the future:

  • Undermining democracy: Perhaps the greatest long-term strategic concern is the role of Chinese technology companies – and technology companies from other countries that aid or engage in similar behaviour – in enabling authoritarianism in the digital age, from supplying surveillance technologies to automating mass censorship and the targeting of political dissidents, journalists, human rights advocates and marginalised minorities. The most challenging issue is the continued export around the world of the model of vicious, ubiquitous surveillance and repression being refined now in Xinjiang.
  • Espionage and intellectual property theft: The espionage risks associated with Chinese companies are clearly laid out in Chinese law, and the Chinese state has a well-established track record of stealing intellectual property.[122] This risk is only likely to increase as ‘smart’ technology becomes ever more pervasive in private and public spaces. From city-wide surveillance to the phones in the pockets of political leaders (or, in a few years, the microphones in their TVs and refrigerators), governments, the private sector and civil society alike need to seriously consider how to better protect their information from malicious cyber actors.
  • Developing technologies: Chinese companies are leading the field in research and development into a range of innovative, and strategically sensitive, emerging technologies. Their global expansion provides them with key resources, such as huge and diverse datasets and access to the world’s best research institutions and universities.[123] Fair competition between leading international companies to develop these crucial technologies is only to be expected, and Chinese tech companies have made enormous positive contributions to the sum total of human knowledge and innovation. However, the strategic, political and ideological goals of the CCP—which has directed and funded much of this research—can’t be ignored. From AI to quantum computing to biotechnology, the nations that dominate those technologies will exercise significant influence over how the technologies develop, such as by shaping the ethical norms and values that are built into AI systems, or how the field of human genetic modification progresses. Dominance in these fields will give nations a major strategic edge in everything from economic competition to military conflict.
  • Military competition: In cases of military competition with China, the Chinese Government would of course seek to leverage, to its own advantage, its influence over Chinese companies providing equipment and services to its enemies. This should be a serious strategic consideration for nations when they choose whether to allow Chinese companies to be involved in the build-out of critical infrastructure such as 5G networks, especially given the CCP’s increasing assertiveness and coercion globally.

This issue is particularly acute for countries already experiencing tensions over China’s territorial claims in regions such as the South China Sea. For example, in 2016, after a ruling by a UN-backed tribunal dismissed Chinese claims, suspected Chinese hackers attacked announcement and communications systems in two of Vietnam’s major airports, including a ‘display of profanity and offensive messages in English against Vietnam and the Philippines’.[124] A simultaneous hack on a Vietnamese airline led to the loss of more than 400,000 passengers’ data. Vietnam’s Information and Communications Minister said that the government was ‘reviewing Chinese technology and devices’ in the wake of the attack.[125] Cybersecurity firm FireEye says that it’s observed persistent targeting of both government and corporate targets in Vietnam that’s suspected to be linked to the South China Sea dispute.[126]

5G infrastructure build-outs should be an area of particular concern. An article in the China National Defence Report in March 2019[127] discusses the military applications for China of 5G in the move to ‘intelligentised’ warfare. ‘[A]s military activities accelerate towards extending into the domain of intelligentization, air combat platforms, precision-guided munitions, etc. will be transformed from “accurate” to “intelligentized.” 5G-based AI technology will definitely have important implications for these domains,’ write the authors, who appear to be researchers affiliated with Xidian University and the PLA’s Army Command Academy.

Conclusion

Chinese companies have unquestionably made important and valuable contributions to the technology industry globally, from contributing to cutting-edge research and pushing the boundaries of developing technologies, to enabling access to affordable, good-quality devices and services for people around the world. They are not going anywhere, and they are going to continue to play a vital role in the ways in which governments, companies and citizens around the world connect with one another.

At the same time, however, it is important to recognise that the activities of these companies are not purely commercial, and in some circumstances risk mitigation is needed. The CCP’s own policies and official statements make it clear that it perceives the expansion of Chinese technology companies as a crucial component of its wider project of ideological and geopolitical expansion. The CCP committees embedded within the tech companies and the close ties (whether through direct ownership, legal obligations or financing agreements including loans and lucrative contracts) between the companies and the Chinese government make it difficult for them to be politically neutral actors, as much as some of the companies might prefer this. There is also a legitimate question about whether global consumers should demand greater scrutiny of Chinese technology firms that facilitate human rights abuses in China and elsewhere.

Governments around the world are struggling with the political and security implications of working with Chinese corporations, particularly in areas such as critical infrastructure, for example in 5G, and in collaborative research partnerships that might involve sensitive or dual-use technologies. Part of this struggle is due to a lack of in-depth understanding of the unique party-state environment that shapes, limits and drives the global behaviour of Chinese companies. This research project aims to help plug that gap so that policymakers, industry and civil society can make more informed decisions when engaging China’s tech giants.


What is ASPI?

The Australian Strategic Policy Institute was formed in 2001 as an independent, non‑partisan think tank. Its core aim is to provide the Australian Government with fresh ideas on Australia’s defence, security and strategic policy choices. ASPI is responsible for informing the public on a range of strategic issues, generating new thinking for government and harnessing strategic thinking internationally.


ASPI International Cyber Policy Centre

The ASPI International Cyber Policy Centre’s mission is to shape debate, policy and understanding on cyber issues, informed by original research and close consultation with government, business and civil society.


It seeks to improve debate, policy and understanding on cyber issues by:

  1. conducting applied, original empirical research
  2. linking government, business and civil society
  3. leading debates and influencing policy in Australia and the Asia–Pacific.

The work of ICPC would be impossible without the financial support of our partners and sponsors across government, industry and civil society. ASPI is grateful to the US State Department for providing funding for this research project.

Important disclaimer

This publication is designed to provide accurate and authoritative information in relation to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering any form of professional or other advice or services. No person should rely on the contents of this publication without first obtaining advice from a qualified professional person.


© The Australian Strategic Policy Institute Limited 2019

This publication is subject to copyright. Except as permitted under the Copyright Act 1968, no part of it may in any form or by any means (electronic, mechanical, microcopying, photocopying, recording or otherwise) be reproduced, stored in a retrieval system or transmitted without prior written permission. Enquiries should be addressed to the publishers. Notwithstanding the above, educational institutions (including schools, independent colleges, universities and TAFEs) are granted permission to make copies of copyrighted works strictly for educational purposes without explicit permission from ASPI and free of charge.

  1. Sarah Cook, ‘China’s cyber superpower strategy: implementation, internet freedom implications, and US responses’, written testimony to House Committee on Oversight and Government Reform, Freedom House, 28 September 2018; Kania et al., ‘China’s strategic thinking on building power in cyberspace: a top party journal’s timely explanation translated’, online.
  2. , online.
  3. Samantha Hoffman, Elsa Kania, ‘Huawei and the ambiguity of China’s intelligence and counter-espionage laws’, The Strategist, 13 September 2018, online.
  4. Constitution of the Communist Party of China, revised and adopted on 24 October 2017, online.
  5. People’s Republic of China Company Law, online.
  6. Hoffman & Kania, ‘Huawei and the ambiguity of China’s intelligence and counter-espionage laws’.
  7. Chris Buckley, Amy Qin, ‘Muslim detention camps are like “boarding schools,” Chinese official says’, New York Times, 12 March 2019, online; Fergus Ryan, Danielle Cave, Nathan Ruser, Mapping Xinjiang’s ‘re-education’ camps, ASPI, Canberra, 1 November 2018, online.
  8. ‘China: not free: 88/100’, Freedom on the net 2018, Freedom House, Washington DC, 2018, online.
  9. Jun Mai, ‘Xi Jinping renews “cyber sovereignty” call at China’s top meeting of internet minds’, South China Morning Post, 3 December 2017, online.
  10. Josh Rogin, ‘White House calls China’s threats to airlines “Orwellian nonsense”’, Washington Post, 5 May 2018, online.
  11. Samantha Hoffman, Social credit: technology-enhanced authoritarian control with global consequences, ASPI, Canberra, 28 June 2018, online.
  12. Wu Jiao, ‘Party membership up in private firms’, China Daily, 17 July 2007, online.