Tag Archive for: Cyber

An informed and independent voice: ASPI, 2001-2021

To mark its establishment in August 2001, the Australian Strategic Policy Institute has published an intellectual history of its work over two decades: An informed and independent voice: ASPI, 2001–2021.

ASPI’s mission is to ‘contribute an informed and independent voice to public discussion’. That was the vision embraced by the Australian Government in creating ‘an independent institute to study strategic policy’, designed to bring ‘contestability’ and ‘alternative sources of advice’ to ‘key strategic and defence policy issues’.

The story of how the institute did that job is told by ASPI’s journalist fellow, Graeme Dobell. He writes that ASPI has lived out what its name demands, to help deliver what Australia needs in imagining ends, shaping ways and selecting means.

An informed and independent voice covers the terrorism era and national security; the work of the Defence Department; Australia’s wars in Iraq and Afghanistan; the evolution of Australia’s strategy in the Indo-Pacific; relations with China and the US; cyber and tech; Japan, India and the Quad; Indonesia and Southeast Asia; Australia’s island arc—the the South Pacific and Timor-Leste; Northern Australia; Women, peace and security; Climate change; Antarctica; 1.5 track dialogues; the work of the digital magazine The Strategist; and ‘thinking the ASPI way’.

The submission to cabinet on ASPI’s founding said that the principles of contestability had ‘not yet been effectively implemented in relation to defence and strategic policy, despite the vital national interests and significant sums of money that are at stake’. That demand, at the heart of the institute’s creation, has been met and still drives its work.

Introduction: sometimes we will annoy you

A senior diplomat from one of Australia’s close ‘Old Commonwealth’ partners tells a story about hosting an Australian visit from his country’s defence minister, an aspiring political operator. The minister came to ASPI for a 90-minute roundtable with senior staff. Mark Thomson briefed on Defence’s budget woes—this was one of those years when financial squeezing was the order of the day, and a gap was quietly appearing between policy promises and funding reality.

Andrew Davies reported on the challenges of delivering the Joint Strike Fighter, the contentious arrival of the ‘stop-gap’ Super Hornet and the awkward non-arrival of the future submarine. Rod Lyon spoke about the insurmountable problems of Iraq and Afghanistan, the rise of the People’s Republic of China (PRC) and our own government’s foreign policy foibles. It was, like many ASPI meetings, a lively and sustained critique of policy settings. Driving back to the High Commission, a somewhat startled minister muttered to his diplomatic escort: ‘Thank God we don’t have a think tank like that back home!’

The genius of ASPI is that it’s designed to be a charming disrupter. Sufficiently inside the policy tent to understand the gritty guts of policy problems, but with a remit to be the challenger of orthodoxies, the provider of different policy dreams (as long as they’re costed and deliverable), the plain-speaking explainer of complexity, and a teller of truth to power. Well, that’s perhaps a little too grand. ASPI aims to be a helpful partner to the national security community, not a hectoring lecturer. But the institute ceases to have any value if it just endorses current policy settings: the aim is to provide ‘contestability of policy advice’. Not always easy in a town where climbing the policy ladder is the only game.

The story of ASPI’s creation has been told by several present at the creation1 and, very enjoyably, by Graeme Dobell in the second chapter in this volume. With the release of the Howard government cabinet records for the year 2000, we now get to see that the National Security Committee of cabinet deliberated carefully over ASPI’s composition, charter, organisational location, geographical location and underlying purpose. The annual expenditure proposed ($2.1 million) was, by Defence’s standards, trivial even in 2000. What the government was chewing over was the sense or otherwise of injecting a new institution into the Canberra policymaking environment.

The case for a strategic policy institute was set out in a cabinet submission considered on 18 April 2000:

There are two key reasons to establish an independent institute to study strategic policy.

The first is to encourage development of alternative sources of advice to Government on key strategic and defence policy issues. The principles of contestability have been central to our Government’s philosophy and practice of public administration, but 2 An informed and independent voice: ASPI, 2001–2021 these principles have not been effectively implemented in relation to defence and strategic policy, despite the vital national interests and significant sums of money that are at stake. The Government has found in relation to the COLLINS Class Submarines project for instance, and more recently in relation to White Paper process, that there are almost no sources of alternative information or analysis on key issues in defence policy, including the critical questions of our capability needs and how they can best be satisfied. The ASPI will be charged with providing an alternative source of expertise on such issues.

Second, public debate of defence policy is inhibited by a poor understanding of the choices and issues involved. The ASPI will be tasked to contribute an informed and independent voice to public discussion on these issues.2

‘An informed and independent voice’. There couldn’t be a better description of what the institute has sought to bring to the public debate; nor could there be a more fitting title for this study of ASPI’s first 20 years by Graeme Dobell, ably assisted by the voices and insights of many ASPI colleagues.

The April cabinet meeting agreed that ASPI should be established, but the government went back to Defence a second time to test thinking about the institute’s organisational structure.

In July, the department proposed several options, including that ASPI could be added as an ‘internal Defence Strategic Policy Cell’, or operate as an independent advisory board to the Minister for Defence, or be based at a university, or be a statutory authority, executive agency or incorporated company. Having considered other possibilities, the government accepted Defence’s recommendation (endorsed by other departments) that ASPI be established as a government-owned incorporated company managed by a board ‘to enhance the institute’s independence within a robust and easy to administer corporate structure’.3

The most striking aspect of this decision is that the government opted for the model that gave ASPI the greatest level of independence. There were options that would have limited the proposed new entity, for example, by making it internal to Defence or adding more complex governance mechanisms that might have threatened the perception of independence. Those options were rejected. A decision to invite a potential critic to the table is the decision of a mature and confident government. It’s perhaps not surprising that there aren’t many ASPI-like entities. Prime Minister Howard was also keen to see that the institute would last beyond a change of government. ASPI was directed to be ‘non-partisan’, above daily politics. The leader of the opposition would be able to nominate a representative to the ASPI Council. ASPI would also be given a remit to ‘pursue alternate sources of funding and growth’, giving the institute the chance to outgrow its Defence crib.

Interestingly, the August 2000 cabinet decision to establish ASPI as a stand-alone centre structured as an incorporated company and managed by a board of directors also stated that: ‘The Cabinet expressed a disposition to establish the centre outside of the Australian Capital Territory.’4 By the time ASPI was registered in August 2001 as an Australian public company limited by guarantee, the institute’s offices were located in Barton in the ACT, where they remain to this day.

The government appointed Robert O’Neill AO as the chair of the ASPI Council, and the inaugural membership of the council was appointed in July 2001, meeting for the first time on 29 August 2001. That month, the council appointed Hugh White AO as the institute’s executive director and Hugh set about building the initial ASPI team. A fortnight later, the world fundamentally changed. Terrorist attacks on New York’s World Trade Center and the Pentagon and one unsuccessfully aimed at the White House jolted the strategic fabric of the Middle East and the world’s democracies. ASPI couldn’t have started at a more challenging time for strategic analysis.

Writing in ASPI’s first annual report, Hugh White reported that the institute in 2001–02 ‘did a small amount of work directly for government, including a substantial assessment for the Minister for Defence, Senator Hill, of the implications of September 11 for Australia’s defence’.5

ASPI’s first public report was a study by Elsina Wainwright, New neighbour, new challenge: Australia and the security of East Timor. This was followed by the first of Mark Thomson’s 16 editions of The cost of Defence: the ASPI defence budget brief 2002–03. This included a rundown of the top 20 defence capability acquisition projects. The slightly cheeky cartoon covers—state and territory seagulls pinching Defence spending chips is my favourite—didn’t start until 2003–04, but the first Cost of Defence began the trend to report Defence’s daily budget spend: $39,991,898.63. (The 2021–22 Cost of Defence records the daily spend at $122,242,739.73.)

Hugh White closed off his 2001–02 Director’s report with ‘Clearly the task of defining our role in the policy debate will take some time to complete, but we believe we have made a good start.’ It was quite a foundation year: tectonic global security shifts, challenging regional deployments, defence budget and capability analysis. ASPI’s course was set, and the rest, as they say, makes up the history that Graeme Dobell and ASPI colleagues cover in this book. Graeme’s analysis makes sense of what, to the participants, might have felt from time to time like one damned thing after another. But patterns do emerge, and they coalesce into the realisation that ASPI’s first 20 years have marked some of the most turbulent shifts in Australia’s security outlook. All of which puts, or should put, a tremendous premium on the value of strategic policy, contestable policy advice, an informed and engaged audience and a new generation of well-trained policy professionals.

ASPI today is a larger organisation working across a wider area of strategy and policy issues.

The annual report for 2019–20 lists 64 non-ongoing (that is, contracted) staff, of whom 45 were full time (22 female and 23 male) and 15 were part time (11 female and four male). The overall ASPI budget was $11,412,096.71, of which $4 million (35%) was from Defence, managed by a long-term funding agreement. A further $3.6 million (32%) came from federal government agencies; $0.122 million (1%) from state and territory government agencies; $1.89 million (17%) from overseas government agencies, most prominently from the US State Department and Pentagon and the UK Foreign and Commonwealth Office. Defence industry provided $0.370 million (3%); private-sector sponsorship was $1.241 million (11%) and finally, funding from civil society and universities was $0.151 million (1%).6

Behind those numbers is a mountain of effort to grow the institute and sustain it financially.

Think tanks need high-performing staff, and high-performing staff need salaries that will keep them at the think tank. The nexus between money and viability is absolute. Around the world, there are many think tanks that don’t amount to much more than a letterhead and an individual’s dedicated effort in a spare room at home. The reality is that building scale, research depth, a culture of pushing the policy boundaries and a back-catalogue of high-quality events and publications takes money. In the early stages of ASPI’s life, I recall the view expressed that the institute couldn’t possibly be regarded as independent if the overwhelming balance of its resources came from the Department of Defence. More recently, the charge is that the ‘military industrial complex’ or foreign governments must be the tail that wags the dog. The Canberra embassy of a large and assertive Leninist authoritarian regime can’t conceive that ASPI could possibly be independent in its judgements because, well, no such intellectual independence survives back home. ASPI must therefore be the catspaw of Australian Government policy thinking.

None of those contentions are borne out by looking at the content of ASPI products over the past two decades. There are plenty of examples (from critiques of the Port of Darwin’s lease to a PRC company; analysis of key equipment projects such as submarines and combat aircraft; assessments of the Bush, Obama, Trump and now the Biden presidencies; assessments of the Defence budget; differences on cyber policy) in which the institute’s capacity for feisty contrarianism has been on full display. In my time at ASPI, I haven’t once been asked by a politician, public servant, diplomat or industry representative to bend a judgement to their preferences. It follows that, for good or ill, the judgements made by ASPI staff, and our contributors, are their views, and their views alone. ASPI is independent because it was designed to operate that way. Its output demonstrates that reality every day.

And as you will see in these pages, ASPI has views aplenty. It became clear several years ago that the institute needed to broaden its focus away from defence policy and international security more narrowly conceived to address a wider canvas of security issues. That’s because the wider canvas presents some of the most interesting and challenging dilemmas for Australia’s national security. We sought to bring a new policy focus to cyber issues by creating the ASPI International Cyber Policy Centre. This was followed by streams of work addressing risk and resilience; counterterrorism; policing and international law enforcement; countering disinformation; understanding the behaviour of the PRC in all its dimensions; and, most recently, climate and security.

Does ASPI’s work have real policy effect? One of the curiosities of the Canberra environment is that officials will often go to quite some length to deny that a think tank could possibly shift the policy dial. To do so might be to acknowledge an implicit criticism that a department or agency hasn’t been on its game. Changing policy is often more like a process of erosion than a sudden jolting earthquake. It can take time to mount and sustain a critique about policy settings before the need for change is finally acknowledged. And it has to be said that the standard disposition of Canberra policymakers is to defend current policy settings. That shouldn’t be too surprising: current policy settings in many cases will be the result of government decisions, and, at times, the role of the public service is to raise the drawbridge and defend the battlements. So, it’s often the case that a department’s response to the arrival of an ASPI report isn’t a yelp of joy so much as the cranking up of a talking points brief for the minister that explains why current policy settings are correct, can’t be improved upon and quite likely are the best of all possible worlds.

ASPI’s influence is therefore more indirect than that of the Australian Public Service (APS), but, as Sun Tzu reminds us, ‘indirect methods will be needed in order to secure victory.’7 The institute has some natural strengths in this approach. ASPI has the advantage of being small and flexible; it has a charter to look beyond current policy settings; it can talk to a wide range of people in and out of government to seed ideas; it can engage with the media; it allows expertise to develop because more than a few ASPI staff have stayed in jobs for years and built a depth of knowledge not necessarily found in generalist public servants who frequently change roles.

Taking a longer view, I would suggest that ASPI has indeed managed to influence the shape of policy in a number of areas. The institute has helped to create a more informed base of opinion on key defence budget and capability issues. This has helped to strengthen parliamentary and external scrutiny of the Defence Department and the ADF. ASPI is really the only source providing detailed analysis of defence spending and has helped to lift public understanding about critical military capability issues, such as the future submarine project, the future of the surface fleet, air combat capabilities, the land forces, space, and joint and enabling capabilities.

ASPI has had substantial impact on national thinking about dealing with the PRC, and that has helped at least set the context for government decision-making on issues such as the rollout of the 5G network, countering foreign interference, strengthening security consideration of foreign direct investment and informing national approaches to fuel and supply-chain security.

ASPI has sought to make policy discussions about cyber, critical and emerging technologies more informed and more accessible. The institute has offered many active, informed and engaged voices on critical international issues of importance to Australia, from the Antarctic to the countries and dynamics of the Indo-Pacific, the alliance with the US, the machinery of Defence and national security decision-making, the security of northern Australia and even re-engaging with Europe.

It’s best left to others to judge the success or otherwise of the institute. Both from the approval, and sometimes disapproval, that ASPI garners, we can see that people pay attention to the institute’s work. That’s gratifying and motivates the team to keep doing more. 

Coincidentally to ASPI’s 20th anniversary, the Australian Parliament’s Senate Foreign Affairs, Defence and Trade References Committee has been conducting an inquiry into funding for public research into foreign policy issues. In making a submission to that inquiry, I offered what I hoped was useful advice about the contours of what a notional ‘foreign policy institute’ should look like if the government wanted to promote in the field of foreign policy what ASPI seeks to do for defence and strategic policy. That led me to suggest the following seven approaches, presented here with minor edits:

  1. A foreign policy institute must be genuinely independent, with a charter that makes its core functions clear and a governance framework that supports its independence. If the Department of Foreign Affairs and Trade (DFAT) were to be the prime source of funding, it should be made clear that DFAT should not influence the policy recommendations of the institute’s work. A government-appointed council, including a representative of the leader of the opposition, should provide overall strategic direction for the institute. Any entity that is part of a larger government department will inevitably come to reflect the parent. A clear separation between the parent department and the institute is essential.
     
  2. The institute should not be part of a university, because university priorities would weaken the institute’s capacity to retain a sharp focus on public policy. The committee might like to test this proposition by seeing whether it can identify any contemporary foreign policy research outfit that is part of a university which has substantially shaped Australian foreign policy. My view is that you will search in vain. This is true in the main because universities have priorities other than shaping public policy outcomes. How universities recruit, reward and promote, what they teach and the outcomes they regard as constituting excellence are shaped towards other ends than providing contestable and implementable foreign policy.
     
  3. The institute needs scale to develop excellence. Successful think tanks—such as those at the top end of the University of Pennsylvania’s ‘Go To’ index—attract people interested in policy ideas and with lateral thinking skills and with some entrepreneurial flair. The quality of their thinking is strengthened by being able to test their ideas with colleagues and collaborate on interesting policy work. Some scale is needed to bring a group of people like that together, offering terms and conditions that allow people to develop skills over a few years. This approach stands in contrast to the instinct of some departments to offer one-off, short-term, small funding grants. In my experience, multiple ‘penny-packet’ grants become difficult for departments to administer, produce reports that lack an understanding of how public policy is really done and do not develop skills.
     
  4. The institute will need some time to establish itself. ASPI is 20, and every day is a story of how we manage the tasks of offering policy contestability, engaging with our stakeholders and sustaining ourselves financially. It took probably 15 years for an acceptance to be built in the rather tightknit defence and security community that ASPI was not simply to be tolerated but could add value and even be constructively brought into policy discussions. A foreign policy institute will take a similar amount of time to build an accepted place for itself. Hopefully, an institute would start producing good material on day one, but it will take years for such a group to be seen as a natural (indeed, essential) interlocutor in critical foreign policy discussions.
     
  5. The institute must be non-partisan, reaching out to all parts of parliament. Because foreign policy is a public policy good, it is appropriate and likely that the bulk of funding for a foreign policy institute will come from the public sector. If it is successful, the institute will survive through changes of governments, ministers and senior officials. As such, it can’t afford to be partisan in the way that many private think tanks are. That will still leave scope for engaged debate on policy options, which leads to approach number 6.
     
  6. Accept that the institute will, from time to time, annoy you. This is the price of contestability of policy advice. There is no question that ASPI has annoyed governments, oppositions and officials over the years on all manner of issues, from key bilateral relationships to defence equipment acquisitions, military operations, budgets and the rest. To advance policy thinking, it’s necessary from time to time to question existing policy orthodoxies. The test for the institute’s stakeholders is whether the value of contestable policy advice is worth the occasional annoyance. The test for the foreign policy institute will be whether the issue in question has been appropriately researched and thought through.
     
  7. A professional outfit needs appropriate funding. To succeed, a foreign policy institute needs to be able to attract a mix of staff who can be remunerated in line with their skills. As in all walks of life, one gets what one pays for. Funding of between $2 million and $3 million would set up an institute able to build some critical mass, working out of offices fitted out to an appropriately modest APS standard. The institute should have a remit to grow its funding base through its own efforts. This would be sufficient to enable a promising start to a potentially nationally important organisation.

    ASPI was designed to place the executive director position at (approximately) the level of the APS Senior Executive Service Band 3 (deputy secretary) level. Salary and conditions are determined by the Remuneration Tribunal. The executive director, on direction from the ASPI Council, determines salary levels for ASPI’s staff, who are recruited on contracts. The intent is to recruit people with the mix of policy skills and hands-on public policy experience who can realistically shape policy thinking. Government departments and agencies are, in general, willing to support staff taking positions at ASPI, using options for leave without pay from the APS. For more senior staff, the hope is that some time spent at ASPI will enhance their careers, perhaps enabling them to return to the APS with new skills and capacities. For more junior staff, the aim is to equip them with skills that will make them attractive new hires for departments and agencies.8

Of course, I was doing little more than describing the ASPI business model developed more than 20 years ago and validated through two decades of enthusiastic policy research and advocacy by many dozens of ASPI staff.

Speaking personally, it has been the privilege of my professional life to spend almost a decade as the executive director of the institute since April 2012, and a few more years before that as ASPI’s director of programs between 2003 and 2006. My commitment to the organisation comes about because of the value I believe it adds to Australia’s defence and strategic policy framework. These policy settings matter. They’re the foundation of the security of the country, the security of our people and the very type of country that Australia aspires to be. Australia would be better defended if we had more lively debates about the best ways to promote our strategic interests. ASPI has truly been a national gem in sustaining those debates.

At the core of this book is Graeme Dobell’s sharp take on the intellectual content of hundreds of ASPI research publications, thousands of Strategist posts and many, many conferences, seminars, roundtables and the like. Graeme has done a wonderful job of breathing life into this body of work, reflecting some of the heat and energy that came from ASPI staff and ASPI contributors investing their brain power into Australia’s policy interests. In these pages, you read the story of Australia’s own difficult navigation through the choppy strategic seas of the past 20 years. It’s a thrilling ride and a testament to the many wonderful people who have worked at or supported the institute.

We should all hope that ASPI reaches its 40-year and even 50-year anniversaries, because there’s no doubt in my mind that Australia will continue to need access to contestable policy advice in defence and strategic policy. The coming years will be no less difficult and demanding than the years recounted here. In fact, Australia’s future is likely to face even greater challenges. 

Never forget that strategy and policy matter. Profoundly so. That’s why ASPI matters.

Peter Jennings

Download

Readers are encouraged to download the full publication in PDF format here.


About ASPI

The Australian Strategic Policy Institute was formed in 2001 as an independent, non‑partisan think tank. Its core aim is to provide the Australian Government with fresh ideas on Australia’s defence, security and strategic policy choices.

ASPI is responsible for informing the public on a range of strategic issues, generating new thinking for government and harnessing strategic thinking internationally. ASPI’s sources of funding are identified in our annual report, online at www.aspi.org.au and in the acknowledgements section of individual publications. ASPI remains independent in the content of the research and in all editorial judgements. It is incorporated as a company, and is governed by a Council with broad membership. ASPI’s core values are collegiality, originality & innovation, quality & excellence and independence.

ASPI’s publications—including this report—are not intended in any way to express or reflect the views of the Australian Government. The opinions and recommendations in this report are published by ASPI to promote public debate and understanding of strategic and defence issues. They reflect the personal views of the author(s) and should not be seen as representing the formal position of ASPI on any particular issue.

Important disclaimer

This publication is designed to provide accurate and authoritative information in relation to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering any form of professional or other advice or services. No person should rely on the contents of this publication without first obtaining advice from a qualified professional.

© The Australian Strategic Policy Institute Limited 2021

This publication is subject to copyright. Except as permitted under the Copyright Act 1968, no part of it may in any form or by any means (electronic, mechanical, microcopying, photocopying, recording or otherwise) be reproduced, stored in a retrieval system or transmitted without prior written permission. Enquiries should be addressed to the publishers. Notwithstanding the above, educational institutions (including schools, independent colleges, universities and TAFEs) are granted permission to make copies of copyrighted works strictly for educational purposes without explicit permission from ASPI and free of charge.

ISBN 978-1-925229-67-7 (print)
ISBN 978-1-925229-68-4 (online pdf)

Funding statement: No specific sponsorship was received to fund production of this report

  1. See, for example, Kim Beazley, John Howard et al., ASPI at 15, ASPI, Canberra, October 2016, online. ↩︎
  2. Cabinet memorandum JH00/0131—Establishment of the Australian Strategic Policy Institute—Decision, 18 April 2000, online. ↩︎
  3. Cabinet decision JH00/0216/CAB—Australian Strategic Policy Institute—alternate models to establish a strategic policy research centre—Decision, online. ↩︎
  4. Cabinet decision JH00/0216/CAB. ↩︎
  5. Australian Strategic Policy Institute, Annual report 2001–2002, ASPI, Canberra, October 2002, 10, online. ↩︎
  6. Australian Strategic Policy Institute, Annual report 2019–2020, ASPI, Canberra, October 2020, online; staff numbers are on page 10; funding data is on page 154. ↩︎
  7. Sun Tzu, The art of war, translated by Lionel Giles, Chapter V, 5, online. ↩︎
  8. My submission to the inquiry is available via the internet home page of the Senate Foreign Affairs, Defence and Trade References Committee, Inquiry into funding for public research into foreign policy issues, online. ↩︎

Buying and selling extremism

New funding opportunities in the right-wing extremist online ecosystem

What’s the problem?

As mainstream social media companies have increased their scrutiny and moderation of right-wing extremist (RWE) content and groups,1 there’s been a move to alternative online content platforms.2

There’s also growing concern about right-wing extremism in Australia,3 and about how this shift has diversified the mechanisms used to fundraise by RWE entities.4 This phenomenon isn’t well understood in Australia, despite the Australian Security Intelligence Organisation (ASIO) advising in March 2021 that ‘ideological extremism’5 now makes up around 40% of its priority counterterrorism caseload.6

Research by ASPI’s International Cyber Policy Centre (ICPC) has found that nine Australian Telegram channels7 that share RWE content used at least 22 different funding platforms, including online monetisation tools and cryptocurrencies, to solicit, process and earn funds between 1 January 2021 and 15 July 2021. Due to the opaque nature of many online financial platforms, it’s difficult to obtain a complete picture of online fundraising, so this sample is necessarily limited. However, in this report we aim to provide a preliminary map of the online financial platforms and services that may both support and incentivise an RWE content ecosystem in Australia.

Most funding platforms found in our sample have policies that explicitly prohibit the use of their services for hate speech, but we found that those policies were often unclear and not uniformly enforced. Of course, there’s debate about how to balance civil liberties with the risks posed by online communities that promote RWE ideology (and much of that activity isn’t illegal), but a better understanding of online funding mechanisms is necessary, given the growing concern about the role online propaganda may play in inspiring acts of violence8 as well as the risk that, like other social divisions, such channels and movements could be exploited by adversaries.9

The fundraising facilitated by these platforms not only has the potential to grow the resources of groups and individuals linked to right-wing extremism, but it’s also likely to be a means of building the RWE community both within Australia and with overseas groups and a vector for spreading RWE propaganda through the engagement inherent in fundraising efforts. The funding platforms mirror those used by RWE figures overseas, and funding requests were boosted by foreign actors, continuing Australian RWEs’ history of ‘meaningful international exchange’ with overseas counterparts.10

What’s the solution?

The ways online funding mechanisms can be exploited by individuals and groups promoting RWE ideology in Australia are an emerging problem. Any response must include strong policies and programs to address the drivers of right-wing extremism. However, another strategy that Australian law enforcement, intelligence agencies, policymakers and civil society should explore involves undermining the financial incentives that can help sustain and grow RWE movements.

This response should include examining whether emerging online funding platforms have obligations under Australian laws aimed at countering terrorism financing, as well as enhancing the transparency of platform policies and enforcement actions related to fundraising activity by individuals and groups promoting RWE and other extremist content. The authorities could also explore whether the financial activities of RWE individuals in Australia may in some cases fall under legal prohibitions against the commercial exploitation of a person’s notoriety from criminal offending.

In addition, the Australian Government should create systems to better monitor hate crimes and incidents that can be used to assess linkages of crimes to extremist ideologies and groups, and to track trends to inform the formulation of policy responses related to RWE fundraising. Likewise, more research should be supported to examine the relationships between online content creation and fundraising by RWE influencers, radicalisation, mobilisation to violence, and the potential financial and social influence appeal of online funding and content-production mechanisms when disengaging people from RWE groups and movements.

Defining right-wing extremism

ASIO has said that ‘right-wing extremism is the support for violence to achieve political outcomes relating to ideologies, including but not limited to, white supremacism and Neo-Nazism’.11 That definition points to the central role of violence in defining RWE for law enforcement, but also highlights the role of supporting rather than perpetrating violence. For ASIO, it’s ‘an individual or group’s support for violence’ that triggers the agency’s interest.12

However, international attention is being paid to RWE content and activities that might not fit neatly within existing counterterrorism or violent extremism13 frameworks.14 That work also recognises a ‘post-organisational’ understanding15 of RWE that isn’t limited to membership of defined or static groups.16 This has brought a focus on how threats such as ‘lone wolf’ attacks can emerge from the broad environment of right-wing or other extremism, especially via online ecosystems that can operate as a culture of inspiration for violence.

In this report, we use the term ‘right-wing extremism’ in the following way, as described by Macquarie University’s Department of Security Studies and Criminology in its report on online right-wing extremism in NSW, to denote:

communities and individuals committed to an extreme social, political, or ideological position that is pro-white identity (the ‘in-group’), and actively suspicious of non-white others (the ‘out-group’).

It is characterised by individuals, groups, and ideologies that reject the principles of democracy for all and demand a commitment to dehumanising and/or hostile actions against out-groups.

RWE can be used as an umbrella phrase which incorporates a collection of terms that have been adopted internationally to describe this diverse social movement, including the ‘far-right’, ‘alt-right’, ‘extreme-right’ etc. RWE communities actively misappropriate the language of conservative, right wing political philosophy to reject democratic norms and values.17

This working definition is useful because of the difficulty in scrutinising right-wing extremism in Australia.18 Hate crime is rarely prosecuted here, and individuals who have committed crimes motivated by right-wing extremism may have been charged with other offences.19 Nor do we have any central open registry of ‘crimes motivated by offenders’ bias against race, gender, gender identity, religion, disability, sexual orientation, and ethnicity’ similar to the US Federal Bureau of Investigation’s Uniform Crime Reporting (UCR) Program that would allow us to better understand the issue and identify potential risks and escalations.20 So far, only one RWE group, the Sonnenkrieg Division, has been designated as a terrorist organisation by the Australian Government.21 And Australia lacks research entities that make hate group designations, such as the Southern Poverty Law Center (SPLC) in the US. Our understanding is also complicated by volatile allegiances among people who hold and act on such beliefs and by their geographical dispersal.22

This vacuum in Australia could make right-wing extremism an attractive avenue for foreign adversaries seeking to exploit and exacerbate existing social cleavages, because any governmental response will be sluggish and probably politically fraught, further exacerbating the problem.23 Clearly, there’s also an important debate about how to approach these issues while ensuring that the expression of diverse beliefs and views, including views that other members of Australian society may find distasteful, remains possible.

Given these challenges, we also note other work tracking US RWE fundraising that has relied in part on the SPLC’s hate group designations and draw on those designations in our sample where they occur recognising that they may be imperfect when removed from the US context.24 However, content from US hate groups was shared among the report’s sample, and some channels declared direct affiliations.

The SPLC defines a hate group as:

an organization or collection of individuals that—based on its official statements or principles, the statements of its leaders, or its activities—has beliefs or practices that attack or malign an entire class of people, typically for their immutable characteristics.25

Those characteristics include race, religion, ethnicity, sexual orientation or gender identity. However, the SPLC doesn’t consider the committing of violence to be a prerequisite for being listed as a hate group ‘because a group’s ideology can inspire hate violence even when the group itself does not engage in violent activity’.26 Of course, the SPLC is a private organisation, so its designation of hate groups carries no legal consequence (i.e. prosecution).

There’s evidence that some RWE figures and groups have intentionally toned down their more extreme rhetoric in order to reach a broader audience while avoiding the scrutiny of law enforcement.27 As the Macquarie University’s Department of Security Studies Studies and Criminology report found:

few, if any, groups explicitly and publicly advocate the use of violence against those considered part of the out-group such as Muslims, Jews or immigrants, but rather adopt a longer term opportunistic strategy.28

Likewise, the report of the New Zealand royal commission into the 2019 Christchurch terrorist attack discussed how many individuals and groups that use ‘dehumanising and divisive rhetoric’ against others ‘are careful to avoid direct engagement with, or endorsement of, violence’.29 Nevertheless, it suggested that such rhetoric can serve to normalise Islamophobia or anti-immigrant sentiment in a way that may encourage or legitimise the use of violence.30 ASIO Director-General Mike Burgess has also voiced concern about the internet’s role in this milieu, stating that ‘extremists are security conscious and adapt their security posture to avoid attention. In their online forums and chat rooms, they show that they’re savvy when it comes to operating at the limits of what is legal… The online environment is a force multiplier for extremism; fertile ground for sharing ideology and spreading propaganda’.31

Research methodology

For this analysis, we drew on a dataset of nine Australian Telegram channels that shared RWE content between 1 January 2021 and 15 July 2021. Due to the rapid evolution of online ecosystems, the use of encrypted platforms and the difficulties of tracking financial transactions, especially in cryptocurrencies, this snapshot is necessarily limited. The sample size is small; however, we seek to provide a preliminary survey of the online financial platforms promoted by RWE Telegram channels in Australia before a more comprehensive analysis of the ecosystem.32

The nine channels were chosen by a version of ‘snowball sampling’ (a technique, often used for studying specific groups that are hard to reach, in which research participants are asked to help researchers identify further subjects) adapted for a digital messaging platform built around forwarded messages and link sharing. The first Telegram channel was chosen because it shared RWE content such as posts that glorified Hitler as a martyr and called for a White Australia, and is connected to an individual who has a documented history of connection with Australian RWE groups. The next eight channels were chosen by following forwarded links from other channels (a function of the Telegram platform) to provide a sample (Figure 1).

Figure 1: How the nine Telegram channels were connected by forwarded links between 1 January and 15 July 2021.

Nine Telegram channels were chosen to form the sample based on the following characteristics:

  • An initial assessment of content (posts, images, videos, website links) shared in the channel revealed its ideological alignment with RWE, as defined above.

or

  • The channel shared content from or was affiliated with groups designated by the SPLC as hate groups, such as the Proud Boys, and the channel:
    • was linked to Australia
    • promoted at least one platform that offers online fundraising
    • had at least 100 subscribers as a baseline of audience reach.

This report seeks only to provide a preliminary mapping of where the Australian RWE ecosystem fundraises online. It doesn’t claim to be representative of the complete RWE ecosystem in Australia or assess the overall presence of certain ideologies. Nor do we attempt to analyse the scale or legality of RWE fundraising activity in Australia, how much is raised overall or how funds are ultimately used.

In recognition of work identifying the dangers of amplifying RWE and providing ‘breadcrumbs’ for the public into these ecosystems, only figures who are already well known to the public due to criminal charges and convictions highlighted in Australian media are named here.33 As shown in Figure 1, they include Thomas Sewell, whose affiliations with RWE groups have been covered extensively by Australian media and who is facing armed robbery, assault and violent disorder charges as recently as June 2021.34

This report examines the use of online funding platforms used by RWE Telegram channels in our sample but doesn’t analyse their broader uses and audiences. In general, those platforms weren’t intentionally built for RWE content; however, we note where platforms have purposefully taken a more laissez-faire approach to content moderation in stated opposition to more mainstream platforms.

Data collection and analysis included:

  • exporting the nine Telegram channels associated with our sample
  • examining channel files for terms including ‘donate’, ‘fund’ and ‘view’ to identify fundraising attempts and related platforms
  • mapping the funding ecosystem that stemmed from Telegram onto external platforms (Websites, YouTube, BitChute, DLive, Entropy, Odysee, Trovo, SubscribeStar, Patreon, cryptocurrency wallets, Buy Me a Coffee, Ko-fi, GoFundMe and PayPal, Represent)
  • examining websites related to channels in the sample using tools such as BuiltWith to identify advertising and ecommerce services such as Google AdSense, PayPal, Square and Amazon Associates Program
  • exporting and analysing Telegram JSON files using R packages tidyverse, lubridate and jsonlite to analyse how links were forwarded between channels.

Mapping the Australian RWE funding landscape

Introduction

We found at least 22 platforms, payment services, online tools and cryptocurrencies being used to solicit, process and earn funds linked to a sample of Telegram channels that shared RWE content in Australia between 1 January and 15 July 2021. Where we’ve been able to identify earnings in our sample, they appear to have been limited. This work establishes only that RWE-related fundraising activity is occurring and that the channels for it have been taken up in the Australian environment.

The sampled platforms include multiple emerging live-streaming websites such as DLive and Entropy, which are central to efforts aimed at building an audience for RWE content as well as the RWE community. Some of the platforms provide a means of soliciting donations or micropayments in cash or cryptocurrency. Fundraising was sometimes promoted via the sale of merchandise as well as on platforms such as Patreon, Buy Me a Coffee, PayPal and SubscribeStar. Others advertised various cryptocurrency wallets.

The range of platforms being used mirrors a recent review of the UK RWE online ecosystem published by Bellingcat.35 Likewise, Institute for Strategic Dialogue analysis in 2020 examined ‘73 US-based groups involved in promoting hatred against individuals on the basis of their gender, sexuality, race, religion or nationality’ and found similar online funding mechanisms.36 While global fundraising for RWE causes isn’t a new phenomenon, it’s arguably becoming a more complex one.37 Australia has domestic laws and is party to international taskforces concerning terrorism financing.38 However, there’s a ‘significant gap’ in knowledge internationally regarding the financial operations of groups that support acts of terrorism inspired by RWE ideology, or that support the broader ecosystem that creates content that could incite violence.39 The UN Counter-Terrorism Committee Executive Directorate has written that ‘money is often raised to fund a milieu – which may be accessed by those aspiring to carry out more violent acts – via event fees, merchandizing and donations.’ 40

The relationship between RWE material online, funding and acts of terrorism has been particularly scrutinised following the Christchurch terror attack. While in New Zealand, the Christchurch terrorist reportedly made at least ‘14 donations to RWE, anti-immigration groups and individuals’, 41 but his own attack was apparently self-funded.42 However, the Christchurch report said that it was ‘plausible to conclude’ that his exposure to RWE content online may have contributed to his actions on 15 March 2019.43 His donations formed a part of his engagement with that content. In an interview, professor of computer science at Elon University Megan Squire, who tracks RWE fundraising, described the use of online funding platforms that combine ‘tips’ and RWE live streams as the ‘monetisation of propaganda itself’.44

While RWE groups such as the US-based neo-Confederate group ‘League of the South’ historically solicited ‘dues’ or membership fees from members and sold merchandise,45 among other activities, requests for funds among the sample we examined were sometimes framed around individuals as RWE content creators rather than the activities of RWE groups specifically. This may mirror a social media ‘influencer’ model of patronage in which figures are rewarded for both the entertainment value and perceived credibility of the material they create online. Like wellness ‘influencers’, who use online platforms such as YouTube or Instagram to embody their health approach and build audiences ‘off the appeal of intimacy, authenticity and integrity’,46 RWE content creators may be supported for ostensibly ‘living’ the ideology they propagate.

Of course, the online funding ecosystem could also lead people to make RWE content simply to court money and attention rather than due to ideological commitment. However distinguishing between social harms caused by those who are dedicated to right-wing extremism and those who are simply exploiting a fundraising or profile-raising opportunity is not simple if both make RWE content. This ‘influencer’ model also demonstrates a potential impact of more leaderless or decentralised strategies on fundraising approaches,47 and a ‘borderless’ internet means that new funding strategies are quickly shared and emulated. As Dr Cynthia Miller-Idriss suggested in Hate in the Homeland: The New Global Far Right:

The modern far right is working to build muscular warriors equipped with the physical capacity to fight, along with “alt-right” thinkers with the intellectual capacity to lead and the commercial ecosystems that help market, brand, and financially support these actions. Underpinning all of these activities, though, is the modern far right’s rapid adoption—and creation—of a broad new tech and media ecosystem for communication, dissemination, and mobilization.48

Where they can be identified, the funds raised by our Australian sample via live streams and crowdfunding appear limited in comparison to the significant amounts raised by high-profile individuals in the US who share RWE content. They shouldn’t be dismissed, however, as fundraising can spike alongside high-profile events, as we discuss below.49 Likewise, donating can have an impact on an individual’s ties and symbolic commitment to an organisation or cause. Activists who seek to build movements online sometimes discuss the ‘commitment curve’, in which new members begin by viewing and liking content but can shift to being supposedly more committed to the cause once they begin to donate.50

In addition, fundraising links were forwarded and promoted in more popular RWE British, Canadian and American Telegram public channels, helping to solidify ties between RWE influencers and groups in multiple countries. Similarly, some Australian figures in the sample channels were hosted on overseas podcasts and livestream shows, which offered another opportunity to raise a group’s or individual’s profile and promote fundraising efforts, while others created dedicated content for foreign media channels with links to right-wing extremism.

Funding platforms used by our sample

Table 1: The online platforms, payment processors and cryptocurrencies used by channels in our sample that offer the opportunity to raise funds.

Live streaming and video hostingDLiveEntropyOdyseeBitChuteTrovoYouTubeVideo platforms that allow various forms of monetisation, including tips paid to content makers during a live stream, or donations facilitated on the content maker’s video page or channel.
Subscription platformsSubscribeStarPatreonPlatforms that allow users to make ongoing contributions to a content maker, or pay for access to exclusive content.
Cryptocurrency walletsBitcoin (BTC)MoneroLitecoin (LTC)Ripple (XRP)Ethereum (ETH)Cryptocurrencies with variable functionality, some of which may attempt to obscure the destination of funds. The publication of wallet addresses in public channels allows anyone to donate.
Micropayments and donationsBuy Me a CoffeeKo‑fiOnline platforms that allow users to make ongoing or one‑off contributions to a content maker or individual.
CrowdfundingGoFundMeWebsites that allow users to request donations for a specific cause or activity.
Payment gatewayPayPalAn online payment system that allows users to accept tips and donations, as well as a payment gateway on websites.
Ecommerce websiteRepresentAn ecommerce website that allows users to set up an online store, largely through uploading designs that are then added to T‑shirts and other merchandise.
Ecommerce platformWooCommerceAn open‑source ecommerce platform built on WordPress that allows users to offer goods or services for sale on their websites.
Ecommerce serviceSquareA web solution that helps users set up online retail stores as well as payment processing.
Donation widgetDonorboxSoftware that allows users to create donation forms that are embedded on their websites.
Online advertisingGoogle AdSenseAmazon Associates ProgramOnline advertising programs that allow website owners to potentially earn revenue by showing ads alongside online content. Amazon Associates Program allows web‑page owners to recommend Amazon products and earn revenue if a purchase occurs, among other customer actions.

Platform analysis

Telegram

The chat app Telegram plays an important role in the online funding ecosystem among our sample, while not itself being a mechanism for raising money. The platform did briefly attempt to set up a cryptocurrency before shutting it down after pushback from the US Securities and Exchange Commission, indicating a potential crossover between fundraising and content creation on the app if such a scheme were to ever go ahead.51

In our sample, Telegram was used by individuals who shared RWE content appeared to act as a central guide and point of communication with followers—potentially because channels in the sample feel their channels are less likely to be removed than on platforms such as YouTube or Facebook, as well as the perception of security offered by encryption and its ‘self-destruct’ function.52 Fundraising links were often shared across the channel’s online presence, creating a network that provided a plethora of funding options (Figure 2). For example, one channel in our sample used the video description section on its YouTube videos to provide a link to its Telegram channel, as well as offering a range of funding mechanisms, including PayPal.

Figure 2: Links to fundraising platforms stemming from one Telegram channel in our sample (some social platforms are omitted).

Within the broader ecosystem, there are also Telegram channels dedicated to acting as ‘guides’ to RWE audio and video content, and particularly live streams on sites such as YouTube and DLive,53 including those in Australia that discuss extremist content (Figure 3). Those channels post times and links to such content with the goal of helping followers find and engage with it. This ostensibly helps channels find more viewers and potentially financial supporters for their content. This ecosystem is particularly facilitated by Telegram’s forwarding function, which allows links from one public channel to be forwarded into another, creating a road map for users to expand the range of channels they follow.

In this way, like a channel using hyperlinks to connect a YouTube profile to a website or Facebook page, it builds ‘large propaganda networks with multiple entry points’.54

Figure 3: The top 20 channel links forwarded into a Telegram channel that appears to act as a guide for largely RWE and conspiracist videos and live streams on DLive, YouTube and other platforms between 1 December 2020 and 15 July 2021.

DLive

DLive.tv is a live stream video platform with an inbuilt ‘rewards’ system and is largely used for gaming content. Viewers can donate ‘lemons’ to content creators (a reward point system that creators can cash out, while DLive takes 20% on all transactions on the platform) and take part in live chat rooms.55 DLive was embraced by a number of extremist figures in the US in 2020, including American RWE figure Nick Fuentes, who earned around US$61,655 on the platform in April–October 2020, according to estimates by Dr Megan Squire.56 The SPLC also found that some extremists used the site to ‘supplement’ offline fundraising efforts.57

The platform came to global attention after several figures streamed on DLive during the 6 January 2021 breach of the US Capitol building.58 While DLive accounts linked to the Australian Telegram channels in our sample don’t appear to be raising similar levels of revenue to US figures, they’re making use of the platform and could expand both usage and income generation. Some have a regular weekly streaming schedule, while others use the website more sporadically.

While the platform appealed to RWE figures due to its lax moderation compared to more mainstream live-streaming sites, DLive has since cracked down on some white supremacist channels following the Capitol Hill storming. In a statement following the riot, DLive said it had ‘suspended 3 accounts, forced offline 5 channels, banned 2 accounts from live streaming and permanently removed over 100 past broadcasts’ … ‘for content that violated its Terms of Service and Community Guidelines on or about January 6th.’ 59 Also in January 2021, DLive announced restrictions on what kind of content could raise money on the platform—including streams under its ‘X-tag’ section for mature audience content.60

However, Australian RWE channels in our sample are still collecting donations on the site and regularly live streaming. For example, one live stream in our sample following the DLive announcement was tagged as being about the video game Fortnite but instead discussed race using terms such as ‘pure blood’ and ‘mongrels’.

Entropy

Entropy is a video platform that allows users to port their streams from other platforms, including YouTube, Twitch and DLive, in what it calls a ‘censorship free environment’.61 That means that, even if their channel is stripped of the ability to run advertising or accept tips on those platforms, they can keep collecting donations on Entropy. On Entropy, viewers can make ‘paid chats’, in which they post a comment or question by donating in multiple currencies, including US and Australian dollars. The site takes 15% from paid interactions.62

YouTube also performs a similar function, allowing users to pay for ‘Super Chats’ that make their chat messages stand out during a live-stream chat session. However, YouTube has cracked down on some RWE figures monetising their channels after outlets such as BuzzFeed News reported on their use of the platform for fundraising.63 One channel in our sample specifically cited YouTube’s demonetisation of his account as a reason why financial support was required. In a statement provided to ASPI on 16 June 2021, Google said: ‘Channels that repeatedly brush up against our hate speech policies will be suspended from the YouTube Partner program, meaning they can’t run ads on their channel or use other monetization features like Super Chat.’64

As an example of how Entropy is used, one Telegram channel in our sample regularly posts links to live stream content on sites such as YouTube and DLive while encouraging users to ask questions via Entropy. Earlier this year, this channel featured Thomas Sewell, who is associated with Australia’s National Socialist Network and the European Australia Movement,65 and who is facing a number of charges, as described earlier in this report.66 During the stream, which also took place on YouTube, the channel claimed that viewers paid between US$3 and US$50 on Entropy to ensure their questions were posed to Sewell.

Odysee

The video platform Odysee was launched at the end of 2020 by chief executive Jeremy Kauffman, who said he wanted to recapture what he saw as the early internet where ‘anyone could speak and anyone could have a voice’.67 It hosts a variety of content, but it does in some cases appear to operate as a backup archive for videos that appear on other sites from which clips expressing extremist rhetoric are more likely to be removed.68

Odysee claims to be built on blockchain technology,69 which potentially makes it more difficult to remove videos. It also offers different ways to monetise content, including earnings per view, tips from viewers and site promotions.70 The company is also introducing live streaming.71 At least four channels in our sample used Odysee, including channels that hosted anti-Semitic videos but it’s unclear if or how much they had earned. Their pages displayed a button that allows viewers to ‘support this content’ either by paying a tip or paying to ‘boost’ the channel (Figure 4).72 Those contributions are in LBRY credits, which is a cryptocurrency currently being scrutinised by the US Securities and Exchange Commission.73

Figure 4: A channel seeking LBRY credits.

BitChute

BitChute is a British video hosting website that hosts a range of content.74 It has been widely used by extremists and figures from conspiracist communities, including QAnon and anti-vaccination activists, largely as a means of backing up videos removed from other sites.75 Some channels in our sample used it to share anti-Semitic material, among other content. BitChute provides integration with a number of third-party payment providers, including SubscribeStar, CoinPayments, Patreon and PayPal (Figure 5).76 In our sample, two of the five channels with BitChute pages had ‘monetised’ it as of 15 July 2021: one with PayPal, and the other with PayPal and Patreon.

Figure 5: BitChute account seeking payments via PayPal.

Trovo

Three channels in our sample promoted live streams on the site, but it’s unclear whether they were able to earn any income from the platform. A video streaming service, Trovo is owned by TLIVE LLC, which is an affiliate of the Chinese technology giant Tencent. Trovo offers various opportunities to earn revenue,77 but it’s unclear whether the channels are monetised on the platform.

PayPal, Patreon and SubscribeStar

A number of channels in our sample offered direct ways to donate: four used PayPal.Me pages that allow people to send money, and two offered Patreon subscriptions. Patreon is a membership platform that allows content creators to offer different subscription levels with varying levels of content and access. One Patreon account belonging to an Australian RWE content creator in the sample offered six support levels, ranging from under $2 per month up to almost $300 per month for exclusive content and ‘follow backs’ on social media. Two channels also used SubscribeStar, which similarly allows users to sign up for various levels of membership offering content and access, for which the site takes a 5% service fee.78

Donorbox

One channel also used Donorbox on its related website. Donorbox allows a user to include a donation embed or widget on their website that prompts visitors to make one-time or monthly donations (Figure 6).

Figure 6: A Donorbox donation widget.

GoFundMe

Another channel attempted to use crowdfunding website GoFundMe to raise money for a project, but didn’t appear to have attracted any donors via the website as of 15 July 2021. The channel also claimed that donations to the program were ‘tax deductible’, but we couldn’t locate the company on the Australian Charities and Not-for-profits Commission register or on state-based community organisation registers.

This is an important mechanism to monitor, however, as RWE groups overseas have obtained charity status. The Institute for Strategic Dialogue’s 2020 report, Bankrolling bigotry: an overview of the online funding strategies of American hate groups, found that 32 (44%) of the 73 hate groups examined had some form of charity tax status in the US.79 ‘This potentially helps legitimise hate groups and provides them with avenues through which to raise money’, the report said.

Buy Me a Coffee and Ko-fi

Channels in our sample used microdonation sites such as Buy Me a Coffee and Ko-fi—platforms that allow content creators to solicit donations and subscriptions by buying ‘coffees’. On Buy Me a Coffee they start at around US$3.39 (A$4.60). One channel, for example, shared several Buy Me a Coffee pages in 2021, ostensibly for Thomas Sewell’s legal fees (see Figure 7 below) for the charges described earlier in this report. It’s unclear, however, whether Sewell was able to withdraw those funds, as his pages have been repeatedly removed by the website. However, a post in the channel said ‘it doesn’t do anything to the money when it gets taken down’. A Buy Me a Coffee spokesperson declined to say why the pages were removed.80

Figure 7: Buy Me a Coffee posts raising funds for Thomas Sewell’s legal fees.

Merchandise

Two channels in our sample offered merchandise associated with their branding and ideology, including clothing and books via linked websites, which were examined using the online tool BuiltWith.

One used the ecommerce widget WooCommerce on its website, as well as payment facilitator PayPal.

The other used the online marketplace Represent, which allows people to customise clothing and offer it for sale on dedicated branded pages, as well as via the website builder and payment processor Square.81 The volume of sales is unclear, but counterterrorism financing expert Jessica Davis has written that ‘propaganda sales are unlikely to generate significant profit for terrorists and extremists, but generate a small source of funds, create loose networks of likeminded individuals and serve to keep propaganda available to potential new recruits.’82

Online advertising

Of the five channels in our sample that directed viewers to associated websites, three of those websites appeared to use Google AdSense (an online advertising program that could allow them to earn revenue when ads are seen or clicked), based on analysis using the BuiltWith website analytics tool. One also used Amazon Advertising and appeared to be part of an Amazon Associates Program, which allows web-page owners to recommend and link to Amazon products and earn money if a sale occurs, among other functions.83 Links from the website to a number of products on Amazon’s webstore included Store ID tags.

Cryptocurrencies

We observed wallet addresses for cryptocurrencies including bitcoin, monero, ethereum, ripple and litecoin promoted in Telegram channels and on associated accounts as a means of soliciting funds.

John Bambeneck, a computer security researcher who has tracked donations to RWE figures in Europe and the US, said in an interview that such figures still mostly use bitcoin ‘because that’s the easiest for people to get their minds around for low dollar donors’. Nevertheless, while money may be accepted in bitcoin, it can be converted to another cryptocurrency and moved to another wallet in an attempt to ‘create a break in traceability’.84

The use of cryptocurrencies can also be seen as part of a distrust of traditional financial institutions by RWE actors, and, in some cases, the developers of these ‘coins’ have explicitly cultivated that perception.85 Monero, in particular, has been embraced by overseas RWE channels due to its emphasis on privacy and lack of traceability. Notorious white supremacist website the Daily Stormer has announced that it accepts only monero donations after having been pushed off other funding platforms.86 While it can’t promise complete anonymity, monero claims to ‘hide the sender, amount, and receiver in the transaction’, making it difficult for third parties to track.87 It does it by mixing the wallet address with others when the coin is transferred.88

In contrast, researchers were previously able to track bitcoin sent to a range of RWE figures in the US.89

In one case, according to a 14 January 2021 Chainalysis report, American RWE figure Nick Fuentes was gifted bitcoin worth around US$250,000 from a donor in December 2020.90 ‘Previously, the most he had ever received in a single month was $2,707 worth of Bitcoin,’ according to the report.

A monero wallet address was also shared on a Telegram channel associated with Thomas Sewell, describing the funds raised as being used for Sewell’s legal fees. Likewise, a channel linked to Sewell’s former associate Blair Cottrell similarly advertised a number of cryptocurrency addresses, described as a means of supporting his content. Cottrell was convicted of ‘inciting hatred, contempt and ridicule of Muslims’ in 2017.91

Despite the increasing difficulty of tracking some types of cryptocurrency transactions, Bambeneck emphasised that there are still relatively few platforms on which money can be turned into cryptocurrency and donated, and vice versa, and that this provides a potential point of scrutiny by authorities where appropriate. ‘They can be sitting on a bunch of monero, but eventually they’re going to want to cash it out, so they’re going to want to use regulated exchanges,’ he said.92

Table 2 shows the highest balances over the 12 months to 15 July 2021 in some of the cryptocurrency wallet addresses shared in our sample.

Figure 8 is a post on Telegram highlighting Thomas Sewell’s donation request in monero.

Table 3 summarises the use of funding platforms by the channels in our sample.

Table 2: Highest balance over the 12 months to 15 July 2021 in some of the cryptocurrency wallet addresses shared in our sample, as per walletexplorer.com and etherscan.io. (Conversion as of 12 August 2021).

CryptocurrencyHighest balance over past 12 months
Bitcoin0.11813704 (A$7,280.84)
Bitcoin0.01294395 (A$797.74)
Litecoin0
Ethereum0.120330393 (A$514.83)
Ethereum0.009916 (A$42.43)

Note: We can’t confirm who controls the wallet, whether funds in the wallet were raised by donation solely or in part, or whether funds were cashed out or transferred to another wallet. Monero and ripple aren’t included.

Figure 8: A post on Telegram highlighting Thomas Sewell’s request seeking donations in monero.

Table 3: Summary of funding platforms in our sample of nine Telegram channels.

PlatformPresence in sample
Bitcoin (BTC)Two channels
MoneroTwo channels
Litecoin (LTC)One channel
Ripple (XRP)Two channels
Ethereum (ETH)Two channels
DLiveFive channels
EntropyThree channels
OdyseeFour channels
BitChuteFive channels
TrovoThree channels

Platform policies and demonetisation

All but two of the platforms and services we examined had terms of service for users that explicitly prohibited hate speech or threatening behaviour in some way (Table 4). In general, however, online content and payment platforms grant themselves considerable flexibility when it comes to interpreting and enforcing their own rules and typically operate with limited independent oversight and disclosure.93 Efforts to remove individuals and groups that share RWE content from funding platforms have often been prompted by public pressure on private companies to enforce their existing terms of service. For example, following the Unite the Right rally in Charlottesville in 2017, which left one woman dead, PayPal was pushed to remove accounts used by figures involved in the event.94 Activist groups have also pressured payment providers such as Mastercard and Visa to remove what they called ‘white supremacist groups’ from their platforms.95 Bringing significant challenges for freedom of expression as well as social risks, the enforcement of terms of service by funding platforms has been described as ‘reactive and arbitrary’.96

Table 4: The policies on hate speech of platforms used by a sample of 9 RWE channels in Australia as of 15 July 2021.

PlatformPolicy on hate speech and extremist groups
DLiveDLive prohibits activities and material (including live streams, videos and comments) that: ‘Constitute or encourage hate speech that directly attacks a person or group on the basis of race, ethnicity, national origin, religion, medical or mental condition, disability, age, sexual orientation, gender, or gender identity’.
EntropyNo policy on website.
OdyseeNo specific policy on hate speech, but prohibits using the service to ‘Stalk, intimidate, threaten, or otherwise harass or cause discomfort to other users’ or ‘for any illegal or unauthorized purpose or [to] engage in, encourage, or promote any illegal activity’.
TrovoProhibits conduct that would ‘promote or advocate for terrorism or violent extremism’ or ‘is threatening, abusive, libelous, slanderous, fraudulent, defamatory, deceptive, or otherwise offensive or objectionable’.
Buy Me a CoffeeProhibits content that’s ‘threatening, abusive, harassing, defamatory, libelous, tortious, obscene, profane, or invasive of another person’s privacy’.
Ko-fiProhibits ‘hate speech, intimidation or abuse of any kind targeting any individual, group or institution’.
PayPalProhibits use of the service for activities that involve ‘the promotion of hate, violence, racial or other forms of discriminatory intolerance or the financial exploitation of a crime’.
BitChuteProhibits activities that contain incitement to hatred ‘as defined in section 368E subsection (1) of the UK Communications Act 2003. This applies to any material likely to incite hatred against a group of persons or a member of a group of persons based on any of the grounds referred to in Article 21 of the Charter of Fundamental Rights of the European Union’ and ‘any act of violence or intimidation carried out with the intention offurthering a religious, political or any other ideological objective’. BitChute maintains and publishes a prohibited entities list that contains entities that BitChute has independentlyidentified and explicitly prohibited on the platform under this guideline.
GoFundMeUsers agree not to use the service for ‘User Content or reflecting behavior that we deem, in our sole discretion, to be an abuse of power or in support of hate, violence, harassment, bullying, discrimination, terrorism, or intolerance of any kind relating to race, ethnicity, national origin, religious affiliation, sexual orientation, sex, gender, gender identity, gender expression, serious disabilities or diseases’.
SubscribeStarProhibits use that would ‘harass, abuse, insult, harm, defame, slander, disparage, intimidate, or discriminate based on gender, sexual orientation, religion, ethnicity, race, age, national origin, or disability’.
PatreonProhibits ‘projects funding hate speech, such as calling for violence, exclusion, or segregation. This includes serious attacks on people based on their race, ethnicity, national origin, religion, sex, gender, sexual orientation, age, disability or serious medical conditions.’
RepresentProhibits material that is ‘hateful, or racially, ethnically or otherwise objectionable’ or is ‘advocating persecution based on gender, age, race, religion, disability or national origin, containing explicit sexual content or is otherwise inappropriate for Represent production’.
WooCommerceNo policy. A spokesperson told ASPI ‘WooCommerce, just like WordPress, is a free and open‑source software (as opposed to a platform/SAAS) distributed under GPL V2 license which means that anyone is free to use and modify it without any restrictions or supervision from our side. There isn’t a way for us to force any sort of policies on WooCommerce users, or monitor any sort of compliance.’97
SquareProhibits the upload or provision of content that ‘is false, misleading, unlawful, obscene, indecent, lewd, pornographic, defamatory, libelous, threatening, harassing, hateful, abusive, or inflammatory’.
DonorboxProhibits ‘engaging in, encouraging, promoting, or celebrating unlawful violence toward any group based on race, religion, disability, gender, sexual orientation, national origin, or any other immutable characteristic’.
Google AdSenseProhibits content that ‘incites hatred against, promotes discrimination of, or disparages an individual or group on the basis of their race or ethnic origin, religion, disability,age, nationality, veteran status, sexual orientation, gender, gender identity, or othercharacteristic that is associated with systemic discrimination or marginalization’.
Amazon Associates ProgramUnsuitable sites include those that ‘promote or contain materials or activity that is hateful, harassing, harmful, invasive of another’s privacy, abusive, or discriminatory (including on the basis of race, color, sex, religion, nationality, disability, sexual orientation, or age)’.

Indeed, the approach of payment platforms to RWE content wasn’t consistent among our sample.98 Buy Me a Coffee fundraisers posted to a Telegram channel associated with Thomas Sewell appeared to be repeatedly suspended, but the company declined to say why.99 However, some of the sites used by our sample that allow donations or tips, such as the live-streaming platform DLive, have announced crackdowns on ‘violent extremists’.100 Nevertheless, we found Australian RWE DLive channels circumventing the platform’s policies, potentially due to their lack of international prominence, limited monitoring or a lack of focus from those platforms on Australia.

The definitional difficulties surrounding the sharing of RWE content, as explored above, may also play a role. The platforms rarely define, at least in publicly available documentation, what they mean by terms such as ‘hate speech’ or how a determination is made. One exception was Patreon, which provided a list of questions it may consider when reviewing an account for a potential hate-speech violation, such as ‘Does the creator glorify a group that is known to support ideologies that would be classified as hate speech under this policy?’101

The history of public pressure leading to RWE deplatforming from funding platforms has arguably fuelled what Cynthia Miller-Idriss has called an ‘entrepreneurial spirit within the far-right’.102 RWE groups and figures in the US and Europe have moved to fundraising platforms with fewer restrictions or those purpose-built for them. The now inactive crowdfunding site Hatreon is one example of this attempt to supplant more mainstream funding sources.103 However the demise of Hatreon (Visa reportedly suspended its processing support for the site) shows how funding platforms remain vulnerable to the decisions of major payment processors.104

Cryptocurrencies offer an increasingly popular alternative that’s seen as less vulnerable to deplatforming, as indicated by their use among our sample.105 Nevertheless, pressure points may emerge where cryptocurrencies are converted into or out of fiat currencies. Coinbase, a popular cryptocurrency exchange, reportedly shut down accounts attempting to make bitcoin transfers to RWE website the Daily Stormer in 2017.106 The company’s user agreement prohibits uses that ‘encourage hate, racial intolerance, or violent acts against others’.107 Reasearch fellow with the International Centre for Counter-Terrorism, Dr Eviane Leidig has also proposed that cryptocurrency exchanges like Coinbase and Bittrex become members of the Global Internet Forum to Counter Terrorism, which is a collection of technology companies that works to counter terrorist and violent extremist activity online.108

International case study

RWE figures in the US have raised significant amounts using crowdfunding tied to high-profile events such as the Million MAGA Marches in late 2020 and the 6 January 2021 Capitol riots. While the US political and media ecosystems are unique, they nevertheless provide an example of the scale of fundraising possible using online platforms. We don’t attempt to assess the legality of that activity in this report.

Various militia groups, as well as the Proud Boys (labelled a hate group by the SPLC109 and designated as a terrorist entity in Canada),110 appear to have raised thousands of dollars on the Christian crowdfunding platform GiveSendGo in December 2020 and January 2021, as revealed by a website data breach. Shared with ASPI ICPC by transparency group Distributed Denial of Secrets,111 the GiveSendGo dataset shows that the site was used to raise at least $172,000 in support of activities with claimed links to Proud Boy chapters in the two-month period, with the stated goal of covering expenses such as costs of travel and materials. As noted by The Guardian, ‘Two separate fundraisers asked patrons to fund protective gear and communications equipment for regional Proud Boys chapters, raising $4,876 and $12,900 respectively’.112 Analysis by the Washington Post found that at least $247,000 was raised on the site for 24 people looking to cover ‘travel, medical or legal expenses connected to “Stop the Steal” events’.113

GiveSendGo was also used to raise at least $164,399 as part of ‘legal defense’ funds as of February 2021, including funds ostensibly for high-profile figures in the Proud Boys, including Enrique Tarrio (at least $113,000, according to the DDoSecrets data and a cached GiveSendGo page)114 and Nick Ochs (two funds appear in his name, amounting to at least $22,899, according to the DDoSecrets data and cached GiveSendGo pages),115 as well as members of militia groups (Figure 9). These are likely to be a conservative estimates, given that we included only individuals and funds in our dataset with alleged links to events leading up to and including the 6 January riot and to the Proud Boys or the militia group Oath Keepers, as verified by cached records of the GiveSendGo website, media reports and other sources. In addition, some fundraisers captured in the DDoSecrets dataset are still accepting funds.

Figure 9: Funds raised on GiveSendGo as of February 2021 that are claimed to be linked to the Proud Boys and Oath Keepers, drawn from Distributed Denial of Secrets data.

‘Breadcrumbs’ and ties to the international RWE ecosystem

The online funding mechanisms described in this report also serve as an additional point of connection between the Australian RWE milieu and those who share their views internationally.

Funding techniques and strategies developed in one country or ecosystem are copied and refined, and vice versa. As Tom Keatinge, Florence Keen and Kayla Izenman wrote in 2019:

While there is no international struggle under which these actors currently unite (in contrast to the threat posed by Islamist actors), RWE terrorist and extremist groups are increasingly connected, sharing and emulating best practices, which may include financial methodologies and the transferring of funds.116

Public channels on Telegram, in particular, allow messages to easily be forwarded into other groups – a mechanism that helps build the RWE community domestically and internationally. For example, we observed pleas for support for Thomas Sewell’s legal fund, which the associated Telegram channel said could be provided in the cryptocurrency monero or via Buy Me a Coffee, forwarded into North American RWE Telegram channels—some with more than 50,000 members (Figure 10). Video clips of his alleged confrontation with a security guard, which resulted in an assault charge, were also highly shared across a variety of local and foreign Telegram channels alongside the financial support request.117

Figure 10: Calls for funding created in March 2021 in a Telegram channel associated with Tom Sewell and forwarded into a sample of Australian and overseas RWE and conspiracy theory channels (channel subscriber numbers recorded in July 2021).

We also observed channels in our sample and associated individuals solidifying connections to the international RWE ecosystem by appearing on British, South African and American podcasts and live-stream shows, which were sometimes used to promote fundraising efforts and posted back on their associated Telegram channels (Figure 11). In some cases, such exchanges appear to be formalised: individuals associated with at least two channels in the sample have regular shows and contribute to overseas media channels that sometimes share RWE content, although it isn’t clear what or whether they earn from those relationships financially.

Figure 11: The top 20 Telegram channels forwarded into a Telegram channel that shares content from a North American RWE figure between 1 January and 15 July 2021; a channel associated with Australian Thomas Sewell is among the top 10.

Recommendations

The ways online funding mechanisms can be exploited by individuals and groups sharing RWE material in Australia are an emerging problem. Strong policies and programs to address the drivers of right-wing extremism are important for undermining both the popularity of online extremist content and for disengaging people from RWE movements. However, another strategy that Australian law enforcement, intelligence agencies, policymakers and civil society should explore involves addressing and undermining the financial incentives that can help sustain and grow such movements. This report makes recommendations for government, companies and civil society. These recommendations are grouped into six categories:

1. Reporting obligations for online platforms that allow fundraising

Some financial platforms have obligations under Australia’s Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) if they reach the benchmark of providing a ‘designated service’ with a ‘geographical link’ to Australia, among other requirements.118 While that may be unlikely or complex for some foreign entities that do not have a permanent establishment in Australia, for example, the AML/CTF Act requires a variety of customer identification and verification processes, as well as the reporting of suspicious transactions and record keeping.

Government and regulators should:

  • consider whether some of the emerging financial platforms discussed in this report have obligations under the AML/CTF Act
  • consider new processes to ensure that emerging online financial platforms are recording and reporting suspicious transactions, among other obligations, even if the service is not located in Australia.

2. Hate crime monitoring

As this report notes, Australia lacks a central registry of hate crimes and related incidents similar to the US Federal Bureau of Investigation’s Hate Crime Statistics program. Some organisations, such as Islamophobia Register Australia, track incidents. However, data is collected using different criteria, verification and methodologies and isn’t centralised, frustrating an overarching understanding of such crimes.119 As Professor Greg Barton has written, ‘we are flying blind’.120 Such a registry would provide considerable benefit in understanding the prevalence of RWE-motivated incidents and crime in Australia and provide a better framework to understand related financial activity.

  • The government should work with civil society and other groups to create a unified national hate crime and incidents statistics database.

3. Prohibitions against the commercial exploitation of a person’s notoriety from criminal offending

In Australia, various legal jurisdictions have varying and at times controversial laws aimed at preventing criminals from benefiting from their crimes,121 including in some cases from ‘selling’ their story.122 For example, the Proceeds of Crime Act 2002 has provisions that aim to deprive people of ‘literary proceeds derived from the commercial exploitation of their notoriety from having committed offences’.123 Commercial exploitation can be by any means, including visual media.124

  • Law enforcement should consider whether the online fundraising of RWE figures in Australia who have gained notoriety from criminal activity falls under the Proceeds of Crime Act or similar state provisions.

4. Enhanced transparency reporting

Many of the platforms in our sample have been co-opted by groups and individuals that share RWE content, even if they weren’t built for that purpose. In general, however, few offer governments, researchers, civil society or the public significant transparency about who is using their platforms, how much is being raised or whether funds are successfully ‘cashed out’—all of which necessarily raise privacy considerations, among other civil liberty concerns. Nor do they typically share detailed reports on how many accounts have been closed or removed from their platforms for sharing hate speech or otherwise breaking platform policies. This is also an issue when it comes to ‘false positives’, or when users are inappropriately removed—and especially when there are no meaningful avenues for appeal.

It’s important to note that ‘arbitrary and reactive’ action on the use of such platforms to fund RWE individuals and movements allows private companies considerable latitude over serious social issues, and government and civil society groups must play a role in defining platform regulatory responsibilities, thresholds and safeguards.125 Civil society is already pushing for change in this space.126 In June 2021, for example, the Electronic Frontier Foundation and 21 other digital rights organisations wrote to PayPal and its subsidiary Venmo calling on the companies to ‘ensure due process, transparency, and accountability’ for users.127 To that end, the letter broadly called for the companies to:

  • Publish regular transparency reports
  • Provide meaningful notice to users
  • Offer a timely and meaningful appeal process.

Non-governmental bodies such as the Global Internet Forum to Counter Terrorism are also playing a role in the moderation of extremist content,128 although not without scrutiny concerning the transparency and accountability of their activities.129 Founded in 2017 by Facebook, Microsoft, Twitter and YouTube, the forum aims to build tools and processes that counter the use of technology platforms by terrorists and violent extremists. Likewise, the Organisation for Economic Co-operation and Development is developing a Voluntary Transparency Reporting Framework for Terrorist and Violent Extremist Content Online.130

Government agencies, companies and civil society should:

  • examine multilateral mechanisms to ensure greater platform transparency and accountability on policy and enforcement
  • come together with the platforms and services mentioned in this report, where possible, to discuss opportunities for enhanced transparency and accountability regarding the application of those platforms’ terms of services and opportunities for greater clarity and information sharing
  • examine opportunities to promote a ‘safety by design’ approach that puts user safety and rights at the centre of the design, development and release of online funding products and services.

5. Further research on the relationships between online content creation and fundraising by RWE influencers, radicalisation and mobilisation to violence

More research is needed to better understand how online funding platforms may incentivise or help sustain the growth of RWE entities in Australia, and the symbiotic relationship between the two.

Government agencies and civil society should fund and support work that examines, among other topics:

  • further themes, tools and narratives of RWE fundraising in Australia
  • whether law enforcement agencies have sufficient capability and expertise to investigate these online ecosystems, and identify potential training to overcome any gaps
  • how the RWE funding ecosystem may overlap with other online movements, such as groups that espouse conspiracy theories concerning Covid-19
  • how the broader online ecosystem (for example, video platforms, chat apps, social media services and hosting services) amplifies, distributes or conducts traffic to the funding platforms mentioned in this report.

6. Countering violent extremism

While more work needs to be done to understand the role of online funding mechanisms in the RWE ecosystem, countering violent extremism early-intervention providers in government agencies and NGOs should be aware that those funding mechanisms could be a factor when they’re working to disengage people from the RWE community.

  • Government agencies and NGOs that provide countering violent extremism services should investigate whether income from online platforms could be influential or appealing for radicalised or at-risk individuals, and build the ability to identify that potential influence.

Acknowledgements

Thank you to Danielle Cave, Dr Jacob Wallis and Albert Zhang for all of their work on this project. Thank you also to all of those who peer reviewed this work and provided valuable feedback, including anonymous reviewers and Dr John Coyne, Michael Shoebridge, Fergus Hanson, Dr Debra Smith, Lydia Khalil, Dr Kaz Ross and Levi West. ASPI’s International Cyber Policy Centre receives funding from a variety of sources including sponsorship, research and project support from across governments, industry and civil society. No specific funding was received to fund the production of this report.

What is ASPI?

The Australian Strategic Policy Institute was formed in 2001 as an independent, non‑partisan think tank. Its core aim is to provide the Australian Government with fresh ideas on Australia’s defence, security and strategic policy choices. ASPI is responsible for informing the public on a range of strategic issues, generating new thinking for government and harnessing strategic thinking internationally.

ASPI’s sources of funding are identified in our annual report, online at www.aspi.org.au and in the acknowledgements section of individual publications. ASPI remains independent in the content of the research and in all editorial judgements.

ASPI International Cyber Policy Centre

ASPI’s International Cyber Policy Centre (ICPC) is a leading voice in global debates on cyber, emerging and critical technologies, issues related to information and foreign interference and focuses on the impact these issues have on broader strategic policy. The centre has a growing mixture of expertise and skills with teams of researchers who concentrate on policy, technical analysis, information operations and disinformation, critical and emerging technologies, cyber capacity building, satellite analysis, surveillance and China-related issues.

The ICPC informs public debate in the Indo-Pacific region and supports public policy development by producing original, empirical, data-driven research. The ICPC enriches regional debates by collaborating with research institutes from around the world and by bringing leading global experts to Australia, including through fellowships. To develop capability in Australia and across the Indo-Pacific region, the ICPC has a capacity building team that conducts workshops, training programs and large-scale exercises for the public and private sectors.

We would like to thank all of those who support and contribute to the ICPC with their time, intellect and passion for the topics we work on. If you would like to support the work of the centre please contact: icpc@aspi.org.au

Important disclaimer

This publication is designed to provide accurate and authoritative information in relation to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering any form of professional or other advice or services. No person should rely on the contents of this publication without first obtaining advice from a qualified professional.

© The Australian Strategic Policy Institute Limited 2021

This publication is subject to copyright. Except as permitted under the Copyright Act 1968, no part of it may in any form or by any means (electronic, mechanical, microcopying, photocopying, recording or otherwise) be reproduced, stored in a retrieval system or transmitted without prior written permission. Enquiries should be addressed to the publishers. Notwithstanding the above, educational institutions (including schools, independent colleges, universities and TAFEs) are granted permission to make copies of copyrighted works strictly for educational purposes without explicit permission from ASPI and free of charge.

First published August 2021
ISSN 2209-9689 (online)
ISSN 2209-9670 (print)

Cover image produced by Claudia Chinyere Akole

Funding Statement: No specific sponsorship was received to fund production of this report.

  1. As an example, in June 2020, Facebook designated ‘boogaloo’ a ‘violent US-based anti-government network as a dangerous organization’ and banned it from the platform under its under Dangerous Individuals and Organizations policy, online. ↩︎
  2. Gerrit De Vynck, Ellen Nakashima, ‘RWE groups move online conversations from social media to chat apps—and out of view of law enforcement’, Washington Post, 18 January 2021, online. ↩︎
  3. The 2021 Lowy Institute Poll found that 42% of those surveyed saw ‘right-wing extremism as a critical threat to the vital interests of Australia in the next ten years’, online. ↩︎
  4. Will Carless, ‘Crowdfunding hate: how white supremacists and other extremists raise money from legions of online followers’, USA Today, 4 February 2021, online. ↩︎
  5. In March 2021, ASIO Director-General Mike Burgess announced the organisation’s new preference to categorise violent extremism as ‘religiously motivated’ or ‘ideologically motivated’, rather than as ‘Islamic’ or ‘RWE’, for example—a change that was challenged by some terrorism experts and political figures. ‘Ideological extremism’ includes right-wing extremism. Burgess told The Guardian that he would still say ‘extreme rightwing terror … when it matters and when that is sensibly there’. Daniel Hurst, ‘Australia’s spy chief vows to call out rightwing terrorism when there’s a specific threat’, The Guardian, 20 March 2021, online. ↩︎
  6. Australian Security Intelligence Organisation (ASIO), Director-General’s annual threat assessment, Australian Government, 17 March 2021, online. ↩︎
  7. Telegram is a messaging application. For more discussion of Telegram, please see the section titled ‘Telegram’ under the ‘Platform analysis’ section on page 10. ↩︎
  8. Report: Royal Commission of Inquiry into the terrorist attack on Christchurch masjidain on 15 March 2019, Part 4, Chapter 7, paragraph 17, New Zealand Royal Commission, 21 December 2020, online. ↩︎
  9. ‘Posing as patriots: Graphika exposes an active campaign by suspected Russian actors to covertly target RWE US audiences on alternative platforms’, Graphika, 7 June 2021, online. ↩︎
  10. Kristy Campion, ‘A “lunatic fringe”? The persistence of right wing extremism in Australia’, Perspectives on Terrorism, April 2019, online. ↩︎

Influence for hire. The Asia-Pacific’s online shadow economy

The Asia-Pacific’s online shadow economy

What’s the problem?

It’s not just nation-states that interfere in elections and manipulate political discourse. A range of commercial services increasingly engage in such activities, operating in a shadow online influence-for-hire economy that spans from content farms through to high-end PR agencies. There’s growing evidence of states using commercial influence-for-hire networks. The Oxford Internet Institute found 48 instances of states working with influence-for-hire firms in 2019–20, an increase from 21 in 2017–18 and nine in 2016–17.1 There’s a distinction between legitimate, disclosed political campaigning and government advertising campaigns, on the one hand, and efforts by state actors to covertly manipulate the public opinion of domestic populations or citizens of other countries using inauthentic social media activity, on the other. The use of covert, inauthentic, outsourced online influence is also problematic as it degrades the quality of the public sphere in which citizens must make informed political choices and decisions.

The Asia–Pacific region contains many states in different stages of democratisation.2 Many have transitioned to democratic forms of governance from authoritarian regimes. Some have weak political institutions, limitations on independent media and fragile civil societies. The rapid rate of digital penetration in the region layered over that political context leaves populations vulnerable to online manipulation. In fragile democratic contexts, the prevalence of influence-for-hire operations and their leverage by agents of the state is particularly problematic, given the power imbalance between citizens and the state.

A surplus of cheap digital labour makes the Asia–Pacific a focus for operators in this economy, and this report examines the regional influence-for-hire marketplace using case studies of online manipulation in the Philippines, Indonesia, Taiwan and Australia. Governments and other entities in the region contract such services to target and influence their own populations in ways that aren’t transparent and that may inhibit freedom of political expression by drowning out dissenting voices. Several governments have introduced anti-fake-news legislation that has the potential to inhibit civic discourse by limiting popular political dissent or constraining the independence of the media from the state.3 These trends risk damaging the quality of civic engagement in the region’s emerging democracies.

What’s the solution?

This is a policy problem spanning government, industry and civil society, and solutions must incorporate all of those domains. Furthermore, influence-for-hire services are working in transnational online spaces that cut across legislative jurisdictions. Currently, much of the responsibility for taking action against the covert manipulation of online audiences falls to the social media companies.

It’s the companies that carry the responsibility for enforcement actions, and those actions are primarily framed around the terms of service and content moderation policies that underpin platform use. The platforms themselves are conscious of the growing marketplace for platform-manipulation services. Facebook, for example, notes this trend in its strategic threat report, The state of influence operations 2017–2020.4

Solutions must involve responsibility and transparency in how governments engage with their citizens.

The use of online advertising in political campaigning is distinct from the covert manipulation of a domestic population by a state. However, governments, civil society and industry have shared interests in an open information environment and can find alignment on the democratic values that support free—and unmanipulated—political expression. Support for democratic forms of governance remains strong in the Asia–Pacific region,5 albeit with degrees of concern about the destabilising potential of digitally mediated forms of political mobilisation and a trend towards democratic backsliding over the last decade that is constraining the space for civil society.6

The technology industry, civil society and governments should make that alignment of values the bedrock of a productive working relationship. Structures bringing these stakeholders together should reframe those relationships—which are at times adversarial—in order to find common ground. There will be no one-size-fits-all solution, given the region’s cultural diversity. Yet the Asia–Pacific contains many rapidly emerging economies that can contribute to the digital economy in creative ways. The spirit of digital entrepreneurship that drives content farm operations should be reshaped through stakeholder partnerships and engagement into more productive forms of digital labour that can contribute to a creative, diverse and distinct digital economy.

Introduction

It is already well known that the Kremlin’s covert interference in the 2016 US presidential election was outsourced to the now infamous Internet Research Agency.7

ASPI’s investigations of at-scale manipulation of the information environment by other significant state actors have also identified the use of marketing and spam networks to obfuscate state actor involvement. For example, ASPI has previously identified the use of Indonesian spam marketing networks in information operations attributed to the Chinese Government and targeting the Hong Kong protest movement in 2019.8 In 2020, ASPI also discovered the Chinese Government’s repurposing of Russian and Bangladeshi social media accounts to denigrate the movement.9 Those accounts were likely to have been hacked, stolen or on-sold in the influence-for-hire shadow economy. In May 2021, Facebook suspended networks of influence-for-hire activity run from Ukraine targeting domestic audiences and linked to individuals previously sanctioned by the US Department of the Treasury for attempted interference in the 2020 US presidential election.10

Audience engagement with, and heightened sentiment about civic events create new business models for those motivated to influence. Australia’s 2019 federal election was targeted by financially motivated actors from Albania, Kosovo and the Republic of Northern Macedonia.11 Those operators built large Facebook groups, used inflammatory nationalistic and Islamophobic content to drive engagement, and seeded the groups with links through to off-platform content-farm websites. Each click-through from the Facebook group to the content-farm ecosystem generated advertising revenue for those running the operation. A similar business model run from Israel used similar tactics to build audiences on Facebook, again manipulating and monetising nationalistic and Islamophobic sentiment to build audiences that could be steered to an ad-revenue-generating content-farm ecosystem of news-style websites.12 Mehreen Faruqi, Australia’s first female Muslim senator, was a target of racist vitriol among the 546,000 followers of 10 Facebook pages within the network. These financially motivated actors demonstrate that even well-established democracies are vulnerable to manipulation through exploitation of the fissures in their social cohesion.

This report examines the influence-for-hire marketplace across the Asia–Pacific through case studies of online manipulation in the Philippines, Indonesia, Taiwan and Australia over five chapters and concludes with policy recommendations (pages 36-37). The authors explore the business models that support and sustain the marketplace for influence and the services that influence operators offer.

Those services are increasingly integrated into political campaigning, yet the report highlights that those same approaches are being used by states in the region to influence their domestic populations in ways that aren’t transparent and that constrict and constrain political expression. In some instances, states in the region are using commercial services as proxies to covertly influence targeted international audiences.

Download full report

The above sections are the report introduction only – readers are encouraged to download the full report which includes many case-studies and references.


Editor and project manager: Dr Jacob Wallis is Head of Program, Information Operations and Disinformation at ASPI’s International Cyber Policy Centre.

About the authors: 

  • Ariel Bogle is an Analyst at ASPI’s International Cyber Policy Centre.
  • Albert Zhang is a Researcher at ASPI’s International Cyber Policy Centre.
  • Hillary Mansour is a Research Intern at ASPI’s International Cyber Policy Centre.
  • Tim Niven is a Research Scientist at Taiwan-based DoubleThink Lab.
  • Elena Yi-Ching Ho was a Research Intern at ASPI’s International Cyber Policy Centre.
  • Jason Liu is a Taiwan-based investigative journalist.
  • Dr Jonathan Corpus Ong is Associate Professor, University of Massachusetts-Amherst and Shorenstein Center Fellow, Technology and Social Change Project, Harvard Kennedy School.
  • Dr Ross Tapsell is Senior Lecturer at the College of Asia & the Pacific at Australian National University.

Acknowledgements

Thank you to Danielle Cave and Fergus Hanson for all of their work on this project. Thank you also to peer reviewers inside of ASPI, including Michael Shoebridge, and external, anonymous peer reviewers for their useful feedback on drafts of the report. Facebook Inc. provided ASPI with a grant of AU$100,000 which was used towards this report. The views reflected in the report are those of the authors only. Additional research costs were covered from ASPI ICPC’s mixed revenue base. The work of ASPI ICPC would not be possible without the support of our partners and sponsors across governments, industry and civil society.

What is ASPI?

The Australian Strategic Policy Institute was formed in 2001 as an independent, non‑partisan think tank. Its core aim is to provide the Australian Government with fresh ideas on Australia’s defence, security and strategic policy choices. ASPI is responsible for informing the public on a range of strategic issues, generating new thinking for government and harnessing strategic thinking internationally. ASPI’s sources of funding are identified in our annual report, online at www.aspi.org.au and in the acknowledgements section of individual publications. ASPI remains independent in the content of the research and in all editorial judgements.

ASPI International Cyber Policy Centre

ASPI’s International Cyber Policy Centre (ICPC) is a leading voice in global debates on cyber, emerging and critical technologies, issues related to information and foreign interference and focuses on the impact these issues have on broader strategic policy. The centre has a growing mixture of expertise and skills with teams of researchers who concentrate on policy, technical analysis, information operations and disinformation, critical and emerging technologies, cyber capacity building, satellite analysis, surveillance and China-related issues.

The ICPC informs public debate in the Indo-Pacific region and supports public policy development by producing original, empirical, data-driven research. The ICPC enriches regional debates by collaborating with research institutes from around the world and by bringing leading global experts to Australia, including through fellowships. To develop capability in Australia and across the Indo-Pacific region, the ICPC has a capacity building team that conducts workshops, training programs and large-scale exercises for the public and private sectors.

We would like to thank all of those who support and contribute to the ICPC with their time, intellect and passion for the topics we work on. If you would like to support the work of the centre please contact: icpc@aspi.org.au

Important disclaimer

This publication is designed to provide accurate and authoritative information in relation to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering any form of professional or other advice or services. No person should rely on the contents of this publication without first obtaining advice from a qualified professional.

© The Australian Strategic Policy Institute Limited 2021

This publication is subject to copyright. Except as permitted under the Copyright Act 1968, no part of it may in any form or by any means (electronic, mechanical, microcopying, photocopying, recording or otherwise) be reproduced, stored in a retrieval system or transmitted without prior written permission. Enquiries should be addressed to the publishers.

Notwithstanding the above, educational institutions (including schools, independent colleges, universities and TAFEs) are granted permission to make copies of copyrighted works strictly for educational purposes without explicit permission from ASPI and free of charge.

First published August 2021. ISSN 2209-9689 (online), ISSN 2209-9670 (print).

Cover image: Illustration by Wes Mountain. ASPI ICPC and Wes Mountain allow this image to be republished under the Creative Commons License Attribution-Share Alike. Users of the image should use the following sentence for image attribution: ‘Illustration by Wes Mountain, commissioned by the Australian Strategic Policy Institute’s International Cyber Policy Centre.’

Funding statement: This report was in part funded by Facebook Inc.

  1. Samantha Bradshaw, Hannah Bailey, Philip N Howard, Industrialized disinformation: 2020 global inventory of organized social media manipulation, Computational Propaganda Research Project, 2020, online. ↩︎
  2. Lindsey W Ford, Ryan Hass, Democracy in Asia, Brookings Institution, 22 January 2021, online. ↩︎
  3. Andrea Carson, Liam Fallon, Fighting fake news: a study of online misinformation regulation in the Asia Pacific, La Trobe University, January 2021, online. ↩︎
  4. Threat report: the state of influence operations 2017–2020, Facebook, May 2021, online. ↩︎
  5. L.F. Ford, R. Hass, Democracy in Asia, Brookings, 2021, online. ↩︎
  6. V-Dem Institute, Democracy report 2021: Autocratization turns viral, 2021, online. ↩︎
  7. US Department of Justice, Internet Research Agency indictment, US Government, 2018, online. ↩︎
  8. T Uren, E Thomas, J Wallis, Tweeting through the Great Firewall: preliminary analysis of PRC-linked information operations on the Hong Kong protests, ASPI, Canberra, 3 September 2019, online. ↩︎
  9. Wallis, T Uren, E Thomas, A Zhang, S Hoffman, L Li, A Pascoe, D Cave, Retweeting through the Great Firewall: a persistent and undeterred threat actor, ASPI, Canberra, 12 June 2020, online. ↩︎
  10. Facebook, April 2021 coordinated inauthentic behaviour report, 2021, online. ↩︎
  11. M Workman, S Hutcheon, ‘Facebook trolls and scammers from Kosovo are manipulating Australian users’, ABC News, 15 March 2019, online. ↩︎
  12. C Knaus, M McGowan, M Evershed, O Homes, ‘Inside the hate factory: how Facebook fuels far-right profit’, The Guardian, 6 December 2019, online. ↩︎

Exfiltrate, encrypt, extort

The global rise of ransomware and Australia’s policy options

What’s the problem?

As the Covid-19 pandemic has swept across the world, another less visible epidemic has occurred concurrently—a tsunami of cybercrime producing global losses totalling more than US$1 trillion.1

While cybercrime is huge in scale and diverse in form, there’s one type that presents a unique threat to businesses and governments the world over: ransomware.

Some of the most spectacular ransomware attacks have occurred offshore, but Australia hasn’t been immune. Over the past 18 months, major logistics company Toll Holdings Ltd has been hit twice; Nine Entertainment was brought to its knees by an attack that left the company struggling to televise news bulletins and produce newspapers; multiple health and aged-care providers across the country have been hit; and global meat supplies were affected after the Australian and international operations of the world’s largest meat producer, JBS Foods, were brought to a standstill. It’s likely that other organisations have also been hit but have kept it out of the public spotlight.

A current policy vacuum makes Australia an attractive market for these attacks, and ransomware is a problem that will only get worse unless a concerted and strategic domestic effort to thwart the attacks is developed. Developing a strategy now is essential. Not only are Australian organisations viewed as lucrative targets due to their often low cybersecurity posture, but they’re also seen as soft targets. The number of attacks will continue to grow unless urgent action is taken to reduce the incentives to target Australian companies and other entities.

What’s the solution?

All governments, civil society groups and businesses—large and small—need to know how to manage and mitigate the risk of ransomware, but organisations can’t deal with the attacks on their own. Given the significant—and increasing—threat ransomware presents to Australia, new policy measures are fundamental to dealing with this challenge. While there’s no doubt ransomware is difficult to tackle using traditional law enforcement methods because the criminal actors involved are usually located offshore, there are domestic policy levers that can be pulled, for example, to support cybersecurity uplift measures across the economy. Such action is essential because the grim reality is that, when it comes to ransomware, prevention is the best response.

This policy report addresses key areas in Australia where new policies and strategies and improved guidance are needed and also where better support for cybersecurity uplift can be achieved.

Our recommendations include arguments for greater clarity about the legality of ransomware payments, increased transparency when attacks do occur, the adoption of a mandatory reporting regime, expanding the official alert system of the Australian Cyber Security Centre (ACSC), focused education programs to improve the public’s and the business community’s understanding and, finally, incentivising cybersecurity uplift measures through tax, procurement and subsidy measures. We also recommend the establishment of a dedicated cross-departmental ransomware taskforce, which would include state and territory representatives, that would share threat intelligence and develop federal-level policy proposals to tackle ransomware nationally.

Introduction: What’s ransomware?

Ransomware is a form of malware designed and deployed by state and non-state cybercriminals who seek out vulnerabilities in the computer systems of organisations, both large and small, locking up, encrypting and extracting data, and rendering computers and their files unusable.2 Attacks are accompanied by a demand for ransom to be paid in return for decrypting and unlocking systems.

Increasingly, ransomware attacks include an extortion element that usually involves threats to leak stolen data publicly or on the dark web if payment isn’t made (known as ‘hack and leak’) to exert pressure on the victim to pay the ransom.

Furthermore, payments can be difficult to trace because they’re generally made using cryptocurrency.3

This also makes it hard—but not impossible (as we saw with the Colonial Pipeline attack)—to investigate and prosecute the criminals responsible for ransomware attacks. Generally, those criminals operate with impunity in extraterritorial jurisdictions (most notably Russian threat actors) where governments protect or tolerate them or don’t have the legal systems, frameworks or capabilities in place to prosecute them.4

Ransomware is a form of cybercrime that’s both scalable and able to be commoditised. It can be bought as a service, generally on the dark web, where ransomware criminals essentially act as ‘guns for hire’. In 2020, a US analysis found buying malware online was ‘incredibly easy’, and that advanced malware tools sell for as little as US$50.5 The analysis also found that ‘almost all premium malware sellers provide buyers with in-depth tutorials and ideas about using their products for technically unskilled buyers.’6

The most common way ransomware is deployed into a system is via email phishing campaigns, remote access vulnerabilities and software vulnerabilities.7 In the case of phishing, a criminal sends an email containing a malicious file or link that deploys malware when it’s clicked. Phishing campaigns continue to evolve and are becoming increasingly sophisticated and targeted. Remote access vulnerabilities, such as weak username and password combinations, allow criminals access to and control of the computer remotely. Cybercriminals exploit such vulnerabilities via sustained attacks or by obtaining user credentials, which are often purchased on the dark web, enabling the deployment of malware onto a system.8 Finally, cybercriminals leverage security weaknesses in popular software programs to gain control of systems and deploy ransomware.9

It’s important to note that ransomware attacks are entirely foreseeable and almost always defendable.

In the physical world, organisations pay for security alarms, high fences and sensors to protect their property. And the digital world should be no different. Ransomware is simply another crime type and the threat should be viewed as another organisational risk because, behind every ransomware attack, are cybercriminals who have watched their victim’s network, laying the ground for encryption and data theft to hold the victim to ransom.

The domestic landscape

In 2019–20, the ACSC reported an increase in the number of ransomware attacks on Australian organisations, although specific metrics weren’t released.10 According to the ACSC, the top five sectors to report ransomware incidents during that period were health; state and territory governments; education and research; and transport and retail.11 It’s worth noting that the health sector was disproportionately affected, in line with global trends,12 reflecting its attractiveness as a target due to the value of the troves of personal health data stored and, most importantly, the criticality of the services provided. Put simply, a ransom is more likely to be paid if human life is endangered.

It should be noted that transnational cyberattacks are a serious concern for Australians. The recently published results of the 2021 Lowy Institute Poll reported that 98% of the poll’s nationally representative sample viewed ‘cyber attacks from other countries’ as a critical (62%) or important (36%) threat to Australia over the next decade.13 That makes transnational cyberattacks the highest of the 12 threats to Australia’s vital interests that the Lowy Institute asked people about, rating higher than climate change, Covid-19 and other potential epidemics, international terrorism, a severe downturn in the global economy and Australia–China relations.

Figure 1: Threats to Australia’s vital interests

Source: Lowy Institute Poll 2021, online.

Do Australians understand what ransomware is?

In a bid to better gauge the public’s understanding of what ransomware is, what it does and what to do in the event of an attack, the Cyber Security Cooperative Research Centre conducted a nationally representative online survey of 1,000 Australian adults in April 2021 on ‘Understanding ransomware’. The results—though not unexpected—painted an alarming picture of just how little the Australian public understands ransomware.

Twenty-five per cent of respondents said ransomware was the most significant cybersecurity threat to Australian businesses, coming in behind hacking (48%). Seventy-seven per cent said they wouldn’t know what to do if they fell victim to a ransomware attack but, when given a set of options, 56% said they would contact the ACSC. Of the respondents, 42% said they understood how a ransomware attack occurred, and 44% indicated that they knew what happened in a ransomware attack. Respondents believed financial gain was the key aim of an attack (71%), followed by data theft (14%).

While this survey wasn’t exhaustive, it clearly shows that the community, generally, has little understanding of ransomware, illustrating that a more concerted effort to educate Australians about it is required. That effort should be teamed with effective tools and policies to mitigate the risk of falling victim to a ransomware attack.

Major reported ransomware attacks in Australia in 2020 and 2021

Major attacks on Australian targets in 2020 and so far in 2021 included the following:

  • February and May 2020: Toll Holdings
    Employee and commercially sensitive data was stolen in two separate ransomware attacks on Toll Holdings, which is an Australian logistics giant.14 Some of the stolen data was leaked on the dark web.15 It’s understood that Toll didn’t pay either ransom.16 As a result of the attack, the company has undertaken substantial remediation and cybersecurity uplift programs.17
  • May 2020: BlueScope Steel
    A ransomware attack on a US-based system of BlueScope Steel had global ramifications, affecting production at the organisation’s Port Kembla facility in Australia.18 Details of the attack, including whether payment was made, were undisclosed.
  • June 2020 (two attacks): Lion Dairy and Drinks
    Dairy processor and drink manufacturer Lion was forced to shut down production as a result of two separate ransomware attacks, which had significant impacts on its vast domestic supply chain.19 Sensitive data was stolen in the attacks, and the criminals responsible threatened to publish it on the dark web.20 It’s unknown whether a ransom was paid.
  • December 2020: Law in Order
    Law in Order provides document-management services to the legal profession and purports to have ‘iron-clad security’.21 The criminals who attacked it threatened to publish stolen data on the dark web.22 It’s unknown whether a ransom payment was made.
  • March 2021: Nine Entertainment
    In late March, Nine Entertainment’s news and newspaper production were severely damaged by a ransomware attack.23 As a result, news teams were forced to work remotely, and most production had to be done out of Nine’s Melbourne office, which was the least affected. It took weeks for production to return to normal.24 It’s unknown whether the ransom was paid.
  • March 2021: Eastern Health
    Eastern Health, which operates several hospitals in Melbourne, was brought to a halt by a ransomware attack that resulted in multiple surgery cancellations and prevented access to patient medical records, internal emails and IT systems.25 Systems were reportedly damaged for weeks. It’s unknown whether a ransom was paid.
  • April 2021: Uniting Care Qld
    Uniting Care Qld, which operates several hospitals and disability and aged-care facilities across the state, had its access to internal IT systems and patient records severely compromised in a ransomware attack attributed to the REvil group.26 It’s unknown whether a ransom was paid.
  • June 2021: JBS Foods
    JBS Foods, the world’s largest meat supplier, had its global production brought to a standstill by a ransomware attack affecting 47 facilities in Australia.27 The company confirmed that it paid US$11 million to the attackers.28

Ransomware payments and regulating cryptocurrency

Cryptocurrencies are the preferred channel of payment for ransomware attacks because of the assumed untraceability of those payments. However, successful steps are being taken to crack down on cryptocurrency providers via law enforcement and recovery action. In the US, steps have been taken to regulate the use of cryptocurrencies more tightly and to recoup stolen funds; for example, US$2.3 million was recovered after the Colonial Pipeline ransomware attack.29

The US Treasury announced in May 2021 that, under a proposed reporting regime, cryptocurrency transfers of more than $10,000 would have to be reported to the Internal Revenue Service—a step that could help to improve the effectiveness of cryptocurrency tracking.30 There’s also a move in the US towards KYC (‘know your customer’) and AML (anti-money-laundering) cryptocurrency regulation. KYC policies govern the types of information banks must collect, and retain, about their customers; AML regulations require financial institutions to monitor the use of funds by their customers.31

In 2018, new laws came into force in Australia making it compulsory for digital currency exchange providers operating in Australia to register with AUSTRAC and comply with reporting obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006.32 Under those laws, exchanges are required to collect information to establish a customer’s identity, monitor transaction activity and report transactions or activity that’s suspicious or involves amounts of cash over $10,000.33

The legality of ransomware payment in Australia

When a ransomware attack occurs, any payment made has legal implications, but in Australia the legality of such a payment is murky at best. This is an issue that needs to be addressed with haste, without the burden of bureaucratic process and a regulatory quagmire. Importantly, criminalising ransomware payment isn’t the solution. Mandatory reporting of ransomware attacks, however, should be considered.

The ACSC’s advice on payment is clear: don’t pay.34 At first blush, that appears to be straightforward, but any organisation faced with a ransomware attack (in which often every minute matters) grapples with the legal consequences of paying or not paying. This is a highly nuanced issue and one that other nations are also grappling with.

While the payment of a ransom should always be a last resort, criminalisation wouldn’t incapacitate the real offenders; nor would it bring restitution to victims. In fact, it would have the effect of further victimising the victim. There are also ethical considerations that need to be taken into account, the central one being the notion that criminalisation could punish organisations for taking proportionate action to protect stakeholders and the community more broadly. This is especially relevant in relation to critical infrastructure entities.

In the Australian context, the Criminal Code Act’s ‘instrument of crime’ provisions are broad. It’s an offence to ‘deal with’ money or other property if there’s a risk that the money or property will become an instrument of crime or if the payer is ‘reckless’ or ‘negligent’ about the fact that the money or property will become an instrument of crime.35 The Criminal Code also includes terrorism funding offences, which make it illegal to intentionally ‘make funds available to a [terrorist] organisation’ if the funder either knows that the organisation is a terrorist organisation or is reckless about whether the organisation is a terrorist organisation.36

Australia is also bound by UN sanctions laws and, under the Charter of the United Nations Act 1945 (which implements UN Security Council sanctions), it’s an offence to transfer assets to sanctioned people and entities or to contravene UN sanctions enforcement laws.37 Currently, no ransomware actors are explicitly listed on the UN’s sanctions list; however, sanctions laws could apply in relation to sanctioned states or to groups acting on behalf of sanctioned entities.38

The most commonly cited potential defence against a charge of making an ‘illegal’ ransomware payment is duress. A duress defence can be used if a person ‘reasonably believes’ that a threat made will be carried out unless an offence of ransom payment is committed, there’s no reasonable way the threat can be rendered ineffective, and the conduct or payment is a reasonable response to the threat.39 Such a defence would depend on the particular circumstances facing an organisation and its payment of a ransom.

In the US, where the Federal Bureau of Investigation (FBI) reported 2,474 ransomware incidents in 2020, ransom payment isn’t illegal.40 However, a ransomware advisory published by the US Treasury Department in October 2020 highlighted the possibility of sanction breaches that could be associated with ransomware payments to malicious cyber actors.41 The advisory contains a list of malicious cyber actors sanctioned by the department’s Office of Foreign Assets Control, signalling that ransom payments to such actors could be met with civil penalties. Of note, however, is the recognition that ‘a company’s self-initiated, timely, and complete report of a ransomware attack to law enforcement [will be] a significant mitigating factor in determining an appropriate enforcement outcome if the situation is later determined to have a sanctions nexus’.42 On this point, a 2019 FBI ransomware alert highlighted the need for ransomware attacks to be reported, regardless of whether money is exchanged.43 Interestingly, the alert highlights the challenges that affected organisations face—and a possible reticence to prosecute for payment—by stating ‘the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers’.44

Given that the measures outlined in the Treasury advisory have, to date, not been applied, and the clear focus on reporting and transparency, it could be reasonably concluded in the US that there’s little appetite for penalising organisations for paying ransoms. Such a model could be employed in Australia, fostering an information-sharing culture without fear of legal consequences for organisations that pay ransoms. There’s also merit in the US approach of publishing a list of known malicious ransomware actors. While that wouldn’t remediate the problem, it would serve to better inform organisations about cyber threat actors.

A mandatory reporting regime could take the form of a legal obligation for an organisation to report the nature and root cause of a ransomware attack to the ACSC within a prescribed time frame (for example, within 21 days). That would be in addition to real-time reporting of a cyber incident.

Furthermore, this should occur regardless of whether payment is made and ensure the confidentiality of victims. It wouldn’t be about naming and shaming. Rather, by compelling victimised organisations to report under law, the ACSC would have improved access to vital and timely intelligence, assisting root-cause analysis and the identification of other attack vectors. Ultimately, when published, this would help better inform other stakeholders on how to reduce vulnerabilities. It would also enhance the operation of the federal government’s proposed changes to the Security of Critical Infrastructure Act 2018.45

It’s worth noting recent steps that the European Commission has taken ‘to tackle the rising number of serious cyber incidents’, announcing on 23 June that it will build a ‘Joint Cyber Unit’.46 The aim of the unit is to provide a coordinated response to ‘large-scale’ cyber incidents and assist in recovery, operating at both the operational and technical levels.47 It will involve key stakeholders from law enforcement, security, defence and diplomacy.48 Its functions will be enhanced by a new US–EU working group, which has been established specifically to address the ransomware threat.49

The joint EU and US approach demonstrates that, while Australia can take significant steps to address ransomware domestically by clarifying our law, there’s a vital need to work closely with allies and like-minded nations to tackle the threat globally. Longer term, sustained intelligence sharing and the adoption of responsibilities flowing from the agreed UN norms of responsible state behaviour in cyberspace will help achieve international consensus on tackling ransomware.50 In April, to that end, the Five Eyes nations committed to tackling the growing threat of ransomware, specifically addressing the issue in the Five Country Ministerial Statement Regarding the Threat of Ransomware.51

What about cyber insurance?

While still relatively immature, Australia’s cyber insurance market has expanded. Cyber insurance policies can be expensive, given the nature of the threat, and broad in scope, covering recovery, replacement and regulatory costs associated with a ransomware attack. Of concern, however, are policies that cover ransom costs, which could serve to encourage attacks targeted at insured entities.52 There are also concerns that ransomware criminals might access systems in search of insurance certificates and then demand ransom payment of the specific amount covered by an insurer.53 While there is a role for cyber insurance to play as part of an organisation’s holistic cyber security strategy, it is not a silver bullet, and it can have unintended consequences. As noted above, a key risk is the targeting of insured organisations by threat actors. There is also the potential for organisations with cyber insurance to be lax in their approach to managing cyber security. As noted in the Harvard Business Review: “Insurance is important, but it’s likely to take a back seat to the broader cyber security discussion…Insurance helps you recover from a situation, filling in the gaps when problems occur that you can’t prevent, but attempts to prevent problems are still crucial”.

Where do we go from here?

To better protect Australians and their businesses against ransomware, we believe that the three key words are transparency, education and incentivisation.

Increased transparency is vital

As it stands, there’s a dearth of official public data relating to ransomware attacks in Australia. For example, and as noted above, in the 2019–20 financial year the ACSC reported an increase in the number of domestic ransomware attacks, but no specific metrics were released.54 This is in stark contrast to the US, which has a much more transparent reporting system. The FBI publicly reported that it recorded 2,474 ransomware incidents in 2020, amounting to US$29.1 million in economic loss55 (and that’s likely to be a significant understatement of the overall incidence of ransomware attacks because reporting is voluntary).

While it’s understandable that the specifics of attacks and victims aren’t released into the public domain, if more insight were provided into the prevalence and root causes of ransomware crimes in Australia there would be greater onus on organisations to harden their systems against attack (especially known vulnerabilities). Furthermore, by building a public narrative on the threat landscape and threat actors, policymakers, organisations and the community more broadly would be better informed about the scale of the attacks. This would have a two-pronged effect—encouraging cybersecurity uplift across the economy and enhancing trust in government, especially in the light of the heightened reporting obligations touted for critical infrastructure entities.56

In April this year, the US Department of Justice established a dedicated ransomware taskforce.

A memo from Acting Deputy Attorney General John Carlin stated that 2020 had been ‘the worst year’ in history for ransomware and cyber extortion. He signalled that steps would be taken to deal with the root causes of ransomware, which could include actions ranging from ‘takedowns of servers used to spread ransomware to seizures of these criminal enterprises’ ill-gotten gains’.57

The US Government’s Cybersecurity and Infrastructure Security Agency (CISA) also provides regular ransomware alerts and tips to the public,58 which go into significant detail regarding the latest ransomware attacks, the systemic weaknesses that were exploited to gain access for malware to be deployed and steps organisations can take to mitigate those risks. The CISA played a pivotal role in disseminating real-time information about the Colonial Pipeline ransomware attack in May 2021,59 which brought the major provider of fuel to the US east coast to a grinding halt.60

The CISA kept the community and critical infrastructure entities informed during what was arguably the most serious ransomware attack the US has seen, ultimately assisting other organisations to be on guard.61

The US approach illustrates how comprehensive and more transparent official reporting of ransom ware attacks could be used to enhance preparedness for an attack and people’s understanding of the threat environment. While the ACSC does provide high-level threat intelligence to organisations, there’s a requirement for those organisations to register and be accepted into the ACSC Partnership Program. In addition, the alerts and advice are quite technical, which could make them inaccessible to some organisations, especially small and medium-sized enterprises (SMEs). Hence, there’s a need to build on the existing regime, with a view to enhancing transparency across the entire economy and community via public alerts and advice when ransomware attacks occur.

Education is necessary to improve knowledge and mitigate risk

While increased transparency is vital, it’s of little use if organisations don’t understand what ransomware is, what needs to be done to mitigate risk and haven’t implemented appropriate cybersecurity controls. Many ransomware attacks would be avoidable if effective organisational cybersecurity controls were in place and good cyber hygiene was practised. Ransomware is different from most other tools used by criminals in that it can have far-reaching consequences. The threat it poses through its ability to cripple critical infrastructure makes it all the more serious. Hence, there needs to be greater focus on the basics—a concerted education campaign that explains what ransomware is, what it does and how organisations can bolster their defences.

Top of the list must be patching. Patch management is essential for effective cybersecurity and ensures that the security features of software on computers and devices are up to date. All software is prone to technical vulnerabilities and, when a vulnerability is exposed and shared, cybercriminals have a metaphorical front-door key. A 2019 report by the Ponemon Institute on vulnerability responses found that, of the 48% of organisations that had experienced data breaches in the preceding year, 60% reported that the breaches resulted from failure to patch.62

And that brings us to people. Amid the barrage of policies and technical guidance, it’s often forgotten that the route to a cyber breach is surprisingly simple. In most cases, it comes down to a number: 1. That’s the number of people a cybercriminal needs to trick to gain access to a system.

Phishing emails containing malicious links are common lures used to deploy ransomware. The FBI reported 241,342 phishing complaints in 2020 and estimated that phishing cost more than US$54 million.63 Therefore, training employees to be better prepared to identify suspicious emails— and not to click on them—is essential. For large, well-resourced organisations, investing in threat hunting is the key.64 In many cases, the attacker has been inside the victim’s network for a significant period, watching and preparing the environment for an attack. An investment in threat hunting means that network anomalies can be more easily recognised and more swiftly contained. It could prove critical in detecting whether a cybercriminal is planning and plotting within a network.

It’s the responsibility of all executives, business leaders and boards to be aware of and effectively manage cybersecurity risks, to ensure that appropriate measures are in place and to foster a culture in which cybersecurity really does matter. If cybersecurity matters to a chair and board, that will trickle down and become a priority for the whole organisation. To that end, it’s also timely to note that Australian directors increasingly bear personal exposure to cyber risk liability, which may be heightened under the proposed changes to the critical infrastructure regime.

Incentivisation is needed to achieve real cybersecurity uplift

Good cyber hygiene is central to mitigating a ransomware attack, but cybersecurity uplift costs money—a cost that’s borne without immediately ‘tangible’ results for organisations. This is especially pertinent for SMEs, which generally don’t have the same level of resourcing to prioritise cybersecurity. Hence, incentivisation has a key role to play if cyber resilience is to be applied across all levels of the economy.

A clear example of where existing mechanisms could be used to incentivise cyber uplift is via full expensing, previously known as instant asset write-offs. The temporary full expensing scheme, which was extended in the 2021–22 federal Budget, allows organisations with an annual turnover of less than $5 billion to immediately write off the business portion of the cost of eligible new assets they first use or install by 30 June 2023, with no cap on the value of new assets that can be claimed (but there may be certain cost limits on particular assets).65 Put simply, this means organisations can make full or significant deductions for eligible purchases up front, rather than over a period of several years via depreciation. While this doesn’t remove the need for initial outlays, the scheme does offer significant taxation benefits. There’s clear scope for the federal government to provide clear information via the Australian Taxation Office about what cybersecurity asset purchases are covered under the scheme.

As it stands, cybersecurity assets aren’t clearly defined, and only bespoke in-house software is covered.66 If the scheme were broadened to include off-the-shelf products and subscription services (such as cloud services), it would support scalable and more rapid uplift. This relatively simple incentivisation solution, which should be promoted, would have a two-pronged effect, simultaneously easing financial imposts on organisations while also hardening cybersecurity resilience across a greater cross-section of the economy.

Another option is to leverage the power of federal government procurement to drive organisational cybersecurity uplift by mandating minimum cybersecurity standards for organisations feeding into the government supply chain. This has the potential to be transformative, given the government’s huge procurement spend (81,174 contracts with a combined value of $53.9 billion were published on AusTender in 2019–20).67 Despite that massive spend, cybersecurity is mentioned only once in the Commonwealth Procurement Rules, 68 which recommend that cybersecurity risk be considered along with other risks and be evaluated in accordance with the government’s Protective Security Policy Framework.69 Cybersecurity needs to play a more prominent role in government procurement practices, not be viewed as an afterthought or secondary consideration. The important role government procurement could play in cyber uplift was highlighted by Rajiv Shah in his 2020 report Working smarter, not harder.70 Shah observed that the government:

… has an opportunity to leverage its market power to provide for broader benefits to the Australian economy and society … Setting security standards expected from its suppliers may help to lift standards across the board. Companies will be incentivised to lift their standards in order to qualify to do business with the government, and it will often be easier for them to apply those standards across their whole enterprises rather than just for their government contracts.71

A cybersecurity uplift grant or subsidy scheme could be considered, in the vein of a program such as the Skilling Australia’s Defence Industry Grants Program.72 That program provides grants to SMEs with fewer than 200 employees over three years, assisting the development of defence sector skills and human resources practices and training plans. The program provides SMEs that service, or intend to service, the defence industry with the capacity and skills required to operate in that supply chain.

A similar program could be introduced for organisations that feed into the whole-of-government supply chain to uplift cybersecurity resilience via both training and physical upgrades.

Another option could be to expand and extend the remit of the Cyber Security Business Connect and Protect Program beyond assistance and advice to also include financial aid to lift SME cybersecurity.

As it stands, the program (which is currently closed), provides funding to ‘trusted organisations’ to raise awareness of cybersecurity risks to SMEs, promote action to address those risks and support and lift the cyber capability of SMEs. However, the scheme doesn’t provide funding to assist SMEs in the physical implementation of cybersecurity uplift.

Policy recommendations

We make eight policy recommendations under the following themes.

Legal clarity

  1. The Australian Government shouldn’t criminalise the payment of ransoms. Instead, a mandatory reporting regime should be adopted, fostering an information-sharing culture without fear of legal repercussions.
  2. A dedicated cross-departmental ransomware taskforce, including state and territory representatives, should be established to share threat intelligence and develop federal-level policy proposals to tackle ransomware nationally.

Greater transparency

  1. The ACSC’s existing official alert system should be expanded to include the real-time distribution of publicly available alerts and clear, actionable advice when ransomware attacks are reported. The alerts and advice should be updated as required.
  2. The non-punitive mandatory reporting regime should require organisations to report ransomware incidents and known root causes to the ACSC within 21 days. The information would then be de-identified and distributed publicly.
  3. The ACSC should publish a list of ransomware threat actors and aliases, giving details of their modus operandi and key target sectors, along with suggested mitigation methods.

Low-hanging fruit: incentivisation and education

  1. The federal government should implement practical incentivisation measures to drive cybersecurity uplift across the economy via temporary full expensing and changes to procurement practices and grant or subsidy programs.
  2. The government should deliver a concerted nationwide public ransomware education campaign, led by the ACSC, across all media. The campaign should highlight the key causes of ransomware vulnerability and how organisations can bolster their security, and it should draw in external expertise where necessary.
  3. A business-focussed multi-media public education campaign, led by the ACSC, should be launched to educate organisations of all sizes and their people about basic cybersecurity and cyber hygiene. It should focus on the key areas of patching, multifactor authentication, legacy technology and human error.

Conclusion

Ransomware isn’t an abstract possibility. In Australia, the threat’s right here, right now and isn’t going away. Unless a concerted effort is made to mitigate the risk, the problem could continue to get worse.

There’s a key role for the Australian Government to play in leading the way, but tackling ransomware is a shared responsibility. While there’s no doubt that organisations must take responsibility for ensuring that their cybersecurity posture is up to scratch, there are practical and easily implementable steps the government can take to provide clarity, guidance and support.

The ongoing ransomware attacks that continue to strike unabated around the world must act as a red flag. And, because we’ve been warned, we need a plan.


Acknowledgements

Thank you to Danielle Cave for all of her work on this project. Thank you also to all of those who peer reviewed this work and provided valuable feedback including Michael Sentonas, Dr Natasha Molt, Fergus Hanson, Michael Shoebridge, Bart Hoogeveen, Jocelinn Kang and Tom Uren. ASPI’s International Cyber Policy Centre receives funding from a variety of sources including sponsorship, research and project support from across governments, industry and civil society. The Cyber Security CRC is a bronze sponsor of the centre. No specific funding was received, from any organisation, to fund the production of this report.

What is ASPI?

The Australian Strategic Policy Institute was formed in 2001 as an independent, non‑partisan think tank. Its core aim is to provide the Australian Government with fresh ideas on Australia’s defence, security and strategic policy choices. ASPI is responsible for informing the public on a range of strategic issues, generating new thinking for government and harnessing strategic thinking internationally. ASPI’s sources of funding are identified in our annual report, online at www.aspi.org.au and in the acknowledgements section of individual publications. ASPI remains independent in the content of the research and in all editorial judgements. 

ASPI International Cyber Policy Centre

ASPI’s International Cyber Policy Centre (ICPC) is a leading voice in global debates on cyber, emerging and critical technologies, issues related to information and foreign interference and focuses on the impact these issues have on broader strategic policy. The centre has a growing mixture of expertise and skills with teams of researchers who concentrate on policy, technical analysis, information operations and disinformation, critical and emerging technologies, cyber capacity building, satellite analysis, surveillance and China-related issues.

The ICPC informs public debate in the Indo-Pacific region and supports public policy development by producing original, empirical, data-driven research. The ICPC enriches regional debates by collaborating with research institutes from around the world and by bringing leading global experts to Australia, including through fellowships. To develop capability in Australia and across the Indo-Pacific region, the ICPC has a capacity building team that conducts workshops, training programs and large-scale exercises for the public and private sectors.

We would like to thank all of those who support and contribute to the ICPC with their time, intellect and passion for the topics we work on. If you would like to support the work of the centre please contact: icpc@aspi.org.au

Important disclaimer

This publication is designed to provide accurate and authoritative information in relation to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering any form of professional or other advice or services. No person should rely on the contents of this publication without first obtaining advice from a qualified professional.

© The Australian Strategic Policy Institute Limited 2021

This publication is subject to copyright. Except as permitted under the Copyright Act 1968, no part of it may in any form or by any means (electronic, mechanical, microcopying, photocopying, recording or otherwise) be reproduced, stored in a retrieval system or transmitted without prior written permission. Enquiries should be addressed to the publishers. Notwithstanding the above, educational institutions (including schools, independent colleges, universities and TAFEs) are granted permission to make copies of copyrighted works strictly for educational purposes without explicit permission from ASPI and free of charge.

ISSN 2209-9689 (online), ISSN 2209-9670 (print).

Funding Statement: No specific sponsorship was received to fund production of this report.

  1. ‘New McAfee report estimates global cybercrime losses to exceed $1 trillion’, news release, McAfee, 7 December 2020, online. ↩︎

Mapping China’s Tech Giants: Supply chains & the global data collection ecosystem

his report accompanies the re-launch of our Mapping China’s Technology Giants project.

This report is available for download in English and Arabic.

Other Reports that are part of this project include:

What’s the problem?

Most of the 27 companies tracked by our Mapping China’s Technology Giants project are heavily involved in the collection and processing of vast quantities of personal and organisational data — everything from personal social media accounts, to smart cities data, to biomedical data.1 Their business operations—and associated international collaborations — depend on the flow of vast amounts of data, often governed by the data privacy laws of multiple jurisdictions. Currently, however, existing global policy debates and subsequent policy responses concerning security in the digital supply chain miss the bigger picture because they typically prioritise the potential for disruption or malicious alterations of the supply chain. Yet, as we have defined it in this report, digital supply-chain risk starts at the design level (Figure 1).

For the People’s Republic of China (PRC), the designer is the Chinese party-state, through expectations and agenda-setting in laws and policy documents and actions such as the mobilisation of state resources to achieve objectives such as the setting of technology standards. It’s through those standards, policies and laws that the party-state is refining its capacity to exert control over companies’ activities to ensure that it can derive strategic value and benefit from the companies’ global operations. That includes leveraging data collection taking place through those companies’ everyday global business activities, which ASPI’s International Cyber Policy Centre (ICPC) described in the Engineering global consent report.2 Technology isn’t agnostic—who sets the standards and therefore the direction of the technology matters just as much as who manufactures the product. This will have major implications for the effectiveness of data protection laws and notions of digital supply-chain security.

What’s the solution?

This report recommends that governments, businesses and other organisations take a more multidisciplinary approach to due diligence. That approach needs to take into account the core strategic thinking that underlies the ways the Chinese party-state uses technology. It must also take into account the breadth of what’s considered to be ‘state security’ in China and the ramifications of the PRC’s cyber- and data-focused laws and regulations.

All governments should improve their regulatory frameworks for data security and privacy protection.

Doing so will put them in better ethical and legal positions to take meaningful long-term policy actions on a whole suite of issues. However, those efforts in isolation won’t solve all of the unique challenges posed by the Chinese party-state or other geopolitical challenges described in this report.

A more holistic approach, which would help to ensure that data is better protected, also requires a better definition of digital supply-chain risk and a reframing of global policy debates on these issues. There needs to be a greater understanding of how supply-chain risks manifest, including the intentional introduction of access and more subtle monitoring and information collection by malicious actors. Specific actions for managing potential data insecurity and privacy breaches in supply chains should include improving risk-based approaches to the regulation of data transfers.

Figure 1: Compromise of the digital supply chain without a malicious intrusion or alteration

Source: ASPI authors’ illustration.

1. The PRC’s data ecosystem

The PRC’s global data collection ecosystem was outlined in the ASPI ICPC policy report Engineering global consent: the Chinese Communist Party’s data-driven power expansion.3 In that report, we described ways the Chinese party-state directly and indirectly leveraged PRC-headquartered commercial enterprises to access troves of data that those enterprises’ products help generate.

That report was based on how the Chinese party-state articulated its objectives on data use and state security and a case study of the propaganda department–linked company Global Tone Communication Technology Co. Ltd (which we expand on in the ‘Downstream data access’ section of this report).

As part of the Mapping China’s Technology Giants project, we have identified the need to further define the PRC’s ‘global data ecosystem’ concept. In this section, we focus on the nature of interactions between political agenda-setting, active shaping of international technical standards, technical capabilities, and data as a strategic resource. This directly affects companies’ business activities, both domestic and global (Figure 2).

Figure 2: The PRC’s data ecosystem

Source: ASPI authors’ illustration.

The PRC’s data ecosystem begins with technical capability. That includes China’s advanced cyber offensive skills, but also extends to its companies’ normal business operations anywhere in the world providing access, collection, data processing or any combination of the three to the party-state.

The party-state’s ability to obtain large amounts of personal information and intellectual property through its state-sponsored cyber operations has been widely reported in detail, including in indictments by the US Department of Justice.4 However, the PRC’s policies and legislation— purposefully shaped by the Chinese Communist Party (CCP)—mean that the party-state’s ability to access data is extended even further than the normal operations of PRC-based companies with a global presence. It’s also consequential that those globally influential PRC-based technology companies occupy every layer of the ‘technology stack’.

In Table 1, we illustrate the ‘technology stack’ by using the ISO standard Open Systems Interconnection model as a reference (because it’s used for networking and data exchange but can also be illustrative of the technology industry ecosystem).5 We then charted it against the relevant companies in the Mapping China’s Technology Giants project and their US counterparts, which for several decades have had a dominant presence in every layer.

Table 1: Technology business ecosystem, referencing a simplified Open Systems Interconnection model

Source: ASPI authors’ illustration.

Technology companies everywhere are primarily driven by commercial interests. The difference between the US and China is that in China the way the state conceives of the usefulness of data goes beyond traditional intelligence collection. For the Chinese party-state, data and the information derived from it contribute to everything. Domestically, that ranges from solving policy problems to information control and state coercion. Globally, it ranges from expanding the PRC’s role in the global economy to understanding how to shape and control its global operating environment. In the next two sections, we elaborate on how the Chinese party-state’s laws, policies and actions, which apply to PRC-based technology companies, create an ecosystem that provides it with access to the data that those companies can obtain.

1.1 Who sets the standards matters

Technology isn’t values-agnostic. It takes on the values of its creator. Therefore, who sets the standards, and consequently the direction of the technology, matters. We know, for instance, that artificial intelligence has a history of racial and socio-economic bias built in from the design stage, reflective of the inherent biases of the designers and the choice of data used to train the algorithms.6

Technologies must be designed to be ‘values-neutral’7 to avoid those problems, but that aspiration might not ever be realistic.8

Liberal democracies don’t agree on what ‘values’ mean in this context. The European Union, for example, is increasingly prioritising indigenous technology development not just because of strategic competitors such as the PRC but also because of the US. That requires navigating often complex relationships with US-based technology giants such as Google, Apple and Facebook.9

Part of protecting values in any liberal democracy is about preventing the creep of illiberalism from sources both domestic and foreign. It’s also about introducing regulations and standards that protect the norms and freedoms underpinning democratic values. When it comes to Europe and the digital economy, much of that effort is currently targeted towards holding US technology companies accountable.10

The Chinese party-state is creating mechanisms and power structures through which it can ensure its ultimate and maximum access to datasets both domestically and globally. This is apparent through its agenda-setting (articulated in party and policy documents), its expectation-setting (signalled through new laws) and communications from the CCP (such as speeches and state media reporting). Part of the CCP’s effort takes place through the PRC’s attempts to set standards that guide the design of technologies. For example, PRC facial recognition systems are required to be designed to recognise ‘Uyghur faces’.11 Another example is big data platforms and systems designed to categorise individuals based on a politicised version of whom the CCP deems suspicious or potentially threatening (such as petitioners, Tibetans, Uyghurs or Falun Gong practitioners).12 Within the PRC, technologies are already being researched and developed to meet the needs of the party-state (see section ‘Data regulations: setting the standards’). When those technologies are exported, such design features can’t be erased by the technology’s end-user, whether it’s a global company or a foreign government.

1.2 Harnessing the strategic value of data

The Chinese party-state has deliberately formulated a strategy to harness the strategic value of data and the power of information to grow the power of the CCP over society. In 2013, Xi Jinping was quoted as saying, ‘big data is the “free” resource of the industrial society. Whoever has a hold of the data has the initiative.’13

In 2016, China’s 13th Five-Year Plan pushed for the creation of a ‘big data security management system’ alongside efforts to improve cyberspace governance by building an international consensus around the PRC’s ideas on cyberspace security.14 The 14th Five-Year Plan, unveiled in 2021, continues the party-state’s multifaceted priorities for the development and use of big data for economic and social governance and calls for building new data infrastructure and improving the rules governing data collection, storage and use.15

In addition to economic development, the party-state often describes big data technologies as contributing to ‘social management’ (also called ‘social governance’).16 Social management covers a broad and overlapping list of agenda items, from creating capabilities to improve public service administration to strengthening ‘public security’. Ultimately, social management refers to the party-state’s management of itself as well as of society. This process relies on shaping, managing and controlling its operating environment through capabilities that enhance service provision and the capacity for risk management.17

New and emerging digital technologies are valued because they’re viewed as a resource that can improve everyday governance capacity and facilitate problem-solving. In simplifying government service provision, the implementation of those technologies can in future facilitate communication across the PRC’s sprawling government apparatus.18 Digital and data-driven technologies obviously have multiple uses. For example, they can help streamline urban and social welfare services. In other respects, those same services can feed into the party-state’s totalitarian model of governance and the way it identifies and responds to what it believes are emerging threats.

This use of data occurs in ways that provide both convenience and control. Routine services are intertwined with surveillance and coercive tools in ways that are often not legally possible in liberal democratic societies—or, when they do occur, can be genuinely challenged by the public, media and civil society. That distinction doesn’t simply apply to the ways different PRC Government departments use similar technologies (such as ways the public security bureaus use technologies versus the ways industrial work safety offices use them).

One example is Human Rights Watch’s findings on Xinjiang’s Integrated Joint Operations Platform, which is used to centrally collect data on individual behaviours and flag ‘those deemed potentially threatening’. One metric used to identify threats is energy usage from smart electricity meters: abnormally high energy use could indicate ‘illegal’ activity, but such meters in their normal use would also improve the accuracy of meter readings.19 Another example is building datasets for use in the PRC’s ‘national defence mobilisation system’ (a crisis response platform) using data sourced from a variety of government cloud networks, from smart cities to tourism-related cloud networks (Figure 3).20

Figure 3: The concept of defence mobilisation and smart cities data integration and processing

Source: ASPI authors’ illustration.

Despite the benefits it can derive, the CCP also sees sources of harm emerging from technology and its use, and it realises that technology isn’t an all-encompassing solution to its problems. Xi Jinping has described science and technology as a double-edged sword: ‘On one hand, it can benefit society and the people. On the other hand, it can also be used by some people to damage the public interest and the interests of the people.’21 Such risks could include companies or officials having the ability to exercise too much power with the aid of technology.22 They could also include the use of technology by the CCP’s political opponents to organise against the party-state, from either inside or outside the PRC.23

1.3 A global outlook

The PRC’s plans to harness the strategic value of data and the power of information to grow state power are also globally oriented. The party-state sees its reliance on technologies originating in the West (especially the US) as a threat to state security, for fear of how foreign powers might exploit that reliance, especially in a crisis.24 That fear helps drive the development of the PRC’s indigenous technology capabilities.25 Its capability effort includes planning on big data development to build an ‘industry ecosystem’ with ‘globally oriented key enterprises and innovative small- and medium-sized enterprises with distinctive features’.26 It also includes a plan to export PRC-originated technology standards, envisioned through the China Standards 2035 project.27 Economic benefits and objectives are included in each plan, but through them the CCP also sets specific political ambitions.

As part of its global vision (see Figure 4), the Chinese party-state ensures that it’s a part of the market-driven expansion and success of its global technology giants. Under Xi Jinping, the government has increasingly demonstrated the extraterritoriality inherent in PRC state security concepts and law. Moreover, the fact that companies have the right to do business in China at the party-state’s discretion has become abundantly clear. The ability to harness the benefits of data would help to achieve the CCP’s global vision because, through the processing and application of that data, the party can improve the sophistication of its efforts to shape, manage and control its global operating environment.

Figure 4: Explainer: The Chinese party-state’s vision for the PRC in the world

Sources: ASPI authors’ illustration. See endnote for detailed citations.28

2. The PRC’s developing data security framework

PRC legislation related to state security29 provides reasons for foreign governments to be concerned about the exposure of any PRC-based commercial enterprise to the political demands of the party-state.30 Recent state security laws, such as the 2017 Intelligence Law, haven’t changed the longstanding de facto practice of state power in the PRC, but have further codified expectations in China that every citizen is responsible for state security.31 Assessments of those risks have helped address what should be the obvious political and legal risks of doing business with PRC-based technology companies.

Some analysts have attempted to downplay the significance of such laws by claiming that the law is never black and white in the PRC and by describing compliance with PRC law as ‘a negotiation’.32 The latitude of officials to enforce the law and corporations’ efforts to maintain their freedom of action leave open grey areas, but that claim, in the context in which it’s being made, is false. Law may be a negotiation in the PRC, as it is elsewhere, but the party-state decides whether there’s a negotiation at all, and where that negotiation ends. 

Critically, the party-state itself isn’t bound by the law when it’s challenged or when its interests are threatened. A recent illustration of this is Alibaba and its founder, Jack Ma, who briefly ‘disappeared’ at the end of 2020 following his public criticism of PRC regulators’ attitude towards big business, accusing them of having a ‘pawnshop’ mentality that stifled innovation.33 In April 2021, it was announced that Alibaba would be fined US$2.8 billion after a probe determined that it had abused its market position for years.34 Nobody in the PRC is too big or too powerful to be subject to the party-state’s demands.35

PRC-based technology companies themselves have acknowledged their exposure to legal risks emanating from the PRC. It’s standard practice for global companies to acknowledge in their privacy policies that user data may be transferred and governed by laws outside of their own jurisdiction.

According to most privacy policies for websites and products of the 27 companies in our Mapping China’s Technology Giants project, users who live outside the PRC may have their data transferred to and processed and stored in a country that isn’t where they reside or have ordered services from, including the PRC, where all of the companies have business. When the data is transferred it will be governed by the law in that country’s jurisdiction, not only the law in the place where the data originated (Figure 5).36

Figure 5: New Mapping China’s Technology Giants product—‘Thematic snapshots’

Source: Mapping China’s Technology Giants project website, online.

Most of the 27 companies state that they’re committed to protecting personal information, but acknowledge that they may be required to disclose personal data to meet law enforcement or state security requirements. The definition of what meets the threshold of being a national security or criminal case can be highly politicised in the PRC, and the process of definition isn’t similar to those that occur in a liberal democracy.

The political system of the PRC creates this risk. Law in the PRC is first and foremost political and a governing tool that enforces political power. It’s meant to be wielded by the party-state and to uphold and expand the power of the state. Its implementation is reliant on the CCP’s leadership and is used to strengthen the party’s governing capacity, but the law isn’t above the party-state even if it’s used to manage its members.37 Nonetheless, the law is more than a blunt weapon of state power. It’s important to think through the implications of the fact that the law also functions as a tool to set and communicate the state’s expectations of its apparatuses, its entities and individuals. New developments related to data collection, storage and transfer make these issues more apparent.

The Chinese party-state is currently deliberating on a draft Data Security Law (DSL) and draft Personal Information Protection Law (PIPL).38 In April 2021, second draft versions were issued publicly (see the appendix to this report for translations of the articles of the draft laws that we focus on in this section). Both are expected to become law in 2021. The third and probably final version of the draft DSL is expected to be deliberated at a National People’s Congress Standing Committee meeting on 7–10 June 2021.39

These laws don’t exist in a vacuum. They should be read along with a suite of other relevant state security legislation, including, for example, the State Security Law (2015) and the Cybersecurity Law (2016).

2.1 Data regulations: limiting individuals and organisations while empowering the state

The draft DSL and draft PIPL should be read together. The main distinction is that the draft DSL lays out the responsibilities of the state in creating a data security system and in guaranteeing data security, whereas the draft PIPL defines the boundaries and personal information protection requirements for individuals and entities.40

What makes the framework unique, compared to any other country’s laws regulating data security, is that data security is unambiguously part of the party-state’s security strategy and is first about protecting the CCP’s monopoly hold on power (Figure 6). The draft DSL says that the effort to guarantee data security must adhere to the party-state’s ‘comprehensive state security outlook’.41

The draft establishes the state as the leader of the data security system, stating that the ‘central state security leading mechanism’ is ‘responsible for decision making and overall coordination on data security work, and researching, drafting and guiding the implementation of national data security strategies and relevant major guidelines and policies.’42

Figure 6: Explainer: The PRC’s state security concept

Figure 6 (continued): Explainer: The PRC’s state security concept

Sources: ASPI authors’ Illustration. See endnote for detailed citations.43

The law says not only that a party entity is in charge, but also that any significant policies will originate there. The term ‘central state security leading mechanism’ in legal documents is synonymous with the Central State Security Commission, which is a CCP body led by Xi Jinping.44 Therefore, the activity of other state regulatory departments and public and state security organs responsible for implementing data security efforts would flow from the decision-making and strategy that the Central State Security Commission is tasked with overseeing and implementing.45

The draft DSL also applies to data-handling activities taking place ‘outside the territory of the PRC’, if those activities are seen to ‘harm the state security, the public interest, or the lawful rights and interests of citizens’ and organisations of the PRC, they are to be pursued for legal responsibility ‘in accordance with law.’ Existing law and practice illustrate the global application of such concepts.

Hong Kong’s new National Security Law, passed in 2020, criminalises ‘separatism’, ‘subversion’, ‘terrorism’ and ‘collusion’ in addition to support for any of those activities by anyone, no matter where in the world they’re located.46

The draft PIPL, meanwhile, is intended to regulate the power of individuals and entities who handle the personal data of PRC citizens both inside and outside the country. It establishes a more robust system for protecting individuals’ data privacy from individuals and companies.47 It applies to activities outside the PRC involving the handling of personal information of natural persons within the territory of the PRC when those outside actors are providing products or services to persons within the PRC, analysing and assessing the conduct of natural persons within PRC or ‘other situations provided for by law or administrative regulations’. Just like the draft DSL, it leaves open the potential that the law can be used as intended: to protect the CCP’s power wherever necessary. Laws such as the Intelligence Law illustrate specific cases in which other legislation might be used to justify this reach, and a law such as the Hong Kong National Security Law illustrates the fact that political opponents of the party-state might also be targeted in vague ‘other situations’.48

The draft PIPL also superficially applies to the state. For example, it says that any retrieval of personal information requires following ‘legally prescribed duties’ and must be done ‘in accordance with the authority and procedures provided by laws’.49 Yet, Article 19 establishes that: [W]hen personal information handlers handle personal information, where there are circumstances that laws and administrative regulations provide shall be kept confidential or need not be announced, it is acceptable not to notify the individual.

On the basis of that logic, any case in which the 2017 Intelligence Law applies could be excluded from the PIPL’s protections. Article 7 of the Intelligence Law says that: [A]ny organisation and citizen shall in accordance with the law, support, provide assistance, and cooperate in national intelligence work, and guard the secrecy of any intelligence work they are aware of.50

The important takeaway is that digital technology can be applied in ways that expand the aforementioned capabilities of the party-state, but governance of its use can be managed in ways that restrict officials’ discretion in applying it. This doesn’t mean, however, that these regulations limit the party-state’s influence. In reality, the regulations enhance their ultimate influence over digital technologies and the flow of data.

2.2 Data regulations: setting the standards

Both draft laws contain directives on how the party-state expects data security and data privacy regimes to develop. They establish that, in the PRC, data shall be collected, stored and processed in a manner that’s consistent with the party-state’s paramount security concepts and objectives. Especially given the party-state security concept guiding data security, it’s notable that Xi Jinping has called for strengthening ‘the Party’s leadership over standardisation work’ and has described standardisation as the ‘commanding heights’ of international economic and technological competition.51

Beyond establishing which institutions are in charge and who is responsible for data security, the draft DSL also establishes expectations about how the PRC’s standardisation system is to function that are specific to data security. The draft DSL says that State Council administrative departments and other relevant State Council departments are responsible for organising ‘the formulation and appropriate revision of standards related to technology and products for the development and use of data and to data security.’52 The most relevant body under the State Council is the Standardisation Administration of China (SAC), which is an agency under the State Administration for Market Regulation. According to the revised 2017 Standardisation Law,53 the SAC is required to oversee standards initiation and implementation. At the practical level, technical committees develop standards, which are then accredited by the SAC.54

The technical committees working on the standards consist of stakeholders that are mostly government entities, government-linked research institutes and commercial enterprises. Many standards they develop are mandatory requirements, which companies must also meet to successfully bid for a project domestically. A March 2021 report by IPVM pointed to documents such as ‘GA/T1400.3—2017’ on ‘public security video image information application systems’ developed by the Science and Technology Information Technology Bureau of the Ministry of Public Security in coordination with several companies included in the Mapping China’s Technology Giants project, including Uniview, Hikvision and Dahua.55

As the standards develop domestically, they’ll also be projected globally, not just through market activity but also as the PRC seeks to participate and shape international technology standards. The SAC is also responsible for representing the PRC at international standards-setting bodies.56 Both the draft PIPL and the draft DSL have provisions stating that the state is required to participate in setting international rules and technology standards for data security and personal information protection.57

The expansiveness of that expectation-setting creates normalised pathways for the PRC to exploit data-sharing downstream in ways that can undermine the security of other countries, as we describe in the next section.

3. Rethinking digital supply-chain vulnerability

Not all methods used to acquire data need to be intrusive, subversive, covert or even illegal—they can be part of normal business data exchanges. Figure 1 illustrates how a digital supply chain can be compromised without a malicious intrusion or alteration. The data-sharing relationships that bring commercial advantages are also the same ones that could compromise an organisation.

Thinking about risk solely in terms of potential disruption ignores the ways in which supply-chain risk can emerge from normal processes, in which no disruption is required.

The vulnerability of supply chains was made apparent by the Covid-19 pandemic, which made supply-chain resilience even more important. As we become more digitally interconnected, the breadth of what’s considered a risk to the supply chain has grown to include risks to the digital supply chain—the electronic products we rely on and the data that flows through them.

Discussions about digital supply-chain security typically prioritise the potential for disruption or malicious alterations of the supply chain. Examples include cyberattacks, altered components inserted into the supply chain and limited access to critical supplies such as semiconductors. That kind of risk from well-resourced state and non-state actors is already well understood by governments thinking about supply-chain security.58 As we noted in the section on ‘The PRC’s data ecosystem’, the PRC’s sophisticated offensive cyber capability and its ability to obtain data through those methods are also well known. But a digital supply chain threat doesn’t necessarily require malicious alterations or cyber intrusions into a network.

The SolarWinds supply-chain attack of 2020 is one example of a supply-chain cyberattack perpetrated through the malicious insertion of software. In that case, threat actors, probably of Russian origin,59 compromised the software update service for the SolarWinds Orion platform to facilitate the distribution of malicious code to Orion customers.60

Another cybersecurity risk in the supply chain that’s hidden in plain sight comes from ‘white labelling’ of original equipment manufacturer (OEM) products.61 That was the case with US-headquartered Honeywell, which came under scrutiny in 2018 for selling Dahua cameras under its own brand, as Dahua was banned in the US under the National Defense Authorization Act.62 A simple example of risk for customers in this situation is that they may be monitoring cybersecurity vulnerabilities for Honeywell products, not knowing that in fact they should also be monitoring vulnerabilities for the underlying Dahua product.

Other areas of discussion include vendor trustworthiness. The 5G vendor debate within Australia a few years ago brought to light the importance of the ownership and control of network infrastructure.63 More broadly, it made organisations consider the risk of the vendors whose equipment their organisations’ data would be passing through and the obligations that those vendors have to their ‘home’ governments.64 Australia’s lead cybersecurity agency, the Australian Cyber Security Centre, in its guidance to organisations on identifying digital supply-chain risks, addresses this need to take into consideration foreign control, influence and interference.65

While these discussions are likely to lead to important policy responses that address some digital supply-chain vulnerabilities, they don’t capture the full scope of risk that currently exists. In the SolarWinds and Honeywell examples above, those charged with ensuring cybersecurity usually look for changes to normal activity as an indicator of a problem or threat. In cases where the risk lies within standard data exchange processes, therefore, it could be easily missed. 

3.1 Downstream data access: the GTCOM case study

The ASPI ICPC policy brief Engineering global consent focused on Global Tone Communication Technology Co. Ltd (GTCOM), which is a subsidiary of a state-owned enterprise directly controlled by the Central Propaganda Department of the CCP that collects bulk data globally in support of the party-state’s propaganda and state security objectives.66 The data ecosystem emerging from GTCOM’s commercial partnerships includes some of the PRC’s largest and most important technology companies. For GTCOM, strategic cooperation with globally recognisable PRC-based companies—notably Huawei and Alibaba Cloud—provides assistance in two key areas in the form of:

  • the opportunity to conduct bulk data collection by providing translation services to both companies, which have deeper market penetration
  • the development of or access to capabilities that support its bulk data collection.

As Figure 7 shows, GTCOM has commercial partnership agreements that provide it with access to bulk data from other PRC-based technology companies.

Data transfers can occur through processes built directly into the ecosystem. A technology company such as GTCOM provides an important case study in how the data ecosystem could reach far beyond the PRC’s data regulatory regime.

Figure 7: GTCOM and the global data collection ecosystem concept

Sources: ASPI authors’ illustration.

3.2 Processing power

The party-state prioritises data collection domestically and globally. As we’ve described above, it’s building an ecosystem that enables access to any bulk data collected through commercial enterprises.

It further recognises that technology will eventually catch up to its ideas for processing and generating specific outputs. Being able to collect data is useful, but it’s the ability to access and aggregate data for analysis and derive useful insights from it that’s powerful.

The business model of internet giants such as Facebook, Google, ByteDance and Tencent heavily relies on data and the use of artificial intelligence. They collect large volumes and many varieties of data from users of their service platforms. For example, they may collect such things as user platform preferences, platform behaviours (such as how long it took an individual user to click from one page to another), how long the user stayed on a page, what products they put into their shopping cart and who their friends are, as well as real-world information such as the running routes of the user and the user’s home location. The data is aggregated to generate profiles of individual users for marketing and advertising purposes, and also to improve the platform. That in turn leads to greater user engagement and provides additional opportunities to collect more data. Data brokers perform a similar aggregation and analysis task, but they usually use data that they’ve mined freely from the internet or purchased from other sources.

The concern isn’t necessarily that data is being collected, but rather the ability to infer sensitive details about individuals from the aggregation of seemingly innocuous bits of data from a variety of sources.

A single geolocation coordinate out of context isn’t meaningful, but, using location data from a single mobile device collected over time, it’s possible to identify an individual in a household and their pattern of life. All that’s needed is to identify their three primary locations—home, work and one other regularly used location.

That kind of data can be used to target individuals, such as by identifying and tracking the movements of the US President,67 and can identify sensitive military locations en masse,68 but it can also be used to create convenience. Google Search results provide popular times, wait times and visit durations for all users searching for a local business by using ‘aggregated and anonymised data from users who have opted in to Google Location History’.69

The use of big data analytics to monitor operations in smart cities can bring greater efficiency benefits to operations, facilitate data sharing and assist with decision-making and situational awareness overall. However, that same data, in the hands of adversaries, could give them macro-scale insights that would otherwise be difficult to obtain. If those systems are under the control of adversaries, the concern isn’t just about others having access to the data but also about adversaries’ ability to control or modify the data. As a consequence, the information used to create convenience, improve efficiency and enhance situational awareness is the same information that can be used by an adversary. The ability of some PRC-based technology companies to process big data is sufficiently large.

According to reporting in Foreign Policy, they’ve been used by the party-state to carry out intelligence tasks. According to ‘current and former officials’ cited in the report, this has included the acquisition of datasets from large data breaches, such as the 2014 cyber intrusion into the US Office of Personnel Management.70 It’s big data analysis like this that the US Central Intelligence Agency believes enabled the exposure of its undercover officers in Africa and Europe.71 The question that requires further research and analysis is why those PRC-based companies were chosen. For instance, were they chosen not just for their processing ability but also because, by ingesting the datasets and combining the data with their own holdings, they could enrich the information that could be derived from the data?

Commercial businesses aren’t the only entities carrying out large-scale data processing in the PRC.

The party-state is also doing it at the national level. The People’s Bank of China has included a ‘Big Data Analytics Centre’ as part of the design of the PRC’s ‘Digital Currency / Electronic Payments’ system. The bank’s officials have said that the data collected through the system will be used to improve macroeconomic policy. The bank will ‘analyse how money is being used, transacted, and stored; support tracking and surveillance using both static and real-time data; provide data and analysis inputs for monetary policy; and flag financial fraud’.72

Goals associated with harnessing the strategic power of data are a natural extension of long-enshrined goals in authoritative party-state documents and embedded in detailed economic policies and plans to ensure progress toward those goals.73 However, the party-state’s development of theory and policy is an iterative process and has always involved a degree of experimentation to ensure progress without too many unintended consequences.74 Control or the preservation of the CCP’s power isn’t a goal unto itself, but rather a prerequisite for achieving those ambitions. The collection, storage and processing of big data will play an increasingly key role in those efforts in future.

4. Recommendations

Adequately evaluating the risks associated with doing business with PRC-based technology companies, or companies that rely on their technologies in their supply chains, requires an understanding of the Chinese party-state’s articulation of its own intentions. It also requires an understanding of the implications of policy and legal documents that signal what steps will be taken to realise intended outcomes, as well as, of course, analysis of the party-state’s actual behaviour (domestic and global).

We recommend as follows.

1. Invest resources to better understand the PRC’s and the CCP’s articulation of their own intentions in order to set the tone for a more informed public debate that will generate targeted responses to the identified problems.

Incorrect assumptions are often made about the party-state’s intent. In addition, what’s being articulated and signalled through PRC policy and legal documents is too often ignored or not placed into the context in which it’s being articulated or signalled (such as being placed in an appropriate political context) or being described (for example, in the light of the CCP’s view that data security is a problem of state security, as the party-state defines ‘state security’).

2. Recalibrate data security policy and privacy frameworks to account for the Chinese state’s use of data to reinforce its political monopoly.

Companies and governments too often assume that other governments’ data and privacy regulations share the same goals as their own. That isn’t true when it comes to the Chinese party-state and PRC-based companies, even if common vocabularies are used or if some policy drivers are similar. In the PRC, unlike in liberal democracies, data security and privacy concepts (including draft legislation) reinforce the party-state’s monopoly power. Companies and governments need to recognise this risk and calibrate their policies to account for it.

3. Collaborate with like-minded countries to develop systems for improving risk-based approaches to improving the regulation of data transfers.

Organisations must assess the value of their data, as well as the value of that data to any potential party in their supply chain that may have access to it or that might be granted access. In an age in which information warfare and disinformation campaigns occur across social media platforms and are among the greatest threats to social cohesion, data that’s about public sentiment is as strategically valuable as data about more traditional military targets. Risk needs to be understood in a way that keeps up with the current threat landscape, in which otherwise innocuous data can be aggregated to carry meaning that can undermine a society or individuals.

4. Take a multidisciplinary approach to due diligence.

Governments, businesses and other organisations need to develop frameworks for conducting supply-chain reviews that take into account country-specific policy drivers. Developing such a framework shouldn’t be limited to just assessing a vendor’s risk of exposure to political risk. It should also include detailed analysis of the downstream actors who have access to the vendor’s data (and must include analysis of things such as the broader data ecosystem they’re a part of and the obligations those vendors have to their own governments). Taking this more holistic approach to due diligence will better ensure that data can be protected in an effective way.

Appendix: The draft Data Security Law and draft Personal Information Protection Law

Please download the PDF to access the appendix.


Acknowledgements

Thank you to Danielle Cave and Cheryl Yu for all of their work on this project. We would like to also thank our external peer reviewers Lindsay Gorman, Kara Frederick and Chris Crowley. We’re also grateful for the valuable comments and assistance provided by Peter Mattis, Tom Uren, Michael Shoebridge and Fergus Hanson.

This research report forms part of Mapping China’s Technology Giants, which is a multi-year project mapping and analysing the overseas expansion of key Chinese technology companies. The project seeks to:

  • analyse the global expansion of a key sample of China’s tech giants by mapping their major points of overseas presence
  • provide the public with analysis of the governance structures and party-state politics in which these companies have emerged, and are deeply entwined.

The Mapping China’s Technology Giants project is produced by researchers at ASPI’s International Cyber Policy Centre. The relaunch of this project, and associated research, was funded with a US$270,000 grant from the US State Department

What is ASPI?

The Australian Strategic Policy Institute was formed in 2001 as an independent, non‑partisan think tank. Its core aim is to provide the Australian Government with fresh ideas on Australia’s defence, security and strategic policy choices. ASPI is responsible for informing the public on a range of strategic issues, generating new thinking for government and harnessing strategic thinking internationally. ASPI’s sources of funding are identified in our annual report, online at www.aspi.org.au and in the acknowledgements section of individual publications. ASPI remains independent in the content of the research and in all editorial judgements.

ASPI International Cyber Policy Centre

ASPI’s International Cyber Policy Centre (ICPC) is a leading voice in global debates on cyber, emerging and critical technologies, issues related to information and foreign interference and focuses on the impact these issues have on broader strategic policy. The centre has a growing mixture of expertise and skills with teams of researchers who concentrate on policy, technical analysis, information operations and disinformation, critical and emerging technologies, cyber capacity building, satellite analysis, surveillance and China-related issues.

The ICPC informs public debate in the Indo-Pacific region and supports public policy development by producing original, empirical, data-driven research. The ICPC enriches regional debates by collaborating with research institutes from around the world and by bringing leading global experts to Australia, including through fellowships. To develop capability in Australia and across the Indo-Pacific region, the ICPC has a capacity building team that conducts workshops, training programs and large-scale exercises for the public and private sectors.

We would like to thank all of those who support and contribute to the ICPC with their time, intellect and passion for the topics we work on. 

If you would like to support the work of the centre please contact: icpc@aspi.org.au

Important disclaimer

This publication is designed to provide accurate and authoritative information in relation to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering any form of professional or other advice or services. No person should rely on the contents of this publication without first obtaining advice from a qualified professional.

© The Australian Strategic Policy Institute Limited 2021

This publication is subject to copyright. Except as permitted under the Copyright Act 1968, no part of it may in any form or by any means (electronic, mechanical, microcopying, photocopying, recording or otherwise) be reproduced, stored in a retrieval system or transmitted without prior written permission. Enquiries should be addressed to the publishers. Notwithstanding the above, educational institutions (including schools, independent colleges, universities and TAFEs) are granted permission to make copies of copyrighted works strictly for educational purposes without explicit permission from ASPI and free of charge.

First published June 2021.
ISSN 2209-9689 (online),
ISSN 2209-9670 (print).

Cover image: ASPI ICPC, Nathan Attrill

Funding Statement: Funding for this report was provided by the US State Department.

  1. Mapping China’s Tech Giants, online. ↩︎
  2. Samantha Hoffman, Engineering global consent: the Chinese Communist Party’s data-driven power expansion, ASPI, Canberra, 14 October 2019, online. ↩︎
  3. Hoffman, Engineering global consent: the Chinese Communist Party’s data-driven power expansion. ↩︎

Mapping China’s Tech Giants: Reining in China’s technology giants

This report accompanies the re-launch of our Mapping China’s Technology Giants project.

This report is available for download in English and Arabic.

Other Reports that are part of this project include:

1. Introduction

Since the launch of ASPI ICPC’s Mapping China’s Technology Giants project in April 2019, the Chinese technology companies we canvassed have gone through a tumultuous period. While most were buoyed by the global Covid-19 pandemic, which stimulated demand for technology services around the world, many were buffeted by an unprecedented onslaught of sanctions from abroad, before being engulfed in a regulatory storm at home.

The environment in which the Chinese tech companies are operating has changed radically, as the pandemic sensitised multiple governments, multilateral groups and companies to their own critical supply-chain vulnerabilities. The lessons about national resilience learned from the pandemic are now being applied in many sectors, including the technology sector, where a trend towards decoupling China and the West was already well underway. As the geopolitical rivalry between the US and China has heightened, both sides increasingly see any reliance on the other for strategic commodities, such as rare-earth minerals and semiconductors, as dangerous vulnerabilities.

Supply-chain vulnerability has ignited work in Europe, North America and other regions to reduce dependence on China. Telecommunications companies such as Huawei and ZTE that are deemed ‘high risk’ by multiple countries are increasingly finding themselves locked out of developed markets. Amid the trade war between the US and China, which began in 2018, the Trump administration unleashed a relentless series of actions targeting Chinese companies in an effort to slow their advance. That onslaught has further convinced China’s leadership to redouble its efforts to dominate the commanding heights of technology as a source of strategic and economic power.

Among the measures meted out by the Trump administration were limits on investment by Chinese technology companies,1 blocks on the operations of Huawei and other Chinese telecom companies in the US,2 pressure on other countries to block Huawei’s operations,3 new export control regulations,4 tariffs on products benefiting from Beijing’s ‘Made in China 2025’ program5 and an attempt to ban ByteDance’s TikTok and Tencent’s WeChat apps.6 The effects of the actions have been uneven—dealing a major blow to Huawei, for example, while barely touching the major Chinese internet firms’ businesses.

For China’s leadership, the twin crises of the Covid-19 pandemic and the growing China–US strategic and technological competition highlighted the country’s need to achieve its long-held goal of ‘technological self-reliance’.7 The US’s ability to cut off China’s technology companies’ access to semiconductors, in particular, is seen by leaders from Xi Jinping down as an unacceptable ‘choke point’ holding back China’s progress.8 The 14th Five-Year Plan, unveiled in March 2021, reflected the Chinese Communist Party’s (CCP) sense of urgency. For the first time, it described technological innovation as a matter of national security, not just economic development.9

The now 27 Chinese technology firms that we cover on our Mapping China’s Technology Giants project (‘our map’) span sectors including biotechnologysurveillanceartificial intelligence (AI), e-commerce, finance, entertainment and telecommunications. All of them are set to play a key role in the coming years as Beijing ramps up major investments in strategic technologies such as 5G telecommunications, quantum computing and AI. Both state-owned and private businesses are being mobilised in a ‘whole country’ approach to reduce reliance on foreign technologies and seek breakthroughs in strategic science and technology projects.10 Beijing’s new goal is to increase R&D investment by 7% each year.11 Already, several of the companies featured on our map, including SenseTime, Huawei, ZTE, MegviiYITUCloudWalkBaiduAlibaba, Tencent and China’s three major telecommunications companies, have been recruited into a US$2 trillion ‘new infrastructure’ plan.12

Pushback on China’s technology giants didn’t just come from Washington, however; it also came from the CCP. Chinese regulators used the Covid-19 pandemic as an opportunity to tighten supervision over the companies, which had grown into behemoths with relatively light regulatory oversight in the past decade.13 The escalating geopolitical tensions with the US and the ensuing US–China trade war contributed to a government campaign to rein in Alibaba’s fintech affiliate Ant Group, as the Chinese state sought to head off risks in the banking system amid concerns that the stand-off with Washington could precipitate a financial crisis.14 Those concerns culminated in the abrupt cancellation of the company’s initial public offering (IPO), which was set to be the world’s largest ever, just two days before its launch in Shanghai and Hong Kong in late 2020.15

Since then, the CCP’s efforts to tighten state control over China’s internet companies have widened. In April 2021, Chinese e-commerce leader Alibaba Group was hit with a record US$2.81 billion antimonopoly fine, equivalent to around 4% of its 2019 domestic sales.16 A string of high-level resignations has followed as the government continues to seek to weaken the central authority of all the leaders of the major tech companies.17 China’s regulators, tasked with ‘tackling monopolies’ and ‘preventing disordered capital expansion’, have set their sights on a fundamental restructuring of the country’s biggest tech companies to ensure that they remain focused on technological innovation and align themselves even more closely with the strategic goals of the CCP.18

2. Covid-19

The Covid-19 pandemic has had a profound effect on the world economy. The International Monetary Fund estimates the global economy shrank by 4.4% in 2020, compared to a contraction of 0.1% in 2009 during the global financial crisis.19 China was no outlier in the first quarter of 2020, when its economy shrank by 6.8% in the first such contraction in at least 40 years.20 Yet, amid the turmoil, technology giants—particularly in the US and China—provided a rare bright spot as they seized the opportunity to expand aggressively.

As reliance on digital products grew during the pandemic, demand for US and Chinese technology giants’ products and services surged. The combined revenue of the largest US tech companies—Apple, Microsoft, Amazon, Google-parent Alphabet and Facebook—grew by a fifth to US$1.1 trillion, while their combined market capitalisation grew by half during 2020 to US$8 trillion.21 As of May 2021, the 27 companies we cover on our map had a combined market capitalisation of more than US$2.2 trillion, ranking them, in estimated nominal GDP terms, as equivalent to the world’s eighth largest economy, after France.22 Only three of the companies on our map—Huawei, Megvii23 and CloudWalk— experienced slowing year-on-year revenue growth.

Some of China’s internet companies, including Tencent, Alibaba, ByteDance, Huawei and biotechnology company BGI, attempted to turn the crisis into a public relations opportunity by providing financial or material assistance to countries struggling to control the Covid-19 pandemic (Figure 1). To take one example: Tencent’s Covid-19 donations from its US$100 million Covid-19 fund included medical equipment to sporting teams such as Football Club Barcelona24 and the New England Patriots25, cities such as Nashville (US)26, countries such as Ethiopia27, hospitals in Los Angeles (US)28 and Karachi (Pakistan)29, and the World Health Organization’s Covid-19 Solidarity Response Fund.30

Figure 1: China’s technology giants’ overseas donations

The Mapping China’s Technology Giants project currently counts a total of more than 130 donations by all tracked companies combined. Over eighty of those donations are Covid-19 monetary and medical donations from ByteDance, Tencent and Alibaba.

Tencent’s largesse was possible due to its oversized success. Supercharged by the pandemic, the company was able to exploit falling valuations to scoop up Norwegian game developer Funcom, take a stake in German developer Yager and make multiple investments in fintech start-ups, mainly in Europe and the US. The company currently sits on a portfolio worth roughly a quarter of a trillion dollars.31

As Chinese consumers ensconced themselves at home, Tencent’s music and video service subscriber numbers swelled to 43 million and 112 million, respectively, growing by 50% and 26% from June 2019 to 2020.32 WeChat, the company’s ubiquitous social media app, ballooned to over 1.2 billion users in the first quarter of 2020, up by more than 8% from 2019, as Tencent worked in collaboration with the Chinese Government’s National Development and Reform Commission to create the WeChat Health Code app used to verify people’s exposure to Covid-19.33 Tencent’s profit for the whole of 2020 stood at US$25.1 billion (Ұ159.8 billion), a year-on-year increase of 71%.34 At the time of writing, Tencent’s market capitalisation is around US$800 billion, making it China’s most valuable company.

Despite 13 companies on our map having been added to the US Government’s Entity List (see box below) and facing challenges while operating during the pandemic, many continued to report strong growth throughout 2020.

The Entity List

The US Department of Commerce’s Entity List was created in 1997 to address risks related to the proliferation of weapons of mass destruction. The US Government has since expanded its basis for adding entities to the list to include countering Chinese military activity, countering spying and addressing human rights concerns.35 Companies placed on the Entity List are banned from buying parts and components from US companies without government approval.

BGI, for example, saw its profits surge as Covid-19 spread around the world, despite the addition of two of its subsidiaries to the Entity List in July 2020. As of August 2020, BGI had already sold 35 million Covid-19 rapid-testing kits to 180 countries and built 58 labs in 18 countries (Figure 2).36 Due to its rapidly expanding global presence, the company experienced a net profit surge of 653% during 2020, and the value of its shares climbed by 87%.37 BGI’s operating income in the North American market even increased by 556.23%, making up 9.91% of the company’s total operating income in 2020.38 By March 2021, BGI’s market capitalisation on the Shanghai stock exchange had jumped to US$7.9 billion (Ұ50.83 billion), up from its March 2020 market capitalisation of US$5.26 billion (Ұ33.86 billion).39

Figure 2: BGI’s overseas presence

The Mapping China’s Technology Giants project currently counts more than 100 points of presence for BGI overseas, including commercial partnerships, Covid-19-related donations, investments, joint ventures, memorandums of understanding, overseas offices, research partnerships and subsidiaries.

WuXi AppTech Group is another biotech company that experienced growth during Covid-19, increasing its market capitalisation by 130%.40 Since the beginning of the pandemic, WuXi has been involved in the research and production of antibody treatments for Covid-19, and in January 2021 announced its plans to begin producing vaccine components for British–Swedish pharmaceutical company AstraZeneca at WuXi’s manufacturing facility in Germany.41

Three of our mapped internet companies were responsible for donating notable sums of money globally in the fight to combat Covid-19. ByteDance, Tencent and Alibaba ranked in the world’s top Covid-19 corporate financial donors, donating close to US$436 million, US$173 million and US$144 million, respectively.42 Those sums fall behind donations from only two leading US technology companies: Google and Cisco donated US$1.3 billion and US$226 million, respectively.43

The three Chinese companies also experienced significant growth in 2020:

  • ByteDance’s revenue more than doubled despite the challenges that its subsidiary TikTok faced, including a ban from the Indian market and attempts by the Trump administration to force TikTok’s sale to an American owner.44
  • Similarly, Alibaba has been referred to as ‘one of China’s biggest corporate winners of the coronavirus crisis’, as the company’s online traffic skyrocketed in 2020 and the Chinese Government increased its reliance on Alibaba’s cloud services in response to the pandemic.45
  • Ant Group, which is an affiliate of Alibaba, was essential in China’s initial Covid-19 response. Early in the pandemic, the company assisted the Chinese Government in developing and implementing the Alipay Health Code to facilitate contact tracing.46 Ant’s small-business lending platforms accumulated a US$300 billion credit balance, and its wealth management platform facilitated US$590 billion worth of investments.47

Similarly, HikvisionUniviewSenseTime,48 iFlytek (Figure 3),49DJIMeiya Pico50 and Ping An Technology51—a collection of surveillance, AI and technology companies—grew by developing technology used in response to Covid-19. Many of those technologies include temperature-screening products and contact-tracing systems. SenseTime claimed it has improved its facial-recognition algorithm to identify individuals wearing masks using just the person’s visible facial features.52

Figure 3: iFlytek’s Covid-19 impact

Source: This is an extract from one of our ‘Thematic snapshots’ on the Mapping China’s Technology Giants project website (under ‘Analysis’), online.

Surveillance company Hikvision’s revenue initially fell in the first quarter of 2020, but rebounded in the second quarter due to the company’s overseas revenue growth from its ‘fever cameras’.53 Uniview followed a similar pattern, first experiencing a sales and profit slowdown in the first half of 2020 and then recovering by the end of the year due to strong overseas growth in temperature-screening products, according to our map (Figure 4).54

Figure 4: Overseas expansion by Hikvision, Dahua and Uniview during the Covid-19 pandemic

The Mapping China’s Technology Giants project depicts the overseas expansion of Hikvision, Dahua and Uniview as overseas demand for their temperature-screening products increased during the Covid-19 pandemic. The map contains 65 data points of overseas presence relating to Covid-19 for the three companies, including donations, commercial partnerships and surveillance equipment.

Drones manufactured by technology company DJI proved useful in helping counter the spread of Covid-19. The company sold drones to countries, including France, Norway, Italy, the Philippines, Spain and Indonesia, and 22 states in the US to disinfect public areas and to patrol streets.55

Although China’s economic growth slowed to 2.3% by the end of 2020, its economy emerged as the only major economy expected to have grown in 2020 as a result of the pandemic.56 China’s digital economy, in particular, was positively affected by Covid-19, expanding by 9.7% from 2019.57 While China’s economic recovery had a head start, the International Monetary Fund expects the global economy to recover and grow by 6.1% in 2021, estimating 5.1% growth for advanced economies and 6.7% growth for developing economies.58

Despite external pressures amid tense US–China relations, Covid-19 provided the technology giants on our map with an opportunity to expand both domestically and overseas. High-profile donations of personal protective equipment from the tech giants helped to burnish their brands as well as deflect criticism of the Chinese state’s cover-up of the Covid-19 outbreak in its early days. China’s tech giants may have received a short-term boost from the pandemic, but over the longer term their prospects are less certain as many countries begin to address their dependence on China in critical sectors.59 As those countries make changes to reduce their reliance on China, the overseas growth that Chinese tech companies have experienced may slow.

3. US-China tech tensions

As factories in China were shut down and exports from the country ceased in China’s early response to the Covid-19 outbreak, the pandemic triggered countries and companies to move away from their supply-chain reliance on China. Before the pandemic, the US Entity List played a role in the Trump administration’s push to decouple the US economy from China. Cooperating with blacklisted companies on the Entity List raised fears among Western businesses about the data security and privacy risks associated with continued collaboration.60 As those concerns and Entity List designations began affecting business between US and Chinese companies, the ramifications of the listings spread globally, influencing the actions of other countries against some of the technology giants on our map.

The impacts of the US Entity List and ensuing global actions against the Chinese technology companies that we observed have varied drastically, significantly slowing Huawei’s overseas growth and overall expansion, while sparing major internet companies, including ByteDance, Tencent and Alibaba.61 The Entity List designation of telecommunications companies Huawei and ZTE prompted other countries, such as the members of the Five Eyes group and the EU, to implement policies aimed at limiting and in some cases excluding those companies from their 5G infrastructure. Although Covid-19 provided several surveillance and AI companies with an opportunity to neutralise such effects, many countries are still responding to security concerns associated with China’s tech giants, and the impacts of further global actions can be expected to shift in severity in coming years.

In the five years since the US first blacklisted ZTE in 2016—in a move that threatened the corporate viability of the Chinese telecommunications company62—Washington has widened its net to include a range of other Chinese companies, including 16 of the 27 featured on our map. As of April 2021, more than 400 Chinese companies, organisations and affiliates had been placed on the Entity List.63

In addition to placing various Chinese companies on the Entity List, the Trump administration also prohibited US companies and citizens from investing in the securities of dozens of companies included in the Pentagon’s list of ‘communist Chinese military companies’ operating in the US (the CCMC List),64 including seven of the technology companies featured on our map: China Electronics Technology Group (CETC)China MobileChina TelecomChina Unicom, Hikvision, Huawei and Inspur.65 The Trump administration also proposed new rules that sought to eject Chinese firms from US stock exchanges for failure to comply with US auditing standards (Figure 5).

Figure 5: Timeline of US listings and other measures affecting Chinese tech companies

Note: For more information and sources, refer to Appendix 1.

3.1 The ZTE case

In March 2016, the US Department of Commerce added ZTE to the Entity List after it found that the company had schemed to hide its re-exports of US-origin items to Iran and North Korea, both of which were under US sanctions.66 The restrictions prevented suppliers from providing ZTE with US equipment, threatening the company’s supply chain.

While the ban brought the company to the brink of collapse, Washington extended a series of lifelines to ZTE, allowing it to maintain ties to its US suppliers before it agreed to pay US$892 million in a plea deal in March 2017.67 In April 2018, the US announced a seven-year ban on American firms selling parts and software to the company after it was found to be shipping US goods to Iran in violation of its agreement.68

The ban had an immediate effect on ZTE, bringing the company’s production to a grinding halt. It announced in April 2018 that it was ceasing ‘major operating activities’.69 The following month, US President Donald Trump threw an unexpected lifeline to the company, tweeting that there would be ‘too many jobs in China lost’ due to the US Government’s actions against ZTE.70

ZTE went on to report revenue growth hitting a five-year high during 2020. The company’s operating revenue reached almost US$16 billion (Ұ101.45 billion), indicating a year-on-year increase of 11.8%.71 Its net profit experienced a year-on-year increase of 17.3%, totalling US$672 million (Ұ4.26 billion).72 While sales had declined in the US and Europe, the company was able to achieve sufficient growth in Asian markets and domestically, where it made over two-thirds of its revenue.

In August 2018, Washington reached for another tool. The annual Defense Authorization Bill barred government agencies from procuring equipment from five Chinese companies, including ZTE.73 The Bill covered any substantial or essential technology component of any system used by US Government agencies, and especially mentioned technology used to track or view user data. As a result of the Bill, all agencies that were already using equipment provided by the Chinese companies were directed to allocate specific funding to replacing it.74 When the Bill was enacted, it also targeted other Chinese companies, including Huawei and Hikvision.75

3.2 Huawei’s global struggles

Similarly to its competitor, ZTE, Huawei continues to experience turbulence due to its addition to the US’s Entity List. The company was first blacklisted on 16 May 2019 by the US Commerce Department’s Bureau of Industry and Security, together with 66 of its non-US affiliates.76 The bureau later added several other affiliated entities in August 201977 and August 2020.78

In addition to using the Entity List, the Trump administration blocked global chip supplies to Huawei in May 2020, further impeding the global expansion of the company’s business.79 As the crackdown on the company continued, Huawei was designated as a national security threat, together with ZTE, by the US Federal Communications Commission on 30 June 2020, which effectively barred them from receiving federal broadband subsidies to expand broadband access across the US.80 Finally, in November 2020, Huawei and 30 other Chinese companies were included in an executive order that designated them as being backed by China’s People’s Liberation Army.81

As the US has taken action against Huawei, it has also actively encouraged and publicly pressured other countries to adopt similar policies.82 But many countries have taken their own, and often different pathways, to arrive at their decisions on 5G over the last few years. And some, like Australia, made their decisions long before the United States.

The Five Eyes countries have responded with some of the toughest policies against Huawei. In 2018, Australia became the first country to exclude ‘high-risk vendors’ from its 5G networks.83 New Zealand similarly rejected Huawei’s first bid in the country in 2018 due to national security concerns.84 The UK most recently banned mobile providers from purchasing new Huawei 5G equipment and announced that providers must remove all Huawei 5G equipment from their networks by 2027.85 Although Canada hasn’t formally blocked Huawei, the country has delayed its decision long enough to effectively force its telecom companies to exclude Huawei equipment from their 5G networks.86

According to the Dell’Oro Group, countries representing more than 60% of the world’s cellular-equipment market are now considering or have already acted to restrict Huawei.87 The EU and several of its members have taken similar actions to block or limit Huawei’s presence in their 5G network deployments . In January 2020, the EU recommended that its members limit ‘high-risk 5G vendors’, including Huawei, stopping just short of recommending an outright ban of the company.88 Swedish regulators banned wireless carriers from using Huawei’s 5G equipment, citing national security concerns. In response, however, Huawei challenged the decision in Swedish courts and has since threatened to exclude Ericsson from participating in China’s 5G growth.89

Romania and Poland both enacted policies aimed at blocking Huawei from their 5G networks, although the policies didn’t explicitly ban Huawei.90 Huawei sent a letter to the EU competition chief, in which the company argued that Poland’s and Romania’s proposed 5G security rules were ‘predicated on several violations of EU law’.91 In its letter, Huawei also cited the involvement of the US in those actions against the company, referencing ‘joint declarations’ and ‘memoranda of understanding’— aimed at pushing out 5G suppliers subject to foreign interference—that the US signed with several European countries, including Romania, Poland, Estonia, Latvia, the Czech Republic, Slovenia, Slovakia, Cyprus, Bulgaria, North Macedonia and Kosovo.92

In 2020, as a result of global actions against it, Huawei reported its slowest annual revenue increase in a decade.93 Specifically, Huawei’s revenue increased year-on-year by 3.8%, totalling US$136.7 billion,94 which was a drastic decline from its 19% revenue growth during 2019 (Table 1).95 Although the company still managed to grow overall, China was the only region where it experienced positive revenue growth.96 The company’s carrier business, which is responsible for building its telecom networks, grew by only 0.2%.97 That stall was largely due to the decision of several Western countries to exclude Huawei’s 5G equipment from their networks.98

Table 1: Huawei’s 2020 business revenue, by region

Source: Huawei Investment & Holding Co. Ltd, 2020 annual report, 2021, online.

While Huawei’s decline in growth was most pronounced in North and South America in 2020, Europe, the Middle East and Africa collectively showed the next greatest decline, followed by the Asia–Pacific. This resulted in the company’s decision to pivot its priority industries to focus on developing software. In an internal memo made public in May 2021, Huawei founder Ren Zhengfei wrote that Huawei should strive to ‘lead the world’ in software as the company seeks growth beyond its hardware operations.99

Although Huawei’s deputy chairman, Eric Xu Zhijun, said in an interview that the company’s goal for 2021 is ‘to survive’, experts such as Dan Wang, an analyst with Gavekal, have speculated that Huawei may pivot to new businesses, such as self-driving and electric-vehicle technologies.100 Already, Huawei reportedly has plans to invest US$1 billion into researching self-driving and electric vehicles and is reportedly in talks to acquire a domestic automaker’s electric vehicle unit.101 Through investing in businesses that are less reliant on advanced chips and through strengthening its software business, Huawei is searching for new revenue sources.102

US sanctions have particularly affected Huawei’s access to international technologies, such as advanced chips, that are essential for the company’s products. When the US Government barred Huawei from purchasing semiconductors produced using US software or technology without a special licence, the move crippled Huawei’s smartphone business and resulted in the sale of its Honor budget smartphone brand.103 US sanctions also required Google to revoke Huawei’s Android licence, leaving the company without access to Google apps and services that have been critical for the functioning of Huawei’s smartphones.104

In response to losing its Android licence, Huawei created a ‘forked’ version of Android to serve as its own operating system, Harmony OS, which is likely to face challenges as it seeks to attract developers and create apps.105 If it’s successful, however, Harmony OS would provide Huawei with complete control over an operating system with potential implementation in smartphones internationally, enabling Huawei to control the information environment—including which apps are banned—outside of China’s borders.106

Despite losing access to several markets globally, Huawei has signed new 5G and cloud-computing agreements with countries in Africa, the Middle East and Southeast Asia (Figure 6). Access to those markets will be critical for Huawei’s future as the US and the EU move to confront their supply-chain dependence on China.107

Figure 6: Huawei’s 5G and cloud-related overseas presence

Note: The Mapping China’s Technology Giants project website contains 200 data points of overseas presence relating to 5G and cloud technologies for Huawei.

3.3 Sanctions for all

Similarly to Huawei, state-controlled surveillance technology company Hikvision was added to the US’s Entity List in October 2019.108 Along with Hikvision, six other technology giants on our map were added at that time, including surveillance company Dahua, AI companies iFlytek, Megvii, SenseTime, and YITU, and digital forensics and security company Meiya Pico.109

Although Hikvision’s growth was boosted by Covid-19, a March 2020 disclosure detailed the negative impacts of sanctions on the company’s overseas market and income. The disclosure stated that, as a result of its Entity List designation, Hikvision had increased its R&D costs significantly to allow for expanding upstream technology, changing materials and adjusting product designs.110 Additionally, Hikvision has been restricted in other countries, such as India, where the company is prohibited from bidding on government projects.111 The company also faces scrutiny in Australia, where, as recently as January 2021, the South Australian health department removed all cameras made by Hikvision from public hospitals and nursing homes.112

Predicting its addition to the Entity List in 2019, Hikvision stockpiled essential components in preparation, which proved helpful in mitigating the immediate impacts.113 As the global chip shortage continues to affect the technology industry, however, Hikvision’s president has indicated future uncertainties for the company if the situation persists.114

Among the companies we tracked, BGI Group—a key supplier of Covid-19 testing technology—experienced the greatest growth despite being blacklisted by the US. In July 2020, the US Department of Commerce placed two of BGI’s subsidiaries (Xinjiang Silk Road BGI and Beijing Liuhe BGI) on the Entity List.115 However, due to the company’s key role in providing Covid-19 testing equipment, BGI reported a surge in its net profit and share price during 2020.

Other Chinese tech companies on our map that were affected by US sanctions include DJI and Nuctech. The US Department of Defense first issued a ban on the purchase and use of DJI’s commercial drones on 23 May 2018 and later added the company to the export blacklist in December 2020.116 Although DJI continued to expand during 2020, it faced challenges in maintaining its large presence overseas, reportedly having to make sweeping cuts to its global sales and marketing teams.117 Despite its Entity List designation, DJI maintains control of more than 70% of the global drone market, and North America remains its largest market.118

China’s major telecommunications companies—China Telecom, China Unicom and China Mobile—have been targeted by Washington in several capacities (Figure 7). Most recently, in January 2021, the three companies were added to the Pentagon’s CCMC List, which triggered a series of delistings and relistings of the companies by the New York Stock Exchange, eventually resulting in the final delisting of all three.119 The companies were also among 31 Chinese companies included in a November 2020 executive order that designated them as being backed by the People’s Liberation Army.120 Before those designations, the US Federal Communications Commission had already begun taking action against China Telecom and China Unicom in April 2020.121 Despite being added to the lists, all three telecom companies experienced growth during 2020 as they expanded their 5G operations—especially in China.

Figure 7: Chinese telcos’ overseas presence

Note: The Mapping China’s Technology Giants project counts more than 480 points of overseas presence for China’s three major telecommunications operators (China Mobile, China Telecom and China Unicom) combined.

Apart from those tech giants, several major Chinese technology companies on our map have been largely spared US economic countermeasures, specifically Alibaba, Ant Group, Baidu, ByteDance and Tencent. There were, however, disparate attempts by the Trump administration to take action against those companies, which all eventually failed during Trump’s term of office.

In January 2021, for instance, the US Department of State and Department of Defense pushed to add Alibaba, Tencent and Baidu to the CCMC List, which would have banned US investors from holding stock in the three companies.122 Previously, in August 2020, Trump issued two executive orders prohibiting any American company or person from conducting transactions with ByteDance, which is TikTok’s parent company, and Tencent’s WeChat.123 The bans were halted a month later by a US federal judge, citing First Amendment rights.124 In October 2020, the US State Department proposed adding Ant Group to the Entity List, which was seen as a move to discourage US investors from taking part in Ant’s upcoming IPO in Shanghai and Hong Kong. The bid was later put on hold by the Trump administration.125 Any impacts of attempted bans on those companies were neutralised as demand for digital products skyrocketed during the Covid-19 pandemic.

Although the attempts to take action against Alibaba, Ant Group, Baidu, ByteDance and Tencent were unsuccessful, they attracted global attention to the data privacy and security risks associated with using products and applications developed by the Chinese technology giants. Following US attempts, India permanently banned 59 Chinese apps from its domestic market in January 2021, while Germany’s intelligence agencies warned consumers that personal data provided to Chinese technology companies could end up in the possession of the Chinese Government.126 As the US and other countries continue targeting China’s tech giants through various regulatory measures, they’re being pushed to address their reliance on China just as China is seeking to reduce its dependence on the US for critical technologies, particularly semiconductors.

4. Localising supply chains: from a ‘choke point’ to ‘dual circulation’

From the perspective of Beijing’s policymakers, 2020 was a year in which, as Vice Foreign Minister Le Yucheng put it, China experienced a ‘plot reversal’ and ‘turned a crisis into an opportunity’.127 ‘Rather than being a “Chernobyl moment”’ for China, the pandemic became a ‘highlight moment for socialism with Chinese characteristics’, Le told a think-tank forum in December 2020. The triumphalist note came as China’s ability to contain the spread of Covid-19 before other major economies allowed it to rebound faster and end 2020 on a high note as the only major economy to report positive growth, achieving an economic expansion of 2.3%.128

Despite their upbeat tone, China’s leaders also recognised that the combination of the Covid-19 pandemic and the US–China trade war had exposed the country’s fragility in technological innovation. In a speech to scientists in September 2020, Xi Jinping stressed the need for China to ensure secure and stable supply chains and to pursue indigenous innovation: ‘We must give full play to the significant advantages of our country’s socialist system that concentrate power on large undertakings, and successfully fight tough battles for the key core technologies,’ he instructed.129

While the Chinese state’s goal of achieving self-reliance in technology has been a longstanding policy, the combination of the Covid-19 pandemic and the ever-tightening technology blockade imposed by the White House put the issue front and centre for the Chinese leadership. In December 2020, China’s Central Economic Working Conference announced that science and technology work would be the top priority in 2021. The 14th Five-Year Plan, unveiled in March 2021, described technological innovation as a matter of national security, not just economic development, for the first time.130

4.1 Mobilising the tech industry

China’s technology companies are set to play a key role in addressing that fragility as they’re mobilised in what Beijing’s top policy official, Jiang Jinquan, calls a ‘whole country approach’ to reduce reliance on foreign technologies.131 That effort would seek breakthroughs in ‘strategic and fundamental key science and technology projects’ so that the country can overcome ‘choke points’ in its technological progression, Jiang said in his interpretation of an as yet unpublished keynote speech made by Xi to China’s provincial-level leaders in early January 2021. As part of the plan, the country will establish ‘national teams’ to strengthen scientific research and innovation, according to Jiang. The private sector will be encouraged to invest in R&D, and the state will reward companies through ‘state purchase of research results’.

Several of the companies featured on our map, including SenseTime, Huawei, ZTE, Megvii, YITU, CloudWalk, Baidu, Alibaba, Tencent and China’s three major telcos, have already been recruited in a US$2 trillion new infrastructure campaign that the Chinese state introduced in the early days of the pandemic to boost the economy and cushion the impact of the global slowdown. The campaign targets high-tech sectors such as 5G infrastructure, AI, big data centres, the industrial internet, ultra-high-voltage high-speed intercity rail and electric vehicle charging infrastructure.132 The plan is largely a continuation of the Made in China 2025 campaign that was launched in 2015, with some minor cosmetic changes.

Made in China 2025 targeted investments in 10 strategic industries now largely dominated by the US, including aerospace, semiconductors, information technology, robotics, green energy, electric vehicles, agricultural machinery, pharmaceuticals and advanced materials. The campaign attracted sustained criticism from the Trump administration for its attempt to capture market share from China’s foreign technology rivals. The new infrastructure campaign dropped any reference to that plan as well as any explicit requirements that core technology must be sourced domestically. The campaign is funded mainly by the private sector and local governments instead of the national government.133

China’s three national telecom carriers (China Unicom, China Telecom and China Mobile) collectively promised in March 2020 to invest around US$34 billion (Ұ220 billion) to build 5G base stations in China. Tencent said that it would invest US$77 billion (Ұ500 billion) over the following five years in new infrastructure technologies, such as cloud computing, and cybersecurity. Alibaba also pledged US$30 billion (Ұ200 billion) in new infrastructure investments over three years.

4.2 All about the chips

Over the long term, the success of the new infrastructure campaign hinges on China’s access to the world’s most advanced semiconductor chips, which are the basic building blocks for emerging technologies such as 5G, AI and autonomous vehicles, in which Beijing hopes to lead the world. China’s reliance on a globalised value chain to source semiconductor chips is seen by Chinese leaders from Xi Jinping down as a key obstacle to the country’s technological ambitions.

The Trump administration’s assault on China’s ability to source semiconductor chips resulted in a flurry of panic buying. Imports of semiconductors jumped by 33.6% to US$155.6 billion in the first three months of 2021—an increase of 77.6% from 2019.134 Beijing’s attempts at achieving self-sufficiency in semiconductors have been beset by setbacks, and large subsidies for semiconductor projects have failed to produce successes. China’s self-sufficiency ratio for semiconductors is expected to be only 19.4% in 2025.135

In an effort to achieve self-sufficiency, public and private entities in China have facilitated the organisation of several technology-focused alliances. In 2016, Huawei, ZTE, Inspur and the Ministry of Industry and Information Technology were among 27 entities that established China’s High End Chip Alliance, which aims to promote the production of, research into and collaborative innovation on chip technology.136 The National Integrated Circuit Standardisation Technical Committee was later proposed by the China Electronics Standardisation Institute in 2021. Huawei, Tencent and Alibaba are among 90 Chinese tech companies that joined the committee in an effort to strengthen the domestic semiconductor supply chain.137

Huawei’s addition to the US’s Entity List further spurred its efforts to create a domestic supply chain but it also served as a warning to other Chinese tech companies featured on our map, such as ByteDance, Baidu, Alibaba and SenseTime, that now view reliance on US technology as a vulnerability that must be eliminated. ByteDance is exploring the feasibility of developing its own AI chips.138 Baidu has completed one round of financing for its Kunlun AI chip unit and is considering commercialising its chip design capabilities.139 Alibaba has also unveiled an AI chip for its cloud-computing products.140 After being added to the Entity List in 2019, SenseTime began developing its own AI chips.141 Meanwhile, Huawei is reportedly constructing a dedicated chip plant in Shanghai that won’t use American technology.142

4.3 Dual circulation

The Covid-19 pandemic and the growing China–US strategic and technological competition also prompted a major rethink in economic policy for the CCP. A new strategy began to take shape in a series of key speeches and party documents as China emerged from its Covid-19 economic slump in early 2020. In April 2020, in a seminal speech on China’s economic development that was kept under wraps for six months, Xi Jinping said that the impact of the pandemic had exposed hidden risks in China’s industrial and supply chains and that the country ‘must strive to have at least one alternative source for key products and supply channels, to create a necessary industrial backup system’.143

Referred to as a need to speed up China’s ‘dual circulation’ growth model, the new economic strategybecame the focus of the 14th Five-Year Plan adopted on 11 March 2021, which charts a course for China’s economy from 2021 to 2025.144 It envisages a future in which Beijing steadily weans itself off high-end imports from industrialised nations while using the ‘powerful gravitational field’ of its economy to make other nations heavily reliant on China for high-tech supplies and as a market for raw materials. As Xi said in his April 2020 speech:

We must sustain and enhance our superiority across the entire production chain … and we must tighten international production chains’ dependence on China, forming a powerful countermeasure and deterrent capability against foreigners who would artificially cut off supply [to China].

By pursuing a strategy of ‘dual circulation’, Beijing hopes to build fully domestic supply chains while binding foreign companies to the Chinese market even more strongly. Over the long term, the aim is for a stronger China able to withstand economic coercion, but also for China to be in a stronger position to inflict coercion on other countries. The CCP’s use of economic coercion against countries such as Australia and companies such as Swedish retailer H&M foreshadow how the Chinese state is likely to use its enhanced power if its ‘dual circulation’ strategy is successful.

5. Reining in the tech giants: tougher regulation at home

China’s regulatory agencies have treated the country’s tech giants with a light touch for most of the companies’ history, favouring their pursuit of technological dominance and economic prosperity over the need for regulating their growing monopoly power.

In October 2020, the scales tipped in the opposite direction after Jack Ma, the co-founder of Alibaba and its fintech affiliate, Ant Group, made a public speech in Shanghai in which he levelled a scathing critique of financial regulators and implicitly rejected Xi Jinping’s signature campaign to combat financial risks.145 The speech reportedly infuriated the leadership in Beijing and prompted Xi to personally call off Ant Group’s impending US$34 billion IPO and order regulators to investigate risks posed by Ma’s business.146

Regulators cited the systemic financial risks posed by Ant Group as the reason for the company to reorganise itself as a financial institution, subject to oversight by the country’s central bank, the People’s Bank of China. Escalating geopolitical tensions with the US and the ensuing US–China trade war contributed to the regulator’s efforts to rein in Ant Group, as Beijing sought to head off risks in the banking system amid concerns that the stand-off with Washington could precipitate a financial crisis.

Ma’s speech served as a tipping point for agencies, such as China’s antitrust authority, the State Administration for Market Regulation (SAMR), that have now become much more assertive with their agenda to draw clear lines between tech companies and financial services companies—lines that Jack Ma was intending to further blur. As Ma removed himself from public view, the campaign widened out to other companies in late April 2020, when the People’s Bank of China and four other regulatory agencies told 13 firms, including Tencent and ByteDance, that their apps should no longer provide financial services beyond payments.147

Ma’s speech may have been a catalyst for some regulatory agencies, but the groundwork for action had been put in place much earlier. In January 2020, the SAMR proposed the first major revisions to the country’s 2008 antimonopoly law in over a decade, including provisions for large internet platforms.148 The regulatory push has been spearheaded by Vice Premier Liu He, who is Xi Jinping’s top economic adviser.149 The principles underlying the campaign—‘tackling monopolies’ and ‘preventing disordered capital expansion’—emerged during several high-level government meetings, including the Fifth Plenary Session of the 19th CCP Central Committee in October 2020 and the Central Economic Working Conference at the end of the year.150

Beijing’s effort to tame the outsized power of China’s internet companies has continued to widen. A week after Ant Group’s IPO was scuttled, the SAMR published draft rules to curb monopolistic behaviour in the country’s tech sector, immediately wiping US$280 billion from the market capitalisation of the internet giants Tencent, Xiaomi, Meituan and JD.com.151 In April 2021, Alibaba Group was hit with a record US$2.81 billion antimonopoly fine, which was equivalent to around 4% of the group’s 2019 revenue. An investigation into Tencent is currently underway, and some reports suggest that it, too, may be hit with a fine of at least US$1.54 billion (Ұ10 billion).152

The SAMR went on to summon 34 technology companies and warn them to ‘heed the warning’ provided by Alibaba’s case. The companies, which included Baidu, Tencent and ByteDance, were given one month to undergo ‘complete rectification’ to ensure that they weren’t in breach of anti-monopoly laws. In a statement, the monopolies regulator stressed that the companies must ensure that they’re not doing anything that ‘harms the interests of operators and consumers’ and that they should give ‘priority to national interests’.153 Between December 2020 and April 2021, the regulator fined 11 companies, including Tencent, Baidu, Alibaba and ByteDance, for failing to disclose past acquisitions and investments.154 As the government continues to clamp down on this sector, investors have grown nervous, leading to a plunge in the combined market capitalisation of 10 leading technology companies by over US$800 billion from its peak in February 2021.155

Beijing’s campaign, which is set to continue throughout 2021, comes at the same time as efforts in the West to rein in companies such as Facebook and Google have gained momentum. The efforts share some similar worries: regulators in the US, Europe and China all cite concerns that the technology giants have built market power that stifles competition, misuses consumer data and violates consumer rights. But, for China’s regulators, the need to discipline their country’s tech companies goes beyond those concerns to a broader sense that the companies’ interests aren’t sufficiently lined up with the CCP’s industrial policy or its goal of achieving technological self-sufficiency.

An editorial in the People’s Daily in December 2020 urged the country’s internet giants to focus on innovation instead of the ‘community group-buying’ market.156 ‘Internet giants with access to big data and advanced computing should have a greater responsibility, greater pursuits, and a greater role in scientific and technological innovation,’ the CCP mouthpiece wrote. The CCP has now moved on from merely chiding the tech companies to enforcing their adherence to its strategic goals. In January 2021, the head of the SAMR emphasised that one of his priorities for 2021 was to ‘promote the coordination of industrial policy and competition policy’.157

6. Conclusion

The Covid-19 pandemic may have been a short-term boon to many of China’s technology giants, but, for the CCP, the pandemic and the US–China trade war were a stark reminder of the country’s fragility in technological innovation. While the Chinese state’s goal of achieving self-reliance in technology has been a longstanding policy, the combination of the Covid-19 pandemic and the ever-tightening technology blockade imposed by the White House elevated the issue to a higher level of importance than ever before.

The onslaught of sanctions and other related measures from the US helped to further align the interests of China’s tech giants with the CCP’s goal of achieving technological self-sufficiency. A newly launched rectification campaign in the technology sector is designed to ensure that this alignment continues. The campaign, which looks set to continue throughout 2021 and beyond, is already bearing fruit as major internet companies warn investors that they’re preparing to funnel capital into areas that the Chinese state has identified as priorities, such as cloud computing, autonomous vehicles and AI.158

Already, a string of high-level resignations have taken place in various Chinese technology companies, including Ant Group, Pinduoduo and ByteDance, as the government seeks to weaken the central authority of all the leaders of the major technology companies.159 The Chinese state is embarking on a fundamental restructuring of the technology industry and the private sector more broadly so that, as CCP guidelines released in September 2020 put it, ‘ideological guidance’ is strengthened to ‘create a core group of private sector leaders who can be relied upon during critical times’.160

The Chinese state is more determined than ever to rein in China’s technology giants and push them, and the country, towards technological self-sufficiency.

Appendix 1: Timeline of US entity listings and other measures

For Appendix table, please download the full report.


Acknowledgements

Thank you to Danielle Cave and Cheryl Yu for all of their work on this project. We would like to also thank our external peer reviewers Lindsay Gorman, Kara Frederick and Chris Crowley. We’re also grateful for the valuable comments and assistance provided by Peter Mattis, Tom Uren, Michael Shoebridge and Fergus Hanson.

This research report forms part of Mapping China’s Technology Giants, which is a multi-year project mapping and analysing the overseas expansion of key Chinese technology companies. The project seeks to:

  • analyse the global expansion of a key sample of China’s tech giants by mapping their major points of overseas presence
  • provide the public with analysis of the governance structures and party-state politics in which these companies have emerged, and are deeply entwined.

The Mapping China’s Technology Giants project is produced by researchers at ASPI’s International Cyber Policy Centre. The relaunch of this project, and associated research, was funded with a US$270,000 grant from the US State Department

What is ASPI?

The Australian Strategic Policy Institute was formed in 2001 as an independent, non‑partisan think tank. Its core aim is to provide the Australian Government with fresh ideas on Australia’s defence, security and strategic policy choices. ASPI is responsible for informing the public on a range of strategic issues, generating new thinking for government and harnessing strategic thinking internationally. ASPI’s sources of funding are identified in our annual report, online at www.aspi.org.au and in the acknowledgements section of individual publications. ASPI remains independent in the content of the research and in all editorial judgements.

ASPI International Cyber Policy Centre

ASPI’s International Cyber Policy Centre (ICPC) is a leading voice in global debates on cyber, emerging and critical technologies, issues related to information and foreign interference and focuses on the impact these issues have on broader strategic policy. The centre has a growing mixture of expertise and skills with teams of researchers who concentrate on policy, technical analysis, information operations and disinformation, critical and emerging technologies, cyber capacity building, satellite analysis, surveillance and China-related issues.

The ICPC informs public debate in the Indo-Pacific region and supports public policy development by producing original, empirical, data-driven research. The ICPC enriches regional debates by collaborating with research institutes from around the world and by bringing leading global experts to Australia, including through fellowships. To develop capability in Australia and across the Indo-Pacific region, the ICPC has a capacity building team that conducts workshops, training programs and large-scale exercises for the public and private sectors.

We would like to thank all of those who support and contribute to the ICPC with their time, intellect and passion for the topics we work on. 

If you would like to support the work of the centre please contact: icpc@aspi.org.au

Important disclaimer

This publication is designed to provide accurate and authoritative information in relation to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering any form of professional or other advice or services. No person should rely on the contents of this publication without first obtaining advice from a qualified professional.

© The Australian Strategic Policy Institute Limited 2021

This publication is subject to copyright. Except as permitted under the Copyright Act 1968, no part of it may in any form or by any means (electronic, mechanical, microcopying, photocopying, recording or otherwise) be reproduced, stored in a retrieval system or transmitted without prior written permission. Enquiries should be addressed to the publishers. Notwithstanding the above, educational institutions (including schools, independent colleges, universities and TAFEs) are granted permission to make copies of copyrighted works strictly for educational purposes without explicit permission from ASPI and free of charge.

First published June 2021.
ISSN 2209-9689 (online),
ISSN 2209-9670 (print).

Cover image: ASPI ICPC, Nathan Attrill

Funding Statement: Funding for this report was provided by the US State Department.

  1. Humeyra Pamuk, Alexandra Alper, Idrees Ali, ‘Trump bans US investments in companies linked to Chinese military’, Reuters, 12 November 2020, online. ↩︎
  2. ‘FCC designates Huawei and ZTE as national security threats’, news release, US Federal Communications Commission, 30 June 2020, online. ↩︎
  3. David E Sanger, Julian E Barnes, Raymond Zhong, Marc Santora, ‘In 5G race with China, US pushes allies to fight Huawei’, New York Times, 26 January 2019, online. ↩︎
  4. Jeanne Whalen, Ellen Nakashima, ‘US bans technology exports to Chinese semiconductor and drone companies, calling them security threats’, Washington Post, 18 December 2020, online. ↩︎
  5. James McBride, Andrew Chatzky, Is ‘Made in China 2025’ a threat to global trade?, Council on Foreign Relations, 13 May 2019, online. ↩︎
  6. Adam Segal, ‘Seizing core technologies: China responds to US technology competition’, China Leadership Monitor, 1 June 2019, online. ↩︎
  7. Nigel Inkster, Xi steers China towards economic and technological self-reliance, International Institute for Strategic Studies, 11 November 2020, online. ↩︎
  8. ‘习近平:在科学家座谈会上的讲话’ [Xi Jinping: Speech at the Symposium of Scientists], Xinhua, 11 September 2020, online.. ↩︎
  9. ‘中华人民共和国国民经济和社会发展第十四个五年规划和2035年远景目标纲要’ [The 14th Five-Year Plan for National Economic and Social Development of the People’s Republic of China and the outline of the long-term goals for 2035], Xinhua, 12 March 2021, online. ↩︎
  10. ‘江金权:把握构建国内大循环的着力点 ——学习习近平总书记在省部级专题研讨班上重要讲话精神的体会’ [Grasp the focus of constructing the domestic circulation—Learning the spirit of General Secretary Xi Jinping’s important speech at provincial and ministerial seminars], Study Times, 25 January 2021, online. ↩︎
  11. ‘China ramps up tech commitment in 5-year plan, eyes 7% boost in R&D spend’, Reuters, 5 March 2021, online. ↩︎
  12. Liza Lin, ‘China’s trillion-dollar campaign fuels a tech race with the US’, Wall Street Journal, 11 June 2020, online. ↩︎
  13. Rui Ma, ‘Old Extra Buzz post from Dec. 2020: Internet platforms: antitrust regulations are here’, Tech Buzz China, 11 December 2020, online. ↩︎
  14. ‘Playing by the rules’, Week in China, 16 April 2021, online. ↩︎
  15. Jing Yang, Serena Ng, ‘Ant’s record IPO suspended in Shanghai and Hong Kong stock exchanges’, Wall Street Journal, 3 November 2020, online. ↩︎
  16. Raymond Zhong, ‘China fines Alibaba $2.8 billion in landmark antitrust case’, New York Times, 9 April 2021, online. ↩︎
  17. Yuan Yang, Ryan McMorrow, Miles Kruppa, ‘ByteDance staff and investors shocked as founder steps back’, Financial Times, 22 May 2021, online. ↩︎
  18. ‘Xi focus: Xi chairs leadership meeting on economic work for 2021’, Xinhua, 11 December 2020, online. ↩︎

An Australian strategy for the quantum revolution

What’s the problem?

The world is now at the precipice of another technological and social revolution—the quantum revolution. The countries that master quantum technology will dominate the information processing space for decades and perhaps centuries to come, giving them control and influence over sectors such as advanced manufacturing, pharmaceuticals, the digital economy, logistics, national security and intelligence.

The power of quantum computing, quantum communications and other quantum-enabled technologies will change the world, reshaping geopolitics, international cooperation and strategic competition. The new United States administration is well aware of this. In his first weeks in office, President Biden signalled a major new policy focus on science and technology,1 including quantum technologies.2 This will involve new public investment, working closer with allies, and decisions such as re-establishing the President’s Council of Advisors on Science and Technology.3 The Covid-19 crisis has also seen quantum emerge as an investment vector for post-pandemic recovery: large capital investments have been made over the past year by such nations as China, Japan, Germany, France, South Korea and India.

While Australia benefited from the digital revolution of the 20th century, we missed our opportunity to play a major role in the computing and communications technology sector. A similar fate doesn’t have to befall us in the upcoming quantum revolution. We have a long history of leadership in quantum technology and we’re highly influential relative to our size. As geopolitical competition over critical technologies escalates, we’re also well placed to leverage our quantum capabilities owing to our geostrategic location and alliances with other technologically, economically and militarily dominant powers (most notably the Five Eyes countries) and key partnerships in the Indo-Pacific, including with Japan and India. While Australia is well placed to take full advantage of the quantum revolution, the status quo isn’t enough. We must build and capitalise on the immense potential of quantum technologies.

What’s the solution?

Australia needs a clear quantum strategy, political leadership and an organised effort, including policy focus and public investment. Without those things, we’ll be left behind. This report focuses on analysis—and building policy recommendations—to help Australia better leverage the quantum revolution. It also recognises that quantum is just one critical technology and that what’s needed is a step change in our current policy settings related to critical and emerging technologies more generally. Hence, this report makes broader policy recommendations that serve the dual purpose of supporting that much-needed step change, while also enabling a more strategic focus on Australia’s quantum opportunities.

The Prime Minister should appoint a dedicated and ongoing minister for critical and emerging technologies (that position could also inherit ‘cyber’). This minister’s focus should be technology, rather than ‘technology’ being added to a longer list of portfolio topics. This should be a whole-of-government role with the minister working across the relevant economic, national security, industry, research, defence and science agencies in the public service. The Australian Government should also immediately lay the groundwork for a post-Covid-19 $15 billion technology stimulus that should include a $3-4 billion investment in quantum technologies.4 The stimulus would be a game-changer for Australia and help the country diversify and deepen its technological and R&D base.5 It would also exploit our disproportionate concentration of world-class quantum expertise, ensuring the long-term growth and maintenance of this vital technological sector.

The government should move quickly in 2021 to develop and articulate a national technology strategy, of which quantum should form a key part. The relatively new but small Critical Technologies Policy Coordination Office in the Department of the Prime Minister & Cabinet (PM&C) should be expanded and elevated to become the ‘National Coordinator for Technology’. This division within PM&C—which is already developing a list of key critical technology areas6—should lead this whole-of-government technology strategy process. They should work closely with other parts of government, including the Department of Industry, Science, Energy and Resources (DISER), Office of the Chief Scientist, Defence, Home Affairs, DFAT, CSIRO, the Office of National Intelligence, the Australian Signals Directorate, as well as the research and civil society community and the private sector. Within the division, offices should be created to focus on a small number of key critical technology areas deemed most important to Australia and our place in the world. The first such office should be developed for quantum technology, while other offices could focus on, biotechnology7 and artificial intelligence, for example. A useful model for such appointments is the position of Assistant Director for Quantum Information Science at the White House Office of Science and Technology Policy in the US.

At the same time, the federal government should lead a national quantum initiative, in consultation with the states and territories and the private sector. This national initiative should form the ‘Australian Distributed Quantum Zone’—a large collaboration of universities, corporations and Australian-based quantum start-ups tasked with laying the foundations of a dedicated industry in Australia for quantum technology prototyping, development and manufacturing. Significant government investment should be used to help stimulate an economy emerging from the most severe crisis in decades. Australia’s favourable handling of Covid-19 presents a unique opportunity to attract new talent as well as to lure back Australians currently running foreign quantum programs, and further expansions to the government’s talent visa options should be considered. Once this groundwork is laid domestically, Australia will be in a strong position to assume a quantum technology leadership role in the Indo-Pacific region.

Introduction

Quantum technology—technology that takes advantage of the rules and behaviour of light and matter at their most fundamental level—has existed for nearly a century. Lasers, MRI machines8 and transistors all rely on the quantum mechanical properties of nature to function. In fact, quantum technology can be directly attributed to the medical and digital revolutions that occurred in the 20th century. Without lasers there would be no fibre-optic communication, without MRIs the entire field of high-resolution, non-invasive medical imaging wouldn’t be possible and without transistors there would be no digital electronics.

However, there’s a difference between those types of quantum technology and the devices we’re trying to build today. While lasers, MRIs and transistors exploit the quantum mechanical nature of reality to function, they don’t manipulate the exact quantum mechanical properties of individual quantum objects such as atoms or particles of light. The second generation of quantum technologies, which includes quantum computers, quantum communication networks and quantum sensors, manipulate single atoms or particles of light with exquisite precision. This leads to computational and communications systems that offer an extraordinary level of new technological power.

Timelines for the delivery of these technologies range widely:

  • 0–5 years for sensors for health, geosurveying and security
  • 5–10 years for quantum-secured financial transactions, hand-held quantum navigation devices and cloud access to quantum processors of a few thousands of qubits9
  • 10–15 years+ for the establishment of wide-ranging quantum communications and the integration of quantum sensors into everyday consumer applications, such as mobile phones
  • 15 years+ for a quantum computer capable of cracking public-key cryptosystems.

Those time frames could change if and when faster breakthroughs occur, but are at least broadly indicative of the pace and likelihood of quantum development. The quantum technology that birthed the digital revolution of the 20th century was just the beginning. On the one hand, this new class of technology could aid in the creation of new materials and drugs, adapt and secure communication networks, increase economic output and improve quality of life. On the other, quantum technologies also represent a significant long-term threat to our digital security, and the promise of computing technology that can scale exponentially in power in the hands of geostrategic adversaries. These new devices will create a knowledge gap in every piece of technology, from security to manufacturing to medicine and bioscience.

Part 1: Australia and quantum technology

Background: A long history of Australian leadership in quantum technology

Australia has played a pivotal role in the advancement of second-generation quantum technology since the technology’s emergence in the 1990s. The country nurtured the intellectual and technological backbone for what’s now a global and highly competitive network of academic and corporate research, as well as a rich global start-up ecosystem. However, as world powers are now recognising the urgency of dominating the quantum technology industry, Australia is at risk of losing its competitive edge.

Australia often achieves great things with scarce resources, including in the technology sector, yet we’re still small compared to the scientific powerhouses of the US, the UK, Germany, Japan and, in the past 20 years, China. We have a population of just over 25 million and an economy strongly reliant on primary industries, so our scientific research tends to focus on `areas of critical mass’ such as mining, agriculture and medical research. Therefore, it may be surprising that a major strength in Australian physics research is still quantum technology.

Australia’s expertise in quantum physics and quantum technology emerged thanks to significant research before 1990, as well as government policy and the country’s strengths in inexpensive innovation. Since at least the 1980s, Australia and New Zealand have had exceptionally strong representation in the field of quantum optics, for example. It’s also an artefact of a time when the fields of particle physics and condensed matter were dominated by the US and USSR. Quantum optics, on the other hand, was a ‘cheap and cheerful’ science in which real progress could be made with the limited resources available south of the equator.

Here’s a brief overview of how Australia currently maintains quantum research:

The Australian Research Council (ARC) Centres of Excellence program is considered the premiere funding vehicle for fundamental and applied research. Many of the (current and past) centres of excellence (CoEs) have a quantum technology aspect. The CoE for Quantum Computation and Communication Technology (CQC2T) has been both the most visible and the best funded of the CoEs since 1999. The vast majority of that investment is focused on the singular goal of designing and building a silicon-based quantum computer. Given the collaborative nature of the CoE, this has resulted in an exceptionally high level of output in the area of quantum computing. In parallel, the CoE for Engineered Quantum Systems (EQUS), funded from 2011 to 2024, has achieved groundbreaking research outcomes in a variety of other quantum technologies falling broadly under the category of quantum machines.

Australia has also hosted other CoEs with significant quantum physics research focused on technology and applications, but they haven’t always specifically labelled themselves as quantum technology centres, and many have been discontinued:

  • The Centre for Quantum-Atom Optics (ACQAO) combined theoretical and experimental groups to advance the rapidly developing field of quantum atom optics (discontinued in 2010).
  • The Centre for Ultrahigh Bandwidth Devices for Optical Systems (CUDOS) focused on photonic engineering and optical devices for communication (discontinued in 2017).
  • The Centre for Nanoscale BioPhotonics (CNBP) researched biomedical imaging applications and the control of light at the single photon level (discontinued in 2020).
  • The Centre for Future Low-energy Electronics Technologies (FLEET) focuses on low-energy electronics using novel materials, including two-dimensional films and topological insulators (funded until 2024).
  • The Centre for Exciton Science (ACEx) is researching the generation, manipulation and control of excitons in molecular and nanoscale materials for solar energy harvesting, lighting and security (funded until 2024).

Beyond ARC-funded schemes, there are other examples of large-scale investment in research in the quantum computing space in Australia. Microsoft has established a strong presence in quantum information and computing via its StationQ (now Microsoft Quantum) research team led by Professor David Reilly at the University of Sydney (also a member of EQUS). Just down the road, the University of Technology Sydney formed the UTS Centre for Quantum Software and Information in 2016 using a combination of university and ARC funding. Although these efforts are still largely university based, they’re indicative of the worldwide pivot towards the commercialisation of quantum computing technology by universities, governments and the private sector.

Since around 2016, we’ve started to see a nascent corporate and start-up sector in quantum technology grow locally. Yet, compared to the rest of the world, Australia is moving very slowly.

In 2008, Quintessence Labs was the first quantum technology company to emerge from an Australian university—spun out from the Australian National University (ANU) —and focused on commercial technology related to quantum key distribution systems and digital security.

In late 2014, QxBranch was founded as a joint spin-off of Shoal Group and the Tauri Group to focus on data analytics and quantum software.

In 2016, h-bar: Quantum Technology Consultants was formed by researchers at RMIT and UTS to service the rapidly expanding corporate and start-up sector.

In 2017, Q-CTRL was founded out of Sydney University and quickly attracted funding from Main Sequence Ventures (the fund associated with the CSIRO). As of 2020, Q-CTRL has secured more than$30 million in venture capital funding, employs approximately 40 scientists and engineers and has recently formed a partnership with the Seven Sisters collaboration to search for water on the Moon.10

While the figures were modest, given international developments, there was a sizeable boost in Australian Government funding for quantum between 2016 and 2019 (Figure 1). This was dominated by the renewal of EQUS and CQC2T and the establishment of Exciton Science and FLEET, funded until 2024, along with the establishment of Silicon Quantum Computing, a spin-off company of the University of New South Wales-led effort to build a silicon quantum computer, headed by Professor Michelle Simmons.

Figure 1: Estimated cumulative investment in quantum technology within Australia, including ARC centres and the private sector, 2000 to 2020



Source: Australian Research Council funding reports (1999-2019), Silicon Quantum Computing and abl.com.au.

Finally, it’s important to note that not all industry activity in quantum technology originates from academia. For example the Melbourne-based cybersecurity company Senetas, founded in 1999, has announced that it will distribute post-quantum encryption to customers in Australia and New Zealand.

While Australia has been comparatively slow to seize on the most recent quantum ‘boom’, there have been recent efforts to begin a coordinated effort in the National Initiative for Quantum Technology Development. In May 2020, the CSIRO released a report titled Growing Australia’s quantum technology industry. In summarising the current state of quantum technology development in Australia, the report argued that the country could tap potential global revenue of at least $4 billion and create more than 16,000 jobs in the new quantum sector. This is a first step in a national conversation on Australia’s future in quantum tech.

Today: Australia is now behind, as the rest of the world started to race in 2014

The pace of global quantum technology investment accelerated rapidly between 2015 and 2020, and Australia is falling behind. Before 2015, we ranked sixth in sovereign investment among the nine largest economies actively investing in quantum technology.11 Today, we’re last. Investment in the sector by China, the US, France, Germany, the EU as a whole, India and Russia now exceeds Australian investment by a factor of 10–100, even while Australia maintains a strong position in quantum talent.

Multiple nations have announced billion-dollar programs to develop their quantum technology industries. China has flagged over A$13 billion to set up a four-hectare quantum technology centre in Hefei.12 In October 2020, China also announced that quantum technologies would be included in its 14th Five-Year Plan (2021–2025).13 Japan has stepped up its investment in quantum computing by placing a functional error-corrected computer as one of its six ‘moonshot’ targets in a newly funded A$1.3 billion program.14 Japan was one of the major early investors in quantum technology, but it lost significant ground in the late 2000s and early 2010s because of a lack of confidence within government. If Australia doesn’t move quickly, we could lose the edge that we’ve cultivated since the turn of the century and unlike Japan, might not have the resources or talent to recover.

The Covid-19 crisis has also seen quantum technology emerge as an investment vector for post-pandemic recovery (figures 2 and 3). As part of a major stimulus injection, the German Government announced a A$3.15 billion investment into quantum technologies.15 In January 2021, France announced a five-year A$2.85 billion investment in quantum technologies intended to place it in the top three in the world, together with the US and China.16 Its investment strategy is broad: it includes funding for a universal quantum computer, quantum simulators and sensors, quantum communications, post-quantum cryptography, and support technologies such as cryogenics. The Israeli Government also announced a A$78 million program to build domestic quantum capacity, including the construction of a 30–40 qubit quantum computer through a contract that will be put out to tender later in 2021.17 As recently as April 2021, the Netherlands announced a A$960 million investment from the National Growth Fund to train 2,000 researchers and engineers, fund up to 100 new quantum start-ups and host three corporate R&D labs18.

Figure 2: Sovereign funding increases, 2015 to 2020 (A$ million)



Source: These figures are the same as quoted in footnotes (11-18), 2015 data is from The Economist,online. Please note that for the Netherlands and Canada, data has been used from early 2021 announcements.

Figure 3: Percentage increase in sovereign funding, 2015 to 2020



Source: derived from Figure 2.

The private sector’s involvement in both corporate investment and private equity funding of quantum start-ups has also boomed (Figure 4). Several start-ups in quantum technology are now valued at well over A$1 billion, and shares in at least two quantum tech companies are now publicly traded.19 Australia has again moved comparatively slowly in the start-up space: only one quantum computing hardware start-up and one software start-up have raised significant levels of funding.20 National R&D programs have been used extensively overseas to help incentivise private-sector engagement in quantum technology development, but that hasn’t been mirrored in Australia.

Figure 4: Quantum computing companies before 2015 and in 2020

In each of the recent examples, governments around the world have recognised that quantum science is no longer an academic field of research, but rather a burgeoning new technological industry. The difficulty faced by the Australian quantum industry is the translation of what, until recently, has been a mostly academically focused endeavour into a nascent new commercial sector.

Building a quantum society

Quantum technologies will affect many aspects of our society and economy, including health care, financial services, defence, weather modelling and cybersecurity.

One type of quantum technology—the quantum computer—presents a potentially dazzling range of applications. They include quantum chemistry simulation that will accelerate drug development, improved supply-chain optimisation and supercharged artificial intelligence. These quantum computing applications promise exciting benefits. Yet the history of technology development suggests we can’t simply assume that new tools and systems will automatically be in the public interest.21 We must look ahead to what a quantum society might entail and how the quantum design decisions being made today might affect how we live in the future.

Consider the use of quantum computing to advance machine learning and artificial intelligence (ML/AI). ML/AI technologies are already the subject of ethical frameworks designed to prevent harm and ensure the design of ethical, fair and safe systems.22 Those frameworks are vital, as potential harms could include the reproduction and amplification of existing socio-economic marginalisation and discrimination, and the reduction of personal privacy.

At this time, no ethical framework for quantum technologies exists in Australia, although the CSIRO Quantum Technology Roadmap calls for quantum stakeholders to explore and address social risks.23 As quantum technologies progress, such discussions should build literacy in the societal impacts of quantum technologies. This should be a collaborative effort between quantum physics and social science researchers, industry experts, governments and other public stakeholders, and be led by the proposed office of the minister for critical technologies.

An example of this discussion began at the World Economic Forum in 2020 through the launch of a global quantum security coalition,24 which is working to promote safe and secure quantum technologies. Australia should draw on such initiatives during the creation of a national quantum initiative to ensure the quantum technologies we develop work for the public good. In addition, two new legal organisations launched in 2020—the Australian Society for Computers and Law and the Digital Law Association—have identified quantum as a technology that needs engagement from the legal community in order to draft well-designed standards and regulations.

Quantum researchers and other stakeholders in the emerging quantum tech industry should review the potential impacts of quantum technologies on society.25 Establishing links between Australian publics and quantum researchers may help them in that review. To begin public engagement with quantum technologies, the quantum sector should invest in accessible information on quantum technologies and establish dialogue with Australian publics on a range of applications related to the new technologies. That will clarify societal expectations for the scientific community and policymakers and prompt work to address any concerns raised. Outcomes from these exercises should also inform the national quantum initiative.

Australia’s quantum talent leak

Australia’s long history in quantum technology means that our quantum technologists are high on the priority list for recruitment. Australians are some of the most successful start-up founders and leaders in the quantum industry. However, many are now working outside of Australia. Notable examples include the following:

  • Jeremy O’Brien and Terry Rudolph (UNSW and the University of Queensland) are founders of the photonics-based quantum computing start-up PsiQuantum located in Silicon Valley. They have raised over A$400 million in venture capital to date.
  • Jay Gambetta (Griffith University) is an IBM Fellow and Vice President of Quantum Computing at IBM, where he has spearheaded the massive growth in IBM’s investment in quantum computing.
  • Christian Weedbrook (University of Queensland) is the CEO and founder of Xanadu, an optics-based quantum computing start-up. Now located in Toronto, Xanadu has raised over A$40 million in venture capital funding.
  • Runyao Duan (the founding director of the Centre for Quantum Software and Information at UTS) is now the director of the Quantum Computing Institute at Baidu in Beijing.
  • Min-Hsiu Hsieh (a founding member of the Centre for Quantum Software and Information at UTS) is now the director of the Hon Hai Research Institute for Quantum Information Science (a division of Foxconn) in Taiwan.

Australia must prioritise plugging the quantum industry’s talent leak over the next two years and attracting back the talent that has moved offshore and acquired new expertise. Without a strong quantum computing sector and without significant mechanisms to train and retain highly qualified personnel, the significant investment that Australia has made in such talent will be lost. The uncertainty about H-1B visas in the US—notwithstanding the recent partial lifting by the Biden administration of the 2020 suspension by the Trump administration26—offers an opportunity for Australia to pursue skilled recruitment (in quantum, for example), given our favourable handling of the Covid-19 crisis.

The need to build quantum talent, education and literacy in a post-Covid world

We’re all now familiar with the term ‘digital literacy’: the necessity for the workforce of the 21st century to work with classical computational infrastructure. As quantum technology develops, quantum literacy will become similarly instrumental.

The creation of a talent pipeline of students who can understand and speak the language of quantum technology is a necessity—especially given the explosion of quantum start-ups and corporate teams— and will be strategically critical in the near future as the technology begins to be integrated into global information processing and telecommunications infrastructure.

One promising initiative by the NSW Government, the Sydney Quantum Academy (SQA), brings together the four main research universities in Sydney with strong quantum technology programs. Founded to provide higher degree research training at the masters and PhD levels in a coordinated way between UNSW, Sydney University, UTS and Macquarie University, the SQA is expected to amalgamate a large amount of the teaching and training efforts in quantum technology in the state. With an initial five-year investment from the NSW Government of A$35 million, it’s expected to teach a student cohort of approximately 500 PhD students and is mandated to facilitate outreach and entrepreneurship in the Sydney area—a level of coordination for quantum training that’s never before existed in Australia.27

While the SQA is a promising first step, efforts in providing education and training programs to build quantum literacy should be expanded nationwide. The talent pipeline for a quantum technology industry requires integration with graduate, undergraduate and even high-school programs across disciplines such as physics, engineering, computer science, mathematics and business. Just as digital literacy begins in school and becomes more specialised as a student progresses through university, quantum literacy programs should be similarly designed. The US and the EU are already rapidly accelerating their development of quantum education programs at all levels of education, targeting both domestic and international markets.28

Education and training should be an immediate focus for Australian investment and leadership to market the country as a leading quantum educator. Establishing educational services internationally, especially in the Asia–Pacific region, should also be a high priority.

Notable targets include the Indian and Taiwanese markets. India has indicated an intention to invest A$1.4 billion into quantum technology, but doesn’t have the required domestic expertise to exploit that level of national investment.29 Australia has the potential to provide those services to burgeoning global quantum industries.30

Similarly, Taiwan has indicated that it may more aggressively expand its efforts in quantum technology. Foxconn has established the new Hon Hai Research Institute, which has a dedicated program in quantum computing and there have been rumours that a more concerted government-backed effort may be emerging in Taipei. While the current level of domestic talent in Taiwan is significantly larger than in India, it still represents a market opportunity for Australia to provide training, education and R&D collaboration.

The local quantum talent present in Australia and initial pilot programs31 should be expanded and developed into a federally coordinated effort in which state-level initiatives—such as the SQA—take a strong leading role. It’s expected that states such as Victoria and Queensland will attempt to mirror the SQA model, but a lack of a critical mass of academics outside Sydney will make other state efforts difficult unless more quantum talent is hired or efforts are coordinated across state borders.

Part 2: How quantum technology will shape the world

Quantum will reshape not only technology, but also geopolitical strategy

The race to build quantum technologies is not only one of science and commerce. It’s a race for geopolitical leadership. Attempts to predict the impact of future technology have been notoriously inaccurate. Famous underestimates include the prediction in 1943 by Thomas Watson, then-president of IBM, that ‘there is a world market for maybe five computers.’ Clearly, there was a view that computational power was nothing more than a minor scientific tool or curiosity, when it has instead dictated geopolitical power and economic growth over the past 80 years. With that in mind, we outline three scenarios in which quantum technologies could significantly affect geopolitics.

First, there are immediate consequences for relations between Western allies and China, particularly in quantum education and technology transfer. A US senator recently claimed the US had trained some Chinese nationals to ‘steal our property and design weapons and other devices’, and that ‘they don’t need to learn quantum computing and artificial intelligence from America.’32 The mention of quantum computing wasn’t incidental. The publicity over Chinese government-sponsored quantum technology, starting with the 2017 demonstration of satellite-based quantum communications, hasn’t gone unnoticed by policymakers in Washington.33

The US Department of Energy has requested a 2021 budget that includes A$56 million to accelerate the development of the quantum internet34 on the back of a 2021 budget request, initially by the Trump administration, of A$312 million for quantum technologies.35 That complements the A$1.6 billion quantum investment signed into law in 2018.36 Xi Jinping’s government is spending A$13 billion on China’s National Laboratory for Quantum Information Sciences.37 In recognition of the national security implications of this technology, Australia has already identified ‘quantum cryptography’ and ‘high performance quantum computers’ as controlled technologies in the Defence and Strategic Goods List.38

Second, there’s potential for quantum technology to tip the balance between regional powers. Some possible scenarios include the following:

  • In early 2020, India committed A$1.4 billion for quantum computing research over five years.39 Access to enhanced imaging provided through satellite-based quantum sensing and enhanced image processing could enable the identification of underground nuclear installations in neighbouring Pakistan.
  • Conflict-ridden areas of the Middle East have experienced periods in which even vastly outnumbered insurgents have been able to maintain strategic footholds using improvised explosive devices (IEDs). While IEDs are relatively cheap to produce, technology to respond to counter-IED tools evolves quickly. Quantum technology could benefit either side. For example, extremely precise quantum magnetometers can detect large mobile metal equipment as targets or detect IEDs themselves, and photonic chips could operate even in the presence of an electromagnetic pulse that would knock out conventional electronics.
  • China’s Belt and Road Initiative, launched in 2014, had signed up about 65 countries, including 20 from Africa, by 2019.40 Many of its key projects are being financed by mined minerals from sub-Saharan Africa. Quantum gravimeters could significantly improve the accuracy of drilling by sensing density fluctuations that indicate oil and mineral deposits with a precision not possible with classical devices. Increasing access and raw material yields in nations within China’s sphere of influence could reduce demand for Australian exports.

Finally, quantum tech will disrupt digital economies. Cryptocurrencies are being used increasingly by institutional and private investors and have a current market value of over A$2 trillion. One significant threat to cryptocurrencies is from quantum computer attacks on the digital signatures used to secure transactions between untrusted parties. That would allow a malicious agent to steal crypto tokens like bitcoin undetected. In fact, up to one-third of all bitcoin, worth hundreds of billions of dollars, is estimated to be vulnerable to such theft.41 This type of threat, whether realised or not, has the potential to undermine confidence in all contemporary blockchain-based systems. The solution is to use so-called post-quantum cryptography that’s thought to be immune to attack using quantum technology. That technology is already used by some cryptocurrencies, such as HyperCash and Quantum Resistant Ledger.42 It will be a matter of economic security to frequently test and verify that coming post quantum cryptographic standards are met.

Quantum’s role in national security, defence and intelligence

The defence and intelligence implications of quantum technology can be broken down into several categories, depending on the underlying technology: quantum computing, quantum communications and quantum sensing.

1. Quantum computation

The increased power of quantum computing affects a wide range of national security applications, from materials science to logistics, but the most direct application of interest to the defence and intelligence community is in cryptography. Quantum computers applying artificial intelligence to enormous datasets at speeds that create strategic and operational advantage have direct impact in the field for two key reasons:

  • The entire security backbone of the internet is built using encryption that’s vulnerable to quantum computing. That includes everything from internet banking to the domain name system security certificates that are used to verify whether ‘google.com’ is really Google.com, instead of a hacker. The development of a quantum computer without changing the current encryption standards that underpin the entire classical internet would be catastrophic to network security.
  • While a quantum computer able to break this type of encryption won’t be around for at least a decade or two, a large amount of encrypted information crossing networks, some of which is being intercepted by malicious actors, needs long-term security. Medical records, client data held by insurance companies and nuclear weapons stockpile information are just some examples. While hackers might not have the ability to break encryption today, saved copies of encrypted data could quickly be decrypted when quantum computers become available. To prepare for that scenario, policymakers, businesses and researchers need to consider three key questions:
    1. For how many years does the encryption need to be secure, if it’s assumed data is intercepted and stored?
    2. How many years will it take to make our IT infrastructure safe against quantum attacks?
    3. How many years will it be before a quantum computer of sufficient power to break encryption protocols is built?

As anticipated by many, the first realisation of quantum computing technology has occurred in the cloud, as users log onto dedicated hardware over the classical internet. These types of ‘quantum in the cloud’ systems began with the connection of a two-qubit photonic chip to the classical internet by the University of Bristol in 201343 and accelerated significantly in 2016 with IBM’s introduction of its Quantum Experience platform. We now see both free and paid services offered by IBM, Microsoft, Amazon, Xanadu and Rigetti using a variety of hardware modalities for small-scale quantum computing chipsets with capacities of up to 65 physical qubits. This has spurred the so-called noisy intermediate-scale quantum (NISQ) field of algorithm and hardware research.44 However, we’ve only just begun to understand how these machines will be constructed and used, and their technological development is continuing to accelerate.

For a detailed explanation of quantum computing threats to cryptographic systems, see Appendix 1 on page 24.

Quantum communications platforms

Quantum technology has progressed rapidly in recent years and will have a significant impact on communication technology. The largest investment in quantum communications technology is currently being made by the Chinese Government.45

China has two major quantum networking initiatives geared towards building a quantum key distribution (QKD) infrastructure46—a technology that solves some of the security problems, discussed above, that quantum computing creates for public-key cryptography.

The first program in the Quantum Experiments at Space Scale (QUESS) program culminated in the 2016 launch of China’s Micius platform, which was a proof-of-concept platform that allowed for the distribution of entangled pairs of photons to elevated telescopic ground stations separated by thousands of kilometres. The QUESS program is designed to use a potential constellation of quantum-enabled satellites. It will provide secure cryptographic keys between multiple ground stations to secure classical communications channels using strong symmetric encryption, with keys provided by a quantum backbone network. The exact amount of funding for the QUESS program is currently unclear; however, based on a 651 kilogram payload and estimates of prices for commercial launches into low Earth orbit at that time, the cost of this technology demonstrator could easily approach A$100 million.47

The QUESS program is part of a broader quantum communications effort in China. A second major component is the Beijing-to-Shanghai optical QKD link. This is a 32-node optic-fibre-based link that’s built along the high-speed train line between the two cities, in which each node is located in secure facilities at particular stations.

These two technology demonstrators have recently been amalgamated into a national QKD network, combining more than 700 optical fibres on the ground with two ground-to-satellite links to achieve QKD over a total distance of 4,600 kilometres for users across China.48 That level of investment and technology deployment is significantly more advanced than in any other nation that’s building quantum communications systems.

Other countries have instituted similar programs or are planning to do so. For instance, a government-funded quantum repeater network is to be built between four cities in the Netherlands. There’s also a A$410 million program authorised in the US for the initial development of technology for a future US quantum internet.49 There are even discussions within Australia about a space-based quantum communications centre of excellence in collaboration with the Australian Space Agency. However, Australia is significantly behind China in technological development and it isn’t clear, from a scientific and technical perspective, whether replicating what China has done is the most appropriate way to proceed.

For a more detailed explanation of the major quantum communications systems being deployed worldwide, see Appendix 2 on page 29.

3. Quantum sensing and its applications for the resources sector and defence

Quantum sensing is seen as one of the three main pillars of quantum technology development, along with quantum computing and quantum communication systems. Applications that provide positioning, navigation and timing could potentially benefit from quantum effects, especially when combined with a quantum communications network. Quantum sensing may be the first technological application to be widely adopted in markets.

Three types of quantum sensors have direct applications in multiple sectors, including mining and defence:

  • Quantum sensors to detect magnetic fields with high precision (magnetometry): In principle, this can be used for the undersea detection of magnetically discernible materials. The most promising candidates in this area are diamond-based quantum sensors, and significant effort at Melbourne University, Macquarie University and the ANU is focused on developing that technology.
  • Increased timing precision (atomic clocks): The GPS and inertial guidance positioning, navigation and timing are intricately linked to precise clocks. While atomic clocks have been commercialised for more than 30 years, the ability to miniaturise and package atomic clocks based on technology such as ion traps may be instrumental in even wider adoption.
  • Quantum sensors for ultra high precision measurement of gravitational fields (gravitrometry): By measuring small deviations in ‘little g’ (the acceleration due to the Earth’s gravitational field), we can possibly detect anomalous underground structures, which could be hidden subterranean bases or large oil and mineral reserves.

None of those platforms requires the hardware resources needed for quantum computing or communications systems, so they’re comparatively easier to build and test. However, their superiority over highly precise classical systems isn’t as well understood, so they’ll need to show a competitive advantage in both price and portability before they’re adopted at scale.

The UK, the EU, the US and Canada all have extensive research programs in the quantum sensing space as well as numerous start-ups. In Australia, sensing is most likely to find markets within the minerals sector.

Part 3: What we need to do

Drivers for action: Time for strategic investments

The world is racing to develop quantum technology for business as well as for security and defence. It’s now a crucial moment. Australia reacted exceptionally well in the late 1990s and early 2000s as quantum technology became a substantial area of research within academic physics, computer science and engineering departments. The investment in ARC fellowships, special research centres and centres of excellence tied to quantum computing and related technologies ensured that we were at the forefront of development during the 2000s and early 2010s. Yet, in the years since, there’s been no acceleration of national funding for quantum technology. Consequently, there’s been little movement from the private sector to get involved in the field.

Australia doesn’t have the capital needed to build a complete R&D infrastructure and manufacturing base to control a large share of the future quantum technology market. However, that shouldn’t stop us making strategic moves to become a major player in some of the more lucrative aspects of this new industry. We already possess the technical know-how to invent, develop and prototype some of the critical components needed for large-scale quantum technologies. We can also set up companies, research centres or even government-backed entities to build up large intellectual property portfolios across a variety of physical hardware platforms.

Australia has a significant level of expertise in software and hardware and could develop and manufacture critical components domestically. Of the major hardware systems for large-scale quantum computing, Australia has a near-monopoly on the most advanced technology for silicon (CQC2T and its spin-off company, Silicon Quantum Computing). We were also the pioneers and maintain a very high level of hardware expertise in optical quantum computing platforms, and we have significant capacity in diamond-based systems.

While Australia has the talent and ideas, there’s no mechanism to focus that capacity for the benefit of the Australian quantum technology sector. We can no longer rely solely on academia to lead our approach to quantum technology. Private-sector investment must be boosted. As we’ve seen in the US and the EU, investment comes when the private sector sees the establishment of strong, technology-focused initiatives. Arguably, large quantum efforts at companies such as Microsoft and IBM exist, in part, because those companies were corporate partners in US defence and intelligence funding set up by the Defense Advanced Research Projects Agency and the Intelligence Advanced Research Projects Activity in the 2000s and early 2010s.

In August 2020, for example, the US launched its national quantum research centres as part of its National Quantum Initiative. This should be a particular motivator for Australia, and particularly the Australia–US alliance, as it provides an opportunity for enhanced engagement and cooperation. Five new research centres focused on computing, communications, sensing and simulation have been established and funded to the tune of A$150 million. The centres build in major collaborations between US national labs, universities and, most importantly, quantum technology companies. The level of private–public engagement involved in the research centres is something that Australia needs to replicate.

While world-leading R&D is occurring in Australia, when it benefits private-sector interests, it benefits offshore quantum computing programs. That doesn’t happen in other nations. In the US, for example, Amazon has made a multimillion-dollar investment to set up Amazon Web Services’ quantum division in collaboration with Caltech in California. Likewise, partnerships with IBM link university research centres and other corporations interested in quantum technology, such as Goldman Sachs, and multi-institutional collaborations are taking advantage of funding incentives made available through the National Quantum Initiative. Such incentives don’t currently exist in Australia, and we’re being crowded out of the private–public collaborative space that’s taking shape.

Australia requires a strategic investment in dedicated research programs that are focused on technology development (unlike the centres of excellence, which mainly have a remit for basic research) to remain relevant on the global stage. This could take the form of a dedicated centre or program for the development of a small-to intermediate-scale quantum computer using optical systems or diamond technology that Australia has significant experience with, or it could be a major initiative to develop key quantum software components.50 If done correctly, that could reassert a level of Australian leadership in the quantum technology sector that has degraded over the past decade. An initial $3–4 billion national quantum strategy will be needed over the next five years to ensure that Australia can benefit from this new technological revolution.

Policy recommendations

1. A new minister

At the earliest opportunity, the Prime Minister should appoint a dedicated and ongoing minister for critical and emerging technologies (this position could also inherit ‘cyber’). This minister’s focus should be technology, rather than ‘technology’ being added to a longer list of portfolio topics. This should be a whole-of-government role with the Minister working across the economic, national security, industry, education, defence, research and science agencies in the public service. The minister would play a key role in the implementation of many of the policy recommendations made here.

2. A national technology strategy

The government should move quickly this year to initiate a whole-of-government technology strategy process led by PM&C, of which quantum should form a key part. By authorising PM&C to lead this initiative, this strategy necessarily recognises that there is no one lens through which to view technology and that its emergence and deployment will impact everything, including our society, the economy and industry, national security and human rights. This strategy should include consideration of appropriate ethical frameworks for critical and emerging technologies such as quantum. PM&C should work closely with other parts of government including the DISER, Office of the Chief Scientist, Defence, Home Affairs, DFAT, CSIRO, the Office of National Intelligence, the Australian Signals Directorate as well as the research and civil society community and the private sector. The new minister for critical and emerging technologies would be responsible for delivering the strategy to the Australian public by 2022.

3. Expand and elevate PM&C’s whole-of-government leadership role on technology policy

There is positive momentum in government and growing knowledge on critical and emerging technologies (like quantum) in departments such as Defence, DISER, CSIRO and PM&C. However, there’s currently no clear government lead on ‘technology’, and that lack of leadership and coordination is preventing policy progress. Critical and emerging technologies present a myriad of opportunities, challenges and threats, and PM&C is the only department with the whole-of-government perspective to balance them in our economy, society and national security. The relatively new but small Critical Technologies Policy Coordination Office in PM&C—the creation of which was a welcome move by the government—should be immediately expanded and elevated to become the National Coordinator for Technology.

The expanded division should work with Australia’s new minister for critical and emerging technologies to support the delivery of the recommended national technology strategy.

Within the new PM&C division in 2021, small offices focusing on key critical technology areas should be created. Quantum technology should be the first such office developed, and other small offices could be built to focus on biotechnology51 and artificial intelligence, for example. A useful model for such appointments is the Assistant Director for Quantum Information Science at the White House Office of Science and Technology Policy in the US.

The government should search for individuals to lead these offices who can serve as catalysts, working across government (including with the military and intelligence agencies), business, the research sector and internationally, to deliver a post-Covid-19 technology stimulus and build a pipeline of focus, policy and investment that should last decades. These leaders will need to engage globally and strengthen relationships with our key partners in the Indo-Pacific and work across key groupings such as the Quad (US, India, Japan, Australia). Investments in quantum technology, for example, require careful consideration of our interdependence with our strategic allies, which we’re currently well placed to cooperate with and piggyback on, and of our likely adversaries.

4. A$15 billion post-Covid-19 technology stimulus

The Australian Government should immediately lay the groundwork for a multi-year $15 billion post-Covid-19 technology stimulus that would also be informed by the delivery of a new national technology strategy. This stimulus should include a $3-4 billion investment in quantum technologies. The stimulus would be a game-changer for Australia and help the country diversify and deepen its technological and R&D base. It would also exploit our disproportionate concentration of world-class quantum technology expertise, ensuring the long-term growth and maintenance of this vital technological sector. The following recommendations describe what this stimulus could look like from a purely quantum perspective.

5. Establish an ‘Australian distributed quantum zone’

A national quantum R&D initiative should be a key part of the government’s post-Covid-19 technology stimulus. This could be established with a multibillion-dollar national funding initiative that would leverage the seed investments Australia has already made over the past 30 years. This initiative could be akin to a special economic zone—a place for quantum-related economic activity that wouldn’t sit with one city or state but instead be distributed nationally across universities and research institutes. The Melbourne Biomedical Precinct provides an attractive blueprint for the development of such a national initiative.52 Given the diversity of expertise and capabilities across the country, a distributed quantum zone not tied to a capital city or state is preferable.

The commercialisation of university-developed intellectual property is currently a major roadblock in building a quantum ecosystem in Australia beyond university research. Researchers are often actively disincentivised from spinning out academic research into new start-ups because of the administrative overhead in extracting relevant intellectual property. Universities should be encouraged to ensure that they foster collaboration, entrepreneurship and commercialisation in the quantum space. The newly announced A$5.8 million University Research Commercialisation Scheme scoping study should be encouraged to address the commercialisation of quantum technology.

6. Lure Australian talent back home and attract foreign talent

Australia’s favourable handling of Covid-19 presents a unique opportunity to attract new technology talent as well as to lure back Australians currently running quantum programs in other countries. This could involve increasing the accessibility, scope and clarity of R&D tax incentives, especially for small and medium-sized enterprises and further expansions and tweaks to the government’s ‘Global Talent Independent Program’, including for example, lowering the expected salary requirements below A$153,600/year.53

7. Build global cooperation and increase direct involvement in quantum development by the defence and intelligence communities

The Australian defence and intelligence communities, when compared to their counterparts in the Five Eyes alliance, are disengaged from the quantum technology community.

The Chief Scientist (Cathy Foley) and the Chief Defence Scientist (Tanya Monro) have strong backgrounds in quantum. Their expertise should be immediately tapped to create a quantum defence and intelligence working group, connecting stakeholders within government to the quantum technology community in order to identify key national security priorities that can benefit from quantum technology.

Australia should focus quantum technology work related to national security and defence through a formal partnership with the US, using the precedent of cooperation in other areas of science and technology. The national security and defence implications of quantum technology are clear enough to make this area of development a new core element of the Australia–US alliance. Formalising this partnership, in a similar manner to the US–Japan Tokyo statement on quantum cooperation,54 will also enable academic and industry contributions to contribute to and draw from the partnership. We support the similar policy recommendation in ASPI’s defence-focused report, The impact of quantum technologies on secure communications, which argues for the formalisation and prioritisation of Australia–US cooperation on quantum technology.55

Quantum experts should be encouraged and aided to gain the security clearances needed to be read into programs that may benefit from quantum technology. This should occur initially in an advisory context, but expand as projects are identified.

8. Eliminate uncertainty by developing a national framework outlining national security and defence policy covering quantum technology

The explosion of investment around the world and the unique expertise that Australia has open up tremendous opportunities for incoming investment from overseas. However, both the private sector and Australian research centres are in many cases timid or hostile to such partnerships due to the expected nature of a future national policy covering technology transfer in the quantum space. There are already examples of multimillion-dollar deals that have been rejected at the university level because of perceived future problems with export controls and their ability to work with certain nations, which isn’t yet enshrined in any articulated policy. This uncertainty needs to be rectified as soon as possible. This new national framework should involve the Department of Defence and other parts of government who work on export controls.

9. Expand the role of education and training within Australia

The coordinated national quantum initiative should include establishing major training hubs for quantum technology in Australia, which will assist the university sector in its post-Covid-19 recovery. This would also help build quantum literacy in Australia and throughout the Indo-Pacific region.

  • Establish a national quantum academy: The Sydney Quantum Academy is the first step in this direction, and it ought to be expanded to a tightly integrated national quantum academy, providing education and training at all levels to service future demand for quantum technology intellectual capital, both domestically and globally.
  • Build initial education and training partnerships abroad: With a particular focus on the Indian and Taiwanese markets, establish bilateral partnerships with their emerging quantum sectors and build domestic talent, research expertise and collaboration with the Australian quantum sector.
  • Enter the school sector, building quantum literacy: Initiate a pilot program that brings together stakeholders from state and federal departments of education, school teachers, students and members of the Australian quantum community to create entry-level educational material that introduces core concepts taught in high-school physics, chemistry, mathematics and computer science through the lens of quantum technology.

Appendix 1: Quantum computing threats to cryptographic systems

In broad terms, there are two types of classical cryptosystem that are commonly used throughout the world for a variety of applications: symmetric-key cryptosystems and public-key (or asymmetric) cryptosystems.

The most commonly known example is one-time pad symmetric encryption. One-time pads are provably secure against any attack (quantum or classical) if implemented perfectly: a caveat that’s arguably impossible to meet practically and economically. Symmetric-key cryptosystems use the same key to both encrypt and decrypt data. This offers the advantage of more secure message transmission but suffers from the downside of how to distribute keys to both the sender and receiver in a secure manner. For symmetric-key cryptosystems, there are secure protocols against quantum attacks.

Public-key cryptosystems use two separate keys that are mathematically related. One is used for encryption and one for decryption. One of the keys is publicly advertised (for example, a PGP or ‘pretty good privacy’ key, that some people attach to their email signature), while the other needs to remain completely secret and secure. Public-key cryptosystems are used for the vast majority of encrypted traffic traversing publicly accessible channels, such as the global internet, Wi-Fi, Bluetooth and microwave transmissions. While all public-key cryptosystems work on the same mathematical principles, the most well-known example is the RSA cryptosystem, in which security is based on the difficulty in factoring large composite numbers.

For factoring, the state of the art in classical algorithms remains the general number field sieve. Figure A1 (below) shows the year in which various bit-sizes (L) for the RSA cryptosystem were factored as part of the RSA challenge and an estimate of the computational time needed to factor a specific L-bit number using the scaling of the number field sieve for 100 PCs in 2003 and 2018. Once L becomes bigger than about 1,000, the time needed to complete the computation becomes prohibitively long. Currently, for online encryption, an L of 2,048 is commonplace.

Peter Shor, a professor in applied mathematics at Massachusetts Institute of Technology, completely changed the discussion by showing that a hypothetical (as it was in 1994) quantum computer allowed for a computationally efficient solution to factoring. Finding an efficient quantum algorithm to solve the foundational problems underpinning public-key cryptography opens up an irreconcilable security flaw in these protocols. Regardless of whether you think it will ever be practical to build a quantum computer, the fact that this fundamental mathematical result exists is a significant problem: any cryptosystem can’t have such a flaw even in theory, as this result underpins everything else.

The existence of an efficient algorithm for factoring adds a new curve to the scaling figures. Figure A1 illustrates the importance of the concept of computational complexity or algorithmic scaling. The new curve takes the scaling of Shor’s factoring algorithm and overlays the time to break the RSA. As Shor’s algorithm is a polynomial algorithm, computational times increase more slowly as the key length increases, compared to the classical number field sieve. Consequently, even key lengths of 10,000 bits or more are factorable in acceptable time frames using quantum computers of moderate to fast physical speed.

The existence of a quantum computer makes public-key protocols such as RSA insecure, as simply increasing key sizes can be easily overcome by a commensurate increase in quantum computing capability.

A potentially more immediate threat is posed by quantum attacks on digital signatures. A digital signature is like an electronic fingerprint appended to data, which proves to the receiver that a document was sent by the signer. It can be done in a completely public manner over the internet. Such signatures are routinely used for financial transactions and have a broad use case for blockchain-enabled technologies such as smart contracts for insurance and cryptocurrency trading. The signature is secured using trusted algorithms such as elliptic-curve cryptography, which make forging by stealing the sender’s private key exponentially hard for classical computers. However, due to another quantum algorithm discovered by Peter Shor for calculating discrete logs, quantum computers can quickly hack the message to learn the private key. Such an attack is in fact easier for quantum computers than breaking RSA cryptography, and could be possible within 15 years using around 1 million qubits.56

While the theoretical nature of Shor’s algorithm poses a security problem for public-key cryptography in a world where quantum computers exist, there’s still the practical question of when such machines of sufficient size to threaten current public-key cryptosystems can be built. Errors in quantum computing systems (due to both fabrication and control imperfections) require the use of extensive error correction, which requires more and more physical qubits within the chipset.

While there’s been remarkable progress both from the theoretical perspective (resource costs for Shor’s algorithm have dropped by a factor of nearly 1,000 since 2012) and from an experimental perspective (qubit chipsets of approximately 50 qubits with error rates of less than 1% are now possible), there’s still a long way to go before a machine of sufficient size to break public-key cryptosystems will be available on any hardware platform.

The current state of quantum computing systems

Blueprints for large-scale quantum computing systems were developed only in the late 2010s, and the current estimate of the resources needed for a fully error-corrected implementation of Shor’s factoring algorithm to break RSA-2048 is approximately 20 million superconducting qubits over a computational time of approximately eight hours. This assumes:

  • reliable gate error rates for each qubit of 0.1% (this should be achievable in experimental systems in the next 3–5 years)
  • significant ability to mass manufacture cheap qubits
  • the solution of several major engineering and infrastructure challenges to allow for chip sizes of the order of tens of millions of qubits.

The data that has been presented shows the current state-of-the-art knowledge in the theoretical and experimental space for implementing cryptographic-related protocols on quantum computing systems, but the future is open to speculation. We’ve focused specifically on Shor’s algorithm as it has been the most well-studied and optimised large-scale algorithm of interest to the non-scientific community. It should be noted that shorter timelines are certainly possible, particularly in the case of a quantum-assisted side channel attack. That is, one taking advantage of leaked information in cryptographic transactions, which would require fewer quantum resources than a full-blown Shor attack.

Certainly, quantum system developers are attempting to replicate a type of Moore’s law for quantum computing, doubling power every 18–24 months, but it’s unclear whether that will eventuate. Consequently, when classical cryptosystems will come under threat from quantum computers is subject to debate; that is, we don’t yet know when we’ll be able to close the gap between the requirements of breaking RSA-2048 and the size and quality of the chipsets than can be built in the laboratory.

The direct simulation of quantum mechanical systems for use in bioscience, material science and other fields has also been studied in depth. However, the size of a physical machine to provide unambiguous quantum advantage in these spaces is often larger than that of a useful factoring machine.57

At the smaller scale, corporations marketing new NISQ-based quantum cloud systems have been aggressive in soliciting the Australian quantum community and other markets in adopting access packages for those systems. This has included the establishment of the University of Melbourne’s IBMQ Hub in 2017 to coordinate access to IBM hardware in Australia.58 The accessibility of these services in Australia and access by Australian researchers will be a critical tool for quantum computing R&D into the future, but we should remain cautious to ensure that diversification in online providers is maintained and that we use these tools to augment Australian R&D efforts, rather than substituting the use of subscription services offered by international corporates for building sovereign capacity in the quantum space.

Figure A1: Estimated times required for RSA factoring on quantum and classical hardware



Source: R. Van Meter, PhD thesis, online, online.

Figure A2: Physical error rates required in quantum hardware to implement Shor’s algorithm without active quantum error correction. Insert: historical decreases in qubit error rates from 1996 to 2020.

Figure A3: Decrease in qubit resources for Shor’s algorithm between 2011 and 2020.



Source, online, online.

Figure A4: Historical demonstration of small qubit chip-sets in four major quantum hardware platforms.



Source, online.

Appendix 2: The status of quantum communications

Quantum communication systems, like their classical counterparts, use several types of hardware. The major ones being developed and deployed worldwide are as follows:

  • Quantum repeater systems: Unlike classical fibre optics, quantum states can’t be copied. Consequently, overcoming losses in fibre optics requires the use of what are effectively mini-quantum computers to relay quantum information at regular intervals across the link.
  • Quantum free space systems: Developed primarily by researchers in Austria, with prototype systems deployed in the Canary Islands, free space quantum systems work by beaming a particle stream of photons (light particles) from source to receiver using a direct line of sight. Developed as a precursor to quantum satellite systems, free space quantum transmission isn’t as aggressively pursued as it once was and might be useful only for ‘last mile’ type applications in quantum communications.
  • Quantum satellites: These systems are now the favourite for multiple nations and research groups. Spearheaded by the Chinese Micius platform, launched in 2014, quantum satellites beam either a single particle stream of photons (or a pair of entangled particle streams) to ground stations that can be separated by thousands of kilometres. This platform holds the record for longest distance quantum communications protocols.
  • Quantum memory units (sneakernet): A new model that’s still only theoretical, quantum memory units use the classical principle of sneakernet communications (physically transporting hard drives from point A to point B to achieve a communications link) but overcome the biggest downside of classical sneakernets: long latency times in information transport. Built using the same underlying technology as quantum computers.

The requirements of a quantum communication system are highly dependent on the desired application. The constraints that hardware must satisfy for quantum secured authentication tokens or the distribution of quantum secured keys for symmetric cryptosystems are different from those of a global quantum internet that connects quantum computing systems for distributed computation or blind server/client-based quantum computing. The tendency for people to conflate applications and speak of a quantum key distribution system in the same breath as a quantum internet doesn’t reflect the reality of what applications require and what current quantum communications hardware can do.


Acknowledgements

Thank you to Danielle Cave for all of her work on this project. Thank you also to all of those who peer reviewed this work and provided valuable feedback including Dr Lesley Seebeck, Lachlan Craigie, David Masters, Fergus Hanson, Ariel Bogle, Michael Shoebridge, Rebecca Coates, David Douglas and Justine Lacey. Finally, we are grateful for the valuable feedback we received from anonymous peer reviewers who work in the fields of quantum academia and policy. ASPI’s International Cyber Policy Centre receives funding from a variety of sources including sponsorship, research and project support from across governments, industry and civil society. No specific funding was received to fund the production of this report.

Important disclaimer: This publication is designed to provide accurate and authoritative information in relation to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering any form of professional or other advice or services. No person should rely on the contents of this publication without first obtaining advice from a qualified professional.

© The Australian Strategic Policy Institute Limited 2021

This publication is subject to copyright. Except as permitted under the Copyright Act 1968, no part of it may in any form or by any means (electronic, mechanical, microcopying, photocopying, recording or otherwise) be reproduced, stored in a retrieval system or transmitted without prior written permission. Enquiries should be addressed to the publishers. Notwithstanding the above, educational institutions (including schools, independent colleges, universities and TAFEs) are granted permission to make copies of copyrighted works strictly for educational purposes without explicit permission from ASPI and free of charge.


First published May 2021. ISSN 2209-9689 (online), ISSN 2209-9670 (print).

Funding Statement: No specific sponsorship was received to fund production of this report.

  1. US$180 billion of Biden’s US$2 trillion infrastructure plan is earmarked for technologies of the future like quantum computing. See Martin Giles, Forbes, 1 April 2021, online. ↩︎
  2. ‘AI, quantum R&D funding to remain a priority under Biden’, Wall Street Journal, 9 November 2020, online. ↩︎
  3. ‘Fact sheet: President Biden takes executive actions to tackle the climate crisis at home and abroad, create jobs, and restore scientific integrity across federal government’, The White House, 27 January 2021, online. ↩︎
  4. This technology stimulus would of course be spread over multiple years. ↩︎
  5. See Germany’s June 2020 €50 billion ‘future-focused’ technology stimulus for an example of how other countries have managed and deployed such technology-focused investments: Eanna Kelly, ‘Germany unveils €50B stimulus for “future-focused” technologies’, Science Business, 4 June 2020, online. ↩︎
  6. Ben Packham, ‘PM’s department developing list of research, technology to shield from foreign interests’, The Australian, 12 March 2021, online. ↩︎
  7. See John S Mattick, Biodata and biotechnology: opportunity and challenges for Australia, ASPI, Canberra, 27 August 2020, online. ↩︎
  8. MRI = Magnetic resonance imaging. ↩︎
  9. Qubit = A Quantum Bit (Qubit) is the fundamental element of quantum information. Analogous to classical bits, a qubit is formed from two-level quantum mechanical systems such as the spin state of an electron or the polarisation state of a single particle of light—a photon. ↩︎

Family De-planning: The Coercive Campaign to Drive Down Indigenous Birth-rates in Xinjiang

In this report, we provide new evidence documenting the effectiveness of the Chinese government’s systematic efforts to reduce the size of the indigenous population of Xinjiang through a range of coercive birth-control policies.
 
Using the Chinese government’s own publicly available statistics, we have compiled a dataset of county-level birth-rates (natality) across 2011-2019. We then marshal this data to analyse trends across nationalities and spatial regions in Xinjiang, before and after the 2016 crackdown, and comparatively with other countries as recorded in the UN population dataset. Finally, we place these statistics in context through our analysis of county-level implementation documents and other official Chinese language sources which have been previously overlooked.
  
In 1979, Deng Xiaoping launched the “one child policy” and created a complex set of bureaucratic institutions and practices for controlling population growth. Party officials rather than women would decide what they did with their bodies.
 
The one-child policy has seen a dramatic drop in China’s fertility rate and unleashed new concerns about a looming demographic crisis. Yet the instinct to control remains. As Party officials are loosening family-planning rules on Han women, they are simultaneously cracking down on the reproductive rights of Uyghur and other indigenous nationalities in Xinjiang Uyghur Autonomous Region (XUAR) over perceived fears of instability and uneven growth.
 
In the name of stability and control, the CCP under President Xi Jinping is seeking to fundamentally transform the social and physical landscape of Xinjiang. This includes the construction of hundreds of prison-like detention centres and the mass internment of Uyghurs, Kazakh and other indigenous nationalities; a regime of highly intrusive and near constant surveillance; the erasure of indigenous culture, language and religious practices and sites; and mandatory job assignments that are indicative of forced labour; among other now well-documented human rights abuses.
 

Key Findings

Beginning in April 2017, Chinese Communist Party authorities in Xinjiang launched a series of “strike-hard” campaigns against “illegal births” with the explicit aim to “reduce and stabilise a moderate birth level” and decrease the birth-rate in southern Xinjiang by at least 4.00 per thousand from 2016 levels. This followed years of preferential exceptions from family-planning rules for indigenous nationalities.
 
The crackdown has led to an unprecedented and precipitous drop in official birth-rates in Xinjiang since 2017. The birth-rate across the region fell by nearly half (48.74 percent) in the two years between 2017 and 2019.
 
The largest declines have been in counties where Uyghurs and other indigenous communities are concentrated. Across counties that are majority-indigenous the birth-rate fell, on average, by 43.7 percent in a single year between 2017 and 2018. The birth-rate in counties with a 90 percent or greater indigenous population declined by 56.5 percent, on average, in that same year.
 
In 2017, the Chinese government’s approach to birth control among minority nationalities shifted from “reward and encourage” towards a more coercive and intrusive policing of reproduction processes. Hefty fines, disciplinary punishment, extrajudicial internment, or the threat of internment were introduced for any “illegal births.” Family-planning officials in Xinjiang were told to carry out “early detection and early disposal of pregnant women found in violation of policy.”
 
While the Chinese government argues it has adopted a uniform family-planning policy in Xinjiang, the county-level natality data suggests these policies are disproportionately affecting areas with a large indigenous population, meaning their application is discriminatory and applied with the intent of reducing the birth-rate of Uyghurs and other religious and ethnic minorities. This policy also stands in stark contrast to the loosening of birth control restrictions elsewhere in China.
 
Policy implementation documents from Xinjiang explicitly set birth-rate targets that are among the lowest in the world, and the birth-rate has declined from a rate similar to those in neighbouring countries such as Mongolia or Kazakhstan to only slightly higher than that of Japan, where the low birth-rate is seen as a “national crisis.” 
 
The sharp drop in birth-rates in Xinjiang (a region with a population of nearly 25 million) is proportionally the most extreme over a two-year period globally since 1950. Despite notable contextual differences, this decline in birth-rate is more than double the rate of decline in Cambodia at the height of the Khmer Rouge genocide (1975-79).
 
The 1948 Convention on the Prevention and Punishment of the Crime of Genocide, to which China is a signatory, prohibits states from “imposing measures intended to prevent births within the group,” as an aspect of the physical element to genocide. Our analysis builds on previous work and provides compelling evidence that Chinese government policies in Xinjiang may constitute an act of genocide; however further research is required to establish the intent and mental element of this crime. We call for the Chinese government to give researchers, journalists and human rights experts full and open access to Xinjiang.

Download full report

Readers are encouraged to download the report to access our full findings.


Acknowledgements

We would like to thank our external peer reviewers, Dr Timothy Grose, Dr Adrian Zenz, Dr Stanley Toops, and Peter Mattis, for their comments and helpful suggestions. Darren Byler, Timothy Grose and Vicky Xu also generously shared with us a range of primary source materials. We’re also grateful for the comments and assistance provided within ASPI by Michael Shoebridge, Fergus Hanson, Danielle Cave, Kelsey Munro and Samantha Hoffman and for crucial research assistance from Tilla Hoja and Daria Impiombato. This research report forms part of the Xinjiang Data Project, which brings together rigorous empirical research on the human rights situation of Uyghurs and other non-Han nationalities in the XUAR. It focuses on a core set of topics, including mass internment camps; surveillance and emerging technologies; forced labour and supply chains; the CCP’s “re-education” campaign and deliberate cultural destruction and other human rights issues.

The Xinjiang Data Project is produced by researchers at ASPI’s International Cyber Policy Centre (ICPC) in partnership with a range of global experts who conduct data-driven, policy-relevant research. The project is predominantly funded by a January 2020-October 2021 US State Department grant. The Xinjiang Data Project also hosts ASPI ICPC projects funded by the UK Foreign and Commonwealth Office (such as ‘Uyghurs for Sale’ in March 2020) and projects with no core funding (such as ‘Strange Bedfellows on Xinjiang’ in March 2021). The work of the ICPC would not be possible without the financial support of our partners and sponsors across governments, industry and civil society.

What is ASPI?

The Australian Strategic Policy Institute was formed in 2001 as an independent, non‑partisan think tank. Its core aim is to provide the Australian Government with fresh ideas on Australia’s defence, security and strategic policy choices. ASPI is responsible for informing the public on a range of strategic issues, generating new thinking for government and harnessing strategic thinking internationally. ASPI’s sources of funding are identified in our annual report, online at www.aspi.org.au and in the acknowledgements section of individual publications. ASPI remains independent in the content of the research and in all editorial judgements.

ASPI International Cyber Policy Centre

ASPI’s International Cyber Policy Centre (ICPC) is a leading voice in global debates on cyber, emerging and critical technologies, issues related to information and foreign interference and focuses on the impact these issues have on broader strategic policy. The centre has a growing mixture of expertise and skills with teams of researchers who concentrate on policy, technical analysis, information operations and disinformation, critical and emerging technologies, cyber capacity building, satellite analysis, surveillance and China-related issues. The ICPC informs public debate in the Indo-Pacific region and supports public policy development by producing original, empirical, data-driven research. The ICPC enriches regional debates by collaborating with research institutes from around the world and by bringing leading global experts to Australia, including through fellowships. To develop capability in Australia and across the Indo-Pacific region, the ICPC has a capacity building team that conducts workshops, training programs and large-scale exercises for the public and private sectors.

We would like to thank all of those who support and contribute to the ICPC with their time, intellect and passion for the topics we work on.

If you would like to support the work of the centre please contact: icpc@aspi.org.au

Important disclaimer

This publication is designed to provide accurate and authoritative information in relation to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering any form of professional or other advice or services. No person should rely on the contents of this publication without first obtaining advice from a qualified professional.

© The Australian Strategic Policy Institute Limited 2021

This publication is subject to copyright. Except as permitted under the Copyright Act 1968, no part of it may in any form or by any means (electronic, mechanical, microcopying, photocopying, recording or otherwise) be reproduced, stored in a retrieval system or transmitted without prior written permission. Enquiries should be addressed to the publishers. Notwithstanding the above, educational institutions (including schools, independent colleges, universities and TAFEs) are granted permission to make copies of copyrighted works strictly for educational purposes without explicit permission from ASPI and free of charge.

First published May 2021. ISSN 2209-9689 (online), ISSN 2209-9670 (print).

Funding statement: Funding for this report was provided by the US State Department.

The impact of quantum technologies on secure communications

This ASPI report examines the impact of quantum technologies on secure communications. It provides an overview of the key technologies and the status of the field in Australia and internationally (including escalating recent developments in both the US and China), and captures counterpart US, UK and Canadian reports and recommendations to those nations’ defence departments that have recently been released publicly.

The report is structured into six sections: an introduction that provides a stand-alone overview and sets out both the threat and the opportunity of quantum technologies for communications security, and more detailed sections that span quantum computing, quantum encryption, the quantum internet, and post-quantum cryptography. The last section of the report makes five substantive recommendations in the Australian context that are implementable and in the national interest.

A key message on quantum technologies relates to urgency. Escalating international progress is opening a widening gap in relation to Australia’s status in this field. It is critical that, in addition to its own initiatives, the Defence Department transitions from a largely watching brief on progress across the university sector and start-up companies to a leadership role—to coordinate, resource and harness the full potential of a most capable Australian quantum technologies community to support Defence’s objectives.

Devolved data centre decisions: Opportunities for reform?

Data has been referred to as the ‘new oil’ or ‘new gold’, but it’s more than that. Most organisations can’t function without it. That applies equally to government.

Government data creation, collection, storage and analysis has grown and continues to grow, as does government reliance on it. With continued government policy directions promoting increased outsourcing of data storage, processing and cloud storage, the value and protection that disaggregation and diversification generate may be lost in the absence of appropriate oversight.

In this report, ASPI’s Gill Savage and Anne Lyons provide an overview of the current state, the implications of the panel arrangements and the resulting challenges. They review the unintended consequences of the Australian Government’s data centre procurement arrangements, first introduced over a decade ago, and suggest areas for reform. The aim is to shape a better conversation on issues, challenges and factors to consider relating to arrangements for the provision of outsourced data centres.

Tag Archive for: Cyber

Hacking for ca$h

In 2015 then-US President Barack Obama metaphorically arm-wrestled Chinese President Xi Jinping into agreeing to stop engaging in commercial cyber espionage. Since then, China has made a similar pact with G20 members and made bilateral declarations with countries like Australia and Germany.

Now, three years on, ASPI has worked with counterparts in the US and Germany to see whether the Chinese Communist Party (CCP) is adhering to these commitments. Spoiler alert: it isn’t.

The US played the lead-up to the deal with Xi cleverly, slowly ratcheting up the pressure. In 2013, a high-level Commission on the Theft of American Intellectual Property estimated that the theft of IP totalled US$300 billion (A$413 billion) annually, and that 50–80% of the theft was by China. The same year  cybersecurity firm Mandiant released a blockbuster report that tracked commercial cyber espionage to a People’s Liberation Army (PLA) unit.

The next year the FBI indicted five PLA hackers for engaging in commercial cyber espionage and in April 2015, the US put economic sanctions on the table when the president signed an executive order that would allow for such measures. The CCP caved in September 2015 in the face of this astute diplomatic legwork.

At first it looked like China was honouring its commitments, but our review found this was likely coincidental with internal factors that temporarily reduced commercial cyber espionage. As Adam Segal, who authored the US section, wrote:

First, soon after taking office, Xi launched a massive and sustained anticorruption campaign. Many hackers were launching attacks for private gain after work, misappropriating state resources by using the infrastructure they had built during official hours. Hacking for personal profit was caught up in a broad clampdown on illegal activities.

Second, the PLA was engaged in an internal reorganisation, consolidating forces and control over activities. Cyber operations had been spread across 3PLA and 4PLA units, and the General Staff Department Third Department had been managing at least 12 operational bureaus and three research institutes. In December 2015, China established its new Strategic Support Force, whose responsibilities include electronic warfare, cyber offence and defence, and psychological warfare. In effect, PLA cyber forces were told to concentrate on operations in support of military goals and move out of industrial espionage.

However, these internal changes didn’t put an end to commercial cyber espionage. Instead responsibility for it shifted from the PLA to units connected with the Ministry of State Security, which is reported to have significantly better tradecraft than its PLA colleagues.

In the three countries we examined, the amount of publicly available evidence varied, but in all three countries it was found that China was clearly, or likely to be, in breach of its agreements.

The United States Trade Representative’s March 2018 investigation stated that ‘Beijing’s cyber espionage against US companies persists and continues to evolve’. In Germany, the digital industry association found in July 2017 that 53% of German companies are affected by cyber espionage, with losses worth €55 billion (A$89 billion) annually. The German Interior Ministry identifies China alongside Russia and Iran as the primary countries responsible for espionage and cyberattacks against it. And in Australia, in 2012 (before the China–Australia agreement) it was revealed by the MI5 director-general that a Chinese cyberattack had cost a UK-based company—later reported to be Rio Tinto—an estimated £800 million (A$1.44 billion).

Since Australia’s agreement with China to cease its commercial cyber espionage, China has been implicated in the attack on the Australian National University. The 2009–10 annual report of the Australian Security Intelligence Organisation (ASIO) stated that ‘cyber espionage is an emerging issue’. Since then ASIO’s annual reports have consistently mentioned that cyber espionage affecting Australian commercial interests and for commercial intelligence purposes is taking place, although without explicitly naming China.

ASPI’s report summarises the current situation this way: ‘China appears to have come to the conclusion that the combination of improved techniques and more focused efforts have reduced Western frustration to levels that will be tolerated. Unless the targeted states ramp up pressure and potential costs, China is likely to continue its current approach.’

The question is how to ramp that pressure back up. The approach taken by Obama managed to precipitate an agreement with the CCP that distinguished between (legitimate) traditional political–military espionage and (illegal) espionage to advantage commercial companies. However, it only modified rather than stopped the bad behaviour.

To get cyber espionage back on the agenda with China requires both the steady escalation of the issue (the Obama playbook, which Trump seems to be following in his own unique style) and the plausible threat of costs, like sanctions, if the CCP fails to keep its word.

For a country like Australia, it’s time we name China as a perpetrator of commercial cyber espionage and work in coalition with other states to escalate pressure until the Chinese leadership decides the costs are too high for it to keep orchestrating the theft of intellectual property.

US moves to expose North Korea’s malicious cyber activity

Late last week, the US Department of Justice filed a criminal complaint against a North Korean hacker—who allegedly acted on behalf of the North Korean government—in connection with a series of cyberattacks, including the cyber intrusion and attack against Sony Pictures in 2014. Among other things, this individual, along with other unidentified hackers, is alleged to be part of the Lazarus Group, which has been implicated in a wide range of malicious cyber activities—including the destructive WannaCry 2.0 worm that affected computers around the world in 2017 and the attempt to steal hundreds of millions from the Bangladesh Bank in 2016.

This is the first time that the US has criminally charged a North Korean government hacker and, like the indictment of five PLA officers for intellectual property theft a few years ago, it’s extremely unlikely that the charged individual (who apparently is in North Korea) will ever see the inside of a US courtroom. The charges are also unlikely to have any real effect on the malign cyber behaviour of North Korea. Unless other measures are brought to bear, North Korea isn’t really susceptible to being ‘shamed’, even when called out in such detail.

Nevertheless, the criminal complaint and supporting affidavit serve an important purpose. They demonstrate that, although it may take time, the US will expose malicious nation-state activity, including the individuals responsible and their tradecraft, for the world to see. Though more is required to achieve effective deterrence, this development sends an important foundational message, particularly when many doubt that effective attribution is possible.

I was part of the US government when we were dealing with the Sony attack in 2014. In one of the first instances of US government attribution of cyber conduct to a nation-state, President Barack Obama called a news conference and announced that North Korea was responsible. Shortly thereafter, he imposed sanctions on North Korea because of that and other activity. It was a watershed moment— to make public attribution at the highest level of our government sent a strong message that malicious state cyber activity would not be tolerated.

The move was coupled with extensive diplomatic outreach to allies and partners around the world to share our views and build support. Indeed that, and our outreach to partners in response to the Iranian distributed denial-of-service attacks against many of our financial institutions, served as the basis for our work to build a collective response by countries against shared cyber threats that continues today.

Still, the experience was also somewhat frustrating. Although nearly every commentator and researcher had said that North Korea was behind the Sony attack before Obama’s landmark press conference, many voiced doubts once the president and the US government went on the record. They challenged the evidence we put forth publicly as incomplete and instead offered a variety of alternative, often conspiratorial, theories.

The US government released far more corroborating information than it normally would, particularly when, as was the case then, no public criminal charges were brought. But it’s unreasonable to expect the US, or any government, to release all the information it has that led to attribution, especially when that information is particularly sensitive or could compromise sources and methods that are important in tracking and preventing future activity. This practice is no different from how attribution is handled for physical-world incidents. At the end of the day, in cyberspace or the physical world, attribution is a political (small p) decision based on all the information available. Countries nevertheless want to be highly confident that they’re right, because being wrong undermines future credibility and action.

Russian government representatives also tried to cast doubt on the attribution of North Korea, making the self-serving claim (especially in light of all the malicious cyber and physical activity they’re responsible for) that if one country is going to accuse another, the attribution must be essentially 100% ironclad based on publicly released evidence.

The Russian position fits in with Moscow’s practice of denying its involvement in everything from election interference to NotPetya in the cyber world, and from the UK poisonings to the Ukraine incursions in the physical one. Even when I was a federal prosecutor, the standard of proof when an individual’s liberty was at stake was never absolute but was instead beyond a reasonable doubt. Demanding absolute proof is a convenient way to deny malicious actions even when it’s clear who the perpetrator is. It’s also used as a subterfuge for getting insights into the information held by other countries to evade detection in the future.

The complaint and 179-page supporting affidavit in this case should help lay to rest a lot of the groundless claims that there wasn’t a strong factual basis for accusing North Korea. The affidavit is remarkable in its thoroughness and detail. I agree with those who have said that it reads like a thorough threat intelligence report with a criminal charging overlay. My former Justice and law enforcement colleagues deserve a lot of credit for all the work that went into the investigation. In any event, it tells a compelling story of the scope and scale of North Korean cyber activity. The fact that it fingers individuals (one by name) and organisations, and that it lays bare at least some of North Korea’s tradecraft in detail, alone make the document important.

The targeted sanctions imposed concurrently on the defendant and on a Chinese firm that employed him are also helpful. Though China and the US differ on many things, and we rightly remain concerned about Chinese malicious cyber activity, I think there’s some opportunity for common ground with China, assuming that it wouldn’t want rogue actors from other countries operating from its soil and, potentially, causing instability or exposing it to blame.

The criminal complaint and sanctions, though good, are still unlikely to deter North Korean actions in the future. For that to happen, they need to be part of a comprehensive plan that, among other things, includes putting pressure on the North Korean regime. Like with Russia, or any state adversary, that will require consistent, high-level messaging from the top. Sadly, that is lacking.

I’ve written before that, regardless the activities the US takes to hold Russia accountable for its malicious cyber activity, those efforts are undermined when the president himself not only refuses to publicly endorse them but undercuts those actions by casting doubt on Russia’s involvement. With North Korea, I fully understood why cyber issues wouldn’t be prominently raised during the first US–North Korea summit given the importance of denuclearisation, but thought it needed to be embedded in future dialogue with North Korea. Of course, the talks with North Korea seem largely on the rocks, but whatever their fate, it doesn’t seem likely that cyber matters will be raised despite last week’s charges. Worse yet, on the very morning that the criminal charges were announced, President Donald Trump tweeted about how well he and Kim Jong-un get along — hardly the messaging, on at least this topic, that’s likely to provoke North Korea to stop its activity.

Until we can do a better and more comprehensive job of pushing back on North Korea’s and other nation-states’ cyber activities, the use of criminal charges and other tools can only help lay an important foundation. But they will not, without more, deter our adversaries.

Time for an about-face? Flaws in facial recognition plan

Search for news articles about the face identification service and you won’t find much. At one level, that’s curious because it’s about to usher in a potentially far-reaching change to law enforcement and Australian society. On another level, the lack of focus is understandable because of the complexity of the scheme and draft implementing legislation.

Major holes in the proposed legislation have been identified in various parliamentary submissions, and the Parliamentary Joint Committee on Intelligence and Security will hold another round of public hearings later this month. But these concerns have so far failed to attract much attention. Two of the biggest problems with the current draft bill are the loose wording that allows the use of biometric facial matching for purposes as diverse as ‘preventing’ crime and ‘road safety activities’; and the ability of states and territories to use biometric facial matching for any crime or petty offence (subject to state and territory laws).

The genesis of the proposal was a Council of Australian Governments agreement in October 2017, when the prime minister and state and territory leaders agreed to establish national facial biometric matching services. The emphasis was placed squarely on the counterterrorism potential, not the two most likely future uses of the capability: general policing and digital identity (the latter is covered in a forthcoming policy brief from ASPI’s International Cyber Policy Centre). As the prime minister said at the time: ‘Imagine the power of being able to identify, to be looking out for and identify a person suspected of being involved in terrorist activities walking into an airport, walking into a sporting stadium … This is a fundamentally vital piece of technology.’

The national facial biometric matching capability is actually made up of two systems:

  1. The face verification service (FVS): ‘a one-to-one, image-based verification service that can match a person’s photo against an image on one of their government records (such as a passport photo) to help verify their identity’
  2. The face identification service (FIS): ‘a one-to-many, image-based identification service that can match a photo of an unknown person against multiple government records to help establish their identity. Access to the FIS will be limited to police and security agencies, or specialist fraud prevention areas within agencies that issue passports, and immigration and citizenship documents.’

The FVS and FIS will be made possible through the creation of a Commonwealth-run hub that connects various photographic identity databases run by states and territories (e.g. driver’s licences) and by the Commonwealth (e.g. passports).

The legislation that will allow for its creation is the Identity-matching Services Bill 2018. For a scheme so amenable to overreach, the bill is remarkably loosely worded. Reading the COAG agreement that the bill implements, you could be forgiven for thinking at least some controls are in place. For example, the COAG agreement states:

Agencies with access to the FIS may only use the FIS for one or more of the following permitted purposes: … (b) General law enforcement—the prevention, detection, investigation or prosecution of an offence under Commonwealth, state and/or territory laws carrying a maximum penalty of not less than three years imprisonment.

In reality, this three-year threshold (which is omitted from the draft bill) applies only to use of the FIS between jurisdictions (e.g. NSW police running a biometric search on a Victorian resident). In practice, state police will mostly be investigating residents of their own jurisdictions. So, for the overwhelming majority of cases, the three-year rule won’t apply. It’s up to states and territories to decide what, if any, minimum threshold applies before biometric matching can be used.

The institutional logic for police forces around the country is to seek permission to use the FIS for as many activities as possible to create internal efficiencies; for state and territory governments, it’s to save money. With the increasing use of CCTV and improvements in biometric matching, expect a lot more automated policing for ever less serious offences. For those interested in civil liberties, the question will become what threshold for use of the FIS is tolerable—automated fines for double parking, littering, jaywalking?

Unfortunately, the problems with the FIS are not isolated. As the My Health Record controversy suggests, it is part of a growing pattern where digitisation initiatives are built with the wrong user in mind. The convenience for a government department is prioritised over the citizens they serve. Repeatedly, Australians are assured everything is fine, only to discover they have been hoodwinked. Opt-in becomes opt-out. Safe and secure, it is later discovered, means warrantless police access.

And each time the public’s trust is broken, it becomes harder to roll out other digitisation initiatives that are essential to a 21st-century economy and society. Getting things back on track won’t be easy. It requires a complete overhaul in approach: putting citizens at the centre.

Rethinking our approach to open-source data

Open-source data is built on the foundation of long-term useability, authenticity and reliability. Its public nature means that it can be accessible anywhere with an internet connection.

Yet when we talk about the government data that needs to be protected for national security reasons, classified information—related to defence and intelligence services—often takes precedence. But what about the protection of unclassified, open-source government data?

Websites like data.gov.au, Trove and Parl Info Search host a broad range of data that collectively documents the political, social and cultural history of Australia. Over time, this data accumulates to paint a detailed picture of our country. It’s a high-value dataset given the trends big data analytics can reveal.

The Department of Communications and the Arts has estimated that the value of open government data is $25 billion per year—which represents 1.5% of Australia’s GDP. To give that some context, Australia is budgeting to spend 1.91% of its GDP on defence in 2018–19.

As outlined in the Attorney-General’s Department’s Protective Security Policy Framework, simply increasing the classification level of data isn’t enough to ensure its protection. The department recommends that agencies consider the potential business impact if something were to happen to their data. The policy framework outlines risks to aggregate data, including unauthorised disclosure and inconspicuous copying, modification or dissemination of information. And it warns of possible operational, reputational or monetary impacts for an individual agency or the government as a whole.

In an era of technological disruption, all it takes is the dissemination of disinformation to undermine national security.

Governments and private companies around the world are already starting to implement technologies and software to address data security. We’re now seeing the powerful combination of traditional information security, relating to controlled access to information and security of ICT systems, with the application of principles of long-term data preservation.

One example is Preservica, a software platform that incorporates the key data-preservation principles of useability, accessibility, security and authenticity. Once digital data has been created and stored, it is continually checked not only to prevent the obsolescence of file formats, but also to confirm the integrity of the data and metadata and ensure it hasn’t been manipulated. Preservica is being used by the UK National Archives, the European Commission and the Provincial Archives of New Brunswick in Canada.

Swedish company Enigio Time is based on similar principles. Its aim is to ‘provide proof of the truth’ and digital data integrity in what it calls a ‘#PostTruth era’. Enigio Time software generates a timestamp on a digital document, leaving unchangeable proof of the content of the document when it was created.

Another technology that could also contribute to data integrity is blockchain. Blockchain is commonly associated with Bitcoin and cryptocurrencies, but it could also contribute to data integrity. It creates a record of data that is stored permanently in multiple locations. Despite some scepticism about it, governments around the world have already begun testing and implementing blockchain technology.

The Netherlands, Georgia, Sweden, the UAE, Canada and Estonia either use blockchain or have piloted blockchain projects for a variety of government services.

One example that stands out is the Chilean government’s use of blockchain for the preservation and security of its environmental data.

Earlier this year, the Chilean National Energy Commission launched a project called Energia Abierta (Open Energy). It aims to increase the security, integrity and traceability of energy information by storing publicly available data, such as national electric capacity, energy prices and emission levels, on the Ethereum blockchain technology. The commission says that public information, particularly related to energy, is critical for investment decisions and shaping policies.

Chile’s emissions data could, for example, be manipulated by foreign actors who could then criticise the government for not meeting its commitment to the Paris climate agreement, which Chile has ratified. A discrepancy in the information held by energy providers, the energy commission and other national agencies could severely undermine trust in Chile’s governance.

In Australia, blockchain is starting to appear on the government’s agenda. Last year CSIRO’s Data61 conducted research into blockchain and its potential applications in the government and business sectors. Its report Distributed ledgers: scenarios for the Australian economy over the coming decades, concluded that blockchain technology can enhance the trust, accountability and auditability of data storage.

In the 2018–19 budget, the Australian government allocated $700,000 to the Digital Transformation Agency to research how blockchain could be used to support government services. And only last week the government signed a five-year agreement with technology company IBM to help further its digital transformation agenda.

Data accessibility is also on the government’s agenda, as seen by the Productivity Commission’s 2017 report into data availability and use, the data sharing for innovation agenda, and the 2015 public data policy statement.

The value of accurate, reliable and verifiable open-source information shouldn’t be underestimated. Australia needs to take advantage of new technologies as they emerge and reframe its approach to the security and preservation of open-source data.

China’s quest for political control and military supremacy in the cyber domain

The People’s Republic of China seeks to contest information dominance (制信息权) and discursive dominance (话语权) in cyberspace. For the Chinese Communist Party (CCP), cybersecurity is integral to comprehensive state security (国家安全). That’s distinct from ‘national’ security in that it focuses on preserving stability and legitimacy to ensure the regime’s survival. Xi Jinping has said that ‘without cybersecurity, there is no state security’.

In this concept of cybersecurity, information security and control take priority. Indeed, for the CCP, threats to cyber sovereignty (网络主权) are seen as existential in nature. For that reason, the People’s Liberation Army (PLA) is actively building its capabilities to engage in ‘military struggle’ (军事斗争) in the cyber domain.

The CCP has long believed itself to be engaged in an ideological contest in cyberspace. It has sought to counter foreign ‘hostile forces’ (敌对势力) through censorship and propaganda. It blames those influences for popular protests that have overthrown authoritarian governments, as in the Arab Spring.

Tellingly, a research centre with the Cyberspace Administration of China has written, ‘If our party cannot traverse the hurdle represented by the internet, it cannot traverse the hurdle of remaining in power for the long term.’

So far, China has defied initial, utopian expectations for the future of the internet. Instead, the CCP has sought to reshape and harness the internet as a tool to enhance its social control, while still allowing a vibrant digital economy to thrive within certain parameters.

Xi Jinping articulated the objective for China to become a ‘cyber superpower’ (网络强国), to be not only the world’s largest nation in cyberspace, but also the most powerful. His own consolidation of power has included gaining absolute control over the PLA, in line with Mao’s maxim that the ‘Party commands the gun’.

China’s 2015 national defence white paper on military strategy—which included the PLA’s commitment ‘to remain a staunch force for upholding the CCP’s ruling position’ and to preserve ‘social stability’—also called for the PLA to ‘expedite the development of a cyber force’ and to enhance its capabilities in ‘cyberspace situation awareness’ and cyber defence. The stated objectives of these forces are ‘to stem major cyber crises, ensure national network and information security, and maintain national security and social stability’.

At a basic level, the PLA’s approach to employing military cyber forces should be understood as another piece in China’s strategy of ‘active defence’ (积极防御). In essence, that means, ‘We will not attack unless we are attacked, but we will surely counter-attack if attacked.’

When applied to the cyber domain, this logic implies that offensive operations at the tactical and operational levels would be consistent with a defensive orientation at the strategic level.

At the strategic level, the question of what constitutes an ‘attack’ is likely to be decided according to political and ideological factors, particularly in cyberspace. According to an authoritative text on information operations, the PLA should emphasise active defence if facing a ‘formidable enemy’, but might pursue an ‘active offensive’ against a weaker enemy in order to achieve rapid battlefield information superiority.

PLA concepts of cyber conflict are informed by Chinese strategic culture. For the US and most Western militaries, there’s a clear distinction between ‘peace’ and ‘war’. In contrast, the PLA appears to place these along a spectrum. In the Science of military strategy, PLA thinkers discuss the dynamics of military struggle in the cyber domain, highlighting the functional ‘integration’ of peacetime and wartime in cyberspace.

The PLA’s official dictionary of military terminology defines military struggle as ‘the use of military methods in order to advance the struggle among nation states or political groups to achieve a definite political, economic or other objective; the highest form is warfare’. This concept has Marxist and Maoist antecedents consistent with the CCP’s tradition of combined political and military struggle. That includes its history of political warfare that today provokes concerns about Beijing’s interference in democracies.

Notably, the PRC’s pursuit of a national strategy of military–civil fusion (军民融合) not only seeks to leverage synergies between commercial and defence developments, but also intends to take advantage of civilian personnel in defence and force development. The Science of military strategy argues that:

In light of the ambiguous boundaries between peacetime and wartime in cyber countermeasures, and the characteristic that military and civilian attacks are hard to distinguish, persist in the integration of peace and war [and] in military–civil integration; in peacetime, use civilians to hide the military; in wartime, the military and the people, hands joined, attack together ….

The Central Military–Civil Fusion Development Commission, under the leadership of Xi Jinping himself, established the Cyberspace Security Military–Civil Fusion Innovation Centre (网络空间安全军民融合穿心中心). Qihoo 360, a major cybersecurity enterprise, will lead the centre. The new centre will seek to improve national cyber defences and could even explore the creation of ‘cyber militia and teams’.

Looking forward, the PLA sees space, cyberspace and the electromagnetic domain as critical ‘strategic frontiers’ (战略边疆) and the ‘commanding heights’ (制高点) of future warfare. In particular, the PLA is concentrating on ‘information operations’ (信息作战) that include cyberwarfare, electronic warfare and psychological warfare.

Traditionally, core aspects of PLA strategic thinking have included the focus on seizing ‘information dominance’ (制信息权) through strikes against key nodes in an adversary’s command and control systems using integrated information and firepower assaults. Unsurprisingly given the perceived dominance of offensive attacks in this domain, the PLA is believed to prefer seizing the initiative through a first strike (先发制人).

Increasingly, the PLA considers cyber capabilities a critical component in its overall integrated strategic deterrence posture, alongside space and nuclear deterrence. PLA thinkers highlight that ‘blinding’, ‘paralysing’ and ‘chaos-inducing’ methods of deterrence in cyber, space and other domains will ‘probably possess even more ideal deterrence outcomes’.

The establishment of the Strategic Support Force (战略支援部队) in 2015 integrated the PLA’s space, cyber, electronic and psychological warfare capabilities in order to enhance its capability to achieve dominance in these new commanding heights of future warfare.

Is Indonesia catching up in cyberspace?

Indonesia is one of the most dynamic economies in the region and is poised to become one of the region’s largest and most vibrant digital economies.’ That was Prime Minister Malcolm Turnbull’s message to the Indonesia–Australia Digital Forum (IADF), held in Jakarta on 31 January and 1 February. At the same event, President Joko ‘Jokowi’ Widodo said that ‘the digital age increasingly present[s] challenges for [Indonesia] from a social, economic and governance perspective. This era demands that everything be digitalised with increased speed and efficiency.’

This was one reason that Jokowi ordered the establishment of the National Cyber and Encryption Agency (Bandan Siber dan Sandi Negara, or BSSN) last May. Its nearest Australian counterpart might be the Australian Signals Directorate (ASD). The BSSN combines the former national encryption agency, the Indonesia Security Incident Response Team on Internet Infrastructure and some resources from the Ministry of Communications and Informatics (KOMINFO). The BSSN is set to become the central authority for coordinating and driving improved cybersecurity in Indonesia.

Like Australia, Indonesia is reshuffling its bureaucratic machinery that deals with cyber issues. Three years ago, a presidential decree mandated that the Coordinating Ministry for Political, Legal and Security Affairs (POLHUKAM) would lead on cyber issues. Over the last few years, Australia and other nations have been working intensively with the Cyberdesk at POLHUKAM to develop a national cybersecurity strategy for Indonesia.

The new division of responsibilities and reporting lines are still being fleshed out. But the move raises some fundamental questions. For example, will policy development and executive functions be separated? Will cybersecurity be organised in a decentralised way or pushed down from the president’s office? Will the necessarily secretive culture of cryptographers be opened up so that BSSN serves as a cybersecurity centre for government, industry and Indonesian citizens?

As Jokowi noted, cyber presents a multitude of challenges and opportunities for Indonesia. The archipelago has more than 130 million users who access the internet primarily through mobile phones and Facebook. In the region, Indonesia is one of the greatest sources of cyberattacks, as well as the largest target of attacks, as a result of its developing internet infrastructure (it ranked 73rd of 139 countries in the World Economic Forum’s 2016 Network Readiness Index), combined with narrowly applicable regulations and lax cyber hygiene standards. Even so, Indonesia’s IT industry and internet-based start-ups are booming. At the IADF, Indonesian leaders proudly pointed to billion-dollar start-ups GO-JEK (transport), Tokopedia and Bukalapak (online marketplaces), and Traveloka (online bookings).

While there’s an important economic angle to Indonesia’s cyber engagement, the government’s main focus seems to be on threats rather than opportunities. Last January when he was appointed head of the BSSN, Major General Djoko Setiadi emphasised that his priority would be to counter internet hoaxes and fake news. At a capacity-building workshop for Indonesian officials organised by ASPI’s International Cyber Policy Centre in late January, similar online threats were identified as the primary concerns for Indonesian society. Cybercrime, the vulnerability of critical infrastructure and privacy loss remain second-order priorities for the moment.

Like in many other developed and developing states, the government has introduced more robust legislation and giving greater power to security agencies. Indonesia’s well-known, and all too often referred to, Electronic Information and Transactions Law from 2008 was only revised in 2016. It authorises the Ministry for Communications and Informatics  to terminate access to online material—by blocking websites or ordering internet service providers to do so—containing immoral content, hate speech, insults or defamation.

Indonesia will figure prominently in Australia’s international cyber agenda. DFAT’s international cyber engagement strategy, which ‘champions an open, free and secure cyberspace’, targets the entire Indo-Pacific region. The Indonesia–Australia Cyber Dialogue, inaugurated in 2017, serves as a channel to discuss issues of mutual concern. But there’s the bigger question as to how much Australia can support Indonesia in promoting a free, open and secure cyberspace while accommodating Jakarta’s concern about exercising sovereignty.

During the IADF, the head of the Australian Cyber Security Centre (ACSC) welcomed the opportunity to work with BSSN. This is an obvious bond to be cultivated. Both ASD (under which the ACSC sits) and BSSN will face similar challenges in transitioning from running high-secrecy operations to serving as a platform for collaboration between government, industry and civil society.

At the policy level, the situation is blurrier. It’s unclear whether Indonesia’s strategic direction will come from the president’s office or from the agency itself. If it’s the agency, which will also implement the strategy, that would surely affect the checks and balances within the administration and the parliament’s ability to exercise oversight. Alternatively, the remaining skeleton desk at the Coordinating Ministry for Political, Legal and Security Affairs could play a role.

While the roles and responsibilities of Indonesia’s domestic agencies are being debated (and challenged), opportunities are slipping away. As a country that’s forecast to rocket into the world’s top global economies, Indonesia will gain enormous benefits if it can provide conditions that foster a free, open and secure internet. Its tech-savvy population and sizeable e-market are already flourishing, but the growth of its e-economy could dramatically accelerate if the government gets its settings right.

In broader strategic terms, Indonesia is also vital. If it chooses a stifling Chinese approach, it would be hugely damaging to efforts to keep the internet in the region dynamic, open and secure. Handily, as a young, vibrant democracy, an open approach makes much more sense.

Apple, Face ID and privacy

I’ve seen a number of crazy media pieces arguing that Apple’s Face ID technology has privacy implications and will enable government mass surveillance.

I disagree, and I think there’s a more sensible way to think about Face ID, phones and privacy.

Smartphones contain a great deal of personal information that is worth protecting, but because they’re so portable they’re often lost or stolen. Ideally, a phone would work only for its legitimate owner and no one else.

Fundamentally, the problem that PINs, Touch ID and Face ID are trying to solve is whether you are the phone’s owner.

Teaching an inanimate object how to recognise someone is a difficult problem. So in the smartphone world we’ve relied on proxies for identity:

  • something you know, such as a PIN or a password
  • some property of you, such as your fingerprint (Touch ID) and maybe now your face (Face ID).

In the real world, we quite often use ‘something we have’ as an assertion of identity (for example, a passport, driver’s licence or access card), but I’m not aware of that being used for smartphone identification.

All of these mechanisms are actually proxies for who you are, and don’t necessarily guarantee anything. PINs and passwords are often forgotten but can also be shared, stolen or guessed. Fingerprints can be copied and spoofed. Identical twins and doppelgangers exist, and no doubt someone will spoof Face ID.

One big advantage that biometric authentication methods such as Touch ID and Face ID have, to my mind, is that they directly address the question of who I am by looking at me. Authentication by PINs and passwords, by contrast, relies on arbitrary shared secrets that have absolutely nothing to do with me.

In my own life I recognise people by looking at them and that seems to work out okay, so at first glance it seems at least plausible that facial recognition might be an acceptable way to arrive at identity.

Assuming that the Face ID implementation is good enough for the average person—that is, there’s a low false positive rate (unlocking for the wrong person) and it’s hard to spoof—what are the implications for mass government surveillance?

The most worrisome scenario is that governments would immediately be able to access all Face ID data instantly for all users. I don’t believe that scenario: Face ID and Touch ID data is kept only on phones in Apple’s Secure Enclave; Apple fought government efforts to get data from a single phone; and Secure Enclave hasn’t publicly been hacked. Even if states have exploits, they are likely to be very high value and therefore not widely deployed because every time an exploit is used there’s a risk of discovery.

However, let’s assume I’m wrong and all smartphone data is accessible by governments. In that scenario governments already have your location, photos, messages, emails, chats, contacts and more. What extra information does Face ID provide? What other privacy concerns are there?

Governments will have better models of the shape of your head and Face ID will make them more confident that you are actually in possession of your phone, at least compared to a PIN. It’ll be easier for them to identify you.

But there are limits. It’s not clear that Face ID data would help pick you out of a crowd; Face ID will be optimised for authentication (Are you Tom? Yes/no) rather than identification (Who is this person?).

Remember also that governments potentially already have access to large datasets—such as driver’s licences, passports and mugshots—that they already own and can use without the need to either compel Apple or somehow subvert Apple’s infrastructure. Australia’s federal government, for example, already has passport data and is reportedly seeking access to driver’s licence photos from state governments for a national facial recognition database.

Really, though, if you’re concerned about mass surveillance and government access to smartphone data you should be throwing away your phone rather than worrying about the incremental privacy problems of Face ID.

Personally, I’ll wait and see how well Face ID is implemented when the iPhone X is released. If it works well as an authentication mechanism, I’ll consider using it. But I won’t worry about mass surveillance.

Controlling cyber conflict

When cyber-security professionals were polled recently at their annual Black Hat conference in Las Vegas, 60% said they expected the United States to suffer a successful attack against its critical infrastructure in the next two years. And US politics remains convulsed by the aftermath of Russian cyber interference in the 2016 election. Are cyber-attacks the way of the future, or can norms be developed to control international cyber conflict?

We can learn from the history of the nuclear age. While cyber and nuclear technologies are vastly different, the process by which society learns to cope with a highly disruptive technology shows instructive similarities. It took states about two decades to reach the first cooperative agreements in the nuclear era. If one dates the cyber-security problem not from the beginning of the internet in the 1970s, but from the late 1990s, when burgeoning participation made the internet the substrate for economic and military interdependence (and thus increased our vulnerability), cooperation is now at about the two-decade mark.

The first efforts in the nuclear era were unsuccessful United Nations–centered treaties. In 1946, the US proposed the Baruch plan for UN control of nuclear energy, and the Soviet Union promptly rejected locking itself into a position of technological inferiority. It was not until after the Cuban Missile Crisis in 1962 that a first arms control agreement, the Limited Test Ban Treaty, was signed, in 1963. The Nuclear Non-Proliferation Treaty followed in 1968, and the bilateral US–USSR Strategic Arms Limitation Treaty in 1972.

In the cyber field, Russia proposed a UN treaty to ban electronic and information weapons (including propaganda) in 1999. With China and other members of the Shanghai Cooperation Organisation, it has continued to push for a broad UN-based treaty.

The US resisted what it saw as an effort to limit American capabilities, and continues to regard a broad treaty as unverifiable and deceptive. Instead, the US, Russia, and 13 other states agreed that the UN secretary general should appoint a Group of Governmental Experts (GGE), which first met in 2004.

That group initially produced meagre results; but, by July 2015, it issued a report, endorsed by the G20, that proposed norms for limiting conflict and confidence-building measures. Groups of experts are not uncommon in the UN process, but only rarely does their work rise from the UN’s basement to a summit of the world’s 20 most powerful states. But while the GGE’s success was extraordinary, last month it failed and was unable to issue a consensus report for 2017.

The GGE process has limitations. The participants are technically advisers to the UN secretary general rather than fully empowered national negotiators. Over the years, as the number of GGE member states increased from the original 15 to 20 and then to 25, the group became more unwieldy, and political issues became more intrusive. According to one diplomat who has been central to the process, some 70 countries have expressed interest in participating. But as the numbers expand, the difficulty of reaching agreement increases.

There are a wide range of views about the future of the GGE process. A first draft of a new report existed at the beginning of this year, and the able German chairman argued that the group should not rewrite the 2015 report, but try to say more about the steps that states should take in peacetime.

Some states suggested new norms to address data integrity and maintenance of the internet’s core structures. There was general agreement about confidence-building measures and the need to strengthen capacity. The US and like-minded states pressed for further clarification of the earlier agreement that international laws of armed conflict, including the right of self-defence, apply in cyber space, but China, Russia, and their allies were reluctant to agree. And the deterioration in US–Russian relations soured the political climate.

Moreover, whereas some states hope to revive the GGE process or enlarge it into a broader UN process, others are sceptical, and believe that future progress will be limited to discussions among like-minded states, rather than leading to universal agreements.

Norms that may be ripe for discussion outside the GGE process could include protected status for the core functions of the internet; supply-chain standards and liability for the ‘internet of things’; treatment of election processes as protected infrastructure; and, more broadly, norms for issues such as crime and information warfare. All of these are among the topics that may be considered by the new informal International Commission on Stability in Cyberspace established early this year and chaired by former Estonian Foreign Minister Marina Kaljurand.

Progress on the next steps of norm formation will require simultaneous use of many different formats, both private and governmental. For example, the 2015 agreement between China and the US to limit industrial cyber espionage was a bilateral accord that was later taken up by the G20.

In some cases, the development of norms among like-minded states can attract adherence by others at a later point. In others, such as the internet of things, norms for security standards may benefit from leadership by the private sector or non-profit stakeholders in establishing codes of conduct. And progress in some areas need not wait for others.

A regime of norms may be more robust when linkages are not too tight, and an overarching UN treaty would harm such flexibility at this point. Expansion of participation is important for the acceptance of norms, but progress will require action on many fronts. Given this, the failure of the GGE in July 2017 should not be viewed as the end of the process.

Cyber wrap

Don’t say stupid things online

It’s been a big week for advocates of online OPSEC. On Monday, a Google employee suffered a high-profile firing after he circulated a ‘manifesto’ railing against Google’s institutional ‘political bias’ against conservatives and the need to have an ‘honest discussion’. Google’s leaders—current and former—have universally taken issue with how consistently incorrect the manifesto is in its core argument (about how women aren’t biologically suited for tech jobs) and how damaging it has been to the company’s reputation and to the team. The fired employee is reportedly seeking any and all ‘legal remedies’; power to you, guy.

The Google anti-diversity memo is a great example of what the Australian Public Service Commission (APSC) was trying to protect against when it provided more detailed guidelines about what the APS Code of Conduct requires when it comes to making public comments, including on social media. Ironically, the APSC’s own communication about not staying stupid things online has become the latest example of poor online communication, and what was intended as guidance has been interpreted as a heavy-handed (and unconstitutional) gag order. Whether the confusion’s due to miscommunication or misrepresentation from the media isn’t clear, but it’s a reminder that confusion quickly escalates to fever pitch well before even the most eager 9-to-5 public servant has had their first coffee. And if it’s that hard to communicate guidelines on social media use, it might be impossible to raise cyber hygiene awareness (PDF) and practices.

Stop worrying and love AI

Two Tencent chatbots have been taken offline for revision after they provided politically inflammatory responses to queries about the Communist Party, insulting the party as ‘corrupt and useless’. The shutdown comes shortly after an (overblown) wave of concern about Facebook chatbots ‘inventing their own language’. The two stories seem to be being picked up as the ‘patient zero’ case studies for FUD (fear, uncertainty and doubt) about impending AI doom.

New South Wales is pushing ahead with autonomous vehicles anyway, greenlighting a program for a two-year trial program at Sydney Olympic Park. The trial will be going at a snail’s pace, though—the vehicles won’t be allowed to exceed 10 kilometres an hour along a closed-off road. Fingers crossed it all doesn’t go the way Tesla went at this year’s DEF CON.

The US Army has taken a far more cautious (but seriously belated) approach to semi-autonomous vehicles, issuing a memo mandating that all service members cease use of DJI drones, software applications, and other equipment.

Sharing is caring

The Australian Signals Directorate will be sharing threat intelligence with telcos and internet service providers, to help them provide, in turn, cost-effective cyber-security services for small to medium enterprises. This directly addresses the vulnerability to hacking of small and medium enterprises, which have been identified by both the government and the opposition as being sorely in need of protection, but without necessarily having the resources or expertise to protect themselves. Weirdly, however, this initiative ignores anti-virus and security software vendors—the companies that are perhaps best placed to immediately use this data to protect customers.

In similar research, Telstra has launched the Australian Digital Inclusion Index 2017, which has surveyed digital access disparities between socioeconomic classes and found that Australia’s getting better at digital inclusion, which could translate into better cyber-security outcomes for Australia. (For the final word on that, keep your eyes peeled for the latest edition of ASPI’s cyber maturity report later this year.)

The federal government has announced that it’ll be building a single ‘super logon’ to consolidate across the dog’s breakfast of government accounts, which currently saddles users with managing 10 to 30 accounts. It’s not clear from that exclusive interview whether the initiative is the same one as the ‘GovPass’ and ‘Tell Us Once’ initiatives announced in the 2017 budget. It’d be ironic if there were two separate programs under development to consolidate logins and accounts.

Regardless, work on GovPass continues unabated, and Airtasker, Travelex, Credit Union Australia and the Queensland Police Service have signed up for AusPost’s Digital ID service, which is currently serving as a pilot program for later reconciliation with the wider GovPass program. Gavin Slater, the CEO of the Digital Transformation Agency, which is managing the GovPass program, has announced that he’s been working to repair relationships with government agencies, after the then Digital Transformation Office became too ‘disruptive’ for the APS’s tastes.

The Australian Digital Health Agency published Australia’s National Digital Health Strategy (PDF) and outlined an action plan to make sure all Australians have a My Health record by 2018. The aim is to improve the protection of healthcare data and interoperability between healthcare organisations. However, privacy activists are concerned that the consolidated health data will present an increased privacy risk, which is why it’s a good thing that the agency will be establishing a Digital Health Cyber Security Centre to make sure Australia’s health data security is at the cutting edge of international best practice.

Open data dashboards tied up with strings

Open data dashboards have been popping up like daisies this week. The Alliance for Securing Democracy has launched a new online dashboard, Hamilton 68, tracking bot networks and troll accounts linked (after three years of observing) with Russian influence operations on Twitter. The top hashtag used by these accounts was MAGA, or Make America Great Again, the campaign slogan of US President Donald Trump. As with most social media analysis projects, the transparency of the methodology has been criticised.

Black hats, white hats, and cyber diplomats

US ‘cyber-diplomat’ Christopher Painter has signed off, writing a parting note on Medium about the continuing importance of diplomacy in cyberspace. Even after working for 26 years in this (highly depressing) space, he’s reportedly still passionate, calling cyber ‘the new black’.

Famed ‘hero’ and supposedly white-hat hacker @MalwareTechBlog, aka Marcus Hutchins, was arrested at Las Vegas Airport shortly after Black Hat and DEF CON 2017. The FBI has accused Hutchins of creating, distributing and updating ‘Kronos’ (the banking trojan that was designed to infect computers and grab online banking credentials for profit) in 2014 and 2015. Hutchins has ponied up US$30,000 in bail, and is set to face a Nevada court on 14 August.

Five fifth-generation warfare dilemmas

The future of the ADF is ‘fifth generation’, or at least the Chiefs of Army, Navy and Air Force think so. It might’ve been just a passing fad, given that the term originated as a company marketing slogan selling a long-delayed fast jet. But in recent years the expression has morphed into a useful buzzword encapsulating several deeper concepts. At its core, ‘fifth generation’ is all about ideas, about how we conceive of waging tomorrow’s wars—and preparing for them. It encompasses four major approaches:

  • Networks. Modern war uses extensive digital networks. Conceptually, four interconnected and interdependent virtual grids—information, sensing, effects and command—overlie the operational theatre. The various force elements are interacting nodes on the grids that can each receive, act on and pass forward data.
  • Combat cloud. Working together, the grids can form a virtual combat cloud—akin to commercial cloud computing—that allows users to pull and add data as necessary. The result is longer-range tactical engagements. It’s no more, ‘Fire when you see the whites of their eyes’, but rather, ‘Engage when a symbol labelled “adversary” appears on a shared display’.
  • Multi-domain battle. There are five operational domains: land, sea, air, space and cyber. The key animating idea is cross-domain synergy, where force is applied across two or more domains in a complementary manner (PDF) to achieve an operational advantage.
  • Fusion warfare. The fusion warfare concept addresses command and control concerns arising from additional information flows, software incompatibilities and intrinsic vulnerabilities to attack and deception.

The order of these approaches mostly reflects the sequence in which they’ve been incorporated into the concept of fifth-generation warfare. The oldest is network-centric warfare, dating from the mid-1990s; the others have become increasingly prominent over the last several years. The progression highlights that commercial information technology has often led military developments in the fifth generation. Cloud computing, for example, was initially implemented in the mid-2000s but it was not until the mid-2010s that the concept was embraced by military thinkers.

Each of these four conceptualisations is important, but in fifth-generation warfare they don’t exist individually; they function together as an integrated, interdependent ‘system of systems’ whose whole is greater than the sum of its parts. Fifth-generation warfare is accordingly a dynamic way of war, constantly evolving as the context changes and new demands arise.

Moving to fifth-generation warfare has several implications.

First, there are obviously two in-built technical vulnerabilities. Digital systems are inherently susceptible to cyber intrusions that may steal, delete or change data, or insert false data that can quickly spread across the network. While cybersecurity techniques are steadily improving, so are cyber intrusion methods, with neither remaining in the ascendancy for long. But it’s more than just cyber: electronic and information warfare techniques are designed to deliberately input false data into hostile networks that spreads to all users, confusing and distorting the shared picture.

Moreover, fifth-generation warfare relies on datalinks. Emitters are inherently vulnerable to detection; network participants can be located and tracked—and thereby targeted by precision-guided weapons. Some datalinks are harder to detect than others; however, as with cyber, technology continually improves. Cybersecurity and datalink emission tracking will require constant effort for the operational life of fifth-generation warfare. They are serious Achilles’ heels.

Second, modern wars inevitably involve coalition operations, so on any network there may be actors from many different countries. All involved will be doing their best, but within each country’s forces, and within the coalition overall, there’ll be elements using different intelligence sources, different threat libraries and different electronic signature data to make decisions about the identity and location of hostile and friendly forces, and neutral entities. The operational perils implicit in the ‘garbage in, garbage out’ aphorism suggest that some force elements will be more trusted than others in fifth-generation warfare. ‘Balkanised’ networks (in which some nodes are disregarded or receive degraded data) are likely, leaving some nodes to potentially fight their own separate wars instead of being part of a coherent, carefully coordinated application of coalition military force.

Reducing a force to a collection of small, independent networks undercuts the Metcalfe’s law logic of fifth-generation warfare, which asserts that the ‘power’ of a network is proportional to the square of the number of nodes in the network. The probability of blue-on-blue engagements also increases as the location of friendly forces becomes less certain to all coalition participants.

Third, individual national sovereignty is diminished, especially in the combat cloud concept, since information is pulled from the digital cloud with perhaps only limited knowledge of its source. Using such off-board information—rather than that derived from one’s own onboard sensors as happens today—to engage targets inherently reduces each nation’s responsibility and accountability. A senior ex-RAF officer complained that ‘this slaughters [the UK’s] legal stance on a clear, unambiguous and sovereign kill chain’.

Fourth, the fifth-generation warfare idea relates to what Edward Luttwak called ‘the technical dimension of strategy’. Technology influences how we fight wars, but there’s more to being successful than technology. Leading-edge technology was insufficient to win the Vietnam, Iraq and Afghanistan wars—and fifth-generation warfare so far doesn’t appear any different.

And lastly, the end of fifth-generation warfare may be in sight. In the 1990s, futurists Alvin and Heidi Toffler argued that ‘how we make war reflects how we make wealth’. They foresaw that the information technology age would necessarily compel changes in warfare. In many respects, fifth-generation warfare is the working out of that idea. Now some see another industrial revolution approaching that will change the way wealth is made. If the Tofflers are right, warfare may change again. Third offset, anyone?

Tag Archive for: Cyber

Nothing Found

Sorry, no posts matched your criteria

Tag Archive for: Cyber

Bitcoin Can’t Save World’s Autocrats From the Sanctions Squeeze

Bloomberg’s David Tweed discusses Bitcoin with Tom Uren, visiting fellow with ICPC

Think about how many U.S. dollars are in circulation and how much each bitcoin would have to be worth to match that value — it would be a ludicrously big number.

Read the full story here

Notorious website with naked photos of Aussie schoolgirls returns months after being shut down

Fergus Hanson of the ICPC talks with Channel 7 News.

Meltdown CPU bug

Sky News spoke to Tom Uren about the recent revelations that the Meltdown CPU flaws are widespread and pose significant threats to virtually all computer systems worldwide if unaddressed. 

Watch the interview here

Report reveals growing cyber threat in Asia Pacific

Thomas Oriti of the ABC’s The World Today speaks with lead author Tom Uren on the recently released ICPC report Cyber Maturity in the Asia-Pacific 2017.

http://www.abc.net.au/radio/programs/worldtoday/report-reveals-growing-cyber-threat-in-asia-pacific/9250494

Cyber Security: Are we doing enough?

The Australian Cyber Security Centre released their Annual Threat Report on Tuesday.

It paints a bleak picture for Australian Cyber Security in both the public and private sectors.

The Government insists this is not a serious issue but some experts argue we still have a long way to go to keep Australia safe.

In this interview, Fergus Hanson talks with Fran Kelly of ABC Radio National. 

Hacked Defence contractor hadn’t changed its passwords from their default

f

Fergus Hanson speaking on the ABC 7:30 report about the recent cyber incident which saw a Defence contractor hacked.

Video here: http://www.abc.net.au/7.30/hacked-defence-contractor-had-changed-its/9045122

North Korean Hack of U.S. War Plans Shows Off Cyber Skills

Fergus Hanson interviewed by Bloomberg Technology on the recent North Korean cyber hacks.

There is no doubt that they are using their capability in creative ways, said Fergus Hanson, head of the International Cyber Policy Centre at the Australian Strategic Policy Institute in Canberra.

“Stealing battle plans is obviously a good idea from a military point of view and they’re also monetizing their capability to get around sanctions.”

Full report at Bloomberg Technology.

Federal Government launches three year cyber strategy

The Australian Government is warning that the internet risks becoming a “dark space”, if there are not strict rules in place to govern how it is used.

The Foreign Minister, Julie Bishop, has today launched the Government’s International Cyber Engagement Strategy, outlining its cyber affairs agenda over the next three years.

In this interview, Thomas Oriti of the ABC’s “The World Today” program talks to Foreign Minister Julie Bishop and Fergus Hanson. 

http://www.abc.net.au/radio/programs/worldtoday/federal-government-launches-three-year-cyber-strategy/9014742

Australia’s cyberspace policy

Australia is renewing its push for new rules governing how nations deal with each other in cyberspace.

Foreign Minister Julie Bishop has launched the government’s three-year International Cyber Engagement Strategy.

In this video, Beverley O’Connor of ABC’s “The World” program speaks to Fergus Hanson, head of the International Cyber Policy Centre at the Australian Strategic Policy Institute. 

http://www.abc.net.au/news/programs/the-world/2017-10-04/australia-cyberspace-policy/9016844

Experts question Malcolm Turnbull’s terror crackdown on encrypted messages

Experts have warned Prime Minister Malcolm Turnbull’s bid to force social media companies to give access to encrypted messages for terror investigations is unrealistic with the pace and breadth of technological change making it too hard for law enforcement to keep up.

Fergus Hanson speaks with Andrew Tillett

Full article here: http://www.afr.com/news/experts-question-malcolm-turnbulls-terror-crackdown-on-encrypted-messages-20170626-gwyfg3#ixzz4yZRjOTbf