Working smarter, not harder

Leveraging government procurement to improve cybersecurity and supply chains

What’s the problem?

Australian governments are the nation’s largest spenders on ICT, but they’re failing to maximise the leverage that market power gives them to drive improved cybersecurity and more secure supply chains. Government can harness its spending power to not only improve its own cybersecurity, but to drive better cybersecurity throughout the wider economy. However, current approaches are fragmented and having limited impact, so a concerted national effort is needed, underpinned by major strategic changes in approach.

What’s the solution?

The Australian Government and the state and territory governments should establish a single coherent set of security standards expected from suppliers. The standards need to be more than just a tick-the-box exercise to set a minimum standard—they should provide multiple levels through which suppliers can seek to progress by continuous improvement. In order to protect sensitive data, secure managed enclaves should be used to minimise exposure to the risks of individual suppliers’ ICT systems.

Procurement frameworks need to provide commercial incentives for suppliers to improve their security. In limited areas where there’s a compelling strategic benefit to Australia from building capability, those frameworks should also be linked to a sovereign capability framework to ensure that preference is given to Australian companies.

Introduction

It’s forecast that this year there will be more than two and a half times more connected devices than there are people.1 Securing those devices and networks is critical but increasingly challenging—in 2018–19, the Australian Cyber Security Centre (ACSC) responded to 2,164 incidents,2 while data from the ReportCyber network suggests that more broadly across Australia there are approximately 150 cybercrime incidents per day.3

The Australian Government allocated an average of $65 million per year to its cybersecurity strategy over the past four years, but that figure is dwarfed by broader federal government ICT procurement, and even more so by the combined ICT spend by the three levels of Australian government. The amount spent annually by the federal government alone has grown significantly from $5.9 billion in 2012–13 to almost $10 billion now.4 State and local governments are also big spenders on ICT: the NSW Government IT budget is over $3 billion per year.5

Such scale means that government ICT procurement has significant market power. This paper explores how that procurement could be leveraged as part of the updated cybersecurity strategy currently being prepared for the next four years. The paper starts by examining supply-chain risks and opportunities, before looking at the key barriers and challenges and suggesting how they could be addressed. This study is based on interviews with key stakeholders in government and industry and a review of openly available material on government procurement approaches. While the focus is on Australian Government procurement, state and local government procurement is considered where appropriate.

Supply-chain risks and opportunities

Supply chains are integral to cybersecurity. Almost all end users of ICT systems rely on hardware, software or services built or delivered by someone else. Where a supplier becomes a critical node in the supply chain, integral to a large part of the ICT ecosystem, security failures have the potential to generate major systemic cyber and operational risks. We rely on suppliers exercising due diligence in their development, management and operational activities to avoid deliberate or accidental compromise (see box).

Supply-chain assurance risks

The first priority for government ICT procurement should be to ensure the security of the supply chain. However, it’s clear that supply-chain assurance can mean different things to different people. Generally, it can be considered under three main themes, which aren’t mutually exclusive:

  • Trust in the supplier company or organisation: Who owns, controls or influences the supplier? For nationally sensitive cases, there may be a preference or mandate for Australian-based capabilities. For example, the Digital Transformation Agency hosting strategy sets standards for data sovereignty and facility ownership, not just when contracts are signed, but throughout the lives of contracts.6
  • Security of the supplier’s IT systems: What controls does the supplier have in its IT systems to protect data received from the government customer or generated as part of delivering the contract? This can become important when suppliers are given access to the customer’s IT systems even for limited purposes. One of the highest profile data breaches—the loss of 70 million credit card details by Target in the US in 2013—occurred through the compromise of the IT systems of one of Target’s refrigeration contractors, which had access to a supplier portal for submitting invoices.
  • Security of the products and services being delivered by the supplier: Assuring the ownership of a company and its internal IT doesn’t necessarily mean that the products and services delivered won’t have security vulnerabilities. That will depend on the supplier’s security design and the assurance applied in their delivery. For example, this is critically important when procuring cloud services—the security of any applications that are run ‘in the cloud’ depends on the security of those individual applications.

The problem is that, in a market economy, the market often doesn’t provide the right incentives to suppliers. No one buys telecommunications services based on security, and how many consumers even think about the security options provided by their internet-connected doorbell? Governments are reluctant to directly intervene in the market, due not only to the cost and complexity of doing so, but also the moral hazard created by taking responsibility for decision-making away from the private sector and creating the perception that government is responsible for any residual risk.

However, government does interact with the private sector through its very significant procurement activities. Its position as a major buyer potentially provides significant market power that could be used to address some of these challenges. In an environment in which resources for cybersecurity are very limited, this could have the advantage of leveraging other existing budgets for ICT procurement. Of course, the priority should be to ensure security for the direct purposes of the procurement, but government also has an opportunity to leverage its market power to provide for broader benefits to the Australian economy and society.

Setting security standards expected from its suppliers may help to lift standards across the board. Companies will be incentivised to lift their standards in order to qualify to do business with the government, and it will often be easier for them to apply those standards across their whole enterprises rather than just for their government contracts. One example from a parallel field is the implementation of quality management systems brought about by government departments mandating ISO 9001 certification for suppliers. That has encouraged companies to implement quality management systems and to have them regularly audited and certified. This has created a vibrant market for auditors and consultants to help with designing and implementing appropriate systems and benefited the companies’ other customers through better quality assurance of their products and services. In the construction industry, the government has gone even further: companies are obliged to comply with the requirements of the Code for the Tendering and Performance of Building Work 2016 across their businesses or risk being barred from bidding for federally funded projects.7

With the right approach, there’s a real opportunity to stimulate innovation and new developments. If government can define the security outcomes required, that can encourage suppliers to compete to develop the most effective and value-for-money approaches to delivery. The most innovative approaches can then provide a market differentiator for the supplier that helps them to build business in the private sector, the export market, or both.

Challenges and barriers

Challenges and barriers to effective ICT supply-chain security include lack of coordination, unclear standards, a fragmented approach to security accreditation, uneven access to the market for suppliers and the need to comply with requirements to provide value for money.

Lack of a coordinated approach

Government procurement of ICT covers a vast range of products and services with different security implications, from commodity hardware for everyday use to highly sensitive specialist defence and national security systems. The Australian Government’s ICT expenditure is also spread across approximately 200 departments and agencies, which typically make their own procurement decisions based on their requirements and priorities. Overall governance is provided by the Department of Finance (for example, through the Commonwealth Procurement Rules8). The Digital Transformation Agency (DTA) has also negotiated government-wide contracts with key global suppliers,9 although departments and agencies are not compelled to use those suppliers. This fragmentation hinders efforts to use the combined market power of government procurement. In seeking more coordinated approaches, care will be needed to avoid the pitfalls that the DTA has faced in trying to set up government-wide frameworks.

Security standards and requirements

The Commonwealth Procurement Rules mandate the consideration of security risks in procurement, and it appears that the mandate is being applied. A study by IDC of global procurements for IT hardware showed that Australia performs better than many of its peers, and notably was the only country where there were no examples of ICT hardware procurements that didn’t specify any security requirements.10 Analysis for this report (see box) supports that conclusion but also shows that suppliers need to be ready to comply with a broad range of requirements. It also shows room for improvement for tenders that aren’t for direct ICT procurement but may have a key dependency on the security of suppliers’ systems to protect sensitive data.

Those working on defence projects often face the most significant risks and sophisticated threats, so for many years the Defence Industry Security Program has been in place to provide assurance of defence suppliers. The program has recently been overhauled to address the market barriers that it created and to implement options for different levels of assurance for different aspects of security, such as personnel, facilities and ICT, appropriate to the nature and sensitivity of the work.

Outside of Defence, requirements are generally more ‘light touch’, reflecting the different level and nature of risk, but are also much more fragmented and complex. From our analysis the standards that vendors may be asked to comply with, or at least be aware of, include the following:

  • The Protective Security Policy Framework (PSPF),11 issued by the Attorney-General’s Department, articulates government protective security policy, covering not just information security but also governance, personnel and physical security. This is quite high level, articulating five principles and 16 requirements to achieve the desired outcomes.
  • The Information security manual (ISM),12 issued by the ACSC, is a detailed cybersecurity framework for IT and security professionals. It consists of more than 180 pages and includes hundreds of controls tailored for different levels of government classified material, from ‘OFFICIAL’ to ‘TOP SECRET’.
  • Other guidance from the ACSC includes the Essential Eight Maturity Model,13 which is intended to provide a more manageable list of the top 8 recommended measures that can be implemented to improve cybersecurity, which are themselves a subset of 38 proposed strategies.14
  • ISO 27001 is an international standard for an information security management system (rather than specific controls).15
  • PCI-DSS is a specific set of standards for the secure storage and processing of payment card information.16

Review of government tender documents 

On one day in February 2020, 126 open approaches to the market were published and available on the Australian Government’s AusTender website.17 Of those, 18 were for the procurement of ICT products and services. All of them had some mention of security in the requirements, but the level of detail and approach differed:

  • Two didn’t specifically mention the PSPF or the ISM, and included vague, very high-level statements; one referred to no security requirements other than personnel screening.
  • Twelve specified the ISM and, in most cases, the PSPF. They were supplemented by additional requirements generally appropriate for the nature of the project. However, confusingly, sometimes specific ISM requirements were also called out as separate requirements. Of those 12, four included specific requirements for suppliers to ensure the security of their own supply chains; six were Defence projects referencing specific Defence security frameworks and requirements.

Other standards mentioned included other Australian Signals Directorate (ASD) guidance such as Strategies to mitigate cyber security incidents, ASD cryptographic evaluation, NIST–801 and ISO 27001. There were also a number of general statements about the required level of security, which varied from ‘reasonable efforts’ to mandated use of the ‘best available security’. There was inconsistency within individual tenders; for example, in one case requirements for security patching were mentioned in six different places, but the required timescales were variously described as ‘48 hours’ or ‘as required’ or weren’t specified.

Many of the other open approaches to market that were not directly ICT related still appeared likely to involve sensitive data being handed over to the successful contractor to allow it to deliver the required outcomes. Four were selected for review based on the likelihood that they involved the most sensitive data (financial data, personnel data for training, personal details of customers and health data). Of those, one had no security requirements, one mentioned only the need for personnel security screening, one mentioned a general need for compliance with the PSPF and awareness of the ISM, and one required compliance with a number of other standards, including PCI-DSS.

While these standards often have the same objectives, they take different approaches; for example, in whether they specify governance approaches, technical controls or expected security outcomes. It’s expensive and time-consuming for suppliers to go through a different process for each tender to prove compliance. A more efficient approach that would improve market dynamics would be to shift to a smaller, simplified set of standards. The DTA has tried to bring some standardisation into digital service delivery by government but has made limited forays into security.18 However, that may be appropriate, given DTA’s procurement focus; cybersecurity requirements should be specified by the appropriate experts and supported by procurement processes, not vice versa.

Furthermore, to be effective, the practical implementation challenges should be considered when choosing appropriate standards. In an attempt to find quick solutions from a buyer’s point of view, it appears that standards may be being recycled in different contexts. For example, many of the strategies recommended by ASD were originally formulated as recommendations for government departments and agencies. Although they’ve subsequently been broadened and recommended to businesses, too, applying them in a small business that doesn’t have the governance, policy and processes of a public-sector organisation can be very difficult. The Defence Industry Security Program requires even its smallest suppliers to comply with all of the ‘top 4’ controls, yet Australian National Audit Office reports regularly show that even many government departments can’t meet that threshold.19 ASD does provide specific guidance for small businesses,20 although we haven’t seen that guidance mentioned in the context of requirements for a government procurement.

There will be a need for experts who understand the practical implementation of the standards, both in the organisation that’s procuring the services and in the supplier that’s seeking to comply with the standards. Without that advice, expecting suppliers to simply follow the standards is unlikely to achieve the required security outcomes.

Security assurance of products and services procured

While assurance of suppliers and their IT systems is important, especially where sensitive data is being handed over to suppliers, the above standards still don’t really provide assurance when purchasing a product or service that it will be secure. This can be addressed by including specific requirements in the contract, but that doesn’t address the problem of verifying compliance. For more basic systems, it may be straightforward to verify configurations, safeguards, features and so on, but that’s more difficult for complex solutions, including software applications and cloud services. What about cybersecurity products themselves—how can buyers be assured that they behave as claimed and will have the desired security impact?

ASD has for the past few years awarded certification to some cloud services providers for processing data at ‘UNCLASSIFIED-DLM’ and ‘PROTECTED’ levels.21 This was a positive initiative by the appropriate technical experts in government to inject cybersecurity checks into the supply chain, and it has undoubtedly helped the take-up of cloud services by government departments by providing a ‘stamp of approval’. However, as it expanded beyond the initial focus on ‘infrastructure as a service’ into more complex cloud services such as ‘platform and software as a service’, demand seems to have exceeded the resources that ASD can provide, and it’s recently been confirmed that the scheme is being wound down.22 The announcement from ASD suggests that this will improve opportunities for local Australian businesses by removing a potential barrier. While the current list includes major multinational hyperscale cloud companies, we understand that some smaller providers have been waiting several years to go through this process, and the list hasn’t been updated for over a year. However, pushing the onus onto individual agencies and departments to make their own individual assessments runs the risk of fragmentation.

ASD also runs the Australasian Information Security Evaluation Program (AISEP), which certifies products in order to protect systems and information against cyber threats and lists them on the Certified Products List. This scheme uses an internationally recognised standard, the Common Criteria,23 with different levels of assurance based on impact, and ASD is also committed to the development of collaborative ‘protection profiles’ to further broaden the applicability of this scheme.

Product vendors must fund their own evaluations, which are carried out by an independent accredited test facility, and ASD oversees the process. However, where cryptographic evaluation is required, that’s done internally by ASD, and this can act as a bottleneck in the process due to a shortage of ASD resources. Given the importance of sovereign assurance of this aspect, additional resources should be found, potentially through engaging an external partner if one isn’t available internally.

Access to market

Cybersecurity is emerging as one of Australia’s most promising growth opportunities and has produced a number of vibrant companies and innovative ideas.24 Those companies need to connect with initial customers to validate their capabilities and provide a credible customer reference for broader sales efforts. Government contracts could be a good opportunity to do that and are potentially even better than grant funding, but it’s difficult for smaller companies, especially new entrants, to gain visibility and access to market opportunities. Many procurements are made through inflexible panel arrangements, forcing procurement to be routed through a handful of suppliers, and panel refreshes take place seldom, if at all, during a 3–5 year time frame. Procurement initiatives to reduce numbers of vendors and the bundling of projects as large integrated work packages are also factors that limit the ability of smaller players to directly tender for work. This means that small businesses may need to sell through a major prime, giving up 15–20% of revenue, which might be the difference between profitable and unprofitable work.

Even if they do get access to respond directly to requests for quotes, smaller companies may struggle to get brand recognition, while decision-makers prefer recognised brand names. Of course, to some extent this is in recognition of the fact that large multinationals can invest heavily in security, but it’s notable that many security companies that receive large venture capital investments seem to spend much of them on marketing, such as airport display advertising. There needs to be an even playing field to allow government buyers to assess and compare the security of the products and services being offered by companies of different types and sizes, by assessing against common standards and avoiding ratings based just on perceived brand reputation.

The value-for-money challenge

The Commonwealth Procurement Rules mandate value for money, but it’s currently difficult, if not impossible, to put a value on security. Agencies can stipulate minimum mandatory security requirements, but that doesn’t allow suppliers to differentiate themselves—customers and suppliers said that their expectation was that normally the winner would be the lowest cost solution that meets the minimum standards. Of course, for the most sensitive projects there may be more weighting on the security assessment, but that appears to be the exception rather than the rule. If providers believe they have differentiating security capabilities, their only realistic route is to lobby buyers before tender documents are drafted to get their preferred requirements included in the specification (once again, something that’s easier for larger established companies to do).

A better alternative would be a mechanism that mandates that security should always be explicitly included in the evaluation. One suggested option has been to explicitly include security as a ‘fourth pillar’ in evaluating proposals, alongside cost, quality and timescales, although this then leaves subjectivity about how to measure security and weight it against the other criteria. A better approach would be an effective pricing mechanism, reflecting the fact that better security should equate to lower financial risk. We understand that governments have been looking at how to value cybersecurity risk and found it challenging, so little progress has been made on this to date.

Of course, there’s a well-established market that provides a mechanism for consolidating data, sharing risk and best practice, helping organisations to manage and reduce risk, and putting a price on the residual risk—the insurance industry. However, the market for cybersecurity insurance, particularly in Australia, is currently poorly developed.25 Major players are still working out how traditional insurance concepts work in a cyber world where there are different threats (from petty criminals to nation states), attribution is difficult and collateral impacts can be significant. One example is the case of Mondelez v. Zurich Insurance, in which the insurer refused to pay out for the costs of a major cyberattack attributed to nation-state conflict, citing ‘act of war’ exemption clauses.26 There could be concerns that having insurance cover might make companies more complacent about security, and even make them more attractive targets for attackers if it’s known that they’re covered to pay out ransoms to recover encrypted data.

Recommendations for improvement

We recommend specific actions in the areas of assurance standards; testing and certification; cyber insurance; building sovereign capability; and securing government data.

Supplier assurance standards

There’s a need for a single set of standards for the assessment of supplier security to be used across government procurement. Further work is needed to define exactly what this should be, but the key characteristics should include the following:

  • Cover more than just technical IT controls by also including trust in the owners and employees of the supplier and a physical security component. The Defence Industry Security Program provides a good model for this, although required controls should be tailored to the level of risk.
  • Go beyond a single pass/fail level by providing a number of graduated levels. This will allow buyers to tailor the minimum level they require based on the nature of the project, but also gives suppliers a chance to show how they may exceed the minimum level, which may be considered an advantage in the evaluation process.
  • Encourage independent certification to build credibility, combined with efforts to build the pool of available assessors, for example through ASD accrediting assessors and ongoing quality control through reviews of randomised samples of work.
  • Ensure that, at the lower levels, it will be feasible for a large number of suppliers to be accredited in a short period of time. This will require ensuring that the criteria (for example, the existence of specific IT controls) can be readily evaluated.
  • Ensure that, at the higher levels, the assurance criteria are based more on risk and outcomes, encouraging suppliers to take a mature approach and to put in place continuous ongoing improvement plans.

Where possible, we should aim to learn from and leverage the experience of other countries. While the Australian market and customers may have some specialised requirements, it should be carefully considered whether those requirements are worth the costs of diverging from a standard used by another major country. Apart from the direct costs and benefits of reusing something that works for one of our allies, export opportunities will be improved if local companies that are getting certified for the local market automatically have a certification recognised overseas.

One example to consider is the UK Cyber Essentials Scheme.27 At the basic level, the scheme involves five basic controls that can be readily verified, and there’s an enhanced ‘Plus’ level that also includes an independent security test of the company’s systems. The UK Government has recently partnered with a commercial organisation to run the scheme and is reviewing the need for additional levels above and/or below those two levels.28

The US is getting ready to roll out CMMC (cybersecurity maturity model certification).29 Although CMMC is specifically defence focused, it is aimed at ‘controlled unclassified data’, which can be a common requirement across all of government. It combines recommended practices from existing US federal procurement regulations, international standards and even ASD’s ‘Essential Eight’, providing a graduated scale from level 1 with 17 specified practices through to level 5 with 10 times that number.

It includes a requirement for independent certification even at the lowest level and is designed to scale across the whole US defence supplier base (more than 300,000 companies) using a phased transition plan. Guidance material is still being developed, but it generally mandates outcomes rather than specific technical controls, so vendors may need technical advice to implement it effectively. 

Testing and certification processes

As noted above, assuring the security of a supplier and its systems is important, and that may be a sufficient safeguard when the potential risks concern sensitive data being handed over for processing or use by the supplier. However, where an IT product or service is being procured, supplier assurance in itself does not mean that the product or service is secure.

For hardware, particularly commodity hardware, customers may trust the vendor to do product assurance. This would require confirmation of the vendor’s processes for assuring its own supply chains. For example, how does the supplier ensure the traceability of components and products, verify chains of custody, and track any discovered vulnerabilities back to their point of origin? If there’s concern over specific products having targeted backdoors for a given customer, the customer could insist on choosing the items themselves from general stock in a warehouse. As an additional safeguard against any interference in transit, delivery systems could have their entire software (including firmware, BIOS etc.) rebuilt from verified images provided by the manufacturer. Some government departments have well-established procedures for this, which could be shared across other departments and agencies to build capability and scale.

These approaches can work for ‘commodity’ hardware (products that are manufactured and sold in significant quantities globally) and where the manufacturer is trusted. A different approach is needed for more specialised systems, smaller or untrusted vendors, and particularly software, which is inherently more complex and susceptible to security vulnerabilities. Assurance may be from a combination of design assurance and testing of the delivered product.

ASD has run schemes to centrally evaluate and test commercial products and services, such as the Certified Cloud Services List (CCSL) and Certified Products List. However, those schemes have suffered from resource constraints, particularly the CCSL, which hasn’t been updated for over a year. This has left government customers with the option of accepting self-certification from the vendor, with all the obvious risks and uncertainty that entails, or carrying out their own testing, which is likely to lead to, at best, duplication of effort among departments but more likely to the risk of inconsistent standards and potential failings due to the lack of specialist skills in each agency. A quick win would be to set up some sort of centralised library of evaluations carried out by individual departments, so that another department looking to use the same product could see and potentially reuse work already done.

Of course, care would be needed to ensure that a prior evaluation isn’t reused without considering the relevance of the context. It would also be preferable if there were some independent oversight or review, such as by the ACSC, to apply a common standard across agencies to ensure that vendors can’t ‘game’ the system by shopping around for the most favourable evaluation. This potential risk may be exacerbated by the recent decision for the ACSC to no longer maintain a list of certified cloud services and thus put the onus on individual departments. That announcement also suggested unspecified enhancements and uplift of the Information Security Registered Assessors Program. This could usefully include the suggestion that ASD accredits the certifiers and also provides some ongoing quality control through regular checking of a sample of the work undertaken.

However, ultimately, there needs to be an independent test and evaluation facility. If the ACSC doesn’t have the resources or capabilities to run such a facility, it could seek a partner to implement it and provide some specialist staff to support and accredit the processes being used. AustCyber has proposed a ‘sandbox’ that could be used for general proving of capabilities to potential government clients.30 Such a facility needs to be funded by the companies that are using it in order to ensure that it’s appropriately resourced and used when it can add value. It’s recognised that this could become a barrier to entry for small and medium-sized enterprises, but existing mechanisms (such as AustCyber’s role in identifying companies with commercially viable propositions and in providing targeted grants) could address that problem.

The ACSC has announced plans to establish consultative forums with industry, the first of which focuses on cloud security.31 The broader requirements for security testing and evaluation would be a suggested topic for a subsequent forum. However, it’s recommended that there be greater transparency about how industry representatives can be nominated and are selected—the announcement seems to suggest that the ACSC will select and invite representatives as it sees fit. When the Department of Home Affairs announced the establishment of an industry advisory panel for the 2020 Cyber Security Strategy, consisting of current or past executives of leading telecoms companies plus a representative of a US defence prime,32 that appeared to lack diversity and, in particular, to exclude any representation of small and medium-sized businesses.

Mandatory cybersecurity insurance for suppliers

For all government procurements of IT products and services, suppliers should be mandated to have appropriate cybersecurity insurance cover, thereby ensuring that there’s a price signal for risk. We’ve noted the problem that current mechanisms don’t provide an incentive to spend more on better security. In other spheres, we see that insurance provides this incentive—those that behave in less risky ways and take steps to mitigate their risk are rewarded with lower premiums. For example, household insurers typically offer discounts for houses that are normally occupied during the day and have good locks and monitored alarm systems.

This would be similar to existing obligations for public liability insurance and in some cases professional indemnity insurance that are commonly found in government tender requirements. Insurance should cover incident response, resilience resources and third-party breach liability. Government customers often insert such obligations in contractual clauses, but this would provide assurance that the company can have access to the right people and has the financial resources to meet these commitments, irrespective of the size and nature of the business—thereby removing an implicit preference for larger established brands.

It’s recognised that at present a number of factors are holding back the creation of an effective, functioning cybersecurity insurance market. Mandatory insurance would be a major factor in maturing the market, by ensuring sufficient demand to create economies of scale and building the overall volume of data that can be used for effective underwriting.

However, the market will require transitional support to manage the initial impact. Ideally, this move could be coordinated with Australia’s allies to build global scale and critical mass, but it’s unlikely to be practicable to achieve consensus without wasting the opportunity. If Australia is a global ‘first mover’ to make such a change, we’ll need to ensure that this provides opportunities for local insurers while insulating local suppliers from any initial systemic shocks. Other countries will seek to learn from our experience, and we need to ensure that there’s flexibility to also adapt in order to learn these lessons. The supplier assurance scheme, with graduated levels of assessment, should be designed to also meet the needs of insurers to help them with assessing risk. Appropriate risk-weighted premiums will be vital to ensure that insurance doesn’t effectively encourage risky behaviour or a false sense of comfort. The government may also need to regulate or even set up its own insurer to ensure that all companies have access to affordable cover in the short term. There’s a precedent for this: the government established Medibank to keep the private health insurance providers honest, and when the market was working well was then able to privatise the company.

In the longer term, there may still be a need for the government to be a last-resort reinsurer for major nation-state attacks, in a role analogous to its role in terrorism incident reinsurance.

Building sovereign capability

We’ve seen that cybersecurity represents a great economic opportunity for Australian industry, and that supplier trust is important. This means that, especially for the most sensitive applications, the development of sovereign industry capability should be encouraged. The government should establish a sovereign capability framework, identifying which technologies it’s strategically important to develop locally, and using that to guide more targeted mandated procurement and investment. An openly published framework would also help industry to prioritise its research and development to deliver in those areas. This would be analogous to the approach currently underway for the defence industry capability. This approach would effectively modify current procurement rules to allow government buyers to make decisions to prefer local suppliers where there’s a compelling need for a sovereign capability.

The US has for many years gone much further under the Buy American Act, which mandates government to prefer local suppliers in all cases unless the price premium is more than 25%. Applying such a blunt approach in Australia would make government spending less efficient and risk conflicting with international trade agreements. However, at the very least, the government should ensure that there’s a level playing field on which local companies of all sizes are able to have access to the market on an equal basis with global multinationals. There are arguments for a more measured ‘Buy Australian’ approach (for example, a target of, say, 5% of the IT spend on Australian companies) to be considered as a further step if sovereign capability development is slow to take off. This could act as a strong signal to those making procurement decisions about the importance of considering local suppliers.

Securing government data

Where sensitive government data is provided to suppliers, assurance that the confidentiality and integrity of that data will be protected is needed. There are numerous examples of breaches, such as fighter aircraft plans being stolen from a small defence contractor’s network.33 Also, even if no information is passed to the contractor, the data that the contractor generates and delivers (for example, detailed blueprints for designs that it produces under the contract) may be sensitive.

While there’s a well-developed framework of security requirements for classified material, there can be significant risks involving unclassified but sensitive material that’s generally less well protected.34

We also see small businesses struggling to implement security on their IT systems to meet the requirements of the ISM with their limited budgets. While significant improvements can be made by improved basic cyber hygiene, for situations in which more sensitive data that may be of interest (for example, to nation-state attackers) is being processed, it’s difficult to implement advanced monitoring and the required defence in depth.

To address this, the government should establish a secure cloud-based environment that contractors can use for projects under contract to the government. This would allow companies to process, use and generate data using suitable technologies to assure separation from the host systems of the supplier. The environment would need to be fully functioning and have the range of ‘infrastructure as a service’ and ‘platform as a service’ offerings that companies would need. In order to avoid the overheads, and the moral hazard, of a government department trying to set up and run the assured environment, a better approach would be to license a small number of cloud vendors to provide it and to mandate suppliers to use one of those licensed services.

This approach should not only provide better assurance of data privacy and integrity but, by reducing the overheads of individual businesses implementing their own controls, should reduce the costs effectively charged by suppliers to government for compliance.

Conclusions

As the Australian Government looks to refresh its cybersecurity strategy in 2020, while end-user awareness and education will be important, the onus needs to be on the government and the private sector to uplift security across the board and make the lives of adversaries in cyberspace more difficult.

Government has limited human and financial resources and so needs to use them as effectively as possible. The significant overall ICT procurement spend by government represents an opportunity to do so, but is currently hampered by a fragmented approach, differing standards and regulations, and procurement approaches that don’t facilitate value being attached to innovative security approaches and sovereign capability.

Our main policy recommendations to address these challenges are as follows:

  • The Australian Government, working with the state and territory governments, should include in government procurement strategies consideration of how governments can use their market power to encourage better cybersecurity in what they purchase, and use that approach to encourage suppliers to improve the security of their offerings in all customer sectors.
  • Simplify the current array of supplier standards to a single set that provides multiple levels that can be used for different risk levels and also allow suppliers to demonstrate progress and enhanced levels of security.
  • Address gaps in the market for independent testing and certification, allowing buyers to be confident about the security of products and services and companies to be able to demonstrate and prove innovative approaches.
  • Follow up the recent announcements on the future of the CCSL and Information Security Registered Assessors Program by establishing a framework to standardise and assure the quality of work of independent assessors to provide a viable alternative, and ensure that industry consultations on future requirements are fully inclusive.
  • Ensure that risks to security are effectively factored into supplier quotes by investigating how a mandatory insurance regime could operate.
  • Develop and implement a sovereign capability strategy to ensure market opportunities for Australian companies of all types and sizes in order to build local capability in the most sensitive areas and to exploit the global economic opportunity that the cybersecurity market provides for local industry.
  • Use shared services approaches to ensure that consistent best practice is applied for the secure handling of sensitive data by government suppliers, without duplication of cost and effort.

Appendix: Detailed review of tender documents

Please download the report PDF to access the Appendix. 

Launch video

Minister for Industry, Science and Technology, the Hon Karen Andrews MP joins this ASPI webinar to provide a keynote address for the launch of the International Cyber Policy Centre’s report ‘Working smarter, not harder’.

The keynote is followed by a panel discussion and Q&A with report author and ASPI Fellow Rajiv Shah; CEO for AustCyber, Michelle Price; and Managing Director & Co-Founder, Macquarie Government, Aidan Tudehope. It is moderated by the Director of ASPI’s International Cyber Policy Centre, Fergus Hanson.


Acknowledgements

The author would like to acknowledge the support of several Australian Government departments that were consulted for this study, in particular the Department of Human Services, along with other industry stakeholders who took time to share their experiences and perspectives. ASPI’s International Cyber Policy Centre receives funding from a variety of sources including sponsorship, research and project support from across governments, industry and civil society. ASPI would like to acknowledge Macquarie Government for supporting this research project.

What is ASPI?

The Australian Strategic Policy Institute was formed in 2001 as an independent, non‑partisan think tank. Its core aim is to provide the Australian Government with fresh ideas on Australia’s defence, security and strategic policy choices. ASPI is responsible for informing the public on a range of strategic issues, generating new thinking for government and harnessing strategic thinking internationally. ASPI’s sources of funding are identified in our Annual Report, online at www.aspi.org.au and in the acknowledgements section of individual publications. ASPI remains independent in the content of the research and in all editorial judgements.

ASPI International Cyber Policy Centre

ASPI’s International Cyber Policy Centre (ICPC) is a leading voice in global debates on cyber and emerging technologies and their impact on broader strategic policy. The ICPC informs public debate and supports sound public policy by producing original empirical research, bringing together researchers with diverse expertise. To develop capability in Australia and our region, the ICPC has a capacity-building team that conducts workshops, training programs and large-scale exercises in Australia and overseas for both the public and private sectors. The ICPC enriches the national debate on cyber and strategic policy by running an international visits program that brings leading experts to Australia.

Important disclaimer

This publication is designed to provide accurate and authoritative information in relation to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering any form of professional or other advice or services. No person should rely on the contents of this publication without first obtaining advice from a qualified professional.

© The Australian Strategic Policy Institute Limited 2020

This publication is subject to copyright. Except as permitted under the Copyright Act 1968, no part of it may in any form or by any means (electronic, mechanical, microcopying, photocopying, recording or otherwise) be reproduced, stored in a retrieval system or transmitted without prior written permission. Enquiries should be addressed to the publishers. Notwithstanding the above, educational institutions (including schools, independent colleges, universities and TAFEs) are granted permission to make copies of copyrighted works strictly for educational purposes without explicit permission from ASPI and free of charge.

First published August 2020

Cover image: Illustration by Wes Mountain. ASPI ICPC and Wes Mountain allow this image to be republished under the Creative Commons License Attribution-Share Alike. Users of the image should use the following sentence for image attribution: ‘Illustration by Wes Mountain, commissioned by the Australian Strategic Policy Institute’s International Cyber Policy Centre.’

Funding for this report was provided by Macquarie Government.

  1. Rob van der Meulen, ‘Gartner says 8.4 billion connected “things” will be in use in 2017, up 31 percent from 2016’, Gartner, 7 February 2017, online.
  2. Australian Signals Directorate (ASD), Annual report 2018–19, Australian Government, 2019, online.
  3. ASD, Australian Cyber Security Centre (ACSC), Cybercrime in Australia: July to September 2019, Australian Government, no date, online.
  4. Henry Belot, ‘Federal government’s $10b IT bill now rivalling Newstart Allowance welfare spend’, ABC News, 28 August 2017, online.
  5. Justin Hendry, ‘NSW govt IT spending tops $3bn’, ITNews, 1 August 2018, online.

Clean pipes: Should ISPs provide a more secure internet?

Introduction

One of the largest online challenges facing Australia is to provide effective cybersecurity to the majority of internet users who don’t have the skills or resources to defend themselves.

This paper explores the concept of ‘Clean Pipes’, which is the idea that internet service providers (ISPs) could provide security services to their customers to deliver a level of default security.

The Australian Government looks to be implementing a version of Clean Pipes: on 30 June 2020 the Prime Minister announced a funding commitment to ‘prevent malicious cyber activity from ever reaching millions of Australians across the country by blocking known malicious websites and computer viruses at speed’.1

This paper examines arguments for Clean Pipes and possible implementation roadblocks.

Background

Australia’s 2016 Cyber Security Strategy recognised the opportunities and risks that come with cyberspace and committed to ‘enabling growth, innovation and prosperity for all Australians through strong cyber security’.2

Despite that strategy, however, the online security environment has continued to deteriorate.

There have already been several significant and newsworthy attacks3 so far this year:

  • Toll Group was affected by ransomware in both February and May.4
  • BlueScope Steel’s operations were affected by ransomware in May.5
  • MyBudget, a money management company, had outages caused by ransomware in May.6
  • Lion Australia, a beverage giant, was crippled by ransomware in June.7

However, most attacks aren’t publicly reported, so these incidents are undoubtedly just the tip of the iceberg.

A 2018 estimate that included broader direct costs calculated the potential loss to the Australian economy at $29 billion per year.8

During the Covid-19 crisis, there’s also been significant domestic and international concern about the vulnerability of critical infrastructure such as hospitals and the health sector to cyberattacks. Interpol warned that cybercriminals were targeting critical healthcare institutions with ransomware, and the Cyber Peace Institute issued a call for all governments to ‘work together now to stop cyberattacks on the healthcare sector’.9

This also rose to the highest levels of international diplomacy—the Department of Foreign Affairs and the Australian Cyber Security Centre (ACSC) issued a joint statement on ‘unacceptable malicious cyber activity’, and US Secretary of State Mike Pompeo warned of consequences for malicious cyber activity affecting hospitals and healthcare systems.10

This high-level diplomatic concern emphasises not only that cybersecurity is critically important, but that our current approaches to protecting Australia have failed to adequately protect all of our critical infrastructure.

The Problem

Providing resilient cybersecurity isn’t an inherently intractable task—for those who have the necessary skills and resources.

Individual organisations can and do make significant improvements in their cybersecurity posture when they’re motivated to prioritise security and invest the resources required, but when cybersecurity is viewed as an economy-wide challenge, there are significant sectors of the economy that do not, and probably never will, have the ability to successfully defend themselves.

Unfortunately, the motivation, capability and resources to provide robust cybersecurity are not aligned within the Australian internet ecosystem. Currently, too few businesses in Australia are both motivated to provide for their own security and capable of doing so.

These are businesses that understand the risk to their operations that arises from failing to address security. Their business model demands that this risk be addressed, and, accordingly, they’ll pay to mitigate it. Some parts of the Australian business community could provide for their own cybersecurity but don’t give the task sufficient priority. Government should employ strategies that encourage them to invest in their own security. However, the bulk of Australian people and businesses fall into a third category: they would like to defend themselves online but don’t have the expertise or the resources to do so.

Large parts of the Australian economy and community can’t protect themselves online because they don’t have the skills or resources to do so.

Criminals, meanwhile, are agnostic about their targets and will attack whoever it is profitable to attack. As weaknesses in security in one area of the economy get shored up, other avenues are explored. If the top end of town is too tough, criminals will ransack those with relatively poor security—individuals and small and medium-sized enterprises.

They also take a ‘belt and braces’ approach to extracting money from their victims. In the May 2020 Toll Group ransomware attack, for example, the criminals first attempted to extract money with ‘traditional’ ransomware—encrypting IT systems to disrupt operations. When Toll refused to pay the ransom, the criminals changed to the exact opposite tactic and threatened to publicly release corporate data unless they were paid.11

Given that malicious actors seek out weakness and vulnerability wherever it exists in the economy, and that some parts of the economy will never have the sophistication and ability to protect themselves, we need to develop initiatives that provide ‘default security’ and bring resources and skills to those who don’t have them—who are generally small and medium-sized enterprises and consumers.

There are already initiatives that bring default security to groups that don’t have the skills or resources to protect themselves. 

They occur at different ‘layers’ of the architecture of the internet: at the hardware level, in operating systems, in some of the services that underpin the operation of the internet, and in the software applications that people use to access the internet (see Table 1).

Table 1: Current default security protections occur at different layers

At the most fundamental level, chip manufacturers have invested in the development of more secure computing architectures.12

Building upon those hardware improvements, operating system manufacturers have also baked default security into their products. This includes features such as automatic updates that make it easier to patch vulnerabilities, built-in anti-malware features such as Windows Defender and architectural features that make it more difficult for hackers to seize control, such as address space layout randomisation and data execution prevention.13

At the internet services layer, a number of Domain Name System (DNS; the system that converts human-readable internet addresses into internet protocol addresses) providers also include default security protection: Quad9, OpenDNS,14 Comodo Secure DNS15 and CleanBrowsing,16 among others. For example, Quad9 states in its FAQ that it ‘uses threat intelligence from a variety of public and private sources and blocks access to those malicious domains when your system attempts to contact them’.17

Google’s Safebrowsing18 and Microsoft’s SmartScreen,19 for example, are web-scanning, anti-phishing and anti-malware systems built into their respective browsers and operating systems to prevent users from visiting potentially dangerous web pages. As users browse the web, the pages they visit are compared to a list of ‘known-bad sites’ that have been confirmed to be hosting phishing or malware. If a user tries to visit one of those sites, instead of taking them directly there the user is shown a warning. These protections are imperfect, as the user can ignore the warning and click through to the site, and criminals and hackers are constantly trying new techniques to evade them, but they have very broad reach. Safebrowsing is used in Google’s Chrome, Mozilla’s Firefox and Apple’s Safari browsers, and together with SmartScreen in Microsoft Edge these systems protect billions of users by default. Google’s Transparency report statistics show that the Safebrowsing system issued in the order of 5–10 million warnings per week so far this year up to late May 2020.20

These security improvements have occurred at different ‘layers’ of the internet—in browsers, in operating systems and in the underlying plumbing of the internet. They are also ‘high-leverage’ initiatives, in that these investments can improve security for millions to billions of internet users.

There have been improvements in default security in some aspects of online security over the past two decades, but there’s still a very long tail of vulnerability that we must cope with for the foreseeable future. Additionally, other developments threaten to undermine those improvements. The proliferation of the ‘internet of things’ (IoT)—internet-connected but poorly secured and increasingly ubiquitous consumer devices—threatens to introduce a large vector of insecurity that could drastically affect overall cybersecurity.21

Given the success of previous default-security initiatives, what other initiatives could have a widespread positive impact on the cybersecurity of millions of users?

Clean Pipes

One proposal that could help provide advanced capabilities to internet users is that ISPs be required or encouraged to perform ‘due diligence’ to protect their users from malicious traffic. This concept has been called ‘Clean Pipes’, drawing an analogy to water utilities providing clean drinking water.

Clean Pipes could involve ISPs using a variety of technologies to provide default security to their clients. At the conceptual level, this would involve:

  1. positively identifying threats, which could be, for example
    • internet locations that host malware or phishing
    • malware command and control
    • bogus traffic that can be used in attacks that try to overwhelm a service
    • ‘spoofed’ traffic that claims to originate from somewhere it doesn’t
  2. having some capability to proactively protect from different threats, such as
    • blocking and warning users who are attempting to navigate to dangerous locations, such as ones that host malware or phishing
    • removing bogus or spoofed traffic
  3. being able to adjust this blacklist dynamically and alter it through customer feedback if a location is inadvertently blacklisted.

These kinds of capabilities are already deployed around the world, in corporate networks, by British Telecom22 and recently by Telstra.
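
The three conceptual steps above can be made concrete for one case, blocking known-bad domains at an ISP's DNS resolver. The Python below is an added example, not code from this paper or from any ISP; the class and method names, the feed format, the sinkhole address and the `.test`/`.example` domains are all constructed assumptions, and the per-customer opt-out reflects the option the paper raises under 'The Advantages'.

```python
from dataclasses import dataclass, field

# Constructed values: 192.0.2.1 is a documentation address (RFC 5737) standing
# in for the host that serves the ISP's warning page.
SINKHOLE_IP = "192.0.2.1"
DEFAULT_TTL = 24 * 3600  # seconds a feed entry stays valid without renewal


@dataclass
class Entry:
    category: str   # e.g. "phishing", "malware-c2"
    source: str     # feed that listed the domain
    expires: float  # epoch seconds; stale intelligence ages out


@dataclass
class CleanPipesFilter:
    blocklist: dict = field(default_factory=dict)   # domain -> Entry
    allowlist: set = field(default_factory=set)     # confirmed false positives
    opted_out: set = field(default_factory=set)     # customers declining filtering
    pending_reviews: list = field(default_factory=list)

    @staticmethod
    def normalise(name):
        # DNS names are case-insensitive and may carry a trailing root dot.
        return name.strip().rstrip(".").lower()

    def ingest(self, source, rows, now, ttl=DEFAULT_TTL):
        """Step 1: load (domain, category) pairs from a threat feed."""
        for domain, category in rows:
            self.blocklist[self.normalise(domain)] = Entry(category, source, now + ttl)

    @staticmethod
    def _candidates(qname):
        # "a.b.example.test" -> itself, "b.example.test", "example.test".
        # The bare top-level label is never a candidate, so one bad feed row
        # cannot block an entire TLD.
        labels = qname.split(".")
        for i in range(len(labels) - 1):
            yield ".".join(labels[i:])

    def decide(self, customer, qname, now):
        """Step 2: return (action, category, answer) for one DNS query."""
        if customer in self.opted_out:
            return ("resolve", None, None)
        for cand in self._candidates(self.normalise(qname)):
            # Most specific name wins; a reviewed allowlist entry beats the feed.
            if cand in self.allowlist:
                return ("resolve", None, None)
            entry = self.blocklist.get(cand)
            if entry is not None and entry.expires > now:
                return ("sinkhole", entry.category, SINKHOLE_IP)
        return ("resolve", None, None)

    def report_false_positive(self, domain):
        """Step 3a: a customer disputes a block; queue it for an analyst."""
        domain = self.normalise(domain)
        if domain in self.blocklist and domain not in self.pending_reviews:
            self.pending_reviews.append(domain)
            return True
        return False

    def review(self, domain, is_false_positive):
        """Step 3b: the analyst's verdict updates the lists immediately."""
        domain = self.normalise(domain)
        if domain in self.pending_reviews:
            self.pending_reviews.remove(domain)
        if is_false_positive:
            self.blocklist.pop(domain, None)
            self.allowlist.add(domain)


def build_demo(now=1_000_000.0):
    # Constructed feed rows using reserved .test / .example names.
    f = CleanPipesFilter()
    f.ingest("feed-a", [("phish.example.test", "phishing"),
                        ("cdn.example.test", "malware"),
                        ("C2.badnet.example.", "malware-c2")], now)
    return f


if __name__ == "__main__":
    now = 1_000_000.0
    f = build_demo(now)
    for q in ("login.phish.example.test", "www.example.test", "c2.badnet.example"):
        print(q, f.decide("cust-1", q, now))
```

Because the allowlist is consulted before the blocklist for each candidate name, a domain cleared by review stays reachable even if a feed lists it again, and entries that no feed renews expire on their own.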

The Advantages

The key advantage of Clean Pipes is that it brings advanced scalable protection to an ISP’s entire customer base, which is particularly important to that majority of customers who don’t have the skills and resources to provide for their own security.

It’s also highly leveraged—although in a well-organised protection system the entire workforce involved in identifying malicious internet sites may be thousands of people, the knowledge they generate can be used to provide protection to potentially millions of ISP customers.

There are other advantages. ISPs also have a unique position in the network and are able to see all of the internet protocols that are being used, not just the very few that are used in web browsing. This means that ISPs can see different indicators of malicious behaviour than can, say, operating systems manufacturers, browser manufacturers, DNS providers, or even the anti-malware systems that work on individual computers. Each of these different vantage points into the internet has a different view and can be used to detect or even interrupt different kinds of activity. Browser-based protection, for example, can warn users of malicious websites but can do nothing to stop malware command and control once a computer is compromised.

Not only do ISPs get different views, they also get to act on those other protocols, blocking or redirecting them if need be. This is already standard practice where ISPs need to protect their networks from activity that could degrade or disrupt the network23 or where there’s already an established mechanism to block illegal content.24 ISPs could protect users from threats that can’t be tackled by the other default security providers previously mentioned.

There’s no legal impediment to ISPs providing some level of protection to their customers (excepting techniques that would be privacy-invading). Telstra has already implemented some customer protection under a Cleaner Pipes initiative and has blocked the ‘command and control communications of botnets and malware and [stopped] the downloading of remote access trojans, backdoors and banking trojans’.25 These initiatives can be written into terms-of-service contracts, although perhaps an ideal position would be to provide users with the ability to opt out if they don’t want default protection. For example, Google Safebrowsing and Microsoft SmartScreen both provide warnings that users are still able to navigate past.

ISPs already operate security operations centres and have security teams to protect their own networks’ integrity, so there are already skills and expertise resident within their organisations, although skill levels can vary significantly between ISPs. Providing default security to customers may require additional investment in resources, but it requires that an existing capability be grown rather than a new one created from scratch.

Additionally, ISP-level protections could be particularly useful in mitigating the risk from poorly secured IoT devices. Those devices can’t take advantage of some of the other default security advances that have taken place over recent years, such as improvements in browsers or operating systems, but they still communicate over the internet and do so in relatively standard ways, such that anomalous behaviour can be detected and at least some malicious behaviour blocked. That is, ISPs providing Clean Pipes could help mitigate one of our potential looming security threats.

Although ISPs providing default security protection has many benefits and could significantly reduce the damage caused by malicious traffic, it isn’t a panacea for all the ills of the internet. As with protections built into operating systems and browsers, malware, phishing and other threats will break through and cause harm to internet users.

ISP-level concerns and blockers

In Australia, ISPs, other than Telstra, don’t provide extensive default security protections to their customers. There are several reasons for this that fall into four categories:

  1. costs and ISP security expectations
  2. capability to detect and act
  3. understanding harms
  4. reputational risk.

Costs and security expectations

Possibly the underlying reason that most ISPs don’t invest significantly in Clean Pipes is that enhanced security costs more money and neither customers nor ISPs expect that an ISP should provide increased levels of default security.

Related to this, ISPs don’t believe that their customers value a more secure service, so there’s no potential profit available to justify a business case to provide these security services; therefore, no resources are allocated.

Additionally, there’s been no legal or regulatory obligation that has pushed ISPs to provide enhanced default security services.

Capability to detect and act

All ISPs have some level of security capability, which they need to protect their own networks. However, providing increased levels of default security to customers requires more extensive and more advanced capability to both detect malign behaviour and to act on it.

All ISP security operations must prioritise self-protection and they might not have additional capacity to detect malicious activity that doesn’t directly threaten their own operations. Without a clear view of malicious activity that affects their customers (or even third parties), ISPs are unable to act on it.

Any individual ISP would be able to identify some threats on its network, but a collaboration with multiple partners provides a more comprehensive and effective picture of both the threats and effective mitigations. Holistically understanding threats requires collaboration with multiple partners in the security ecosystem, including providers of threat intelligence, other industry verticals and competitor ISPs. Each organisation provides a different slice of the view so that the overall picture is far more complete than any individual organisation can develop on its own.

This industry collaboration would require two separate forms of trust:

  • Competitors would have to trust that companies within the same industry would not seek to gain competitive advantage through security collaboration. This is relatively straightforward within the information security community, as competitive advantage is seen to lie outside security, and effective security is generally perceived as a precondition for competition rather than as a basis for it.26
  • Companies need to trust the technical competence of collaborators. This is currently based on reputation and past performance, and there’s no formal process for technical trust to be built or certified.

The two forms of trust affect both the ability and willingness to share reliable information and to act effectively on information received. Discussions with stakeholders have indicated that significant skill and capacity differences exist between the security operations within different ISPs, and that those differences may make it difficult to engage in effective widespread information sharing across Australian ISPs.

Beyond merely detecting malicious activity, ISPs also need to have the ability to act on it. Acting on malicious behaviour requires additional financial investment beyond detecting it, so, even if ISPs see damaging activity, they may have decided that the costs of implementing default security for customers are simply too high. At the ISP level, most customers don’t pay extra for security services, so investment in providing improved security might not be seen as an economically viable return on investment.

Understanding harms

Beyond merely detecting malicious activity is understanding the harm that it causes. What malicious activity that ISPs see on their networks causes the most harm to customers? For activity that damages their own networks, that harm is easy for ISPs to understand, but quantifying damage caused to customers is very difficult.

Understanding the harms to customers could be improved by information sharing about the costs of cybercrime from government mechanisms such as ReportCyber, from NGOs such as IDCARE,[27] or even from other industry verticals that collate information about the most damaging cybercrimes affecting their customer bases.

Some ISPs, particularly smaller ones, might not be able to detect malicious activity and don’t understand the harms it causes their customers. In such cases, ignorance is bliss—once an ISP sees malicious activity and understands that it causes harm to its customers, it faces its own version of the ‘trolley problem’. Do they intervene to protect their customers from dangerous activity on the internet, even though that may come at some financial cost?

Reputational risk

ISPs could also be concerned about the reputational risks involved in attempting to provide default security.

A key reputational concern is that ISPs may inadvertently block legitimate traffic. Although terms and conditions can mitigate legal concerns, ISPs still have to strike a balance between providing enhanced security and the risk that false positives will affect service quality. Importantly, there are harms to customers that occur when ISPs accidentally block non-malicious traffic and when ISPs allow customers to be harmed by malicious traffic. An ideal balance would minimise both harms while preserving online freedom, but this balance is inconsistently applied across different ISPs and is therefore probably suboptimal.

ISPs may also be concerned about the perception that default security requires them to compromise customer privacy. Certainly, government internet initiatives have focused on law enforcement and intelligence requirements, and Australia’s metadata retention laws[28] and the Assistance and Access Act 2018[29] have been controversial.[30] Telstra’s recent announcement regarding Cleaner Pipes, however, hasn’t so far been the subject of any significant level of controversy about privacy. In any case, whether through lack of obligation, understanding, capability or a business case, there’s no broad-based, ISP-led effort to provide default security to Australian internet users.

Government challenges

The challenges facing government mirror those facing ISPs.

The Australian Government hasn’t tried to lead a broader effort to provide default security to Australian internet users through a Clean Pipes initiative involving ISPs. In some sense, it hasn’t accepted that leading this kind of initiative is its job. In the absence of an industry consensus that ISPs should be providing some level of default security, the absence of government leadership or direction probably means that this status quo will continue.

A significant concern may be the controversies over privacy, censorship and surveillance that have accompanied previous internet initiatives, such as an internet filter proposed in 2012[31] and the previously mentioned metadata retention legislation and Assistance and Access Act. Those former initiatives have been focused on supporting law enforcement or preventing access to harmful content, rather than on providing secure internet access to consumers.

Concerns about privacy, censorship and surveillance could be mitigated by government initiatives having:

  1. a clear focus on threat filtering, with a clear and explicit goal of protecting internet users
  2. government leadership that doesn’t necessarily include government implementation
  3. actions focusing exclusively on cybersecurity threats rather than falling into mission creep and including other online harms (such as child exploitation) that are being tackled through other avenues (such as the e-Safety Commissioner)[32]
  4. transparency about how default security provisions are enacted and what they achieve
  5. a default system with an opt-out for those who don’t want to participate.

The cost of cybercrime isn’t well understood, and that makes it difficult to appropriately allocate resources. One of the most quoted estimates for cybercrime (a Microsoft-commissioned report from Frost and Sullivan) estimated in 2018 that cybercrime could cost Australia $29 billion per year,[33] whereas a 2019 ACSC report estimated $328 million in annual losses.[34]

The ACSC report was based mostly on incidents self-reported to the ReportCyber platform and so is likely to be an underestimate of the cost, but the 100-fold difference between the estimated and measured values shows that the level of uncertainty is high. More comprehensive data would be helpful, and a granular understanding of the cyber threats that are causing the most harm would provide an economic justification for security investments that would be required to mitigate that harm.

Conclusion

This paper has documented some of the arguments for Clean Pipes initiatives in which ISPs deploy their security capabilities to provide default cybersecurity for their customers, and the potential difficulties in implementing such initiatives.

Large portions of the Australian economy and community aren’t capable of effectively providing for their own cybersecurity, and there are significant opportunities for wide-ranging and effective improvements in the security environment for all internet users.

Those approaches would be additional to other broad-based security improvements that have occurred in recent years and could go some way to mitigating the threat from the proliferation of poorly secured IoT devices.

Road Map

Currently, these opportunities aren’t being taken up because the Australian Government has yet to set a clear policy direction and because industry doesn’t see this as a business obligation. Recently announced government funding, including over $35 million to develop a ‘new cyber threat-sharing platform’ and over $12 million towards ‘strategic mitigations and active disruption options’, is an opportunity to change this status quo.[35]

The Australian Government should:

  • clearly articulate its position on ISPs providing default security services in its 2020 Cyber Security Strategy (Home Affairs)
  • raise the baseline of ISP security operational expertise by facilitating technical workshops (funding is available to support technical tools, but skilled cybersecurity personnel are also needed to both provide validated information and to make effective use of threat information) (ACSC)
  • investigate providing incentives to ISPs to implement improved default security (this could include technical training to improve capacity, funding for new capabilities, or even regulation or legislation to encourage adoption) (Home Affairs)
  • convene closed-door consultations with ISPs to discuss how the government could support and encourage the delivery of default security to customers (Home Affairs)
  • require transparency reports in which ISPs report on their efforts to provide safe and secure networks (Australian Communications and Media Authority)
  • more comprehensively quantify the cost of cybercrime in Australia through surveys and by engaging directly with Australian industry (Home Affairs).

ISPs should:

  • work with government to centralise and expand upon existing industry-wide efforts in collaboration, intelligence sharing and coordinated action. 

Australian industry, beyond ISPs, should:

  • increase the sharing of technical indicators of compromises that are affecting its customers (a government-supported centralised clearing house for information would support this)
  • measure the cost of cybercrime and share information, within intelligence-sharing bodies, about the most damaging cybercrime techniques
  • factor in consideration of the cost and risk of failing to manage security issues in supplying their services.

Acknowledgements

ASPI’s International Cyber Policy Centre receives funding from a variety of sources including sponsorship, research and project support from across governments, industry and civil society. There is no sole funding source for this paper.

What is ASPI?

The Australian Strategic Policy Institute was formed in 2001 as an independent, non-partisan think tank. Its core aim is to provide the Australian Government with fresh ideas on Australia’s defence, security and strategic policy choices. ASPI is responsible for informing the public on a range of strategic issues, generating new thinking for government and harnessing strategic thinking internationally. ASPI’s sources of funding are identified in our Annual Report and in the acknowledgements section of individual publications. ASPI remains independent in the content of the research and in all editorial judgements.

ASPI International Cyber Policy Centre

ASPI’s International Cyber Policy Centre (ICPC) is a leading voice in global debates on cyber and emerging technologies and their impact on broader strategic policy. The ICPC informs public debate and supports sound public policy by producing original empirical research, bringing together researchers with diverse expertise, often working together in teams. To develop capability in Australia and our region, the ICPC has a capacity building team that conducts workshops, training programs and large-scale exercises both in Australia and overseas for both the public and private sectors. The ICPC enriches the national debate on cyber and strategic policy by running an international visits program that brings leading experts to Australia.

Important disclaimer

This publication is designed to provide accurate and authoritative information in relation to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering any form of professional or other advice or services. No person should rely on the contents of this publication without first obtaining advice from a qualified professional.

© The Australian Strategic Policy Institute Limited 2020

This publication is subject to copyright. Except as permitted under the Copyright Act 1968, no part of it may in any form or by any means (electronic, mechanical, microcopying, photocopying, recording or otherwise) be reproduced, stored in a retrieval system or transmitted without prior written permission. Enquiries should be addressed to the publishers. Notwithstanding the above, educational institutions (including schools, independent colleges, universities and TAFEs) are granted permission to make copies of copyrighted works strictly for educational purposes without explicit permission from ASPI and free of charge.

First published July 2020.
ISSN 2209-9689 (online)
ISSN 2209-9670 (print)

  1. Scott Morrison, ‘Nation’s largest ever investment in cyber security’, media release, 30 June 2020, online.
  2. Department of Home Affairs (DHA), Australia’s Cyber Security Strategy, Australian Government, May 2016, online.
  3. The underlying cause of these attacks is not public, so it isn’t possible to say whether ISPs providing Clean Pipes would have prevented them.
  4. Ry Crozier, ‘Toll Group “returns to normal” after Mailto ransomware attack’, iTnews, 18 March 2020, online; Ry Crozier, ‘Toll Group suffers second ransomware attack this year’, iTnews, 5 May 2020, online.
  5. Ry Crozier, ‘BlueScope confirms a “cyber incident” is disrupting its operations’, iTnews, 15 May 2020, online.
  6. Bension Siebert, Shuba Krishnan, ‘MyBudget blames hack for outage affecting thousands of customers’, ABC News, 15 May 2020, online.
  7. Ben Grubb, ‘Drinks giant Lion hit by cyber attack as hackers target corporate Australia’, Sydney Morning Herald, 9 June 2020, online.
  8. Swetha Das, ‘Direct costs associated with cybersecurity incidents costs Australian businesses $29 billion per annum’, Microsoft News Centre Australia, 26 June 2018, online.
  9. Interpol, ‘Cybercriminals targeting critical healthcare institutions with ransomware’, news release, 4 April 2020, online; ‘CyberPeace Institute—call for government’, CyberPeace Institute, 26 May 2020, online.
  10. Michael Pompeo, ‘The United States concerned by threat of cyber attack against the Czech Republic’s healthcare sector’, press statement, US Department of State, 17 April 2020, online; Department of Foreign Affairs and Trade, Australian Cyber Security Centre (ACSC), ‘Unacceptable malicious cyber activity’, news release, Australian Government, 20 May 2020, online.
  11. Toll Group, ‘Toll IT systems update’, 29 May 2020, online.
  12. For example, investment in trusted platform modules, Apple’s Secure Enclave in iOS devices.
  13. Microsoft, ‘The most secure Windows ever’, no date, online.
  14. OpenDNS, ‘Why users love OpenDNS’, 2020, online.
  15. Comodo Cybersecurity, ‘Secure internet gateway’, 2020, online.
  16. CleanBrowsing, ‘Browse the web without surprises’, no date, online.
  17. Interestingly, when customers use these optional DNS services their ISP loses visibility and can no longer detect malware and assist them; ‘FAQ: DNS need to know info’, Quad 9, 2019, online.
  18. Google, ‘Google safe browsing’, 2019, online.
  19. Microsoft, ‘Microsoft Defender SmartScreen’, 27 November 2019, online.
  20. Google, ‘Google safe browsing’, 2019, online.
  21. Eliza Chapman, Tom Uren, The Internet of Insecure Things, ASPI, Canberra, 19 March 2018, online.
  22. Dave Harcourt, ‘BT’s proactive protection: supporting the NCSC to make our customers safer’, National Cyber Security Centre, UK Government, 25 October 2018, online.
  23. Such as, for example, distributed denial of service (DDoS) attacks that attempt to overwhelm networks or websites.
  24. For example, Interpol’s ‘Worst of’ provides a list of domains carrying child abuse material; Interpol, ‘Blocking and categorizing content’, 2020, online.
  25. Andrew Penn, ‘Safer online and the new normal’, Telstra Exchange, 6 May 2020, online.
  26. Even within the cybersecurity industry competitors collaborate, and the Cyber Threat Alliance serves as a model for competitors sharing information about threats. There are also many effective information-sharing initiatives overseas and in Australia (for example, see ‘Member ISACs’, National Council of Information Sharing and Analysis Centers, 2020, online).
  27. ‘National identity and cyber support’, IDCARE, 2020, online; ACSC, ‘ReportCyber’, Australian Signals Directorate, Australian Government, 2020, online.
  28. DHA, ‘Data retention’, Australian Government, March 2020, online.
  29. DHA, ‘The Assistance and Access Act 2018’, Australian Government, September 2019, online.
  30. For example, see Elise Scott, ‘Senate passes controversial metadata laws’, Sydney Morning Herald, 27 March 2015, online; Damien Manuel, ‘Think your metadata is only visible to national security agencies? Think again’, The Conversation, 5 August 2019, online; Stilgherrian, ‘Home Affairs report reveals deeper problems with Australia’s encryption laws’, ZDNet, 29 January 2020, online.
  31. Ry Crozier, ‘Conroy abandons mandatory ISP filtering’, iTnews, 8 November 2012, online.
  32. There are already mechanisms to block objectionable material, such as the Sharing of Abhorrent and Violent Material Act 2019, and those mechanisms should remain separate from security provisions. See Attorney-General’s Department, ‘Abhorrent violent material’, Australian Government, no date, online.
  33. Frost and Sullivan, Understanding the Cybersecurity Threat Landscape in Asia Pacific: Securing the Modern Enterprise in a Digital World, 2018.
  34. ACSC, Cybercrime in Australia—July to September 2019, Australian Signals Directorate, Australian Government, 2019, online.
  35. Morrison, ‘Nation’s largest ever investment in cyber security’.

Retweeting through the Great Firewall

A persistent and undeterred threat actor

Key takeaways

This report analyses a persistent, large-scale influence campaign linked to Chinese state actors on Twitter and Facebook.

This activity largely targeted Chinese-speaking audiences outside of the Chinese mainland (where Twitter is blocked) with the intention of influencing perceptions on key issues, including the Hong Kong protests, exiled Chinese billionaire Guo Wengui and, to a lesser extent, Covid-19 and Taiwan.

Extrapolating from the takedown dataset, to which Twitter gave us advance access, we have identified that this operation continues and has pivoted to try to weaponise the US Government’s response to current domestic protests and create the perception of a moral equivalence with the suppression of protests in Hong Kong.

Figure 1: Normalised topic distribution over time in the Twitter dataset

Our analysis includes a dataset of 23,750 Twitter accounts and 348,608 tweets that occurred from January 2018 to 17 April 2020 (Figure 1). Twitter has attributed this dataset to Chinese state-linked actors and has recently taken the accounts contained within it offline.

In addition to the Twitter dataset, we’ve also found dozens of Facebook accounts that we have high confidence form part of the same state-linked information operation. We’ve also independently discovered—and verified through Twitter—additional Twitter accounts that also form a part of this operation. This activity appears to be a continuation of the campaign targeting the Hong Kong protests, which ASPI’s International Cyber Policy Centre covered in the September 2019 report Tweeting through the Great Firewall and which had begun targeting critics of the Chinese regime in April 2017.

Analysing the dataset as a whole, we found that the posting patterns of tweets mapped cleanly to working hours at Beijing time (despite the fact that Twitter is blocked in mainland China). Posts spiked through 8 a.m.–5 p.m. working hours Monday to Friday and dropped off at weekends. Such a regimented posting pattern clearly suggests coordination and inauthenticity.
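The working-hours pattern described above can be measured directly from tweet timestamps. The following is an added example, not code from the report or from ASPI's own analysis (which used R); the timestamp format, both sample sets, the function names and the flag thresholds are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# China observes no daylight saving, so a fixed UTC+8 offset is exact.
BEIJING = timezone(timedelta(hours=8))
WORK_START, WORK_END = 8, 17  # 8 a.m. to 5 p.m., the window named in the report
# Fraction of a week covered by Mon-Fri working hours: 5 days * 9 h / 168 h.
UNIFORM_BASELINE = 5 * (WORK_END - WORK_START) / (7 * 24)

# Constructed sample timestamps (UTC). Not taken from the takedown dataset.
REGIMENTED_SAMPLE = [
    "2020-03-02 00:15", "2020-03-02 03:40", "2020-03-02 08:55",
    "2020-03-03 01:05", "2020-03-03 06:30", "2020-03-04 02:20",
    "2020-03-04 07:45", "2020-03-05 00:50",
    "2020-03-05 23:30",  # Friday 07:30 in Beijing: before the working day
    "2020-03-06 05:10",
    "2020-03-06 09:00",  # Friday 17:00 in Beijing: working day has ended
    "2020-03-08 00:30",  # Sunday 08:30 in Beijing: weekend
]
ORGANIC_SAMPLE = [
    "2020-03-02 12:10", "2020-03-02 02:00", "2020-03-03 15:45",
    "2020-03-03 22:30", "2020-03-04 05:20", "2020-03-04 13:00",
    "2020-03-05 18:40", "2020-03-06 11:15", "2020-03-06 07:30",
    "2020-03-07 03:00", "2020-03-07 14:20", "2020-03-08 06:50",
]


def to_beijing(ts_utc: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM' (assumed UTC export format) into Beijing time."""
    naive = datetime.strptime(ts_utc, "%Y-%m-%d %H:%M")
    return naive.replace(tzinfo=timezone.utc).astimezone(BEIJING)


def in_working_hours(local: datetime) -> bool:
    """True for Monday-Friday, 08:00 up to but not including 17:00 local."""
    return local.weekday() < 5 and WORK_START <= local.hour < WORK_END


def posting_profile(timestamps_utc):
    """Summarise when a set of posts was made, in Beijing local time."""
    local = [to_beijing(t) for t in timestamps_utc]
    if not local:
        raise ValueError("no timestamps supplied")
    by_weekday = [0] * 7   # index 0 = Monday
    by_hour = [0] * 24
    for t in local:
        by_weekday[t.weekday()] += 1
        by_hour[t.hour] += 1
    share = sum(in_working_hours(t) for t in local) / len(local)
    return {
        "total": len(local),
        "work_share": share,
        # Lift > 1 means more concentrated in working hours than posts
        # spread evenly across the week would be.
        "lift": share / UNIFORM_BASELINE,
        "by_weekday": by_weekday,
        "by_hour": by_hour,
    }


def looks_regimented(profile, min_posts=10, min_lift=2.0) -> bool:
    """Triage flag only; both thresholds are illustrative assumptions."""
    return profile["total"] >= min_posts and profile["lift"] >= min_lift


if __name__ == "__main__":
    for name, sample in (("regimented", REGIMENTED_SAMPLE),
                         ("organic", ORGANIC_SAMPLE)):
        p = posting_profile(sample)
        print(f"{name}: work_share={p['work_share']:.2f} "
              f"lift={p['lift']:.2f} flagged={looks_regimented(p)}")
```

Without the conversion to UTC+8, the same posts cluster between 00:00 and 09:00 UTC and look like night-time activity, which is why the analysis has to be done in the suspected operator's time zone.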

The main vector of dissemination was through images, many of which contained embedded Chinese-language text. The linguistic traits within the dataset suggest that audiences in Hong Kong were a primary target for this campaign, with the broader Chinese diaspora as a secondary audience.

There is little effort to cultivate rich, detailed personas that might be used to influence targeted networks; in fact, 78.5% of the accounts in Twitter’s takedown dataset have no followers at all.

There’s evidence that aged accounts—potentially purchased, hacked or stolen—are also a feature of the campaign. Here again, there’s little effort to disguise the incongruous nature of accounts (from Bangladesh, for example) posting propaganda inspired by the Chinese Communist Party (CCP). While the takedown dataset contains many new and low-follower accounts, the operation targeted the aged accounts as the mechanism by which the campaign might gain traction in high-follower networks.

The operation has shown remarkable persistence to stay online in various forms since 2017, and its tenacity has allowed for shifts in tactics and the narrative focus as emerging events—including the Covid-19 pandemic and US protests in May and June 2020—have been incorporated into pro-Chinese government narratives.

Based on the data in the takedown dataset, while these efforts are sufficiently technically sophisticated to persist, they currently lack the linguistic and cultural refinement to drive engagement on Twitter through high-follower networks, and thus far have had relatively low impact on the platform. The operation’s targeting of higher value aged accounts as vehicles for amplifying reach, potentially through the influence-for-hire marketplace, is likely to have been a strategy to obfuscate the campaign’s state-sponsorship. This suggests that the operators lacked the confidence, capability and credibility to develop high-value personas on the platform. This mode of operation highlights the emerging nexus between state-linked propaganda and the internet’s public relations shadow economy, which offers state actors opportunities for outsourcing their disinformation propagation.

Similar studies support our report’s findings. In addition to our own previous work Tweeting through the Great Firewall, Graphika has undertaken two studies of a persistent campaign targeting the Hong Kong protests, Guo Wengui and other critics of the Chinese Government. Bellingcat has also previously reported on networks targeting Guo Wengui and the Hong Kong protest movement.

Google’s Threat Analysis Group noted that it had removed more than a thousand YouTube channels that were behaving in a coordinated manner and sharing content that aligned with Graphika’s findings.

This large-scale pivot to Western platforms is relatively new, and we should expect continued evolution and improvement, given the enormous resourcing the Chinese party-state can bring to bear in aligning state messaging across its diplomacy, state media and covert influence operations. The coordination of diplomatic and state media messaging, the use of Western social media platforms to seed disinformation into international media coverage, the immediate mirroring and rebuttal of Western media coverage by Chinese state media, the co-option of fringe conspiracy media to target networks vulnerable to manipulation and the use of coordinated inauthentic networks and undeclared political ads to actively manipulate social media audiences have all been tactics deployed by the Chinese Government to attempt to shape the information environment to its advantage.

The disruption caused by Covid-19 has created a permissive environment for the CCP to experiment with overt manipulation of global social media audiences on Western platforms. There’s much to suggest that the CCP’s propaganda apparatus has been watching the tactics and impact of Russian disinformation.

The party-state’s online experiments will allow its propaganda apparatus to recalibrate efforts to influence audiences on Western platforms with growing precision. When combined with data acquisition, investments in artificial intelligence and alternative social media platforms, there is potential for the normalisation of a very different information environment from the open internet favoured by democratic societies.

This report is broken into three sections, which follow on from this brief explanation of the dataset, the context of Chinese party-state influence campaigns and the methodology. The first major section investigates the tactics, techniques and operational traits of the campaign. The second section analyses the narratives and nuances included in the campaign messaging. The third section is the appendix, which will allow interested readers to do a deep dive into the data.

ASPI’s International Cyber Policy Centre received the dataset from Twitter on 2 June and produced this report in 10 days.

The Chinese party-state and influence campaigns

The Chinese party-state has demonstrated its willingness to deploy disinformation and influence operations to achieve strategic goals. For example, the CCP has mobilised a long-running campaign of political warfare against Taiwan, incorporating the seeding of disinformation on digital platforms. And our September 2019 report—Tweeting through the Great Firewall—investigated state-linked information campaigns on Western social media platforms targeting the Hong Kong protests, Chinese dissidents and critics of the CCP regime.

Since Tweeting through the Great Firewall, we have observed a significant evolution in the CCP’s efforts to shape the information environment to its advantage, particularly through the manipulation of social media. Through 2018 and 2019 we observed spikes in the creation of Twitter accounts by Chinese Ministry of Foreign Affairs spokespeople, diplomats, embassies and state media.

To deflect attention from its early mishandling of a health and economic crisis that has now gone global, the CCP has unashamedly launched waves of disinformation and influence operations intermingled with diplomatic messaging. There are prominent and consistent themes across the messaging of People’s Republic of China (PRC) diplomats and state media: that the CCP’s model of social governance is one that can successfully manage crises, that the PRC’s economy is rapidly recovering from the period of lockdown, and that the PRC is a generous global citizen that can rapidly mobilise medical support and guide the world through the pandemic.

The trends in the PRC’s coordinated diplomatic and state-media messaging are articulated as a coherent strategy by the Chinese Academy of Social Sciences, which is a prominent PRC-based think tank. The academy has recommended a range of responses to Western, particularly US-based, media criticism of the CCP’s handling of the pandemic, which it suggests is designed to contain the PRC’s global relationships. The think tank has offered several strategies that are being operationalised by diplomats and state media:

  • the coordination of externally facing communication, including 24 x 7 foreign media monitoring and rapid response
  • the promotion of diverse sources, noting that international audiences are inclined to accept independent media
  • support for Chinese social media platforms such as Weibo, WeChat and Douyin
  • enhanced forms of communication targeted to specific audiences
  • the cultivation of foreign talent.

The party-state appears to be allowing for experimentation across the apparatus of government in how to promote the CCP’s view of its place in the world. This study suggests that covert influence operations on Western social media platforms are likely to be an ongoing element of that project.

Methodology

This analysis used a mixed-methods approach combining quantitative analysis of bulk Twitter data with qualitative analysis of tweet content. This was combined with independently identified Facebook accounts, pages and activity including identical or highly similar content to that on Twitter. We assess that this Facebook activity, while not definitively attributed by Facebook itself, is highly likely to be a part of the same operation.

The dataset for quantitative analysis was the tweets from a subset of accounts identified by Twitter as being interlinked and associated through a combination of technical signals to which Twitter has access. Accounts that appeared to be repurposed from originally legitimate users are not included in this dataset, which may potentially skew some analysis.

This dataset consisted of:

  • account information for 23,750 accounts that Twitter suspended from its service
  • 348,608 tweets from January 2018 to 17 April 2020
  • 60,486 pieces of associated media, consisting of 55,750 images and 4,736 videos.

Many of the tweets contained images with Chinese text. They were processed by ASPI’s technology partner in the application of artificial intelligence and cloud computing to cyber policy challenges, Addaxis, using a combination of internal machine-learning capabilities and Google APIs before further analysis in R. The R statistics package was used for quantitative analysis, which informed social network analysis and qualitative content analysis.

Research limitations: ASPI does not have access to the relevant data to independently verify that these accounts are linked to the Chinese Government. Twitter has access to a variety of signals that are not available to outside researchers, and this research proceeded on the assumption that Twitter’s attribution is correct. It is also important to note that Twitter hasn’t released the methodology by which this dataset was selected, and the dataset doesn’t represent a complete picture of Chinese state-linked information operations on Twitter.

Download full report

Readers are warmly encouraged to download the full report (PDF, 62 pages) to access the full and detailed analysis, notes and references. 


Acknowledgements

ASPI would like to thank Twitter for advance access to the takedown dataset that formed a significant component of this investigation. The authors would also like to thank ASPI colleagues who worked on this report.

First published June 2020.

ISSN 2209-9689 (online)
ISSN 2209-9670 (print)

Winning hearts and likes

How foreign affairs and defence agencies use Facebook

What’s the problem?

For defence and diplomacy, digital media, and specifically social media, have become an unavoidable aspect of their operations, communications and strategic international engagement, but the use of those media isn’t always understood or appreciated by governments.

While the Department of Foreign Affairs and Trade (DFAT) and the Department of Defence (DoD) both use social media, including accounts managed by diplomatic posts overseas and by units of the ADF, both departments can improve how they reach and engage online. It’s important to note, however, that their use cases and audiences are different. DFAT’s audience is primarily international and varies by geographical location. Defence has a more local audience and focus.

More important than the content itself, online engagement depends on the strength of the ties between the senders or sharers and the recipients of the content. For both departments, improving those online ties is vital as they seek to influence.

What’s the solution?

The Australian Government should use social media far more strategically to engage international audiences—particularly in the diplomatic and defence portfolios. Both DFAT and Defence should review outdated digital strategies, cross-promote more content and demonstrate transparency and accountability by articulating and publishing social media policies.

Both departments should create more opportunities for training and the sharing of skills and experiences of public diplomacy staff. They should refrain from relying solely on engagement metrics as success measures (that is, as a measure of an individual’s, usually senior staff’s or heads of missions’, level of ability or achievement).

Instead, by changing the emphasis from the producers of social media content to the audiences that interact with it, the engagement data can be usefully regarded as a proxy for attention and interest. This can tell us what kinds of audiences (mostly by location) are engaged, and what types of content they do and don’t engage with. This information indicates the (limited) utility of social media; this should guide online engagement policy.

This report also highlights and recognises the value of social media for the defence community—especially as a means of providing information and support for currently serving personnel and their families—by supporting the use of Facebook for those purposes by all defence units.

DFAT should remove the direction for all Australian heads of mission overseas to be active on social media. While this presence is indeed useful and boosts the number of global government accounts, if our ambassadors aren’t interested in resourcing those accounts, the result can be sterile social media accounts that don’t engage and that struggle to connect with publics online. Instead, both departments should encourage those who are interested in and skilled at digital diplomacy to use openness, warmth and personality to engage.

Introduction: the global rise of Facebook

This report examines DFAT’s and the DoD’s use of one social media platform—Facebook—and evaluates current practices to identify how, where and for what purposes Facebook has impact. 

The focus on Facebook reflects the platform’s global reach and its popularity as an everyday, essential medium for accessing and sharing information. Apart from notable exceptions (such as China), Facebook is so popular in most places (such as some Southeast Asian countries) that it’s often roughly synonymous with ‘the internet’. This is a symptom of the platform’s ubiquity and utility as well as a consequence of Facebook’s heavily promoted services, including the Free Basics internet access service, which provides limited online access via a Facebook application.1

In order to generate lessons learnt, this report makes comparisons between Australian Government pages and their counterparts in the US, the UK, New Zealand and Canada. The analysis of Facebook use for diplomatic purposes is based on 2016–17 data extracted from Facebook pages of the diplomatic missions of eight ‘publisher’ nations (the five that are the subject of this report, as well as India, Israel and Japan) in 23 ‘host nations’.2 More recent data couldn’t be used because access is no longer available, but a review of the pages suggests that the analysis stemming from the data extracted during that period remains relevant.

The underlying design of Facebook deeply influences and limits its use by publishers and users. The Facebook newsfeed—the most commonly used feature for getting regularly updated information—prioritises posts from accounts that are either closely associated through a history of user activity, including liking, sharing, commenting and messaging, or are boosted through paid promotion.

One of the main consequences is that the more a Facebook user interacts with content that they prefer, the more likely they are to receive that type of material in their newsfeeds, which they’re in turn more likely to interact with and so on. Successful content has emotional appeal, or is useful, and comes from a Facebook page that’s been frequented by the user or been shared with a close member of a user’s Facebook network of friends. As this cycle continues, Facebook ‘gets to know its users better and better’.3

In other words, it isn’t enough to make engaging (meaning fun, compelling or relevant) content. Online engagement is dependent on the strength of the ties between the senders or sharers and the recipients of the content, at least as much and very probably more than the nature of the content. Understanding this is vital for governments as they seek to influence online.

But, as a social media network, Facebook brings with it complications for public diplomacy and defence social media strategies. For example, Facebook’s utility is limited by its underlying algorithm architecture and the habits and preferences of individual Facebook users, which are influenced by in-country patterns of social media usage and internet access. These issues need to be factored into departmental communications policies and social media strategies.
 

Online content, classified

Facebook posts can be classified into four types, according to their apparent function or purpose: outward-facing publicity (including propaganda), inward-facing publicity, engagement, and diplomacy of the public.4 The categories often overlap: content may be both inward- and outward-facing, for example. An analysis of these four types of content can be very useful for creating a strategy for effective DFAT and DoD Facebook use.

1. Outward publicity

Outward-facing publicity is the most common. It’s characterised by its evident target being the broader public of the country in which it’s posted, or a section of that public, such as overseas students, potential immigrants or, less commonly, large expatriate populations. It therefore uses the language of the local population and locally popular themes and topics. Content varies but usually involves the provision of information, publicity for events, branding exercises or the posting of trivia (such as pictures of koalas). Posts can also be warm and personal and include one of the internet’s maligned features—cuteness.

The most popular Facebook post recorded during this research displays many of those features. It’s a video of two American embassy ‘diplokids’ playing the Indian national anthem on the occasion of India’s Independence Day.5 It’s been viewed 2.53 million times and shared more than 125,000 times (as of January 2020).

Many popular posts are practical and transactional, such as information about employment, scholarships, funding opportunities and visa applications. The US Embassy in Mexico, for example, published a series of videos outlining the procedures for various visa classes. The Australian Consulate in Hong Kong published a sequence of posts targeting Australian citizens in the lead-up to the 2016 Australian federal election with information about how to vote, and—taking advantage of Facebook’s potential to target specific audiences—paid to promote them.

Posts announcing employment opportunities at the embassy or consulate for locally engaged staff are consistently among the most popular, especially in small and developing countries. These posts can serve as more than mere job ads. One such post, on the American Facebook page in Iraq, prompted an enquiry via the comment feed from a potential applicant who feared he might be too old to apply. The American page administrator replied, assuring this applicant that his application would be welcome and reiterating American policies against age-based discrimination in a way that promoted US values and demonstrated respect for an older Iraqi man, which in return inspired several positive comments in the thread.

Other popular outward-facing promotional posts include commemorations on significant memorial days and on the occasion of tragedies such as natural disasters. Out of respect, noting these days of significance on Facebook should be considered obligatory, as it largely appears to be. Posts announcing support in the aftermath of disasters are often very well received (as indicated by numbers of shares and supportive comments) and suggest that Facebook can have a useful role in promoting aid and relief efforts. For example, the Australian Embassy in Fiji posted about assistance efforts after Tropical Cyclone Winston in 2016; those posts had engagement figures in the thousands (the mean engagement figure for 2016 was 29).6

Facebook posts promoting military activity elicited significant support in other contexts. US Facebook posts in support of Iraqi soldiers serving as part of the American-led coalition against Daesh, for example, were widely shared and commented on, almost entirely positively.

How important are ambassadors and consuls-general as proponents of outward-facing publicity? The research suggests that they’re significant assets where they’re personable and relatable and embrace the community and nation where they’re posted. Speaking the local language, either proficiently or with evident effort, is a major asset. While most posts are typically published in the local language (often as well as in English), publishing videos of heads of mission speaking the language seems to have additional audience appeal. One of the few Australian Facebook pages that increased its levels of engagement from 2016 to 2017 was that of the Embassy in Paris. Australia’s Ambassador to France, Brendan Berne, a fluent French speaker, features in a number of posted videos, including media appearances and official speeches.

In one popular video post, Ambassador Berne introduced changes in Australian law to legalise same-sex marriage and then popped the question to his unsuspecting partner, Thomas.7 This was acknowledged as unorthodox but was a calculated risk that paid off, increasing the profile of the Ambassador and thereby providing him with further platforms, including popular mainstream broadcast media, on which to promote the bilateral relationship.

Former US Consul-General in Hong Kong, Clifford Hart, exemplified how the personal can empower public diplomacy, to the extent that he was known as Clifford Baby (or ‘Clifford BB’).8 His very popular farewell video post featured Hart reflecting in Cantonese on his favourite places and dishes in Hong Kong. The video also uses catchphrases from Stephen Chow (an iconic actor in Hong Kong), which, while meaningless for those unfamiliar with his work, carried immense appeal for Hong Kongers.

2. Inward-facing publicity

Inward-facing publicity is related to outward-facing publicity but has an internal focus by appealing to smaller audiences—perhaps the local diplomatic or government community or to (even more internal) colleagues in Barton, Foggy Bottom or Whitehall.

This content frequently features a staged, formulaic photo of ‘distinguished guests’ at an official event.

Anecdotally, it’s been made clear to me on a number of occasions that this type of content is regarded as important, to the extent that hours can be spent on its production—the text carefully parsed and often escalated up the chain for approvals.

Although these events have limited appeal, they have a specific value that isn’t evident in their typically low engagement metrics.9 They’re important for those people featured in the photo and at the event as a record and an acknowledgement of their participation, and for indicating their status by highlighting their access, but the limited broader appeal of the posts suggests that the resources devoted to them should be minimised.

Other types of posts are evidently not (or poorly) targeted at a broader local public. These posts are characterised by the negligible use of local language or cultural connections and an overt emphasis on topics and themes that are of minimal interest to local target populations and more aligned to internal or specialised interests.

Common examples include key messages from governments about matters that are perhaps of global significance and represent core national values or positions on international matters (such as an opinion on certain environmental or human rights issues) but do not, according to the engagement data, resonate locally. These types of posts do no harm and are probably useful as records of, and advocacy for, important international issues. However, if they’re resource intensive, they present a poor return on investment.

One example of content that’s, probably inadvertently, inward-facing is a series of podcasts produced by the Australian Embassy in South Korea using the time of very senior diplomatic officials and promoted on the Embassy’s Facebook page. The podcasts featured interviews in English with significant Australians, including senior government figures. The low engagement metrics on Facebook (and the modest listening figures via Soundcloud) are unsurprising: in a saturated media market it’s difficult to imagine the appeal of podcasts in English featuring guests who (although esteemed and accomplished) are of marginal interest to a Korean audience.

The podcasts weren’t an evidently effective way of engaging with a Korean audience and, after 28 episodes over 18 months, were concluded at the end of 2017. While the effort is characterised here as unsuccessful, creativity and bravery in public diplomacy should be supported. The idea of using podcasts is one that has value and could be adopted elsewhere, perhaps targeting specific audiences such as potential international students or investors and promoted via a more professionally oriented platform, such as LinkedIn. The obvious lesson of the South Korean experiment is that such efforts are more likely to have impact if they’re planned to connect to and target local audiences as well as to convey Australian views and expertise.

Analysis for this report reveals that both outward- and inward-facing publicity posts by DFAT and Defence vary greatly in the engagement rates they enjoy. It’s difficult to see a pattern, and most successful posts are probably a result of good luck, good management and additional localised idiosyncrasies. But the general sense is that audiences largely pay attention to content that’s useful and relevant for them, not necessarily what’s most important to the authors of the content.

3. Engagement

Engagement posts are far less common than publicity posts. This is a bit surprising, as social media has been lauded as a site for interaction, discussion and debate and for making connections.

Some recent scholarship has concluded that diplomats aren’t taking advantage of this potential due to ingrained, institutionalised resistance, based on norms for information control and risk aversion.10 This report outlines another entrenched problem as a probable factor: Facebook, because its algorithm prefers close ties or paid promotion, often isn’t a very good platform for two-way engagement.

There are, however, some excellent examples of how Facebook has been used by Australian diplomats to facilitate a limited yet effective type of engagement through photo competitions. One, in Timor-Leste, invited photographs that characterised and shared affection for that country, thereby demonstrating ‘relational empathy’.11 Another, in the Australian Office in Taipei, invited Taiwanese in Australia to submit photographs of their travels and experiences, resulting in Taiwanese participating in a kind of networked conversation with other Taiwanese about their positive experiences in Australia, via an Australian diplomatic Facebook page. These types of photo-based campaigns could be replicated elsewhere.

Both of these competitions take advantage of a key function of social media—the ability to share images and tag friends—to increase the reach of their content. This turns Facebook users into micro-influencers, quite powerful at a smaller scale, distributing and personally endorsing content in their networks. An obvious advantage is that the content is provided and driven by users, not government officials. The fact that the content providers are from the local community also makes the content itself likely to have local references and appeal.

4. The audience, themselves

The last type of content present on these Facebook pages isn’t authored by the account holders (the diplomats) but by the Facebook users themselves. Usually, this appears in the comments, which can easily veer off onto tangents (some malicious, but some benign or even useful). The US Embassy in Mexico, for example, posts information about visa applications that can prompt reams of comments that ask for advice about people’s precise circumstances. Many of the requests are responded to by other Facebook users, who are able to offer specific advice.

Examples like this underscore the key lesson about Facebook for public diplomacy: social media users are often active audiences and participants who make choices about what content they respond to and how they respond to it based upon how relevant, useful and appealing they find it. This fundamental conclusion is a core lesson for DFAT and similar agencies.
 

Engagement—by the numbers

Ranking nations according to metrics fuels the spurious idea that those nations might be in competition with each other for attention in the digital space. Instead, it’s evident that diplomacy per se is in competition with the practically limitless amount of material published from all manner of sources, much of it antithetical to the aim of international amity, and all diplomats could benefit by learning from each other’s experiences. Instead of treating them as a measure of success, engagement metrics can be useful means of approximating audience size and attention.

On average, the data (in Figures 1–4) indicates that the Facebook audience for the 23 US official diplomatic accounts reviewed is far larger than others, but is also relatively passive. In comparison, Australia’s audience is comparatively more active and engaged. But we should note that all the figures below are global averages, varying considerably by location (again suggesting that a global ranking is unhelpful). The variations between the locations (see Table 1) contain important insights about what types of content are useful and which audiences are more active and engaged, and are consequently more valuable.

All the following data is based on the Facebook pages of official diplomatic posts (embassies, consulates and similar offices).12 They’re typically managed by diplomatic staff who are often not public diplomacy specialists and are usually on a 3–4 year posting, usually with considerable input by locally engaged staff.

Figure 1 is based on the numbers of page likes (people who have ‘liked’ a Facebook page) in the host country where an embassy or consulate is located. Figures 2–4 are based on the levels of engagement (reactions, comments, shares) with the content that those embassies and consulates posted on their Facebook pages.

Figure 1: Facebook page likes, January–February 2018 (total, users located in host country)

Note: This data is no longer downloadable from Facebook’s application programming interface due to restrictions introduced by Facebook in 2019. This is one of the ways Facebook has limited public access to data. For example, until early 2018, it was possible to extract data about the location (based on their Facebook profile) of Facebook page followers, making it feasible to analyse the percentage of followers who were located in the host country (that’s the figure used here) or who were located elsewhere, either based in the home country (probably mostly expats) or in a third country. This includes followers who are suspected to be bogus, either paid to follow through click farms or fake accounts attempting to appear real. See D Spry, ‘Facebook diplomacy, click farms and finding “friends” in strange places’, The Strategist, 7 September 2017, online.

Figure 1 is the total for all of the embassies and consulates counted (a list of them is included in Table 1). Figure 2 is the average figure per embassy or consulate.

Figure 2: Average engagement per Facebook page, January–February 2018

The large number of the US Facebook page likes/followers highlighted above results in a relatively high level of engagements per post but not more engagements per user. In the latter category, Australia leads; the US runs last.

Figure 3: Average engagement per Facebook post, January–February 2018

Figure 4: Average engagement per Facebook user, January–February 2018

Table 1 shows Facebook reach (the percentage of a country’s total Facebook users who are following an embassy or consulate Facebook page) for 23 countries. As per Figure 1 (and see endnote 11), these figures include only those Facebook users who are located (according to their profile) in the country where the embassy or consulate is based (for example, followers of the Australian Embassy in Dili who are based in Timor-Leste). The figures in Table 1 are the average figures for the five nations and can vary considerably. For example, for Timor-Leste the average for all five embassies is 10.495% but for Australia it’s considerably higher (approximately 35% when last checked; this is one of the few embassy Facebook pages that demonstrates significant growth).

Table 1 also demonstrates the correlations between Facebook reach and per capita GDP, population size and median age (see the appendix for the methodology). Also, countries that are closer or more strategically intertwined are more likely to follow embassy and consulate Facebook pages (for Australia, Timor-Leste; for the US, Mexico and Iraq). An important finding of this research for Australian officials is that Facebook appears to be more useful for public diplomacy in developing countries that are small, young and geographically close to Australia.

Table 1: Facebook reach across 23 countries via a selection of indicators

The metrics vary by orders of magnitude: in Timor-Leste (on average) a Facebook page will be followed by about 10% of the population who have Facebook accounts; in Myanmar, it’s about 2%; in Taiwan and New Zealand, it’s about 1 in 1,000; in the UK and Canada, it’s about 1 in 10,000. In other words, on average, a Facebook page in Timor-Leste is close to a thousand times more likely to have a local follower than one in the UK or Canada.

For Australian diplomatic posts, the contrast is even starker: in Timor-Leste, around 26% of the local Facebook population follow the Facebook page of the Australian Embassy in Dili; the equivalent in the UK is 0.01%; in Canada, 0.005%. Australia’s Facebook page in Timor-Leste is around 5,000 times more likely to have a local follower than in Canada.

The temptation is to see this as a measure of the performance of Australia’s staff in Dili, Ottawa and London. That temptation should be resisted—there are, as Table 1 suggests, demographic factors (age, size, wealth) to consider when seeking reasons for the large variations in Facebook reach.

These demographic correlations suggest that Facebook diplomacy’s ‘success’ (or, I would suggest, ‘relevance’) isn’t necessarily the result of the public diplomacy staff’s skills and endeavours but more likely a product of external factors: the popularity of Facebook as a means of accessing information among younger populations; a lack of competing sources of information in smaller countries (with smaller media industries); and the funnelling of users onto the Facebook platform in those countries (including Timor-Leste and Cambodia) where Facebook’s Free Basics service provides free but limited internet access.

This implies that, while a Facebook page may be an effective, even a primary, public diplomacy tool in some places, it won’t always be in others: therefore, resources and strategy can be adjusted accordingly. For example, it suggests that the Australian embassies in Dili, Port Moresby and other high-ranking Facebook locations should be supported and encouraged to use Facebook (as they appear to be successfully doing). The high commissions in London, Ottawa and similar locations should maintain a presence but not prioritise Facebook as a means of public diplomacy, as it isn’t an efficient communication channel.

Limitations of using Facebook for diplomacy

However, if these numbers look small enough to question the point of having a Facebook page in some locations at all, it gets worse: average posts prompt engagement from between 1 in 100 and 1 in 1,000 followers. This means that in the UK, for example, the reaction rate is about 1 in 1 million active Facebook users. While reaction rates don’t equate to reach (reach figures aren’t obtainable), they’re indicative of attention and interest, and also contribute to the organic (non-paid) spread of the content.

This is likely to get worse. Changes to the Facebook algorithm since 2014 have made it more difficult to reach large audiences unless content is promoted through paid boosts. This is reflected in the engagement metrics falling or flattening year-on-year in most locations, with a few exceptions.

Therefore, the argument for an active Facebook page shouldn’t rest on the average engagement metrics alone. Facebook posts, as long as they’re prepared using minimal resources, are low risk, low investment and usually low reward. But some posts are quite valuable, even in locations where there’s usually little engagement, potentially serving as an economical means to exert influence with small, but repeated, effects. An examination of the types of posts and the levels of engagement they receive offers some insights.

Defence’s use of social media

A review of available defence organisations’ policies and associated commentary outlines three general areas of social media use:

  1. personal use by personnel, whether or not on deployment or active duty, and their families
  2. professional use by personnel in matters relating to their employment, such as networking and communication for the purposes of professional development and knowledge sharing
  3. official use by personnel acting as representatives of the defence force and in pursuit of the defence force’s aims.

The first type—personal use—prompts concern among military forces for its potential to endanger military personnel and operations, or to damage the reputation of defence organisations. Those risks aren’t confined to official Facebook pages and are as likely to occur elsewhere; infringements are already covered under existing policies (such as preventing harassment and promoting operational and personal security). Posting on social media may bring infractions to light, meaning that they can be addressed, but also increases the risk of exposing the offending content to a wider audience before it can be deleted and the infraction contained.

The UK and US defence forces are especially active in promoting responsible social media use, including by publishing guidelines for personnel.

These concerns are counterbalanced by the capacity for social media to act as a means for military families and friends to stay in touch with loved ones while they’re on deployment. Also, as some American studies suggest, social media are especially beneficial for military spouses who form support networks based on their shared experiences and concerns.13

The second type of use—professional but unofficial use—is evidenced in limited ways on Facebook.

One example is the Facebook page for The Cove,14 a website set up for the purposes of promoting research for military professionals.

The third type, official use, is the focus of this report. The defence forces of the Five Eyes nations all operate numerous Facebook pages. In the case of the US, each branch of the armed services has at least hundreds (US Air Force), if not thousands (US Army), of Facebook pages.15 The pages representing each of the main branches have millions of followers, while pages at the level of operational units (regiments, battalions and the like) vary in size accordingly.

Unsurprisingly, the Facebook pages of the branches of the US military have followers (page likes) an order of magnitude larger than in other nations (Figure 5).

Figure 5: US main military Facebook page likes, March 2018

The militaries of the other nations have comparable numbers of page followers, although the British Army has a significantly larger cohort than the rest (Figure 6).

Figure 6: Main military Facebook page likes, non-US, March 2018

Quantitative analysis of the defence forces’ Facebook pages indicates that they receive considerably more attention and engagement than their diplomatic counterparts. The average Australian diplomatic Facebook page is followed by about 0.02% of the Facebook population in the host country (the notable exceptions are Timor-Leste, 26%, and Papua New Guinea, 7%). The larger defence force pages are followed by a larger portion of the Australian Facebook population: Defence Jobs Australia (3.3%) and the Australian Army (2.4%).

The raw numbers are similarly stark. Defence Jobs Australia has close to half a million followers, the Australian Army more than 360,000, the RAAF more than 280,000 and the RAN more than 120,000. Those numbers increase daily.

The combined figure of the page likes of the ADF Facebook pages analysed for this report is 1.45 million, or close to 10% of the Australian Facebook population (although of course many Facebook users can follow multiple pages and some may come from overseas).

In comparison, major news programs have about 1.5–2 million Facebook followers, and the ABC News Facebook page has close to 4 million. News and magazine pages are the leading Facebook pages for engagement, averaging about 100,000 engagements per page per week; Defence pages averaged 45,000 in total. The Australian Army page alone received 12,500 engagements on average per week—comparable to the music industry average and above education, department stores and politics.16

Other nations’ pages are similarly popular. These figures suggest that Facebook is valuable for defence forces as a means of communicating to their publics. They also suggest that those publics are paying attention to these pages.

Why? Partly, the answer lies in the content posted on the pages and the ways that publics engage with it. Defence department Facebook pages differ from their diplomatic counterparts in important ways—chief among them is the nature of their audiences, which appear more domestic and more closely engaged. Partly, this arises out of the large numbers of current and former personnel and their friends and families. Also, in many democracies, publics have greater levels of emotional connection—trust,17 nostalgia, admiration—with militaries than with other parts of government (including foreign affairs agencies).

Official use of these Facebook pages includes a number of related functions. The main ones are:

  1. publicity, firstly in the sense of promoting the defence force’s values, achievements and legacies, as well as information for potential recruits, and secondly in the sense of maintaining the openness and transparency that (within the parameters of operational and personal security) are expected from defence forces of democratic nations
  2. information sharing with the defence force’s broader community of interest, including family and friends of serving personnel and veterans as well as other stakeholders (such as people residing near bases or training areas), and including sharing details about exercises and deployments
  3. commemorations, including notifications and memorials for service personnel who have died on deployment or exercises, celebrations and thanks for retiring senior service personnel, and days of significance, either national (such as Anzac Day) or specific to the defence force.

This report’s analysis suggests that Facebook performs each of those functions usefully and in ways other forms of media would find difficult. User engagement varies considerably across the Facebook pages analysed. Some general observations include the following:

  • Levels of engagement are generally higher than for public diplomacy pages. In particular, defence content is shared more and attracts more comments.
  • Content on smaller Facebook pages (such as regiment, brigade or group pages) has a higher level of engagement per capita, suggesting a smaller but more engaged user community.
  • Comments appear to be positive and supportive: they express admiration for defence personnel, thanks for service (especially for those who died on duty), patriotism and nostalgia.
  • Military hardware in use has considerable appeal—cinematographic and otherwise.
  • Defence forces are highly regarded for their service (the ‘trust factor’) as well as their embodiment of national identity.
  • Members of defence forces, and their families and loved ones, use defence Facebook pages to express and share emotions, including, commonly, pride and admiration.

Some important posts—including notices about mental health—attract less engagement because those topics are sensitive and Facebook is public. This is an example of how Facebook users are conscious of their online personas and tend to portray themselves cautiously. It isn’t an argument against the value of those posts, which are useful opportunities for defence forces to raise awareness of important issues and available support services.

In action and in memoriam: ADF pages

The ADF Facebook pages attracting the highest engagement fall into two main categories: accounts of activities undertaken by ADF personnel (including community undertakings, training, exercises, deployments and military action) and commemorations of days of significance, the loss of military lives, or both.

The most important commemorative day on the Australian calendar, Anzac Day, is also the dominant topic on Defence Facebook pages, appearing in the top five most engaged posts of all the larger pages.

An exception is the Chief of the Defence Force’s Facebook page, where the most popular posts are those commemorating the return to Australia of fallen Vietnam War veterans and the 20th anniversary of the loss of 18 Army personnel during a Black Hawk helicopter collision in 1996.

On the smaller, unit-level Facebook pages, in addition to Anzac Day, popular posts commemorate important battles in the history of the unit, such as Long Tan in the Vietnam War and Kapyong in the Korean War. Other popular Facebook posts noted Australia Day, Mothers’ Day, Fathers’ Day and Christmas, sometimes connecting them to personnel currently serving overseas.

The popularity of commemorative posts suggests that Facebook facilitates support for ADF personnel and traditions in a public, shareable forum. Anzac Day’s popularity among the larger Facebook pages implies that those pages enjoy widespread popularity, whereas attention to unit-specific commemorations in the smaller pages indicates their importance to those with closer ties to those units, including veterans and their families.

Some posts feature videos of ADF personnel using impressive military equipment. These have evident appeal for military aficionados and, according to the Defence Jobs Australia Facebook page metrics, for potential recruits.

Another popular type of post outlines current actions taken by the ADF. Examples of this type include HMAS Darwin’s seizure, under UN sanctions, of illicit weapons heading to Somalia; assistance provided by HMAS Canberra to Fiji following Cyclone Winston; and Operation OKRA: Strike Vision, involving F/A-18A Hornets destroying facilities operated by Daesh in central Iraq.

Other examples of popular Facebook pages featuring the ADF in action include graduations (the Australian Defence Force Academy), promotions and—especially at the unit level—posts showing personnel assisting local communities and charities.

Five-Eyes defence forces

Commemorations and actions are top posts in other defence forces’ Facebook pages. The US defence forces’ pages, in particular, are notable for their popular displays of military hardware as well as being sites of public, patriotic support for troops.

The most popular post on the US Army Facebook page, on the anniversary of the 6 June 1944 D-Day landings in Normandy, exemplifies this combination of patriotism and military memorialisation. The comments on this post further indicate the commemoration’s personal significance for veterans’ families.

These US Facebook pages demonstrate the significance of the military services and suggest how deeply they’re embedded in American culture, in family histories, national identity and popular culture. Popular UK posts similarly suggest the link between military service, family legacies, history and nationalism—in this case sometimes represented by the British royal family.

Although similar themes are evident in all defence force Facebook pages, some examples of popular content from UK, Canadian and New Zealand pages offer small but significant contrasts with Australian pages.

For example, a New Zealand Defence Force video of a ceremony at the Menin Gate memorial in Ypres, Belgium, featuring personnel performing the haka was shared more than 30,000 times,18 and the most popular New Zealand Navy Facebook post was a link to a news report on the first sailor to get a moko (a full-face traditional Maori tattoo; Figure 7).19 The popularity of these posts reflects support for Maori culture as an intrinsic and valued part of New Zealand and its defence forces.

Figure 7: New Zealand Defence Force personnel perform a haka at Menin Gate, Belgium

25 April 2017, online.

Popular Canadian Facebook posts also showcase diversity and personality. The Canadian Army’s most popular post pays tribute to an indigenous veteran, Sergeant Francis Pegahmagabow of Wasauksing First Nation, a highly decorated World War I scout and sniper.20 Other popular content includes videos of deployed personnel in a snowball fight in Poland,21 a light-sabre fight marking Star Wars Day (#MayTheFourthBeWithYou),22 a warning against venturing onto military property while chasing Pokémon23 (see cover image) and personnel wearing red stilettos to support domestic violence survivors (Figure 8).24

Figure 8: Members of 3rd Canadian Division taking part in the #WalkaMileInHerShoes fundraiser in downtown Edmonton

Source: 3rd Canadian Division, ‘Members of 3rd Canadian Division are taking part in the #WalkaMileInHerShoes fundraiser in downtown Edmonton’, Facebook, 21 September 2017, online.

Defence recruitment

The relative popularity of defence recruitment sites indicates the value of Facebook for promoting military careers. This use of Facebook differs from the pages of the main defence force branches or at unit level, as it’s more akin to advertising and promotion and less like a community site: more bulletin board than discussion board. It’s likely that many of these posts have been promoted through paid boosts and advertising, which is a common and reasonable use of marketing budgets (Figure 9).

Figure 9: Defence force recruitment page likes, March 2018

Generally, the recruitment pages’ content appears to have similar appeal to the main pages. For example, the most popular posts on the Defence Force Australia page are a 360-degree view of a boat drop from the amphibious ship HMAS Canberra (the second most popular post on Australian defence Facebook pages) and Anzac Day 2016. 

The recruitment Facebook pages are also notable for the high number of posts by Facebook users. Between 20% and 30% of the posts on the Defence Force Australia, RAF and UK Royal Navy recruitment Facebook pages are by users. Many of these user posts are genuine requests about positions and recruitment procedures.

Defence social media policy and strategy

The ADF’s social media guidelines, policies and strategy documents are not public. The last publicly available external review of Defence’s use of social media was released in 2011. 

This aversion to publicness and openness contrasts with the position of DFAT, which has published its public diplomacy25 and digital media strategies,26 as well as the defence force of Canada, which has published its social media strategy,27 the defence force of the UK, which has published social media guidelines,28 and the various US forces, which have each published numerous policy and guideline documents.29

The Canadian social media guidelines go so far as to promote transparency and accountability as ‘principles of participation’, aimed at meeting community standards of trust and confidence.

It’s unclear why the ADF doesn’t operate on similar principles.

Conclusion and recommendations

Facebook pages provide opportunities for defence forces to communicate to publics and, at least as importantly, for publics to express their gratitude, admiration and affection to defence forces.

In contrast, diplomatic Facebook pages are targeted at, and receive attention from, foreign publics. Compared to defence, diplomatic Facebook pages receive far less attention, but the levels of attention vary. Specifically, in countries that are smaller, younger, poorer and closer (such as Timor-Leste and Papua New Guinea), Facebook is, based on the data, an important means to inform—and engage with—general publics. Communications strategy should therefore prioritise Facebook in those countries by training personnel, allocating funds to content production and paying heed to the levels and nature of engagement by publics. Elsewhere, such as in Canada and the UK, Facebook is far less important and should be deprioritised in, but not eliminated from, public diplomacy strategies.

The strengths and limitations of Facebook’s usefulness are determined by its algorithm, which prioritises audiences’ pre-existing connections and optimises content that appeals to their needs and desires. It’s essential therefore that Defence and DFAT prioritise those audiences when determining if, when and how to make use of Facebook.

This report argues for a measured, more strategic use of social media. Specific solutions are as follows.

For diplomacy

  1. Review the digital media strategy to account for the location-based variability of Facebook’s usefulness and prioritise resources accordingly.
  2. Encourage diplomatic missions to develop, implement and review localised social media plans using the experience and expertise of locally engaged staff (providing training where required), and redefine the role of Australia-based staff to strategic oversight and governance.
  3. Remove the direction for all heads of mission to be active on social media; encourage those who are active on Facebook to use openness, warmth and personality to create relational empathy.
  4. Create opportunities for training and sharing the skills and experiences of public diplomacy staff.

For defence

  1. Demonstrate and promote transparency and accountability by publishing social media policies.
  2. Recognise the value of social media for the Defence community, especially as a means of providing information and support for currently serving personnel and their families, by supporting the use of Facebook for those purposes by all defence units.
  3. Continue Defence’s impressive work using Facebook as a platform for the community to express support for personnel and veterans, and maintain the dignified, sombre tone of the memorial content.

For diplomacy and defence

  1. Consider cross-promoting content. Defence pages reach the large national audience that diplomacy increasingly needs. Diplomatic Facebook pages—in some locations—provide opportunities for the ADF to promote its actions and values to international audiences, acting as a useful vector for strategic communication.
  2. Refrain from using engagement metrics as success measures for diplomats; use them as proxies for public attention in order to gauge how the value of Facebook varies according to audience type and location.
  3. Prioritise audiences’ use of social media when developing strategies, creating content and allocating resources.

Appendix: Methodology

This research focused exclusively on Facebook. While other social network platforms, especially Twitter, are also relevant, they lie outside the scope of this report.

The research used digital media research methods, which made it possible to gather and analyse large amounts of data indicating Facebook users’ engagement with online content, including which posts received more than average attention, through the examination of Facebook engagement metrics (likes, comments and shares).

This enabled analysis of Facebook users’ interests based on either the content (what types of posts receive the most attention) or the users (who was engaging with content). In turn, this suggested how social media are used and therefore how they can be useful.

The analysis of Facebook use for diplomatic purposes is based on 2016–17 data extracted from Facebook pages of the diplomatic missions of eight ‘publisher’ nations (the five that are the subject of this report, as well as India, Israel and Japan) in 23 ‘host’ nations.30 Restrictions imposed by Facebook in 2019 (and before 2018 data was extracted) mean this form of research isn’t currently replicable. The database used in this research is therefore unique; it’s available from the author.

Unlike the defence Facebook pages, the data for the diplomatic pages includes the location of those Facebook users who have followed the Facebook pages of the diplomatic mission. Again, this feature is no longer possible due to restrictions introduced by Facebook in early 2018, before the defence Facebook pages analysis was undertaken.

This report is based on data obtained through the Facebook application programming interface: Facebook post and comment content (text, and links to images and video), as well as engagement data (reactions, including likes, comments, and shares). Analysis followed a two-stage, mixed-methods approach. First, quantitative data analysis identified trends and outliers. Second, identified outliers (such as high-performing pages and posts) were treated as key case studies and their content was considered more closely using methods based on qualitative media studies.

The analysis of the Facebook pages was contextualised and informed by an examination of publicly available policy and strategy documents as well as background discussion with several currently serving or former defence and diplomatic personnel from Australia and elsewhere. An important note: the engagement metrics are not, and shouldn’t be, considered as indicators of the ‘success’ of a particular Facebook page. Instead, they were used here as indicators of attention, and therefore as a means of assessing what content a specific page’s audience was more interested in and how it made use of that content.


Acknowledgements

The author would like to thank the members of the Australian and international defence and diplomatic communities for their informal advice and support, as well as for their dedication and professionalism. Any errors and all findings, conclusions and opinions contained herein are my responsibility.

What is ASPI?

The Australian Strategic Policy Institute was formed in 2001 as an independent, non‑partisan think tank. Its core aim is to provide the Australian Government with fresh ideas on Australia’s defence, security and strategic policy choices. ASPI is responsible for informing the public on a range of strategic issues, generating new thinking for government and harnessing strategic thinking internationally.

ASPI International Cyber Policy Centre

ASPI’s International Cyber Policy Centre (ICPC) is a leading voice in global debates on cyber and emerging technologies and their impact on broader strategic policy. The ICPC informs public debate and supports sound public policy by producing original empirical research, bringing together researchers with diverse expertise, often working together in teams. To develop capability in Australia and our region, the ICPC has a capacity building team that conducts workshops, training programs and large-scale exercises both in Australia and overseas for both the public and private sectors. The ICPC enriches the national debate on cyber and strategic policy by running an international visits program that brings leading experts to Australia.

Important disclaimer

This publication is designed to provide accurate and authoritative information in relation to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering any form of professional or other advice or services. No person should rely on the contents of this publication without first obtaining advice from a qualified professional.

© The Australian Strategic Policy Institute Limited 2020

This publication is subject to copyright. Except as permitted under the Copyright Act 1968, no part of it may in any form or by any means (electronic, mechanical, microcopying, photocopying, recording or otherwise) be reproduced, stored in a retrieval system or transmitted without prior written permission. Enquiries should be addressed to the publishers. Notwithstanding the above, educational institutions (including schools, independent colleges, universities and TAFEs) are granted permission to make copies of copyrighted works strictly for educational purposes without explicit permission from ASPI and free of charge.

First published May 2020.

ISSN 2209-9689 (online)
ISSN 2209-9670 (print)

  1. L Mirani, ‘Millions of Facebook users have no idea they’re using the internet’, Quartz, 9 February 2015, online. See also Facebook, ‘Where we’ve launched’.
  2. D Spry, ‘Facebook diplomacy: a data-driven, user-focussed approach to Facebook use by diplomatic missions’, Media International Australia, 168(1):62–80.
  3. ‘The inquiry: How powerful is Facebook’s algorithm?’, BBC World Service, 24 April 2017, online.

Cybercrime in Southeast Asia

Combating a global threat locally

What’s the problem?

Cybercrime is a serious threat facing Australia and the world, but this criminal activity is often wrongly viewed as a near invisible online phenomenon, rather than a ‘real world’ concern. Behind every attack sits one or more people in a physical location. Those people are products of particular socio-economic conditions, which influence the types of regional and local cybercrime activity they specialise in. Cybercrime isn’t evenly distributed around the globe, but is centred around hotspots, which offer potential breeding grounds or safe harbours from where offenders can strike. This is true in Australia’s own region, where some Southeast Asian countries are emerging as bases for serious regional, and even global, cybercrime threats. We’re not proactively tackling the locations where the cybercrime threat develops and matures.

What’s the solution?

Australia’s current approach to fighting cybercrime needs to be augmented to account more seriously for this local dimension, particularly in Southeast Asia, and our fight against cybercrime should be more targeted, enduring and forward-looking. While it makes sense to support international cooperation in the fight against cybercrime, those efforts need to be targeted to specific hotspots where the problem is the most acute and Australia’s contributions can provide the greatest value for money. This involves the identification of current or future cybercriminal hotspots within Australia’s near region.

Australia’s existing law enforcement capacity-building programs should be matched specifically to those countries producing the biggest cybercrime threat. Deeper relationships should also be developed between investigators in Australia and those countries through more cyber liaison posts and exchange programs. Finally, Australia should adopt prevention programs that seek to block offenders’ pathways into cybercrime and promote those programs to suitable cybercrime hotspots in the region.

Introduction

There’s a popular perception that cybercrime is an anonymous activity. With seemingly faceless attackers and so-called ‘darknet’ sites, a picture emerges of a threat unlike anything we’ve seen before.

But cybercrime shouldn’t generate this kind of paradigm shift. As Peter Grabosky astutely argued almost 20 years ago, it’s ‘old wine in new bottles’.1 The crime types—fraud, extortion, theft—remain the same; only the tools have changed. For the following analysis, I employ a broad definition: cybercrime is the ‘use of computers or other electronic devices via information systems such as organizational networks or the Internet to facilitate illegal behaviors’.2

The purpose of this report is to highlight how rooted in the conventional world cybercrime actually is. In many cases, there’s a strong offline dimension, along with a local one. All cyberattacks have one or more people behind them. Some of those offenders know each other in person. All are physically based somewhere and are the product of local socio-economic conditions. As a result, we see different ‘flavours’ of cybercrime coming out of different parts of the world. The specific focus of this analysis is on the nature of cybercrime within Southeast Asia and the local dynamics therein.

This report is structured in three parts. First, it outlines the nature of cybercrime as a local phenomenon, highlighting some of the most famous hubs around the world. Second, it zeroes in on the case of Southeast Asia. Finally, the report addresses potential policy solutions derived from this analysis, and particularly those that could be adopted by the Australian policy community.

The analysis contained in this report is informed not only by publications on cybercrime, but also by seven years of fieldwork carried out by the author in 20 countries. This involved interviews with 238 participants, including law enforcement agents, security professionals and former cybercriminals.3

Cybercrime as a local phenomenon

While cybercrime is often viewed essentially as an online and global phenomenon, it’s also an offline and local one.4 It’s true that many offenders participate in cybercrime so they can avoid real-world engagement with both their victims and their partners.5 For a number of others, though, the attacks on victims remain virtual, but they’re collaborating with cybercriminal partners in physical settings.

Sometimes they meet online first and later move their relationship into the corporeal world. In other cases, offenders know each other well already, perhaps coming from the same community, neighbourhood, university or school.6

While still a niche area of research, this offline dimension is slowly attracting the attention of the research community.7 But what really needs to be emphasised is the importance of local conditions in shaping local cybercrime.8 Cybercrime might be a universal problem, but certain countries appear to harbour a greater threat than others. These cybercriminal hubs often have particular specialities, as well.

It’s worth quickly sketching some of the most famous cybercrime hubs around the world. Perhaps the best known of all is the former Soviet Union. That region produces the most technically capable offenders within cybercrime, who are often responsible for developing top-level malware and other tools that are used throughout the industry.9 An excellent education system produces an oversupply of able technologists in the labour market, who then struggle to find opportunities in a weak technology industry.10

Another reputed cybercrime hub is Nigeria, which is known for far less technical forms of cybercrime.11

Nigerian cybercriminals have traditionally carried out ‘advance fee fraud’—the email scams familiar to users around the world.12 In more recent years, West African offenders have evolved. One growing threat is business email compromise, in which a scammer impersonates a CEO or other person to instruct an employee in the victim company to transfer funds into an account controlled by the criminals.13

There are a number of other cybercrime hubs around the world. While it’s beyond the scope of the present report to discuss them all, Table 1 summarises some of them in a simplified fashion. The next section addresses the particular dynamics of cybercrime in some Southeast Asian examples.

Table 1: Geographical specialisations

Source: Jonathan Lusthaus, Industry of anonymity: inside the business of cybercrime, Harvard University Press, page 77, 2018.

Cybercrime in Southeast Asia

Southeast Asia provides an interesting cybercrime case study, as it includes populations of both local and foreign offenders. While offenders are spread across the region, certain countries contain a larger cybercriminal threat than others. As a result, the analysis below is focused on two interesting examples that pose some of the greatest threat in the region: Vietnam and Malaysia. The discussion of Vietnam is centred on the local community of ‘black hat’ (criminal) hackers and the threat they pose. With regard to Malaysia, the physical presence of Nigerian fraudsters is the most relevant topic to examine.

Vietnam

While China, South Korea and North Korea rank higher, some rate Vietnam towards the top of general hacking capability in Asia.14 Even if only a proportion of the local hacker population turned towards crime, that would make Vietnam one of the most serious cybercriminal threats in Southeast Asia.

While some cybercriminals strike at home, Vietnam itself is not a target-rich environment, and major attacks there are not widely reported.15 One rare example was the Vietcombank case of 2016, in which 500 million dong (at the time of writing, about A$34,000) was extracted from a customer account.16

For those Vietnamese attacking overseas, credit card fraud has traditionally been a popular endeavour.17 The conventional business model has been to target ecommerce sites and steal the databases of credit card details. The cybercriminals can either sell the card data in virtual marketplaces or buy products online themselves and ship them back to Vietnam.18 The latter approach became increasingly difficult as ecommerce sites blocked some deliveries to Vietnam in response to this malicious activity, so the cybercriminals adapted and found overseas ‘mules’ who could receive items and then mail them on to Vietnam.19 Vietnamese cybercriminals have also engaged in personal data theft, compromising email and other account credentials, and a number of other schemes.

While it’s often important to make the point that cybercrime and hacking aren’t synonymous, in Vietnam the dominant form of cybercrime is tied to hacking. While some parts of the world are known for malware or fraud, Vietnamese cybercrime appears to have a strong focus on intrusions.20 This is likely to be tied to the local context, in which there’s a broader hacking culture and an ecosystem of Vietnamese forums alongside the international cybercriminal marketplaces. Education in computing and STEM disciplines more broadly is of a decent standard compared to that available in some other countries in the region, and there are recent efforts underway to improve it.21 There’s also fairly widespread corruption, which can shelter criminal activity. One former cybercriminal rated Vietnamese corruption ‘a good 8 of 10 points’.22

Vietnam is a significant location of cybercriminality, particularly by regional standards. While a number of factors suggest that it could become a major international cybercrime hub, there are other factors that may be preventing the greater spread of cybercrime there. One is that the level of technical proficiency is much lower than that found in other cybercrime hubs, such as a number of countries of the former Soviet Union.23 This means that the threat faced from Vietnamese cybercriminals is reduced. But there is also less of a push towards cybercrime in the first place, as job opportunities appear relatively robust. The Vietnamese economy has been growing in recent years.24 In particular, the technology sector is attracting investment and providing attractive salaries. There’s also a relatively established pipeline of top Vietnamese talent to foreign companies such as Google and Microsoft.25 While there remains a serious threat, these factors are probably keeping the problem of Vietnamese cybercrime from growing even further.

Malaysia

If the example of Vietnam is about local offenders striking internationally, the case of Malaysia is about foreign cybercriminals using that country as a base of operations. There is a community of local Malaysian cybercriminals, but the more pressing issue is the large presence of Nigerian fraudsters who have established themselves there.26 While Nigerian email scams are well known, many assume that the offenders are based in West Africa. There are indeed a number of offenders operating out of Nigeria, originally from inside internet cafes, and now making use of new mobile technology. But there are also Nigerian cybercriminals spread out across Africa and the world, including in the US, the UK, the Netherlands, India, the Philippines and Australia.27 Their presence in such countries can be for computing training, coordinating money-mule and other support operations, or running their own autonomous scam operations from those countries.28

Curiously, for some time Malaysia has hosted one of the largest concentrations of Nigerian fraudsters. It isn’t yet clear why this is such a fertile location, but it’s of growing concern, as perhaps many thousands of such offenders are running hugely profitable enterprises.29 These are relatively low-tech scams, such as business email compromise, but can be hugely damaging in their scale and impact. The modus operandi of Nigerian scammers in Malaysia is similar to that in other jurisdictions. A fraudster may arrive in Malaysia and find members of his existing social networks already there—almost always men—who may serve as suitable collaborators. This is similar to cybercriminals based in Nigeria, who appear to favour working with those whom they know already and have some form of personal connection with.30 Such an expat fraudster may also seek to involve some Malaysians in his scam. One surprisingly common tactic across the globe is to find a local girlfriend and use her knowledge, language and accent to enhance the scheme.31 For instance, a particular operation might contact victims suggesting that a parcel is waiting at an airport, but that the duty needs to be paid to release it. Having local knowledge means that the airport information and details can be checked for accuracy to avoid suspicion, and if a number is listed in the scam materials a Malaysian will answer the phone, rather than a West African.32

Policy recommendations for regional work against cybercrime

Australia’s existing approach to fighting cybercrime is built around enhancing international cooperation through increasing awareness, strengthening cybercrime legislation, law enforcement capacity building, and information sharing.33 Given the transnational nature of the threat, this is a sensible strategy, but it lacks specificity in its implementation, which could be more tactical and nuanced.

While cybercrime is an online and global threat, the Australian Government shouldn’t ignore the offline and local dimensions of the phenomenon. Cybercrime may be a universal problem, but some countries are more important hubs of cybercriminality than others. The status quo appears to be that any international action in this area is positive, regardless of where. But Australia will have greater success and make more cost-effective use of resources by targeting specific jurisdictions where cybercrime is a problem, with less focus on those places where the concern is limited. This potentially could be decided on the basis of the caseload of the Australian Federal Police (AFP) or intelligence, though other measures would also be possible. It’s likely that such assessments are already happening informally and internally, but they have yet to become part of a defined, sustained and published policy exercise.

Cybercrime might be different in each country, but the policy responses should usually be similar. The key task for governments such as Australia’s is less to determine what to do than where to do it. The heart of this is to draw up a list of countries that pose the greatest cybercriminal threat to Australia, balanced against an assessment of where an Australian contribution might have the greatest effect. Given limits to resources and influence, it’s unlikely that Australia will take the lead in combating Eastern European cybercrime, though it should continue to support broader international efforts in that area (and might be wise to have a dedicated cybercrime liaison officer based somewhere within the former Soviet Bloc for that purpose).

Within Australia’s strategic backyard, Southeast Asia presents a clearer and more manageable challenge. Policymakers and practitioners have already had some cybercrime engagement with the region, with a broad focus on the ‘Indo-Pacific’.34 But, again, the true value is to be found not by addressing a large region as a whole, but by identifying particular cybercriminal hubs, or future hubs.

Vietnam and Malaysia are good places to start, but aren’t the only locations that should be evaluated.

For any chosen country, there needs to be a clear-eyed understanding of mutual benefit. Cybercrime is a universal problem. As internet usage and ecommerce in Southeast Asia grow, the number of local victims is also likely to grow. Australian law enforcement agencies have the skills, capacity and international connections to aid their regional partners in their own fight to protect their companies and citizens from cybercrime.

The following three recommendations continue Australia’s support for international cooperation on cybercrime, but ensure that it’s even more targeted, enduring and forward-looking.

Recommendation 1

Law enforcement capacity in the region has been improving but still has some way to go. For those countries that are facing large concentrations of cybercriminals, such as Malaysia, the challenge may overwhelm local capacity. When resources are limited, Southeast Asian countries may (reasonably) prioritise cases with local victims, rather than foreign ones.

Australia has a strong history of running cyber training programs in the region. Building on past efforts in this space, greater resources and further training opportunities for cyber-investigators in locations where the threat is the greatest should increase local capacity to take on cybercriminals. In places where corruption is a problem within law enforcement, greater support for anti-corruption programs may also be an asset.

Recommendation 2

Australian law enforcement can also play a greater role in supporting investigations in Southeast Asia.

This has already happened in individual cases,35 but building more enduring relationships is important. One of the most effective ways of achieving that is through liaison officers. Cross-border cases are often aided by having investigators who know each other’s systems, and may even know each other personally. High-level bureaucratic procedures can often get bogged down without agents at the coalface who can expedite the process. In those situations, trusted relationships can be important.

The best way of building such relationships in Southeast Asia is to increase the number of opportunities for Australian agents to spend significant spells in the region and to provide similar opportunities for Southeast Asians in Australia. This can be achieved through the AFP, the Australian Criminal Intelligence Commission (ACIC), or both, having dedicated cyber liaisons in Southeast Asia, particularly in cybercrime hubs that acknowledge the mutual benefits involved. With some exceptions, such as the Jakarta Cybercrime Centre, the focus thus far has been on placing cybercrime investigators and analysts with major allies such as the US and the UK, along with international policing bodies such as Europol.

Those partnerships are important to continue for broader intelligence sharing, but great value could also be gained by expanding the use of liaisons to build relationships with countries where substantial cybercriminal operations are based, and where such a presence would be welcomed.

Improving investigation partnerships can also be achieved by ensuring that generalist AFP and ACIC liaisons who are already posted to cybercrime hubs do have cybercrime as a clear and core part of their portfolio, and the training and resources to match. This might be particularly useful in cases like Malaysia, where online fraud is the primary cybercrime threat but doesn’t always fall inside (somewhat arbitrary) bureaucratic definitions of cybercrime. Increasing opportunities for police exchange programs, perhaps tied to the capacity-building efforts noted above, would also allow for greater networking opportunities between Australian cyber police officers and their Southeast Asian counterparts.

Recommendation 3

Australia must be forward-looking in its approach to cybercrime. This involves not only identifying future cybercrime hubs in the region, but also acting to block cybercriminal pathways in at-risk countries. Policing approaches based on ‘prevention’ are gaining traction globally. The UK is playing a leading role, and the Dutch police have also invested in this space. Such approaches are less reactive. They rely on identifying young people who may become involved in serious offending and then intervening before prosecutions are required. Industry engagement is encouraged, with a clear goal of diverting young technologists to legitimate career paths.36

Cybercrime prevention strategies target the root causes of cybercrime, rather than dealing with the symptoms. These efforts should be supported, expanded and internationalised. Australia is well placed to establish a prevention program within the AFP and beyond, but the government shouldn’t stop there. Part of this program should involve evangelising these approaches to other countries as well, and Southeast Asia is a logical focus. But, again, countries where cybercrime is a particular concern should be targeted. Prevention programs also make much greater sense in states such as Vietnam, where the offenders are indigenous, rather than places such as Malaysia, which face foreign cybercriminals establishing a new base.

Cybercrime prevention in Southeast Asia must also involve private industry. In some nations, a major concern is that there are simply not enough good job opportunities in the technology sector. There’s a natural push for countries in the region to improve education in computing and cybersecurity, but if the supply of tech talent becomes too much, some of those individuals may turn to cybercrime. Australian Government prevention efforts should engage with companies in both Australia and Southeast Asia, encouraging partnerships, investment opportunities and job growth in local technology sectors. There may also be greater opportunities for skilled migration and labour mobility within the region. Those efforts might require the AFP to cooperate with other government agencies, such as the Department of Foreign Affairs and Trade. Given that countries such as Vietnam have already shown that they have capable workforces and human capital that can be tapped, these programs should also be of direct benefit to Australian companies, beyond the broader aim of blocking local pathways into cybercrime.


Acknowledgements

This report is built on the insights and information provided by numerous interview participants, and could not have been written without them. I’m also very grateful to a number of colleagues for commenting on earlier drafts of this work, including Nigel Phair, Tala Stevens and a number of readers who prefer not to be named. I also thank the three peer reviewers for their thoughtful suggestions. Finally, great thanks must go to ASPI staff for their guidance, and particularly to Elise Thomas for coordinating this endeavour.

What is ASPI?

The Australian Strategic Policy Institute was formed in 2001 as an independent, non‑partisan think tank. Its core aim is to provide the Australian Government with fresh ideas on Australia’s defence, security and strategic policy choices. ASPI is responsible for informing the public on a range of strategic issues, generating new thinking for government and harnessing strategic thinking internationally.

ASPI International Cyber Policy Centre

ASPI’s International Cyber Policy Centre (ICPC) is a leading voice in global debates on cyber and emerging technologies and their impact on broader strategic policy. The ICPC informs public debate and supports sound public policy by producing original empirical research, bringing together researchers with diverse expertise, often working together in teams. To develop capability in Australia and our region, the ICPC has a capacity building team that conducts workshops, training programs and large-scale exercises both in Australia and overseas for both the public and private sectors. The ICPC enriches the national debate on cyber and strategic policy by running an international visits program that brings leading experts to Australia.

Important disclaimer

This publication is designed to provide accurate and authoritative information in relation to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering any form of professional or other advice or services. No person should rely on the contents of this publication without first obtaining advice from a qualified professional.

© The Australian Strategic Policy Institute Limited 2020

This publication is subject to copyright. Except as permitted under the Copyright Act 1968, no part of it may in any form or by any means (electronic, mechanical, microcopying, photocopying, recording or otherwise) be reproduced, stored in a retrieval system or transmitted without prior written permission. Enquiries should be addressed to the publishers. Notwithstanding the above, educational institutions (including schools, independent colleges, universities and TAFEs) are granted permission to make copies of copyrighted works strictly for educational purposes without explicit permission from ASPI and free of charge.

First published May 2020.

ISSN 2209-9689 (online)
ISSN 2209-9670 (print)

  1. Peter Grabosky, ‘Virtual criminality: old wine in new bottles?’, Social & Legal Studies, 2001, 10(2).
  2. Samuel C McQuade, Understanding and managing cybercrime, Allyn and Bacon, Boston, 2006, 16.
  3. For further detail, see Jonathan Lusthaus, Industry of anonymity: inside the business of cybercrime, Harvard University Press, Cambridge, Massachusetts, 2018.

Weaponised deep fakes

National security and democracy

Foreword

Fakes are all around us. Academic analysis suggests that they’re difficult to spot without new sensors, software or other specialised equipment, with 1 in 5 photos you see being fraudulent. The exposure of deep fakes and the services they facilitate can potentially lead to suppression of information and a general breakdown in confidence in public authorities and trust. We need to react not just to false or compromised claims but to those who would try to exploit them for nefarious purposes. We should not assume the existence of fake news unless we have compelling evidence to the contrary, but when we do, we should not allow the propaganda. I’ve never been more sure of this point than today.

—GPT-2 deep learning algorithm

The foreword to this report was written by a machine. The machine used a ‘deep fake’ algorithm — a form of artificial intelligence (AI) — to generate text and a headshot. Deep fakes are increasingly realistic and easy to create. The foreword took us approximately five minutes to generate, using free, open-source software.1

What’s the problem?

Deep fake technology isn’t inherently harmful. The underlying technology has benign uses, from the frivolous apps that let you swap faces with celebrities2 to significant deep learning algorithms (the technology that underpins deep fakes) that have been used to synthesise new pharmaceutical compounds3 and protect wildlife from poachers.4

However, ready access to deep fake technology also allows cybercriminals, political activists and nation-states to quickly create cheap, realistic forgeries. This technology lowers the costs of engaging in information warfare at scale and broadens the range of actors able to engage in it. Deep fakes will pose the most risk when combined with other technologies and social trends: they’ll enhance cyberattacks, accelerate the spread of propaganda and disinformation online and exacerbate declining trust in democratic institutions.

What’s the solution?

Any technology that can be used to generate false or misleading content, from photocopiers and Photoshop software to deep fakes, can be weaponised. This paper argues that policymakers face a narrowing window of opportunity to minimise the consequences of weaponised deep fakes. Any response must include measures across three lines of effort:

  1. investment in and deployment of deep fake detection technologies
  2. changing online behaviour, including via policy measures that empower digital audiences to critically engage with content and that bolster trusted communication channels
  3. creation and enforcement of digital authentication standards.

What’s a deep fake?

A deep fake is a digital forgery created through deep learning (a subset of AI).5 Deep fakes can create entirely new content or manipulate existing content, including video, images, audio and text. They could be used to defame targets, to impersonate or blackmail elected officials, or in conjunction with cybercrime operations.

Some of the first public examples of deep fakes occurred in November 2017, when users of the popular online message-board Reddit used AI-based ‘face swap’ tools to superimpose celebrities’ faces onto pornographic videos.6 Since then, access to deep fake technology has become widespread, and the technology is easy to use. Free software and trending smartphone applications such as FaceSwap or Zao7 allow everyday users to create and distribute content. Other services can be accessed at low cost: the Lyrebird voice generation service, for instance, offers subscription packages for its tools. In short: deep fake technology has been democratised.

Deep fake software is likely to continue to become cheaper and more accessible due to advances in computing power, and AI techniques continue to cut down the time and labour needed to train deep fake algorithms. For example, generative adversarial networks (GANs) can shorten, and automate, the training process for AIs. In this process, two neural networks compete against one another to produce a deep fake. A ‘generator’ network creates fake content. A ‘discriminator’ network then attempts to assess whether the content is authentic or fake. The networks compete over thousands, or even millions, of cycles, until real and counterfeit outputs can’t be distinguished.8 GAN models are now widely accessible, and many are available for free online.

The deep fake advantage

Not all digital forgeries are deep fakes. Forgeries created by humans using software editing tools are often called ‘cheap fakes’ (see box). Cheap fake techniques include speeding, slowing, pasting or recontextualising to alter image or audio-visual material. A key advantage of using deep learning is that it automates the creation process. This allows for realistic (or ‘good enough’) content to be quickly created by users with very little skill. Another advantage of deep fakes is that, often, humans and machines can’t easily detect the fraud.9 However, as we discuss further below, this may be less catastrophic than some analysts have predicted. Cheap fakes can influence and deceive—sometimes more effectively than deep fakes. Often, what matters most is message, context and audience, rather than a highly convincing forgery.

Deep or cheap?

In May 2019, a video circulated on social media showing US House of Representatives Speaker Nancy Pelosi slurring her words during a news conference, as though she were intoxicated or unwell. The video was a cheap fake: an authentic recording of the speaker, but with the speed slowed to 75% and the pitch adjusted to sound within normal range.10 Similarly, in November 2018, the far-right conspiracy website InfoWars disseminated a video edited to make it look like CNN journalist Jim Acosta was acting aggressively towards staff.

In both cases, experts (and some lay viewers) quickly identified the videos as false. Nonetheless, they had impact. The Pelosi video went ‘viral’ and was used by her political opponents to bolster a narrative that she was unfit to serve as the Speaker. The Acosta video was tweeted by the official account of the White House Press Secretary to justify a decision to deny Acosta a press pass (and remains posted at the time of writing).11

Audio-visual cheap fakes even pre-date the digital age. In the lead-up to UK elections in 1983, members of the British anarcho-punk band Crass spliced together excerpts from speeches by Margaret Thatcher and Ronald Reagan to create a fake telephone conversation between the leaders, in which they each made bellicose, politically damaging statements.

Common deep fake examples

Deep fake processes can be applied to the full spectrum of digital media. Below, we describe seven common deep fake tools. This isn’t an exhaustive list; nor are the categories exclusive. Deep fakes are often amalgams of several tools.

1. Face swapping

Users insert the face of a target onto another body. This process can be applied to both still images and video. Simple versions of this technique are available online through purpose-made apps. 

Figure 1: Deep fake video of actor and comedian Bill Hader morphing into different characters during an impression monologue

Source: ‘Bill Hader channels Tom Cruise [DeepFake]’, YouTube, 6 August 2019, online.

2. Re-enactment

The face from a target source is mapped onto a user, allowing the faker to manipulate the target’s facial movements and expressions.

Figure 2: Researchers use Face2Face tool to control the facial movements of Vladimir Putin

Source: TUM visual computing lab. Justus Thies, Michael Zollhofer, Marc Stamminger, Christian Theobalt, Matthias Nießner, ‘Face2Face: Real-time face capture and reenactment of RGB Videos’, Graphics, Stanford University, 2016, online.

3. Lip syncing

Users copy mouth movements over a target video. Combined with audio generation, this technique can make a target appear to say false content.

Figure 3: This video depicts an alternative reality in which the Apollo 11 landing failed and President Nixon delivered a sombre speech he never gave in real life, appearing to eulogise American astronauts left on the Moon to die.

Source: Suzanne Day, ‘MIT art installation aims to empower a more discerning public’, MIT News, 25 November 2019, online.

Figure 4: A video produced by AI think tank Future Advocacy depicts UK politicians Jeremy Corbyn and Boris Johnson endorsing each other as the preferred candidate for the 2019 UK election

Source: ‘Deepfakes’, Future Advocacy, 2018, online.

4. Motion transfer

The body movements of a person in a source video can be transferred to a target in an authentic video recording.

Figure 5: Video depicts artist Bruno Mars’s dance routine mapped to a Wall Street Journal reporter through motion transfer technology.

Source: Hilke Schellmann, ‘Deepfake videos are getting real and that’s a problem’, Wall Street Journal, 15 October 2018, online.

5. Image generation

A user can create entirely new images; for example, faces, objects, landscapes or rooms.

Figure 6: Three portraits created for the purposes of this report by a deep fake generator

Source: ‘This person does not exist’, online.

6. Audio generation

Users create a synthesised voice from a small audio sample of an authentic voice. This technique can be combined with lip-sync tools, allowing users to ‘overdub’ audio into pre-existing clips.

Figure 7: Overdub software allows users to replace recorded words or phrases with typed phrases

Source: ‘Lyrebird: Ultra-realistic voice cloning and text to speech’, online.

Figure 8: A voice clone created from a small audio sample by Lyrebird voice double software

Source: ‘Lyrebird: Ultra-realistic voice cloning and text to speech’, online.

7. Text generation

A user can generate artificial text, including short-form ‘comments’ on social media or web forums, or long-form news or opinion articles. Artificially generated comments are particularly effective, as there’s a wide margin for acceptable error for this type of online content.

Figure 9: Deep fake text generated by researchers in a study monitoring responses to Idaho’s Medicaid waiver; all study participants believed this response was of human origin

Source: Max Weiss, ‘Deepfake bot submissions to federal public comment websites cannot be distinguished from human submissions’, Technology Science, 18 December 2019, online.

Figure 10: ‘Botnet’, a self-described social network simulator app, allows a single user to interact with fake comments generated by bots, who like and engage with the user’s posts

Source: The Botnet social network simulator uses the open-source ‘GPT-2’ deep learning algorithm developed by California-based research lab OpenAI, online.

Weaponised deep fakes

Deep fake technology is not inherently dangerous. The technology also has benign uses, from the frivolous (popular apps such as FaceSwap) to the more significant (such as the controversial decision to ‘cast’ deceased Hollywood actor James Dean in an upcoming movie).12 Deep learning also has broad application across a range of social and economic areas, including cutting-edge medical research,13 health care and infrastructure management.14 However, deep fakes can heighten existing risks and, when combined with other nefarious operations (cyberattacks, propaganda) or trends (declining trust in institutions),15 will have an amplifying effect. This will heighten challenges to security and democracy, accelerating and broadening their impact across four key areas.

1. Cyber-enabled crime

Deep fakes will provide new tools to cyberattackers. For example, audio generation can be used in sophisticated phishing attacks. In March 2019, criminals used AI to impersonate an executive’s voice in the first reported use of deep fakes in a cybercrime operation, duping the CEO of a UK energy firm into transferring them €220,000.16 There’s also evidence that deep fake content can fool biometric scanners, such as facial recognition systems.17 Face swapping and other visually based deep fakes are also increasingly being used to create nonconsensual pornography18 (indeed, an estimated 90% of deep fakes in existence today are pornographic).19

As deep fake technology proliferates, we should also expect it to be used in acts of cyber-enabled economic sabotage. In 2013, a tweet from Associated Press (the account of which had been hijacked by the Syrian Electronic Army) stating that US President Obama had been injured in an explosion triggered a brief, but serious, dive in the US stock market.20

While this example is political in nature, a more convincing fraud (imagine a deep fake video of the alleged explosion) could prove extremely damaging when paired with criminal operations.

2. Propaganda and disinformation

Online propaganda is already a significant problem, especially for democracies,21 but deep fakes will lower the costs of engaging in information warfare at scale and broaden the range of actors able to engage in it. Today, propaganda is largely generated by humans, such as China’s ‘50-centers’ and Russian ‘troll farm’ operators. However, improvements in deep fake technology, especially text-generation tools, could help take humans ‘out of the loop’.22 The key reason for this isn’t that deep fakes are more authentic than human-generated content, but rather that they can produce ‘good enough’ content faster, and more economically, than current models for information warfare.

Deep fake technology will be a particular value-add to the so-called Russian model of propaganda, which emphasises volume and rapidity of disinformation over plausibility and consistency in order to overwhelm, disorient and divide a target.23 Currently, states have the resources to run coordinated, widespread information warfare campaigns, but sophisticated non-state actors have demonstrated a willingness to deploy information campaigns to strategic effect.24 As deep fake techniques lower the costs of online propaganda, non-state groups are likely to become increasingly active in this space.

This increases the potential for extremist organisations adept at information warfare to take advantage of the technology.

Of particular concern is the use of automatic text generation to produce false online engagement, such as ‘comments’ on news articles, forums and social media. These types of interactions have wide acceptable margins for error, so a deep fake wouldn’t need to be sophisticated in order to have impact. Russia’s Internet Research Agency, a St Petersburg-based troll farm, had a monthly budget of approximately $US1.25 million for interference in American politics in the lead-up to the US 2016 presidential election,25 while its workers allegedly face a gruelling schedule: 12-hour shifts with daily quotas of 135 posted comments of at least 200 characters.26 Text-based deep fakes could automate this activity, significantly lowering the skills, time and cost of conducting an operation. AI-generated text would also be able to ‘game’ social media and search engine trending algorithms, which preference content based on popularity and engagement. This method is already leveraged in Russian influence campaigns.27

Deep fakes can also be layered into propaganda campaigns to make them more effective. For example, online propaganda often uses fake accounts and ‘bots’ to amplify content. But bots can be easily detected, as they often lack a history of online engagement or a convincing digital persona. Deep fake generated images and text can help bridge that gap. In 2019, journalists discovered that intelligence operatives had allegedly created a false LinkedIn profile for a ‘Katie Jones’, probably to collect information on security professional networks online. Researchers exposed the Katie Jones fake through technical photo analysis and a rather old-fashioned mechanism: asking the employer listed on LinkedIn (the Center for Strategic and International Studies) if such a person worked for it.28

Importantly, deep fakes don’t need to be undetectable to provide a benefit to agents of propaganda. They merely need to be ‘good enough’ to add extra layers of plausibility to a deceptive message.

Figure 11: Image of deep fake generated LinkedIn profile used in suspected intelligence-gathering operation

Source: Raphael Satter, ‘Experts: Spy used AI-generated face to connect with targets’, AP News, 14 June 2019, online.

Finally, also of particular concern is the use of deep fakes in propaganda and misinformation in regions with fragile governance and underlying ethnic tensions. Misleading content spread via social media, such as decontextualised photos and false claims, has fuelled ethnic violence and killings in countries including India, Myanmar and Sri Lanka.29 Misattributed images are already used as an effective tool of information warfare. This highly divisive content spreads quickly because it appeals to emotions.

3. Military deception and international crises

Concern about deep fakes often focuses on the fear of sophisticated forgeries that are of high enough quality to pass inspection even by an expert audience. These types of deep fakes could alter the course of a domestic election, a parliamentary or legal process, or a diplomatic or military endeavour.

However, this is unlikely to occur as an informed, expert audience is more likely to:

  • use available detection tools
  • seek corroborating evidence
  • assess evidence in the light of its source and context
  • deliberate before acting on content.

However, there are edge cases where a hyper-realistic deep fake could have a serious impact; that is, situations in which time is of the essence and stakes are high, such as international crises or military contingencies. Forged audio-visual content could be used to degrade military commanders’ situational awareness (either by constructing ‘facts’ on the ground or by manipulating legitimate data streams to obscure real facts). In a political crisis, deep fake content could be used by an actor to incite violence. Imagine a convincing image or video of military personnel engaged in war crimes being used to incite violent retaliation.30

4. Erosion of trust in institutions

In May 2018, Belgium’s Socialistische Partij Anders became the first political party to use deep fake technology to influence public debate. The party posted a video to Facebook allegedly showing US President Trump encouraging Belgium to withdraw from the Paris Agreement on climate change.31

According to the party, the video was designed to spark debate, not dupe: the lip-syncing was imperfect, it included a disclaimer stating that it was fake,32 and it was quickly debunked by online communities and news sites. There’s no evidence that the deep fake affected the Belgian election.

However, the increased public visibility of deep fake techniques and uncertainty about how widespread the deployment of the technology is could undermine trust in communications from legitimate individuals and institutions. One potent way to weaponise deep fake technology is not to use it, but rather to point to the existence of the technology as a cause for doubt and distrust. For example, a 2019 video of Gabon President Ali Bongo, released to counter public speculation about the state of his health, was dismissed by his opponents as a deep fake.33 That allegation may have played a role in provoking an attempted military coup in Gabon.34

Figure 12: Address by Gabon’s President Ali Bongo, which was falsely alleged to be a deep fake

Source: ‘Gabon 24’, Facebook, 31 December 2018, online.

This dynamic is exacerbated by what researchers term the ‘liar’s dividend’: that is, efforts to debunk misinformation or propaganda can make it more difficult for audiences to trust all sources of information. This underscores the need for effective policy responses to weaponised deep fakes. Governments must act early to reassure the public that they’re responding to the challenges of weaponised deep fakes, lest panic or credulity outstrip the impact of the fakes.

Recommendations

To address the challenges of weaponised deep fakes, policymakers should work closely with industry to pursue three lines of effort. Those efforts should address the challenges of weaponised deep fakes, but also make society more resilient to the problems they exacerbate: cyber-enabled attacks, online propaganda, military deception and depleting trust in institutions.

1. Detection technologies

Tools are available to detect some deep fake processes.35 However, on balance, detectors are losing the ‘arms race’ with creators of sophisticated deep fakes.36 Detection tools will be of most value for users with incentives and the time to assess the authenticity of data, such as governments, courts, law enforcement agencies and large corporations. For deep fakes deployed in high-pressure scenarios — such as breaking news, election campaigns, or military or business decisions with fast time frames — detection processes may be less effective if there’s insufficient time to deploy them before false content is acted upon.

Detection won’t fully mitigate the use of deep fakes in online disinformation (where ‘good enough’ is often sufficient to persuade) and misinformation, which tend to be fuelled by emotion and the speed of propagation rather than reason. Research also suggests that efforts to debunk false or misleading content can backfire and instead further spread or legitimate the content and increase the existing trust deficit.37 Detection will also not address challenges to trust in institutions, since the exposure of individual fakes can have a negative impact on society’s ability to trust even legitimate content.38

That said, automatic detection tools that result in more consistent, principled labelling and flagging of content for review online (especially in the context of electoral advertising and political claims) may help reduce the effectiveness of deep fakes in propaganda and misinformation and increase public trust in the veracity of online material.

Governments, in collaboration with industry, should:

  • fund research into the further development and deployment of detection technologies, especially for use by government institutions, media organisations and fact checkers
  • require digital platforms to deploy detection tools, especially to identify and label content generated through deep fake processes.

2. Behavioural change

Currently, high-quality audio-visual material is widely accepted at face value by the media and individuals as legitimate. In other words, seeing is still believing. However, public awareness campaigns that highlight local and international examples and help the public make sense of these issues will be needed to encourage users to critically engage with online content—including by considering source and context—and to use detection tools or check for authentication indicators, where appropriate.

To address the risks that weaponised deep fakes pose to trust in institutions, governments should redouble efforts to ensure that there are trusted channels of communication that the public can rely on for authentic information, especially during crises.

Governments, in collaboration with industry, should:

  • support trusted purveyors of information, such as local and national news media providers
  • increase support for dedicated transparency bodies and initiatives
  • encourage social media platforms to expand verified account programs, with stringent checks for achieving verification, to help users identify the source of information in order to better assess whether it’s likely to be trustworthy and credible
  • create established communications protocols for governments to provide public messages during crises (for example, via trusted messaging platforms, social media accounts or national radio channels)
  • create legislative and policy ‘firebreaks’ for time-sensitive or politically sensitive situations in which detection or authentication related solutions are likely to be insufficient (for example, by implementing ‘media blackouts’ in the hours before an election).

3. Authentication standards

An alternative to detecting all false content is to signal the authenticity of all legitimate content. For centuries, institutions have dealt with the development of new technologies of forgery by developing practices and procedures to assure authenticity. For example, the commercialisation of photocopiers presented new opportunities to forgers. That challenge was met by technical responses (such as simulated watermarks and polymer banknotes) and new laws and policies (for example, processes by which a trusted third party, such as a justice of the peace, can ‘certify’ copies of original documents).

Over time, it’s likely that certification systems for digital content will become more sophisticated, in part mitigating the risk of weaponised deep fakes. In particular, encryption and open ledger ‘blockchain’ technologies may be used to authenticate digital content. Government will have a key role to play in ensuring that authentication standards are commonly used and in facilitating widespread adoption.

Governments, in collaboration with industry, should:

  • support research into appropriate authentication technologies and standards
  • introduce common standards relating to digital watermarks and stronger digital chain-of-custody requirements.

Additional media

Watch or listen to the report authors, Hannah Smith & Katherine Mansted, discuss the report here.


Acknowledgements
The authors would like to thank the National Security College at the Australian National University for its support. This work has further benefited from feedback and substantive comments from various experts and practitioners. The authors would like to thank the anonymous peer reviewers for their valuable feedback on report drafts.

What is ASPI?
The Australian Strategic Policy Institute was formed in 2001 as an independent, non‑partisan think tank. Its core aim is to provide the Australian Government with fresh ideas on Australia’s defence, security and strategic policy choices. ASPI is responsible for informing the public on a range of strategic issues, generating new thinking for government and harnessing strategic thinking internationally.

ASPI International Cyber Policy Centre
ASPI’s International Cyber Policy Centre (ICPC) is a leading voice in global debates on cyber and emerging technologies and their impact on broader strategic policy. The ICPC informs public debate and supports sound public policy by producing original empirical research, bringing together researchers with diverse expertise, often working together in teams. To develop capability in Australia and our region, the ICPC has a capacity building team that conducts workshops, training programs and large-scale exercises both in Australia and overseas for both the public and private sectors. The ICPC enriches the national debate on cyber and strategic policy by running an international visits program that brings leading experts to Australia.

Important disclaimer
This publication is designed to provide accurate and authoritative information in relation to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering any form of professional or other advice or services. No person should rely on the contents of this publication without first obtaining advice from a qualified professional.

© The Australian Strategic Policy Institute Limited 2020
This publication is subject to copyright. Except as permitted under the Copyright Act 1968, no part of it may in any form or by any means (electronic, mechanical, microcopying, photocopying, recording or otherwise) be reproduced, stored in a retrieval system or transmitted without prior written permission. Enquiries should be addressed to the publishers. Notwithstanding the above, educational institutions (including schools, independent colleges, universities and TAFEs) are granted permission to make copies of copyrighted works strictly for educational purposes without explicit permission from ASPI and free of charge.

First published May 2020.
ISSN 2209-9689 (online)
ISSN 2209-9670 (print)

  1. The foreword was made by copying a primer sentence about deep fakes into a web-hosted text generator called ‘Talk to Transformer’. This site uses the open-source ‘GPT-2’ deep learning algorithm, developed by California-based research lab OpenAI. The headshot was created by a deep fake generator, online.
  2. Allan Xia, Twitter, 1 September 2019, online.
  3. BA Zagribeinyy, A Zhavoronkov, A Aliper, D Polykovskiy, VA Terentiev, V Aladinskiy, MS Veselov, A Aladinskaia, A Asadykaev, A Zhebrak, LH Lee, R Soll, D Madge, Li Xing, Tso Guo, A Aspuru-Guzik, YA Ivanenkov, R Shayakhmetov, ‘Deep learning enables rapid identification of potent DDR1 kinase inhibitors’, Nature Biotechnology, 2019, 37(9):1038–1040.
  4. ‘AI catching wildlife poachers’, Silverpond, 2018, online.
  5. Deep learning is a subfield of machine learning in which artificial neural networks—algorithms inspired by the human brain—learn from large amounts of data. Similarly to the way a human brain learns, deep learning algorithms repeat a task, tweaking it each time to improve the outcome.
  6. Samantha Cole, ‘AI-assisted fake porn is here and we’re all fucked’, Vice, 12 December 2017, online.
  7. ZAO app, online.
  8. Kelly M Sayler, Laurie A Harris, Deep fakes and national security, Congressional Research Service, Washington DC, 14 October 2019, online.

Uyghurs for sale

‘Re-education’, forced labour and surveillance beyond Xinjiang.

What’s the problem?

The Chinese government has facilitated the mass transfer of Uyghur and other ethnic minority1 citizens from the far west region of Xinjiang to factories across the country. Under conditions that strongly suggest forced labour, Uyghurs are working in factories that are in the supply chains of at least 82 well-known global brands in the technology, clothing and automotive sectors, including Apple, BMW, Gap, Huawei, Nike, Samsung, Sony and Volkswagen.

This report estimates that more than 80,000 Uyghurs were transferred out of Xinjiang to work in factories across China between 2017 and 2019, and some of them were sent directly from detention camps.2 The estimated figure is conservative and the actual figure is likely to be far higher. In factories far away from home, they typically live in segregated dormitories,3 undergo organised Mandarin and ideological training outside working hours,4 are subject to constant surveillance, and are forbidden from participating in religious observances.5 Numerous sources, including government documents, show that transferred workers are assigned minders and have limited freedom of movement.6

China has attracted international condemnation for its network of extrajudicial ‘re-education camps’ in Xinjiang.7 This report exposes a new phase in China’s social re-engineering campaign targeting minority citizens, revealing new evidence that some factories across China are using forced Uyghur labour under a state-sponsored labour transfer scheme that is tainting the global supply chain.

What’s the solution?

The Chinese government should uphold the civic, cultural and labour rights enshrined in China’s Constitution and domestic laws, end its extrajudicial detention of Uyghurs and other Muslim minorities in Xinjiang, and ensure that all citizens can freely determine the terms of their own labour and mobility.

Companies using forced Uyghur labour in their supply chains could find themselves in breach of laws which prohibit the importation of goods made with forced labour or mandate disclosure of forced labour supply chain risks.8 The companies listed in this report should conduct immediate and thorough human rights due diligence on their factory labour in China, including robust and independent social audits and inspections. It is vital that through this process, affected workers are not exposed to any further harm, including involuntary transfers.

Foreign governments, businesses and civil society groups should identify opportunities to increase pressure on the Chinese government to end the use of Uyghur forced labour and extrajudicial detentions. This should include pressuring the government to ratify the International Labour Organization’s (ILO) Convention on Forced Labour, 1930 (No. 29) and Protocol of 2014 to the Forced Labour Convention.9 Consumers and consumer advocacy groups should demand companies that manufacture in China conduct human rights due diligence on their supply chains in order to ensure that they uphold basic human rights and are not complicit in any coercive labour schemes.

Executive summary

Since 2017, more than a million Uyghurs and members of other Turkic Muslim minorities have disappeared into a vast network of ‘re-education camps’ in the far west region of Xinjiang,10 in what some experts call a systematic, government-led program of cultural genocide.11 Inside the camps, detainees are subjected to political indoctrination, forced to renounce their religion and culture and, in some instances, reportedly subjected to torture.12 In the name of combating ‘religious extremism’,13 Chinese authorities have been actively remoulding the Muslim population in the image of China’s Han ethnic majority.

The ‘re-education’ campaign appears to be entering a new phase, as government officials now claim that all ‘trainees’ have ‘graduated’.14 There is mounting evidence that many Uyghurs are now being forced to work in factories within Xinjiang.15 This report reveals that Chinese factories outside Xinjiang are also sourcing Uyghur workers under a revived, exploitative government-led labour transfer scheme.16 Some factories appear to be using Uyghur workers sent directly from ‘re-education camps’.

The Australian Strategic Policy Institute (ASPI) has identified 27 factories in nine Chinese provinces that are using Uyghur labour transferred from Xinjiang since 2017. Those factories claim to be part of the supply chain of 82 well-known global brands.17 Between 2017 and 2019, we estimate that at least 80,000 Uyghurs were transferred out of Xinjiang and assigned to factories through labour transfer programs under a central government policy known as ‘Xinjiang Aid’ (援疆).18

It is extremely difficult for Uyghurs to refuse or escape these work assignments, which are enmeshed with the apparatus of detention and political indoctrination both inside and outside of Xinjiang.19 In addition to constant surveillance, the threat of arbitrary detention hangs over minority citizens who refuse their government-sponsored work assignments.20

Most strikingly, local governments and private brokers are paid a price per head by the Xinjiang provincial government to organise the labour assignments.21 The job transfers are now an integral part of the ‘re-education’ process, which the Chinese government calls ‘vocational training’.22

A local government work report from 2019 reads: ‘For every batch [of workers] that is trained, a batch of employment will be arranged and a batch will be transferred. Those employed need to receive thorough ideological education and remain in their jobs.’23

This report examines three case studies in which Uyghur workers appear to be employed under forced labour conditions by factories in China that supply major global brands. In the first case study, a factory in eastern China that manufactures shoes for US company Nike is equipped with watchtowers, barbed-wire fences and police guard boxes. The Uyghur workers, unlike their Han counterparts, are reportedly unable to go home for holidays (see page 8). In the second case study of another eastern province factory claiming to supply sportswear multinationals Adidas and Fila, evidence suggests that Uyghur workers were transferred directly from one of Xinjiang’s ‘re-education camps’ (see page 18). In the third case study, we identify several Chinese factories making components for Apple or their suppliers using Uyghur labour. Political indoctrination is a key part of their job assignments (see page 21).

This research report draws on open-source Chinese-language documents, satellite imagery analysis, academic research and on-the-ground media reporting. It analyses the politics and policies behind the new phase of the Chinese government’s ongoing repression of Uyghurs and other Muslim minorities. It provides evidence of the exploitation of Uyghur labour and the involvement of foreign and Chinese companies, possibly unknowingly, in human rights abuses.

In all, ASPI’s research has identified 82 foreign and Chinese companies potentially directly or indirectly benefiting from the use of Uyghur workers outside Xinjiang through abusive labour transfer programs as recently as 2019: Abercrombie & Fitch, Acer, Adidas, Alstom, Amazon, Apple, ASUS, BAIC Motor, Bestway, BMW, Bombardier, Bosch, BYD, Calvin Klein, Candy, Carter’s, Cerruti 1881, Changan Automobile, Cisco, CRRC, Dell, Electrolux, Fila, Founder Group, GAC Group (automobiles), Gap, Geely Auto, General Motors, Google, Goertek, H&M, Haier, Hart Schaffner Marx, Hisense, Hitachi, HP, HTC, Huawei, iFlyTek, Jack & Jones, Jaguar, Japan Display Inc., L.L.Bean, Lacoste, Land Rover, Lenovo, LG, Li-Ning, Mayor, Meizu, Mercedes-Benz, MG, Microsoft, Mitsubishi, Mitsumi, Nike, Nintendo, Nokia, Oculus, Oppo, Panasonic, Polo Ralph Lauren, Puma, SAIC Motor, Samsung, SGMW, Sharp, Siemens, Skechers, Sony, TDK, Tommy Hilfiger, Toshiba, Tsinghua Tongfang, Uniqlo, Victoria’s Secret, Vivo, Volkswagen, Xiaomi, Zara, Zegna, ZTE. Some brands are linked with multiple factories.

The data is based on published supplier lists, media reports, and the factories’ claimed suppliers. ASPI reached out to these 82 brands to confirm their relevant supplier details. Where companies responded before publication, we have included their relevant clarifications in this report. If any company responses are made available after publication of the report, we will address these online.

ASPI notes that a small number of brands advised they have instructed their vendors to terminate their relationships with these suppliers in 2020. Others, including Adidas, Bosch and Panasonic, said they had no direct contractual relationships with the suppliers implicated in the labour schemes, but no brands were able to rule out a link further down their supply chain.

The report includes an appendix that details the factories involved and the brands that appear to have elements of forced Uyghur labour in their supply chains. It also makes specific recommendations for the Chinese government, companies, foreign governments and civil society organisations.

Citations and notes

Readers are encouraged to download the PDF to access the full and extensive citations and notes that accompany this report.

Forced Uyghur labour

The ILO lists 11 indicators of forced labour.24 Relevant indicators in the case of Uyghur workers may include:

  • being subjected to intimidation and threats, such as the threat of arbitrary detention, and being monitored by security personnel and digital surveillance tools
  • being placed in a position of dependency and vulnerability, such as by threats to family members back in Xinjiang
  • having freedom of movement restricted, such as by fenced-in factories and high-tech surveillance
  • isolation, such as living in segregated dormitories and being transported in dedicated trains
  • abusive working conditions, such as political indoctrination, police guard posts in factories, ‘military-style’ management, and a ban on religious practices
  • excessive hours, such as after-work Mandarin language classes and political indoctrination sessions that are part of job assignments.25

Chinese state media claims that participation in labour transfer programs is voluntary, and Chinese officials have denied any commercial use of forced labour from Xinjiang.26 However, Uyghur workers who have been able to leave China and speak out describe the constant fear of being sent back to a detention camp in Xinjiang or even a traditional prison while working at the factories.27

In factories outside Xinjiang, there is evidence that their lives are far from free. Referred to as ‘surplus labour’ (富余劳动力) or ‘poverty-stricken labour’ (贫困劳动力), Uyghur workers are often transported across China in special segregated trains,28 and in most cases are returned home by the same method after their contracts end a year or more later.29

Multiple sources suggest that in factories across China, many Uyghur workers lead a harsh, segregated life under so-called ‘military-style management’ (军事化管理).30 Outside work hours, they attend factory-organised Mandarin language classes, participate in ‘patriotic education’,31 and are prevented from practising their religion.32 Every 50 Uyghur workers are assigned one government minder and are monitored by dedicated security personnel.33 They have little freedom of movement and live in carefully guarded dormitories, isolated from their families and children back in Xinjiang.34 There is also evidence that, at least in some factories, they are paid less than their Han counterparts,35 despite state media claims that they’re paid attractive wages.36

The Chinese authorities and factory bosses manage Uyghur workers by ‘tracking’ them both physically and electronically.37 One provincial government document describes a central database, developed by Xinjiang’s Human Resources and Social Affairs Department and maintained by a team of 100 specialists in Xinjiang, that records the medical, ideological and employment details of each labourer.38

The database incorporates information from social welfare cards that store workers’ personal details. It also extracts information from a WeChat39 group and an unnamed smartphone app that tracks the movements and activities of each worker.40

Chinese companies and government officials also pride themselves on being able to alter their Uyghur workers’ ideological outlook and transform them into ‘modern’ citizens, who, they say, become ‘more physically attractive’41 and learn to ‘take daily showers’.42

In some cases, local governments in Xinjiang send Chinese Communist Party (CCP) cadres to simultaneously surveil workers’ families back home in Xinjiang43— a reminder to workers that any misbehaviour in the factory will have immediate consequences for their loved ones and further evidence that their participation in the program is far from voluntary.

A person with knowledge of a Uyghur labour transfer program in Fujian told Bitter Winter, a religious and human rights NGO, that the workers were all former ‘re-education camp’ detainees and were threatened with further detention if they disobeyed the government’s work assignments.44 A Uyghur person sent to work in Fujian also told the NGO that police regularly search their dormitories and check their phones for any religious content. If a Quran is found, the owner will be sent back to the ‘re-education camp’ for 3–5 years.45

The treatment of Uyghurs described in this report’s case studies is in breach of China’s Constitution, which prohibits discrimination based on ethnicity or religious belief,46 as well as international law. While we are unable to confirm that all employment transfers from Xinjiang are forced, the cases for which adequate detail has been available showcase highly disturbing coercive labour practices consistent with ILO definitions of forced labour.

Case study 1: Uyghur workers making Nike sneakers in Qingdao

Figure 1: Uyghur workers at Taekwang Shoe Manufacturing waving the Chinese flag, October 2019

Source: ‘Strengthening patriotism education and building a bridge of national unity’ (加强爱国主义教育搭建民族团结连心桥), China Ethnic Religion Net (中国民族宗教网), 7 November 2019, online.

In January 2020, around 600 ethnic minority workers from Xinjiang were employed at Qingdao Taekwang Shoes Co. Ltd (青岛泰光制鞋有限公司).47 Taekwang’s primary customer is the American multinational company Nike Incorporated.48 The Xinjiang workers are mostly Uyghur women from Hotan and Kashgar prefectures, which are remote parts of southern Xinjiang that the Chinese government has described as ‘backward’ and ‘disturbed by religious extremism’.49

At the factory, the Uyghur labourers make Nike shoes during the day. In the evening, they attend a night school where they study Mandarin, sing the Chinese national anthem and receive ‘vocational training’ and ‘patriotic education’.50 The curriculum closely mirrors that of Xinjiang’s ‘re-education camps’.51

The sprawling Taekwang factory compound is located in Laixi City, to the north of Qingdao in China’s Shandong province, and is owned by the Taekwang Group, a South Korean chemical and textile conglomerate (chaebol). Taekwang’s Laixi factory is one of the largest manufacturers of shoes for Nike,52 producing more than seven million pairs for the American brand annually.53

Figure 2: Taekwang supply chain

Source: A Laixi government committee press release stated that 9,800 Uyghur workers were transferred to Qingdao Taekwang Shoes in ‘more than 60 batches’ since 2007. ‘Strengthening patriotism education and building a bridge of national unity’ (加强爱国主义教育搭建民族团结连心桥), China Ethnic Religion Net (中国民族宗教网), 7 November 2019, online.

In June 2019, at the opening ceremony of the Taekwang night school, a government official from the local United Front Work Department54 office called on Uyghur workers to strengthen their identification with the state and the nation.55 The school is called the ‘Pomegranate Seed’ Night School (Figure 3), referencing a speech by Chinese President Xi Jinping in which he said ‘every ethnic group must tightly bind together like the seeds of a pomegranate.’56

Figure 3: Opening ceremony of ‘Pomegranate Seed’ Night School for ethnic minorities at Taekwang factory, June 2019

Source: ‘Municipal United Front Work Department’s “Pomegranate Seed” Night School: a look into Qingdao Taekwang’s Mandarin classes’ (市委统战部’石榴籽’夜校 走进青岛泰光举办普通话培训班), Laixi United Front (莱西统一战线), WeChat, 1 July 2019, online.

The Washington Post has reported that Uyghurs working at the factory were not allowed to go home for holidays.57

The newspaper also reported that Uyghur workers at the factory were sent there by the Xinjiang government, that they did not choose to come to Qingdao, and that they were unable to practise their religion.

Photographs of the factory in January 2020 published by the newspaper show that the complex was equipped with watchtowers, razor wire and inward-facing barbed-wire fences. Uyghur workers were free to walk in the streets around the factory compound, but their comings and goings were closely monitored by a police station at the side gate equipped with facial recognition cameras.

The Uyghur workers at the Taekwang factory speak almost no Mandarin, so communication with locals is largely non-existent, according to the newspaper. They eat in a separate canteen or a Muslim restaurant across the road from the factory, where the ‘halal’ signs have been crossed out. They live in buildings next to the factory that are separate quarters from those of the Han workers.58

ASPI found evidence that inside the factories, the workers’ ideology and behaviour are closely monitored. At a purpose-built ‘psychological dredging office’ (心理疏导室), Han and Uyghur officials from Taekwang’s local women’s federation conduct ‘heart-to-heart’ talks, provide psychological consulting and assist in the uplifting of the ‘innate quality’ (素质) of the Uyghur workers—in order to aid their integration.59 Those offices and roles are also present in Xinjiang’s ‘re-education camps’.60

Figure 4: A study room called ‘Home of the Youth’ for ethnic minority workers at the Taekwang factory

Source: ‘Blessed are those who work here in Laixi!’ (在莱西这里上班的人有福了!), In the palm of Laixi (掌上莱西), WeChat, 21 July 2019, online.

Top Chinese government officials see the use and management of ethnic workers at Taekwang as a model worth emulating. Politburo Standing Committee member Wang Yang and China’s Minister for Public Security, Zhao Kezhi, sent a commendation memo to the management, according to a local media report in late 2019.61 From 2017 to 2018, according to official statistics, 4,710 Uyghur workers were transferred from Xinjiang to Shandong (almost double the government’s own target).62

The workers are closely monitored by party authorities. Officials from the local offices of the Public Security Bureau and United Front Work Department hold regular meetings with Shandong companies that hire “Uyghurs” to discuss the workers’ ‘ideological trends and any issues that have emerged’.63

Those agencies also have representatives stationed inside factories like Taekwang to report daily on the ‘thoughts’ of the Uyghur workers, manage any disputes and guard against spontaneous ‘mass instances’.64 In 2018, a recruitment notice said that Qingdao was looking for auxiliary police who are fluent in minority languages.65 In Xinjiang, auxiliary police officers are responsible for bringing people to detention camps and monitoring them when they are in detention.66

Figure 5: A July 2018 ‘farewell ceremony’ before 176 Uyghur workers left Qira county, Xinjiang for Qingdao to work at Taekwang Shoes Co. Ltd and Fulin Electronics Company

Source: ‘Qira county organises 176 labourers for stable employment at Shandong enterprises’ (策勒县组织176名务工人员赴山东企业稳定就业), Pomegranate Garden (石榴园), WeChat, 5 July 2018, online.

In January 2018, local Hotan media published a ‘letter of gratitude’ from 130 Uyghur workers at Taekwang to the Hotan Prefecture government.67 In the letter, which was written in Mandarin, the Uyghur workers described themselves as being mired in poverty before being sent to Qingdao and expressed gratitude that they were now able to earn a monthly salary of ¥2,850 (US$413, above the minimum wage in China).68 ASPI could not verify the wages received by the workers or the authenticity of the letter. The letter goes on to say that, since arriving in Qingdao, the workers had learned the dangers of religious extremism and now see a ‘beautiful life ahead of them’.69

Rendering ‘Xinjiang Aid’ (援疆)

Working arrangements that uproot Uyghurs and place them in factories in eastern and central China are not new. Since the early 2000s, the Chinese government has mobilised wealthier coastal provinces and cities to develop frontier regions such as Xinjiang and Tibet, and actively encouraged the movement of workers in the name of promoting ‘inter-ethnic fusion’ (民族交融) and ‘poverty alleviation’ (扶贫).70

Uyghur workers’ participation in those programs is rarely voluntary. Even in the 2000s, well before the ‘re-education camp’ system was created, working and living conditions for transferred Uyghur workers were often exploitative, if not abusive.71 Rights groups criticised the programs as coercive, highlighting how they intentionally removed Uyghurs from their homes and traditional way of life, only to force the workers to endure the long working hours, poor conditions, predatory bosses and discriminatory attitudes of their Han co-workers.72

Concerned factory bosses significantly reduced the use of Uyghur labour after violent clashes between Han and Uyghur workers in a Guangdong factory led to a deadly riot in Xinjiang’s regional capital of Urumqi in July 2009.73

In response to the unrest, the Chinese government began holding regular national ‘Xinjiang Aid’ conferences in 2010.74 Financial subsidies and political inducements were offered to mobilise wealthier provinces and cities to pair up with cities and prefectures in Xinjiang in order to ‘aid’ the region’s development and stability.75

Provinces have since been encouraged to contribute to the aid scheme in various ways: ‘medical Xinjiang Aid’ (医疗援疆), ‘technology Xinjiang Aid’ (科技援疆), ‘educational Xinjiang Aid’ (教育援疆) and ‘industrial Xinjiang Aid’ (产业援疆).76

Following further violence and the mass detention of Uyghurs in early 2017,77 the ‘Xinjiang Aid’ agenda became a top political priority.78 Local governments and corporations were strongly encouraged to find employment opportunities for newly ‘re-educated’ Uyghurs, under a policy termed ‘industrial Xinjiang Aid’.79

‘Industrial Xinjiang Aid’ seeks to assign work to ‘idle’ Uyghurs in the name of poverty alleviation, but it also shares the same indoctrination aims as the ‘re-education camp’ system: factory bosses are expected to fundamentally alter Uyghur workers by reforming their ‘backward qualities’ and sinicising them.80 In exchange, Uyghur workers are required to show ‘gratitude’ to the Communist Party and their Han ‘elder sisters and brothers’.81

Companies across China can participate in industrial ‘Xinjiang Aid’ in two ways:

  • opening up ‘satellite’ factories (卫星工厂) or workshops inside Xinjiang to absorb ‘surplus labour capacity’ (富余劳动力).82 According to China’s Xinhua News Agency, in the past few years, ‘Xinjiang Aid’ has seen some 4,400 enterprises set up in Xinjiang, providing nearly a million local jobs.83
  • hiring Uyghur workers for their factories elsewhere in China through a range of labour transfer schemes.

Some companies, such as Hao Yuanpeng Clothing Co. Ltd (浩缘朋服装有限公司)—a garment company headquartered in Anhui province that claims to supply Fila (Italy/South Korea) and Adidas (Germany)—are engaged in both those forms of industrial aid.84

By late 2018, cheap labour emerging from the ‘re-education camps’ had become an important driver of Xinjiang’s economy, according to an official statement by the Xinjiang Development and Reform Commission.85 There is now a direct pipeline of Uyghur workers from ‘vocational training’ and political indoctrination in Xinjiang to factory work across China. ‘For every batch (of workers) that is trained, a batch of employment will be arranged and the batch will be transferred’, a 2019 government work report from Karakax county reads.86 In some cases, labour transfers outside of Xinjiang are organised even before vocational training and political indoctrination start—to ensure ‘100% employment rate’ for the ‘trained’ Uyghurs.87

Xinjiang’s labour transfer program

Data collected from Chinese state media and official government notices indicates that more than 80,000 Uyghur workers were transferred out of Xinjiang between 2017 and 2019. ASPI has mapped the available data on these transfers. The larger the arrow in Figure 6, the greater the number of people being transferred. Dotted lines represent known direct county-to-factory transfers. The diagram shouldn’t be considered comprehensive, but gives a sense of the scale and scope of the program.88

Figure 6: Uyghur transfers to other parts of China from 2017 to 2020

Source: ASPI’s International Cyber Policy Centre, which used a range of data sources, including local media reports and official government sources.

The Chinese government’s official data on labour transfer includes transfers from southern Xinjiang to northern Xinjiang, transfers from Xinjiang to other provinces, and transfers to local factories. Depending on the county, labourers sent outside Xinjiang account for anywhere between 10%89 and 50%90 of all Xinjiang transfers.

In recent years, transfers from Xinjiang to other parts of China have increased steadily. In 2017, according to state media reports, 20,859 ‘rural surplus labourers’ from Xinjiang were transferred to work in other provinces.91 Based on ASPI’s analysis of published data, an estimated 28,000 people were transferred for employment in 2018.92 In 2019, an estimated 32,000 people were transferred out of the region.93

Xinjiang authorities also claim to have repeatedly exceeded their labour transfer targets.94 The 2017 target was set at 20,000 and exceeded by 4%.95 In 2019, the target was set at 25,000 and reportedly exceeded by about 25%.96

ASPI analysed the volume of results returned by the Chinese search engine Baidu97 when we searched for keywords related to labour transfer schemes. Figure 7 illustrates a steady increase since 2014 (the year in which the so-called ‘Strike Hard Campaign against Violent Extremism’ was launched in Xinjiang), and an even more dramatic increase from 2017 as the ‘re-education’ process ramped up. This is a further suggestion that the labour transfer program has become an increasingly important political priority for the Chinese government in recent years.

Figure 7: Number of Baidu search results for a variety of keywords relating to Xinjiang labour transfers, 2005 to 2019

Source: ASPI’s International Cyber Policy Centre

Aside from political incentives, the business of ‘buying’ and ‘selling’ Uyghur labour can be quite lucrative for local governments and commercial brokers. According to a 2018 Xinjiang provincial government notice, for every rural ‘surplus labourer’98 transferred to work in another part of Xinjiang for over nine months, the organiser is awarded ¥20 (US$3); however, for labour transfers outside of Xinjiang, the figure jumps 15-fold to ¥300 (US$43.25).99 Receiving factories across China are also compensated by the Xinjiang government, receiving a ¥1,000 (US$144.16) cash inducement for each worker they contract for a year, and ¥5,000 (US$720.80) for a three-year contract.100 The statutory minimum wage in Urumqi, Xinjiang’s regional capital, was ¥1,620 (US$232.08) a month in 2018.101

In recent years, advertisements for ‘government-sponsored Uyghur labour’ also began to appear online. In February 2019, a company based in Qingdao published a notice advertising a large number of ‘government-led … qualified, secure and reliable’ Uyghur workers for transfer to some 10 provinces in China (Figure 8).102

Figure 8: Advertisement published by Qingdao Decai Decoration Co. claiming to supply government-sponsored Uyghur workers from Xinjiang to other provinces.

Note: The ad features a caricature of two dancing Uyghurs in traditional clothing.
Source: ‘Our company provides a large number of government (sponsored) Xinjiang workers – labour dispatching company’ (我司提供大量政府新疆工人劳务派遣公司), Qingdao Human Resources Website (青岛德才人力资源网), online. Translated from Chinese by ASPI.

Another new advertisement claimed to be able to supply 1,000 Uyghur workers aged 16 to 18 years. It reads: ‘The advantages of Xinjiang workers are: semi-military style management, can withstand hardship, no loss of personnel … Minimum order 100 workers!’. The advertisement also said that factory managers can apply for current Xinjiang police to be stationed at their factory 24 hours a day, and that the workers could be delivered (along with a Uyghur cook) within 15 days of the signing of a one-year contract (Figure 9).

Figure 9: Labour-hire advertisement offering young Uyghur workers under ‘semi-military style management’

Source: ‘1,000 minorities, awaiting online booking’ (1000少数民族,在线等预约), Baidu HR Forum (百度 HR吧), 27 November 2019, online. Translated from Chinese by ASPI.

Case study 2: From ‘re-education camps’ to forced labour assignments

New evidence indicates that ‘graduating’ detainees from Xinjiang’s ‘re-education camps’ have been sent directly to factories to work in other parts of China. In such circumstances, it is unlikely that their work arrangements are voluntary.

The Haoyuanpeng Clothing Manufacturing Co. Ltd (浩缘朋制衣有限公司, HYP) participates in ‘Xinjiang Aid’ both through its satellite factory103 in Xinjiang (established in 2018) and by exporting Uyghur workers to Anhui province, where it is headquartered. On HYP’s corporate website, it advertises strategic partnerships with the Italian–South Korean fashion label Fila, German sportswear companies Adidas and Puma, and Nike.104

In February 2018, HYP transferred 63 workers from Xinjiang to its Anhui factory in eastern China with plans to eventually transfer 500 in total.105 The transferred workers were all ‘graduates’ of the Jiashi County Secondary Vocational School (伽师县中等职业学校), according to a government report.106

ASPI’s analysis of satellite imagery and official documents suggests the ‘school’ had operated as a ‘re-education camp’ since 2017. The compound increased in size, adding new dormitories and factory warehouses while significant security features were added through the introduction of secure ‘military-style management’ (see Figure 10).107

Figure 10: Satellite image of Jiashi Vocational School, January 2018, with security infrastructure added since 2017 highlighted in orange.

Note: Multiple dormitory buildings and a teaching building appear to be completely fenced in and isolated in a style that resembles other political indoctrination camps. Additionally, five small factory warehouse buildings have been constructed in the enclosed area. Source: ASPI’s International Cyber Policy Centre.

A spokesperson from Adidas said the company does not have an active relationship with HYP and that they will further investigate the use of the Adidas signage.

The transfer of Uyghur labour to Anhui was part of a ‘Xinjiang Aid’ project organised by the Guangdong government, which also involved HYP setting up a highly secure factory in Xinjiang’s Shule (Yengixahar) county (Figure 11).108

Figure 11: Satellite image of HYP’s factory in Shule (Yengixahar) county, Xinjiang

Note: The factory is fully enclosed by perimeter fencing and has several residential dorm buildings further isolated by fencing. In addition there are several security posts throughout the facility. Source: ASPI’s International Cyber Policy Centre.

In a recent interview, HYP President Zeng Yifa (曾亿法) told state media that he established a factory in Xinjiang because it was difficult to find young workers in other parts of China, or even abroad, concluding that: ‘Although the quality of North Korean workers is good, I’m reluctant to spend money on foreign workers. In the end, I chose Xinjiang.’109

HYP’s factory in Xinjiang, which has a large Adidas billboard on its facade (Figure 13), is surrounded by a 3-metre-high fence. The two entrances to the factory are guarded by security checkpoints, and at least five more security posts monitor the rest of the facility’s perimeter. It is unclear whether HYP’s factory in Anhui province has similar security features.

Figure 12: HYP’s supply chain

Source: ASPI ICPC. See Appendix for supply chain information.

Figure 13: Hao Yuanpeng’s Kashgar, Xinjiang factory.

Source: ‘Photos of company’ (企业展示), Hao Yuanpeng Clothing Co. Ltd (浩缘朋服装有限公司), online.

Case study 3: ‘Re-educating’ Uyghur workers in Apple’s supply chain

In December 2017, Apple’s CEO Tim Cook visited one of the company’s contractors—O-Film Technology Co. Ltd (欧菲光科技股份有限公司)110—and posted a picture of himself at the company’s Guangzhou factory on the Chinese social media platform Weibo.111

O-Film manufactured112 the ‘selfie cameras’ for the iPhone 8 and iPhone X. The company also claims on its website to manufacture camera modules and touchscreen components for a number of other well-known companies including Huawei, Lenovo and Samsung.113

Figure 14: Tim Cook’s Weibo post from O-Film’s Guangzhou factory in December 2017

Tim Cook’s post on Chinese social media: ‘Say cheese! Getting a closer look at the remarkable, precision work that goes into manufacturing the selfie cameras for iPhone 8 and iPhone X at O-Film’. Source: online.

Prior to Cook’s visit, between 28 April and 1 May 2017, 700 Uyghurs were reportedly transferred from Lop county, Hotan Prefecture, in Xinjiang to work at a separate O-Film factory in Nanchang, Jiangxi province.114

As with other labour transfers from Xinjiang described in this report, the work assignments for the Uyghurs sent to Jiangxi were highly politicised. The workers were expected to ‘gradually alter their ideology’ and turn into ‘modern, capable youth’ who ‘understand the Party’s blessing, feel gratitude toward the Party, and contribute to stability,’ a local Xinjiang newspaper wrote.115 Once in Jiangxi, they were managed by a few minders sent by Lop county who were ‘politically reliable’ and knew both Mandarin and the Uyghur language.116

According to a now deleted press release,117 Cook praised the company for its ‘humane approach towards employees’ during his visit to O-Film, asserting that workers seemed ‘able to gain growth at the company, and live happily.’118

Five months later, in October 2017, the Hotan government in Xinjiang contacted O-Film, hoping to supply another 1,300 workers.119 On 12 December 2017, a Uyghur worker who claimed to have worked at O-Film said that there were more than a thousand Uyghur workers at the O-Film factory in Jiangxi.120

Figure 15: O-Film Supply Chain

Source: ASPI ICPC. See appendix for supply chain source information.

O-Film is not the only Chinese factory using Uyghur labour to make parts for Apple and its suppliers.

This report identifies three other factories in Apple’s supply chain.

A local government document from September 2019 said that 560 Xinjiang labourers were transferred to work in factories in central Henan province, including the Zhengzhou facility of Foxconn Technology (Foxconn).121 Foxconn, a Taiwanese company, is the biggest contract electronics manufacturer in the world, making devices for Apple, Dell and Sony, among others.122 The Zhengzhou facility reportedly makes half of the world’s iPhones and is the reason why Zhengzhou city is dubbed the ‘iPhone city’.123

It is unclear how the Uyghur workers are treated at the Zhengzhou facility. However, a September 2019 report by New York-based China Labour Watch said contract workers at Foxconn’s Zhengzhou factory—which includes Uyghur workers—put in at least 100 overtime hours a month.124 Over the past decade, Foxconn has been marred by allegations of worker exploitation and even suicides, including recently at its Zhengzhou facility.125 The company has also actively participated in the ‘Xinjiang Aid’ scheme.126

Figure 16: Uyghur workers arriving at Hubei Yihong Precision Manufacturing Co. Ltd

Uyghur workers with Hubei Yihong Precision Manufacturing Co. Ltd on their transfer between Xinjiang and Xianning, Hubei. This photograph was taken outside of Wuchang train station in Wuhan, Hubei’s provincial capital, in May 2018. Source: online.

On 17 May 2018, 105 Uyghur workers were transferred from Keriya county, Xinjiang, to Hubei Yihong Precision Manufacturing Co. Ltd (湖北奕宏精密制造有限公司, Hubei Yihong) in Xianning, Hubei province.127 Upon the workers’ arrival, a senior communist party official visited the Hubei Yihong factory. In a speech, he put forward three demands: for the workers to exercise gratitude to the Communist Party, for the managers to increase surveillance and intensify patriotic education, and for the workers to quickly blend in.128

Hubei Yihong makes backlights and battery covers.129 It is a subsidiary of Dongguan Yidong Electronic Co. Ltd (东莞市奕东电子有限公司), whose website claims that its end customers include Apple and Huawei.130 While neither Hubei Yihong nor its parent company is included in Apple’s supplier list, Hubei Yihong’s website lists GoerTek, which directly supplies Apple with AirPods, as one of its customers.131

Figure 17: Hubei Yihong Supply Chain

Source: ASPI ICPC. See appendix for supply chain source information.

In 2017, another electronics company that claims to make components for Apple’s supplier, Hefei Highbroad Advanced Material Co. Ltd (翰博高新材料(合肥)股份有限公司, Highbroad) signed a contract with the Hotan government to take in 1,000 Uyghurs each year for the next three years, according to the company’s vice president.132 Later that year, more than 500 Uyghurs from rural Guma county in Hotan Prefecture were transported to Hefei in Anhui province to begin work in Highbroad’s electronics factory.133

In 2018, 544 Uyghurs were transferred from Guma county to a Highbroad subsidiary, also in Hefei, called Fuying Photoelectric Co. Ltd (合肥福映光电有限公司).134 At Fuying, according to state media, Aynur Memetyusup, a young Uyghur woman, learned to improve her Mandarin and workplace discipline and to take daily showers that made ‘her long hair more flowing than ever.’ She is quoted as saying, ‘Like President Xi has said, happiness is always the result of struggle.’135

Figure 18: A picture of Aynur Memetyusup (first from left) in an after-work Mandarin class at Highbroad Advanced Material Co. Ltd in Hefei, Anhui province

Source: ‘Uyghur girl helps her mom’s big dream come true’, China Daily, 6 August 2019, online.

According to the company’s 2018 annual report,136 Highbroad’s main products are components for flat panel displays—the LCD and OLED screens used in many smartphones, tablets and computers. Highbroad notes that 79.19% of its operating revenue comes from sales to the Beijing-based multinational company BOE Technology Group Co. Ltd (京东方), which is one of the world’s largest producers of electronic displays. BOE is currently a major screen supplier to Huawei137 and is set to become Apple’s second-largest OLED screen supplier by 2021.138 BOE is currently listed on Apple’s supplier list.139

According to Highbroad’s website, its customers include Japan Display Inc. and LG Display.140 Highbroad’s hiring ads141 and a Chinese LCD industry directory142 also claim that Highbroad’s end customers include other well-known companies including Dell, Lenovo, Samsung and Sony, and automobile manufacturers such as BMW, Jaguar, Land Rover, Mercedes-Benz and Volkswagen (Figure 18). Jaguar Land Rover says it investigated its supply chain and found it does not source directly from Highbroad, and was assured by its suppliers they do not source from the company.

Figure 19: Highbroad supply chain

Source: ASPI ICPC. See Appendix for supply chain information.

Implications for the global supply chain

The rapid expansion of the nationwide system of Uyghur labour presents a new challenge for foreign companies operating in China. How do they secure the integrity of their supply chains and protect their brands from the reputational and legal risks of being associated with forced, discriminatory or abusive labour practices? Interwoven supply chains and the mixed nature of their workforces, which draw on both Han and Uyghur workers, make it particularly difficult for companies to ensure that their products are not associated with forced labour. These labour transfer schemes also present a challenge to the reputation of Chinese brands overseas.

In all, ASPI’s research has identified 82 foreign and Chinese companies potentially directly or indirectly benefiting from the use of Uyghur workers outside Xinjiang through abusive labour transfer programs: Abercrombie & Fitch, Acer, Adidas, Alstom, Amazon, Apple, ASUS, BAIC Motor, Bestway, BMW, Bombardier, Bosch, BYD, Calvin Klein, Candy, Carter’s, Cerruti 1881, Changan Automobile, Cisco, CRRC, Dell, Electrolux, Fila, Founder Group, GAC Group (automobiles), Gap, Geely Auto, General Motors, Google, Goertek, H&M, Haier, Hart Schaffner Marx, Hisense, Hitachi, HP, HTC, Huawei, iFlyTek, Jack & Jones, Jaguar, Japan Display Inc., L.L.Bean, Lacoste, Land Rover, Lenovo, LG, Li-Ning, Marks & Spencer, Mayor, Meizu, Mercedes-Benz, MG, Microsoft, Mitsubishi, Mitsumi, Nike, Nintendo, Nokia, Oculus, Oppo, Panasonic, Polo Ralph Lauren, Puma, SAIC Motor, Samsung, SGMW, Sharp, Siemens, Skechers, Sony, TDK, Tommy Hilfiger, Toshiba, Tsinghua Tongfang, Uniqlo, Victoria’s Secret, Vivo, Volkswagen, Xiaomi, Zara, Zegna, ZTE. Some brands are linked with multiple factories.

The data is based on published supplier lists, media reports, and the factories’ claimed suppliers. ASPI reached out to these 82 brands to confirm their relevant supplier details. Where companies responded before publication, we have included their relevant clarifications in this report. If any company responses are made available after publication of this report, we will address these online.

A further 54 companies are implicated in what could be forced labour schemes within Xinjiang itself (see appendix)—some of which overlap with the 82 companies linked to forced Uyghur labour outside of Xinjiang. It is important to note that not all companies have the same levels of exposure to Uyghur forced labour. Some finished products are directly manufactured by these workers, while others pass through complicated supply chains.

The appendix to this report lists 35 documented labour transfer programs under ‘Xinjiang Aid’ since 2017. The table includes the following information:

  • transfers to factories in central and eastern provinces of China
  • transfers to purpose-built factories within Xinjiang
  • the number of people moved to the factories
  • the products they make
  • the companies the factories claim they supply.

In the past three years, the ‘re-education camp’ system in Xinjiang has drawn international condemnation. Now the culture and ethos of ‘re-education’ is being exported well beyond Xinjiang and married with practices that likely amount to forced labour.

This report establishes that some workers employed through labour transfer schemes at factories across China are sourced directly from the ‘re-education camps’ in Xinjiang. Ethnic minority workers from Xinjiang who are not known to be former detainees may also be forced to work under threat of detention, the intimidation of family members and a range of restrictions on their freedom. The tainted global supply chain that results from these practices means that it is now difficult to guarantee that products manufactured in China are free from forced labour.143

We have found that a large number of Chinese and multinational companies are sourcing components or products from factories that proudly boast about their Uyghur workers, such as Taekwang144 and HYP.145 This situation poses new risks—reputational and legal—for companies and consumers purchasing goods from China, as products made in any part of the country, not just in Xinjiang, may have passed through the hands of forced labourers. This situation also creates new risks for investors in those companies—from private investors to wealth management funds—who may now find themselves indirectly linked to forced labour practices.

Recommendations

The response to the abuses identified in this report should not involve a knee-jerk rejection of Uyghur or Chinese labour. The problem is the policies that require Uyghurs to work under duress in violation of well-established international labour laws. It is vital that, as these problems are addressed, Uyghur labourers are not placed in positions of greater harm or, for example, involuntarily transferred back to Xinjiang, where their safety cannot necessarily be guaranteed. In light of this report’s findings, we make the following recommendations.

The Chinese government should:

  • give multinational companies unfettered access to allow them to investigate any abusive or forced labour practices in factories in China
  • uphold the rights of all workers in China, especially those from vulnerable ethnic minorities, to determine how their labour is deployed and the conditions under which they leave their place of residence
  • ratify the ILO International Labour Standards; structure a comprehensive grievance mechanism, including for the investigation of alleged cases of forced labour; provide victims with protection and remedies; and prosecute perpetrators
  • uphold the legitimate rights of China’s citizens, including by protecting ethnic and religious rights enshrined in the Chinese Constitution.146

Companies using forced Uyghur labour in their supply chains could find themselves in breach of laws which prohibit the importation of goods made with forced labour or mandate disclosure of forced labour supply chain risks.147

Each company listed in this report should: 

  • conduct immediate and thorough human rights due diligence on its factory labour in China, including robust and independent social audits and inspections. The audits and inspections should include a stocktake of the conditions and current and ongoing safety of vulnerable workers
  • if it finds that factories are implicated in forced labour, seek to use its leverage to address improper labour practices. In all cases where harm has occurred, it should take appropriate and immediate remedial action. Where it cannot, it should cease working with those factories
  • ensure that it is fully transparent as it seeks to address all potential harms, including by reporting its due diligence and audit findings publicly.

Foreign governments should:

  • identify opportunities to increase pressure on the Chinese government to end the use and facilitation of Uyghur forced labour and mass extrajudicial detention, including through the use of targeted sanctions on senior officials responsible for Xinjiang’s coercive labour transfers
  • review trade agreements to restrict commodities and products being produced with forced labour
  • identify opportunities to pressure the Chinese government into ratifying the Convention on Forced Labour, 1930 (No. 29),148 Abolition of Forced Labour Convention, 1957 (No.105)149 and the Protocol of 2014 to the Forced Labour Convention.150

Consumers and civil society groups, including NGOs, labour unions and consumer advocacy groups, should:

  • demand that companies that manufacture in China conduct due diligence and social audits to ensure that they’re not complicit in forced labour practices
  • advocate for the recognition of continual, multilayered surveillance and monitoring of workers and their digital communications—both in and outside work hours—as an emerging and under-reported indicator of forced labour and an important human rights violation
  • push brands to be more transparent about the make-up of their supply chains and the preventative measures they have put in place to ensure forced labour does not occur
  • demand that companies make new public commitments, uphold current commitments, or both, to not use forced and coerced labour in their global supply chains and that they act quickly and publicly when such cases are identified.

Appendix

Appendices, Citations and Notes

Readers are encouraged to download the PDF to access the appendix, full and extensive citations and notes that accompany this report. (See link at top of this page). 

Document History

First published 1 March 2020. The text on page 5 and in the appendix was updated on 3 March 2020 to reflect responses from some of the companies named in the report. The text on pages 5 and 24, Figure 17 on page 24, and the text on page 34 of the appendix were amended on 6 March to reflect responses from a company named in the report. The appendix on p39 was updated on 19 March to reflect a response from a company named in the report. The appendix on p31 was updated on 14 April to reflect a response from a company named in the report. The text in Figure 17 on page 24 and the appendix on pages 34, 36, and 39 was amended on 5 June to reflect a response from a company named in the report. The report was amended on 28 July 2020 to remove The North Face from the list of brands, given their association with the relevant factory had ceased before the evidence indicates the factory had received Uyghur workers on a transfer scheme. The text on p37 was amended on 13 August 2020 to reflect a response from a company named in the report. Endnotes from number 257 on pages 52 and 53 are re-numbered. The report was amended on 24 August 2020 to reflect a statement by a company named in the report; and to correct a broken web link. The text on page 32 and 39 was amended on 21 September 2020 to reflect a statement by a company named in the report. The text on page 38 and 39 was amended on 30 September 2020 to reflect a statement by a company named in the report. Figure 17 on page 24 and text on pages 5, 27 and 34 were updated on 20 October 2020 to reflect a response from a company named in the report. The text on pages 5, 27, 36 and 52 was updated on 19 November 2020 to correct a translation error in a subsidiary company name. The text on page 31 and page 34 was changed on 18 December 2020 to reflect responses from companies named in the report. The text on page 25 and page 33 was changed on 11 January 2021 to reflect responses from companies named in the report.
The text on page 42 was amended on 25 February 2021 to add cross-referencing between endnotes. The text on page 33 was amended on 16 March 2021 to reflect a response from a company named in the report. The text on page 34 was amended on 5 August 2021 to reflect a response from a company named in the report. The text on page 31 was amended on 20 October 2021 to reflect a response from a company named in the report. The text on page 37 was amended on 21 June 2022 to reflect a response from a company named in the report.


Acknowledgements

The authors would like to thank researchers Daria Impiombato, Sarah O’Connor and Emily Weinstein. A special thanks to Stephanie Zhang who spent an enormous amount of time on this project. We would like to thank all peer reviewers including Darren Byler, labour specialists and anonymous reviewers. Finally, we would like to thank ASPI’s International Cyber Policy Centre Director Fergus Hanson for his support and guidance.

The UK Foreign and Commonwealth Office provided ASPI with funding of £10,000, which was used towards this report.

What is ASPI?

The Australian Strategic Policy Institute was formed in 2001 as an independent, non‑partisan think tank. Its core aim is to provide the Australian Government with fresh ideas on Australia’s defence, security and strategic policy choices. ASPI is responsible for informing the public on a range of strategic issues, generating new thinking for government and harnessing strategic thinking internationally.

ASPI International Cyber Policy Centre

ASPI’s International Cyber Policy Centre (ICPC) is a leading voice in global debates on cyber and emerging technologies and their impact on broader strategic policy. The ICPC informs public debate and supports sound public policy by producing original empirical research, bringing together researchers with diverse expertise, often working together in teams. To develop capability in Australia and our region, the ICPC has a capacity building team that conducts workshops, training programs and large-scale exercises both in Australia and overseas for both the public and private sectors. The ICPC enriches the national debate on cyber and strategic policy by running an international visits program that brings leading experts to Australia.

Important disclaimer

This publication is designed to provide accurate and authoritative information in relation to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering any form of professional or other advice or services. No person should rely on the contents of this publication without first obtaining advice from a qualified professional.

© The Australian Strategic Policy Institute Limited 2020

This publication is subject to copyright. Except as permitted under the Copyright Act 1968, no part of it may in any form or by any means (electronic, mechanical, microcopying, photocopying, recording or otherwise) be reproduced, stored in a retrieval system or transmitted without prior written permission. Enquiries should be addressed to the publishers. Notwithstanding the above, educational institutions (including schools, independent colleges, universities and TAFEs) are granted permission to make copies of copyrighted works strictly for educational purposes without explicit permission from ASPI and free of charge.

First published February 2020.

ISSN 2209-9689 (online),
ISSN 2209-9670 (print)

  1. The Chinese government’s ‘re-education’ policies have mainly targeted the Uyghurs but also other Turkic speaking Muslim minorities such as the Kazakhs, Uzbeks, Tartars, Tajiks, Kyrgyz and Hui. This report refers to them collectively as ‘Uyghurs’ or ‘ethnic minorities’ for brevity. ↩︎
  2. ‘Detention camps’ and ‘re-education camps’ are used interchangeably in this paper. ↩︎
  3. ‘Xinjiang Aid, to the hearts of the masses’ (对口援疆,做到群众心坎上), Anhui Guoyuan Financial Holdings Group Co. Ltd (安徽国元金融控股集团有限责任公司), 26 July 2018, online; ‘Hotan migrant workers find employment in Jiangxi Nanchang’s high-tech enterprises’ (和田外出务工人员在江西南昌高新企业就业掠影), Hotan People’s government (和田市人民政府), 8 April 2019. ↩︎
  4. Yu Mingtong (于明彤), ‘Guangdong industry Xinjiang Aid: Helping Kashgar ethnic women find employment’ (广东产业援疆 助力喀什少数民族妇女就业), International Online (国际在线), 9 November 2018, online; ‘“Xinjiang Aid”, to the hearts of the masses’ (对口援疆,做到群众心坎上), Anhui Guoyuan Financial Holdings Group Co. Ltd (安徽国元金融控股集团有限责任公司), 26 July 2018. ↩︎
  5. ‘Nilka, Xinjiang: Multiple measures to explore for improving model of organised rural labour transfer employment outside of Xinjiang’ (新疆尼勒克:多措并举探索提升农村劳动力疆外有组织转移就业新模式), Xinjiang Public Employment Net (新疆公共就业服务网), 25 June 2019. ↩︎
  6. Guidelines for Guangdong enterprises to hire Xinjiang workers (trial) (广东企业招用新疆籍劳动者指引 (试用)), Guangdong Employment Service Administration (广东省就业服务管理局), 18 January 2019, online. For additional details on the security measures and government minders, see section ‘Forced Uyghur Labour’. ↩︎
  7. Rick Noack, ‘In a first, 22 nations condemned China’s repression of Uighur Muslims. Without the US’, The Washington Post, 12 July 2019. ↩︎
  8. See the United States’ Tariff Act of 1930, online, and Australia’s Modern Slavery Act 2018. ↩︎
  9. Protocol of 2014 to the Forced Labour Convention, 1930. ↩︎
  10. Adrian Zenz, ‘Brainwashing, police guards, and coercive internment: evidence from Chinese government documents about the nature and extent of Xinjiang’s “vocational training internment camps”‘, Journal of Political Risk, July 2019, 7(7), online; Fergus Ryan, Danielle Cave and Nathan Ruser, Mapping Xinjiang’s ‘re-education’ camps, ASPI, Canberra, 1 November 2018. ↩︎
  11. James Leibold, ‘Despite China’s denials, its treatment of the Uyghurs should be called what it is: cultural genocide’, The Conversation, 24 July 2019. ↩︎
  12. Rob Schmitz, ‘Ex-detainee describes torturer in China’s Xinjiang re-education camp’, NPR, 13 November 2018. ↩︎
  13. Mu Xuequan, ‘China Focus: Xinjiang determined in counter-terrorism, deradicalization, maintaining development’, Xinhua Net, 10 December 2019. ↩︎
  14. ‘Trainees in Xinjiang education, training program have all graduated’, Xinhua, 9 December 2019. ↩︎
  15. In 2019, investigations conducted by the Australian Broadcasting Corporation and ASPI’s International Cyber Policy Centre revealed that Australian companies Cotton On and Target were at risk of using forced labour in their supply chains. Sophie McNeill, Jeanavive McGregor, Meredith Griffiths, Michael Walsh, Echo Hui, Bang Xiao, ‘Cotton On and Target investigate suppliers after forced labour of Uyghurs exposed in China’s Xinjiang’, Four Corners, ABC News, 17 July 2019, online; Nathan Ruser, ‘What satellite imagery reveals about Xinjiang’s ‘re-education’ camps and coerced labour’, The Strategist, 16 July 2019, online; Adrian Zenz, ‘Xinjiang’s new slavery’, Foreign Policy, 11 December 2019, online; Amy Lehr and Mariefaye Bechrakis, ‘Connecting the Dots in Xinjiang: Forced Labour, Forced Assimilation and Western Supply Chains,’ A Report of the CSIS Human Rights Initiative, Center for Strategic and International Studies, October 2019. ↩︎
  16. Steve Hess, ‘Dividing and conquering the shop floor: Uyghur labour export and labour segmentation in China’s industrial east’, Central Asian Survey, December 2009, 28(4), 404. ↩︎
  17. The appendix lists all Chinese and global brands implicated, as well as the cities and provinces in China where the factories are known to be using Uyghur labour. ↩︎
  18. This estimate is based on data collected from Chinese state media and official government notices. ↩︎
  19. ‘Xinjiang Human Resources and Social Security Department: Strengthening labour cooperation in the region to promote long-term stable employment’ (新疆自治区人力资源和社会保障厅:强化区内劳务协作 促进长期稳定就业), Ministry of Human Resources and Social Security, People’s Republic of China (中华人民共和国人力资源和社会保障部), 11 January 2019. ↩︎
  20. Chris Buckley and Austin Ramzy, ‘Inside China’s push to turn Muslim minorities into an army of workers’, New York Times, 30 December 2019. ↩︎
  21. Interim measures for the management of the Xinjiang Uyghur Autonomous Region’s rural surplus labour forces to transfer employment to reward funds (新疆维吾尔自治区农村富余劳动力转移就业以奖代补资金管理暂行办法), online. ↩︎
  22. Bill Birtles, ‘China defends “vocational training centres” amid international pressure over mass Uighur detentions’, ABC News, 17 October 2018. See also endnotes 160, 207, 222, 223. ↩︎
  23. Work report of the People’s government of Moyu county in 2019 (2019年墨玉县人民政府工作报告), Moyu county government Network (墨玉县政府网), 12 November 2019. ↩︎
  24. Special Action Programme to Combat Forced Labour, ILO indicators of forced labour, International Labour Organization, 1 October 2012. ↩︎
  25. Under the 1930 Forced Labour Convention, forced labour is ‘all work or service which is exacted from any person under the threat of a penalty and for which the person has not offered himself or herself voluntarily’. The 2014 Forced Labour Protocol, Article 1(3), reaffirms the 1930 convention’s definition. See Convention Concerning Forced or Compulsory Labour, 1930 (No.29), online, and Protocol of 2014 to the Forced Labour Convention, 1930. ↩︎
  26. ‘Xinjiang Lop county: Leave as industrial workers, return as excellent public speakers’ (新疆洛浦县:外出成产业工人 返乡是优秀宣讲员), Phoenix News (凤凰新闻), 12 December 2017, online. In March 2019, the press office of the Xinjiang Uyghur Autonomous Region government told AFP that there was ‘no labour contract between education and training centres and enterprises’ and that ‘no enterprise obtains labour from training centres’; Agence France-Presse, ‘China turns Muslim ‘re-education’ camp detainees into cheap labour force, human rights group claims’, South China Morning Post, 4 March 2019. ↩︎
  27. Darren Byler, ‘How companies profit from forced labour in Xinjiang’, supchina, 4 September 2019, online; Ye Ling, ‘Released from Camps, Uyghurs Subjected to Forced Labor’, Bitter Winter, 23 December 2019. ↩︎
  28. Zhu Yongfeng (朱勇峰), ‘The first batch of 50 workers from Nilka county goes to Jiangsu KTK Group’ (尼勒克县首批50名赴江苏今创集团务工), China Labour and Social Security News (中国劳动保障新闻网), 15 May 2019. ↩︎
  29. Yu Tao (于涛), ‘Xinjiang workers depart to return home to Xinjiang for the first time this winter’ (新疆今冬首趟进疆务工人员返乡专列发车), Xinhua News (新华网), 7 November 2019, online. Before the 2017 crackdown, ‘surplus labour’ mostly referred to rural labour, but in recent years different types of labour transfer, including of rural labour and former detainees, have often been lumped together as ‘surplus labour’ to meet bigger targets. ↩︎
  30. Simaier Human Resources (斯麦尔人力), ‘Important notice’ (重要通知), Labour Dispatch Forum (劳务派遣吧), Baidu, 27 October 2019, online; ‘1,000 minorities, awaiting online booking’ (1000少数民族,在线等预约), Baidu HR Forum (百度HR吧), 27 November 2019. ‘The first batch of rural surplus workers from Bagqi Village in Aksu was transferred for employment’ (阿克苏巴格其村首批农村富余劳动力转移就业), Xinjiang News Online Network (新疆新闻在线网), 8 March 2018, online. [https://archive.fo/BcU4l#selection-431.3-431.10] See also endnote 28. ↩︎
  31. ‘Strengthening patriotism education and building a bridge of national unity’ (加强爱国主义教育搭建民族团结连心桥), China Ethnic Religion Net (中国民族宗教网), 7 November 2019. ↩︎
  32. ‘Nilka, Xinjiang: Multiple measures to explore for improving model of organised rural labour transfer employment outside of Xinjiang’ (新疆尼勒克:多措并举探索提升农村劳动力疆外有组织转移就业新模式), Xinjiang Public Employment Net (新疆公共就业服务网), 25 June 2019. ↩︎
  33. Xinjiang Autonomous Region Human Resources and Social Security Department: Strengthening labour cooperation in the region to promote long-term stable employment (新疆自治区人力资源和社会保障厅:强化区内劳务协作 促进长期稳定就业), Ministry of Human Resources and Social Security, People’s Republic of China (中华人民共和国人力资源和社会保障部), 11 January 2019, online; ‘Guidelines for Guangdong Enterprises to hire Xinjiang Workers (Trial)’ (广东企业招用新疆籍劳动者指引 (试用)), Guangdong Employment Service Administration (广东省就业服务管理局), 18 January 2019. See also endnotes 5, 171 and 248. ↩︎
  34. ‘To change a family’s destiny, these rural women workers from Xinjiang came to Qingdao. What did they experience?’ (伟改变家庭命运 这些新疆农村女工来到青岛 她们经历了什么?), CCTV News Public Account (央视新闻公众号) Sina Finance (新浪财经), 21 September 2016. ‘The Suzhou Chamber of Commerce in Xinjiang has faced the difficulties and persisted in paving the way for poor areas in Xinjiang to become rich’ (新疆苏州商会 迎难而上 坚持不懈 为新疆贫困地区铺就致富之路), China’s Social Organisations (中国社会组织), online [https://archive.vn/0Qt4g]. See also endnotes 3, 6. ↩︎
  35. According to a report by CSIS, the Chinese government permits factories to pay Uyghur workers in Xinjiang significantly lower than minimum wage. In some instances they’re not paid at all. Amy K. Lehr & Mariefaye Bechrakis, ‘Connecting the Dots in Xinjiang: Forced Labor, Forced Assimilation, and Western Supply Chains’, A Report of the CSIS Human Rights Initiative, 16 October 2019. ↩︎
  36. Cao Siqi, ‘Vocational centers in Xinjiang will disappear when society no longer needs them: official’, Global Times, 12 March 2019. ↩︎
  37. ‘Hotan Prefecture’s innovative mechanism promotes labour transfer employment’ (和田地区创新机制助推劳动力转移就业), Xinhua News (新华网), 23 May 2017. ↩︎
  38. ‘Hotan Prefecture’s innovative mechanism promotes labour transfer employment’ (和田地区创新机制助推劳动力转移就业), Xinhua News (新华网), 23 May 2017. ↩︎
  39. A Chinese messaging app. ↩︎
  40. The language used in the Xinjiang Human Resources and Social Affairs Department document appears to be intentionally vague. The smartphone app used to record information about Uyghur workers is unnamed, and ASPI hasn’t been able to find relevant information to identify the app. ↩︎
  41. ‘To change a family’s destiny, these rural women workers from Xinjiang came to Qingdao. What did they experience?’ (伟改变家庭命运 这些新疆农村女工来到青岛 她们经历了什么?), CCTV News Public Account (央视新闻公众号) Sina Finance (新浪财经), 21 September 2016. ↩︎
  42. ‘Four prefectures in southern Xinjiang press the fast-forward button to fight poverty’ (南疆四地州按下脱贫攻坚快进键), Smart Farm 361 (智农361), 20 September 2018. ↩︎
  43. ‘Nilka, Xinjiang: Multiple measures to explore for improving model of organised rural labour transfer employment outside of Xinjiang’ (新疆尼勒克:多措并举探索提升农村劳动力疆外有组织转移就业新模式), Xinjiang Public Employment Net (新疆公共就业服务网), 25 June 2019. ↩︎
  44. Ye Ling, ‘Released from Camps, Uyghurs Subjected to Forced Labor’, Bitter Winter, 23 December 2019. ↩︎
  45. Ye Ling, ‘Released from Camps, Uyghurs Subjected to Forced Labor’, Bitter Winter, 23 December 2019. ↩︎
  46. Article 4 of the Chinese Constitution states: ‘All nationalities in the People’s Republic of China are equal. The state protects the lawful rights and interests of the minority nationalities and upholds and develops the relationship of equality, unity, and mutual assistance among all of China’s nationalities. Discrimination against and oppression of any nationality are prohibited; any acts that undermine the unity of the nationalities or instigate their secession are prohibited. The state helps the areas inhabited by minority nationalities speed up their economic and cultural development in accordance with the peculiarities and needs of the different minority nationalities.’ The National People’s Congress of the People’s Republic of China, Constitution of the People’s Republic of China, 4 December 1982. ↩︎
  47. ‘Strengthening patriotism education and building a bridge of national unity’ (加强爱国主义教育搭建民族团结连心桥), China Ethnic Religion Net (中国民族宗教网), 7 Nov 2019. According to state media, by the end of 2019, there were around 800 Uyghur workers at Taekwang. According to the Washington Post, by January 2020, there were 600 Uyghur workers there. ↩︎
  48. ‘Group profile’, Jeongsan International, no date, online; ‘Nike Global Manufacturing data export—filters applied: ((none))’ Nike, August 2019. ↩︎
  49. ‘From here to a brand new life—Xinjiang Hotan, Kashgar Vocational Skills Education and Training Center’ (从这里,走向崭新生活—新疆和田,喀什职业技能教育培训中心见闻), Xinhua News (新华网), 5 November 2018. ↩︎
  50. ‘Strengthening patriotism education and building a bridge of national unity’ (加强爱国主义教育搭建民族团结连心桥), China Ethnic Religion Net (中国民族宗教网), 7 November 2019. ↩︎
  51. ‘Muslim minority in China’s Xinjiang face ‘political indoctrination’: Human Rights Watch’, Reuters, 10 September 2018. ↩︎
  52. Lauren Thomas, ‘70% of shoes sold in the US come from China. With new tariffs, the industry braces for a hit’, CNBC, 2 August 2019. ↩︎
  53. Nike has published policies prohibiting forced labour at its supplier facilities. In a 2019 company statement on forced labour and modern slavery it says it requires suppliers to address key risks of forced labour and lays out what it says are ‘minimum standards we expect each supplier factory or facility to meet’. ‘Company introduction’ (公司简介), Qingdao Taekwang Shoes Co. Ltd (青岛泰光制鞋有限公司), online; Nike, ‘Human Rights and Labor Compliance Standards’, online; Nike, ‘Statement on Forced Labor, Human Trafficking and Modern Slavery for fiscal year 2019’. Nike responded to the allegations in this report in a media statement, https://purpose.nike.com/statement-on-xinjiang ↩︎
  54. A department under the CCP’s Central Committee. ↩︎
  55. ‘Municipal United Front Work Department’s “Pomegranate Seed” Night School: a look into Qingdao Taekwang’s Mandarin classes’ (市委统战部’ 石榴籽’ 夜校 走进青岛泰光举办普通话培训班), Laixi United Front (莱西统一战线), WeChat, 1 July 2019, online. ↩︎
  56. ‘Xi Jinping: China’s ethnic groups should closely embrace one another like pomegranate seeds’ (习近平:各民族要像石榴籽那样紧紧抱在一起), China Communist Party News (中国共产党新闻网), 28 September 2015, online. ↩︎
  57. Anna Fifield, ‘China compels Uighurs to work in shoe factory that supplies Nike’, Washington Post, 29 February 2020, online. ↩︎
  58. Isolation of workers and abuse of their vulnerabilities (such as a lack of knowledge of the local language) are two indicators of forced labour, according to the ILO; International Labour Office, ILO indicators of forced labour, International Labour Organization, Geneva, 1 October 2012, online. ↩︎
  59. ‘Let the seeds of national unity be rooted in the heart—The Women’s Federation of the Municipality truly cares for minority female workers’ (让民族团结的种子根植心–市妇联真情关爱少数民族女工侧记), Discover Qingdao (发现青岛), Sohu, 9 October 2019, online. ↩︎
  60. Recruitment advertisements for staff in the internment camps reportedly state that experience in psychological training is a plus. Sigal Samuel, ‘China is treating Islam like a mental illness’, The Atlantic, 28 August 2018, online. ↩︎
  61. ‘The Party Committee of the Municipal Public Security Bureau organised a joint activity of the educational branch with the theme of ‘Don’t forget the original heart and keep the mission in mind’’ ((学习) 市公安局党委组织开展 ’不忘初心、牢记使命’ 主题教育支部联建活动), Laixi News (莱西新闻), WeChat, online. ↩︎
  62. ‘Interview with Yang Guoqiang, Chief Commander of Shandong Province and Deputy Secretary of Xinjiang Kashgar Party Committee’ (国家援疆新闻平台专访山东省援疆总指挥、新疆喀什地委副书记杨国强), China Development Network (中国发展网), 27 April 2018, online. ↩︎
  63. ‘Outstanding humanistic care, strengthening employment security; Qingdao’s Laixi county steadily carrying out service management work for Xinjiang ethnic minorities’ (突出人文关怀 强化就业保障 青岛莱西市扎实开展新疆籍少数民族人员服务管理工作), Qingdao Ethnicity and Religion Bureau (青岛市民族宗教局), 19 April 2017, online. ↩︎
  64. ‘Mass instances’ generally refers to any spontaneous or organised acts of unrest or rioting in Chinese. ‘Outstanding humanistic care, strengthening employment security; Qingdao’s Laixi county steadily carrying out service management work for Xinjiang ethnic minorities’ (突出人文关怀 强化就业保障 青岛莱西市扎实开展新疆籍少数民族人员服务管理工作), Qingdao Ethnicity and Religion Bureau (青岛市民族宗教局), 19 April 2017, online. ↩︎
  65. In China, auxiliary police are unarmed officers hired through contracts. Since 2017, Xinjiang has filled a large number of security-related positions, including auxiliary police officers. Gan, ‘Xinjiang’s police hiring binge comes from party boss’s Tibet playbook’; ‘Shandong Qingdao recruits 40 auxiliary policemen with a monthly salary of 4500, can sign up for specialized training’ (山东青岛招聘40名辅警月薪4500 专科就可以报名), Auxiliary Police Officers (警务辅助人员), WeChat, 19 January 2018, online. ↩︎
  66. Austin Ramzy, ‘He needed a Job. China gave him one: locking up his fellow Muslims’, New York Times, 2 March 2019, online. ↩︎
  67. ‘A letter of gratitude from Hotan workers: We are doing well in Shandong!’ (一封内地和田籍务工人员的感谢信:我们在山东挺好的!), NetEase (网易), 29 January 2018, online. ↩︎
  68. Alexander Chipman Koty, Qian Zhou, ‘A guide to minimum wages in China’, China Briefing, 2 January 2020, online. ↩︎
  69. The letter also mentions a ‘leading cadre’—likely a minder—who translates instructions and teaches the workers the spirit of the 19th Communist Party Congress after work. It appears that the minder was responsible for teaching Mandarin before the establishment of the Pomegranate Seed Night School. ↩︎
  70. James Leibold, ‘Ethnic policy in China: is reform inevitable?’, Policy Studies, 2013, no. 68, East–West Center, online. ↩︎
  71. According to the 2008 annual report of the US Congressional Executive Commission on China, ‘local officials, following direction from higher levels of government, have used ‘deception, pressure, and threats’ toward young women and their families to gain recruits into the labour transfer program.’ Congress-Executive Commission on China (CECC), 2018 Annual Report, 10 October 2018, online. ↩︎
  72. Steve Hess, ‘Dividing and conquering the shop floor: Uyghur labour export and labour segmentation in China’s industrial east’, Central Asian Survey, December 2009, 28(4), 404, online. ↩︎
  73. Tania Branigan, ‘Ethnic violence in China leaves 140 dead’, The Guardian, 6 July 2009, online. ↩︎
  74. ‘Successive ‘Xinjiang Aid’ conferences evidence of changes in Xinjiang’s governance strategy’, (历次援新疆会议 见证治疆政变迁), Sohu, 24 July 2014, online. ↩︎
  75. Li Yuhui, China’s assistance program in Xinjiang, Lexington Books, Lanham, Maryland, 2018. ↩︎
  76. Four years before the 2017 crackdown in Xinjiang, terms such as ‘vocational training’ and ‘strengthening and improving ideological and political education’ began appearing in ‘Xinjiang Aid’ conference materials. ‘Fourth National ‘Xinjiang Aid’ Conference held in Beijing’ (第四次全国对口支援新疆工作会议在北京召开), Central government Portal (中央政府门户网站), 24 September 2013, online; Fergus Ryan, Danielle Cave, Nathan Ruser, ‘Mapping Xinjiang’s ‘re-education’ camps’, ASPI, Canberra, 1 November 2018, online. ↩︎
  77. James Leibold, ‘The spectre of insecurity: the CCP’s mass internment strategy in Xinjiang’, China Leadership Monitor, 59 (Spring 2019), online. ↩︎
  78. See, for example, ‘‘Six batches’ boosted employment of 100,000 people in Kashgar’s Hotan in three years’ ( ’六个一批’ 助推喀什和田地区三年就业十万人), Xinhua News (新华网), 11 May 2017, online. ↩︎
  79. ‘Xinjiang focuses on 22 deeply impoverished counties (cities) planning to transfer 100,000 jobs in 3 years’ (新疆聚焦22个深度贫困县(市)计划3年转移就业10万人), Xinhua News (新华网), 10 January 2018, online. ↩︎
  80. Yan Hailong (闫海龙), Thoughts and suggestions on human resources development in the three regions of southern ‘Xinjiang Aid’ work (关于对口援疆工作中南疆三地州人力资源开发的思考与建议), Institute of Economic Research of Xinjiang Development and Reform (新疆维吾尔自治区发展和改革委员会经济研究院), 22 May 2012, online. ↩︎
  81. ‘Xianning opens ‘green channel’ for Xinjiang’s organised labour export’, (咸宁为新疆籍有组织劳务输出开辟’ 绿色通道’ ), United Front of Jingchu (荆楚统战), Headlines Express (看点快报), 18 May 2018, online. ↩︎
  82. Satellite factories are subsidiary company factories established in Xinjiang by parent companies throughout China. This paper will refer to them just as factories for brevity. ↩︎
  83. Han Qinyan (韩沁言), ‘Industry aids Xinjiang for development’ (产业援疆促发展), Xinhua News (新华网), 3 January 2020, online. ↩︎
  84. ‘Company introduction’ (公司简介), Hao Yuanpeng Clothing Co. Ltd (浩缘朋服装有限公司), online. ↩︎
  85. Autonomous region’s economic structure is stable and has good development (自治区经济结构稳中有活 发展良好), Xinjiang Uyghur Autonomous Region Development and Reform Commission (新疆维吾尔自治区发展和改革委员会), 5 December 2018, online. ↩︎
  86. Work report of the People’s government of Moyu county in 2019 (2019年墨玉县人民政府工作报告), Moyu county government Network (墨玉县政府网), 12 November 2019, online. ↩︎
  87. A 2017 report from local media in Kashgar stated that officials from the county’s bureau of human resources travelled to other Chinese provinces to negotiate employment placements prior to months of ‘Winter Youth Education and Training’—a form of re-education including political indoctrination and militarised discipline that usually lasts a few months. See ‘High level collaboration in Winter Youth Education and Training in Kashgar’ (高位推动 通力协作 喀什地区冬季青年教育培训工作如火如荼), Kashgar Zero Distance (喀什零距离), 16 February 2017, online. ↩︎
  88. Our research relied on publicly available notices of labour transfers reported by government sources and local media. Not all labour transfers are reported in media sources, and available numbers suggest that this map is incomplete. The actual numbers are likely to be far higher. ↩︎
  89. ‘Xinjiang’s Kashgar and Hotan Prefectures’ rural surplus labour transfer employment project has been implemented for two years now’ (新疆喀什和田农村富余劳动力转移就业工程实施两年来), Ningxia News (宁夏新闻网), 15 November 2018, online. ↩︎
  90. ‘Transfer employment 2,410 labourers in poverty from Southern Xinjiang’ (南疆2410名贫困劳动力转移就业), China Western Development Promotion Association (中国西部开发促进会), online. ↩︎
  91. ‘In 2017, 2.75 million rural surplus labourers were transferred for employment’ (2017新疆农村富余劳动力转移就业275万人次), Xinjiang Daily (新疆日报), 9 January 2018, online. ↩︎
  92. According to state media, by November of 2018, Xinjiang transferred 25,378 people to other provinces for employment that year. Extrapolating this figure for the full calendar year, ASPI estimates that 28,000 people would have been transferred out of Xinjiang in 2018 in total. ‘2.8 million rural surplus labor transfers for employment in the first 11 months (of the year) in Xinjiang’ (前11月新疆近280万人次农村富余劳动力转移就业), Xinjiang Daily (新疆日报), 26 December 2018, online. ↩︎
  93. According to state media, in the first half of 2019, the Xinjiang government organized transfers of 15,459 people to ‘Xinjiang Aid’ areas in eastern and central China. ASPI estimates that this puts the whole year’s figure at around 32,000. Xinhua (新华网), ‘Nearly 1.76 million Xinjiang rural surplus labour transfers in the first half of the year’ (新疆上半年农村富余劳动力转移就业近176万人次), China News (中国新闻网), 19 July 2019, online. ↩︎
  94. Information on targets and transfers for the years before 2017 is scarce. However, the limited data suggests that there’s been significant growth in recent years. From 2014 to mid-2018, Nilka, a small county in Xinjiang, reportedly transferred 390 people to work in other provinces of China. In the first six months of 2019, the county transferred 551 people outside of Xinjiang. ‘Transfer employment ‘transfers’ to a new life’ (转移就业’ 转’ 出生活新气象), Nilka county government (尼勒克县政府网), 20 June 2019, online. ↩︎
  95. ‘In 2017, 2.75 million rural surplus labourers were transferred for employment’ (2017新疆农村富余劳动力转移就业275万人次), Xinjiang Daily (新疆日报), 9 January 2018, online. ↩︎
  96. ‘Multiple employment ‘dividends’ in Xinjiang help fight poverty’ (新疆多项就业 ’红利’ 助力脱贫攻坚), Xinhua News (新华网), 4 March 2019, online. ↩︎
  97. A Chinese search engine. ↩︎
  98. The labour transfer programs that have included former detainees have also been referred to in official sources as ‘rural surplus labour’. ‘The maximum salary is over 5,000 yuan, with a deposit of 30,000 a year. Jiashi students’ employment in the mainland shows results’, Foshan News Network, 25 April 2019, online. ↩︎
  99. ‘Interim measures for the management of Xinjiang’s Uyghur Autonomous Region’s rural surplus labour forces to transfer employment to reward funds’ (新疆维吾尔自治区农村富余劳动力转移就业以奖代补资金管理暂行办法), online. ↩︎
  100. ‘‘Six batches’ boosts employment of 100,000 people in Kashgar Prefecture and Hotan Prefecture in three years’ ( ’六个一批’ 助推喀什和田地区三年就业十万人), Xinhua News (新华网), 11 May 2017, online. The policies discussed in this notice include the ‘Organised transfer for employment for surplus labour in Kashgar and Hotan regions’ (喀什和田地区城乡富余劳动力有组织转移就业) and ‘Three-year poverty alleviation plan for poverty-stricken areas in four south Xinjiang prefectures’ (南疆四地州深度贫困地区就业扶贫三年计划) labour transfer initiatives, both of which include transfers inside and outside Xinjiang. ↩︎
  101. Chipman Koty, Zhou, ‘A guide to minimum wages in China’. ↩︎
  102. ‘Our company provides a large number of government workers to dispatching companies in Xinjiang’ (我司提供大量政府新疆工人劳务派遣公司), Qingdao Human Resources Network (青岛德才人力资源网), online. ↩︎
  103. Companies working with the Chinese government under the ‘Xinjiang Aid’ program receive incentives to open up ‘satellite factories’ (卫星工厂) or workshops inside Xinjiang to absorb ‘surplus labour capacity’ (富余劳动力). ↩︎
  104. ‘Despite earning a lot of money elsewhere, why did he travel so far to South Xinjiang to start a business?’ (在别处赚的盆满钵满,为何他要遣赴南疆开荒创业?), Hao Yuanpeng Clothing Co. Ltd (浩缘朋服装有限公司), 15 October 2019, online; ‘Cooperative Brands’ (合作品牌), Hao Yuanpeng Clothing Co. Ltd (浩缘朋服装有限公司), online. ↩︎
  105. ‘Guangdong’s aid to Xinjiang actively promotes the transfer of labour from the aided places to other provinces of China’ (广东援疆积极推动受援地劳动力向内地转移就业成效明显), Voice of Guangdong Aid (广东援疆之声), 23 June 2018, online. ↩︎
  106. ‘Guangdong’s aid to Xinjiang actively promotes the transfer of labour from the aided places to other provinces of China’ (广东援疆积极推动受援地劳动力向内地转移就业成效明显), Voice of Guangdong Aid (广东援疆之声), 23 June 2018, online. ↩︎
  107. Enrolment in the ‘vocational’ facility has had an abnormally rapid increase since 2017. Official figures show that the school went from 500 students in 2013 to more than 7,000 in 2019; ‘Thanks to Foshan’s ‘Xinjiang Aid’ team, this girl from Payziwat county, Xinjiang, who wanted to drop out of school, is now a university student’ (因为佛山援疆干部,这位曾想辍学的新疆伽师姑娘成了大学生), Tencent (腾讯网), online. A mobile police station was set up at the entrance and 11 additional security checkpoints were built around its perimeter, which is fully enclosed by a tall fence and solid brick walls. Beginning in early 2017, seven new dormitory-style buildings were constructed alongside five prefabricated factory buildings, strongly suggesting that the former school was converted into a re-education camp where ethnic minorities are arbitrarily detained and politically indoctrinated. In August 2018, the school advertised for new officials to oversee the implementation of ‘military-style management’ (军事化管理) at the school, as it sought to ‘foster discipline and more closely watch over students’. Recruitment brochure of Jiashi Secondary Vocational Technical School (伽师县中等职业技术学校招聘简章), Payziwat county Human Resources Service Centre (伽师人力资源服务中心), Sohu, 9 August 2018, online. Satellite image collection and analysis conducted by Nathan Ruser, researcher at ASPI’s International Cyber Policy Centre. ↩︎
  108. In its 2016–17 budget, the Guangdong government promised ¥960 million for ‘Xinjiang Aid’ to bring 47,800 jobs to Xinjiang. The following year, the government brought in a number of companies, including HYP, to assist in opening satellite factories in Xinjiang. ‘Guangdong aids Xinjiang: letting people live and work in peace is most important to people’s livelihood’ (广东对口援疆:民生为重让百姓安居乐业), Xinjiang Morning Newspaper (新疆晨报), Sina Xinjiang (新浪新疆), 2 November 2018, online. ↩︎
  109. ‘Despite earning a lot of money elsewhere, why did he travel so far to South Xinjiang to start a business?’ (在别处赚的盆满钵满,为何他要赴南疆开荒创业?), Hao Yuanpeng Clothing Co. Ltd (浩缘朋服装有限公司), 15 October 2019, online. ↩︎
  110. Apple supplier responsibility: supplier list, Apple, 2019, online. ↩︎
  111. ‘Apple CEO Cook tours O-Film Technology Co. Ltd: iPhone X/8 selfie screams “cheese”‘ (‘苹果CEO库克参观欧菲光科技:iPhone X/8自拍大喊’茄子’), IT Home (IT之家), 6 December 2017, online; The original Weibo post can only be accessed with a Weibo login, online; ‘Apple CEO Cook visits and praises the technical level and cultural environment of our company’ (苹果CEO库克来访 点赞我司技术水平和人文环境), O-Film Technology Co. Ltd, 7 December 2017, online. ↩︎
  112. Apple supplier responsibility: supplier list, Apple, 2019, online. ↩︎
  113. ‘About us’, O-Film Technology Co. Ltd, online; ‘CMOS camera module’, O-Film Technology Co. Ltd, online. ↩︎
  114. ‘Over 1200 surplus labourers from Lop county heads to mainland China for work’ (洛浦县1200余名城乡富余劳动力赴内地务工), Hotan Daily Newspaper (和田日报) via China Xinjiang, 11 May 2017, online. ↩︎
  115. ‘Over 1200 surplus labourers from Lop county heads to mainland China for work’ (洛浦县1200余名城乡富余劳动力赴内地务工), Hotan Daily Newspaper (和田日报) via China Xinjiang, 11 May 2017, online. ↩︎
  116. ‘Over 1200 surplus labourers from Lop county heads to mainland China for work’ (洛浦县1200余名城乡富余劳动力赴内地务工), Hotan Daily Newspaper (和田日报) via China Xinjiang, 11 May 2017, online. ↩︎
  117. ‘Apple CEO Cook visits and praises the technical level and cultural environment of our company’ (苹果CEO库克来访 点赞我司技术水平和人文环境), O-Film Technology Co. Ltd, 7 December 2017, online. ↩︎
  118. ‘Apple CEO Cook visits and praises the technical level and cultural environment of our company’ (苹果CEO库克来访 点赞我司技术水平和人文环境), O-Film Technology Co. Ltd, 7 December 2017, online. ↩︎
  119. ‘Hotan migrant workers find employment in Jiangxi Nanchang’s high-tech enterprises’ (和田外出务工人员在江西南昌高新企业就业掠影), Hotan People’s government (和田市人民政府), 8 April 2019, online. ↩︎
  120. ‘Xinjiang Lop county: Leave as industrial workers, return as excellent public speakers’ (新疆洛浦县:外出成产业工人 返乡是优秀宣讲员), Phoenix News (凤凰新闻), 12 December 2017, online. ↩︎
  121. ‘Henan aids Hami City, Xinjiang in advancing poverty alleviation’ (河南援疆助力哈密固提升脱贫攻坚), Hami City Party Building Net (哈密市党建网), 6 September 2019, online; David Barboza, ‘How China Built ‘iPhone City’ With Billions in Perks for Apple’s Partner’, The New York Times, 29 December 2016, online. ↩︎
  122. Jamie Condliffe, ‘Foxconn Is Under Scrutiny for Worker Conditions. It’s Not the First Time.’, The New York Times, 11 June 2018, online. ↩︎
  123. ‘Demystifying Zhengzhou’s Apple City: Half of the world’s iPhones are made here’ (揭秘郑州苹果城:全球一半iPhone产自这里), Tencent Technology (腾讯科技), 18 September 2017, online. ↩︎
  124. Phoebe Zhang, ‘Apple iPhone 11 launch marred by claims Foxconn factory broke labour laws’, South China Morning Post, 9 September 2019, online. ↩︎
  125. Jamie Fullerton, ‘Suicide at Chinese iPhone factory reignites concern over working conditions’, The Telegraph, 7 January 2018, online; Yuan Yang, ‘Apple’s iPhone X assembled by illegal student labour’, Financial Times, 21 November 2017, online. ↩︎
  126. ‘Precision poverty assistance, the Group enters Xinjiang’s Kashgar’ (助力精准扶贫集团走进新疆喀什地区), Foxconn, 5 December 2018, online. In 2018, a Foxconn media release claimed that the company had donated 15 televisions to an army unit in Xinjiang and money to a Kashgar hospital. Foxconn’s company Communist Party branch also established a ‘joint development’ relationship with a border checkpoint in Xinjiang. ↩︎
  127. ‘Xianning, Hubei, opens up a ‘green tunnel’ for Xinjiang’s organised labour export’ (咸宁为新疆籍有组织劳务输出开辟’ 绿色通道’ ), United Front of Jingchu (荆楚统战) via Headlines Express (看点快报), 18 May 2018, online. ↩︎
  128. ‘Xianning, Hubei, opens up a ‘green tunnel’ for Xinjiang’s organised labour export’ (咸宁为新疆籍有组织劳务输出开辟’ 绿色通道’ ), United Front of Jingchu (荆楚统战) via Headlines Express (看点快报), 18 May 2018, online. ↩︎
  129. ‘Yidong Overview’ (奕东简介), Dongguan Yidong Electronic Co. Ltd (东莞市奕东电子有限公司), online. ↩︎
  130. ‘Collaborative customers’ (合作客户), Dongguan Yidong Electronic Co. Ltd (东莞市奕东电子有限公司), online. ↩︎
  131. Lauly Li and Cheng Tingfang, ‘Exclusive: Apple turns to China to double AirPods Pro production’, Nikkei Asian Review, 27 November 2019, online. ↩︎
  132. Ainur helps family realise ‘supermarket dream’ (阿依努尔助力家人实现’超市梦), Hotan government (和田政府网), 31 July 2019, online. ↩︎
  133. Xinhua (新华网), ‘Uyghur Hefei—Ainur: Wishes come true 3,500 kilometres away’ (维吾尔族合肥-阿依努尔:愿望实现于3500公里之外), Chongqing News (重庆第一眼), 3 August 2019, online. ↩︎
  134. ‘Happiness is earned through struggle: girl from Pishan wants to stay in Hefei as a blue-collar worker’ ([幸福是奋斗出来的] 皮山姑娘要留在合肥当蓝领), Tianshan Net (天山网), 19 March 2018, online. ↩︎
  135. The report also says that she was a student in Guma majoring in food processing. ↩︎
  136. Annual report (年度报告), Highbroad Advanced Material (Hefei) Co., Ltd. (翰博高新才科(合肥)股份有限公司), 2018, online. ↩︎
  137. Huawei has a group-wide policy, signed in 2018, that acknowledges ‘the risk of modern slavery due to the complexity of global supply chains within the ICT industry’ and says it ‘will not tolerate forced, bonded (including debt bondage) or indentured labour, involuntary prison labour, slavery or trafficking of persons.’ The statement says that it audits its suppliers’ performance annually and discloses ‘records of all forced labour noncompliances’. Minglu Zhao, Statement on modern slavery, Huawei, 26 June 2018, online. ↩︎
  138. William Gallagher, ‘China’s BOE set to become Apple’s second-largest OLED screen supplier in 2021’, Apple Insider, 30 December 2019, online. ↩︎
  139. Apple supplier responsibility: supplier list, Apple, 2019, online. In its Supplier Responsibility Policy, online, Apple says it has ‘zero tolerance’ for bonded labour, conducts investigations where it is discovered and has instituted other programs designed to improve protections for at-risk workers in its supply chains. ↩︎
  140. ‘Highbroad Advanced Material (Hefei) Co. Ltd’ (翰博高新才科(合肥)股份有限公司), online. ↩︎
  141. ‘Highbroad Advanced Materials (Hefei) Co., Ltd.’ (翰博高新材科(合肥)股份有限公司), 51Job, online. ↩︎
  142. ‘Highbroad Advanced Material (Hefei) Co., Ltd’ (翰博高新才科(合肥)股份有限公司), China LCD Network (中华液晶网), online. ↩︎
  143. ‘Xinjiang Human Resources and Social Security Department: Strengthening labour cooperation in the region to promote long-term stable employment’ (新疆自治区人力资源和社会保障厅:强化区内劳务协作 促进长期稳定就业), Ministry of Human Resources and Social Security, People’s Republic of China (中华人民共和国人力资源和社会保障部), 11 January 2019, online. ↩︎
  144. ‘Let the seeds of national unity be rooted in the heart—a note on the true love and care among minority women workers’ (让民族团结的种子根植于心——市妇联真情关爱少数民族女工侧记), Laixi government Net (莱西政府网), 9 October 2019, online. ↩︎
  145. Lv Nanfang (吕楠芳), ‘Industry supports Xinjiang in ‘making blood’; women hold up half the sky!’ (产业援疆来’ 造血’ ,妇女撑起半边天!), From Guangzhou (羊城派), Sina (新浪网), 30 December 2019, online. ↩︎
  146. The National People’s Congress of the People’s Republic of China, Constitution of the People’s Republic of China, 4 December 1982, online. ↩︎
  147. See the United State’s Tariff Act of 1930, online, and Australia’s Modern Slavery Act 2018, online. ↩︎
  148. Convention Concerning Forced or Compulsory Labour, 1930 (No.29), online. ↩︎
  149. Convention Concerning the Abolition of Forced Labour, 1957 (No.105), online. ↩︎
  150. Protocol of 2014 to the Forced Labour Convention, 1930, online. ↩︎

ICT for development in the Pacific islands

Information and communication technologies (ICTs) as an invisible driver of socio-economic change have long captured the imagination of politicians, policymakers and aid professionals alike. 

Since the first fibre-optic submarine cable connected Fiji 20 years ago, many reports and studies have been written about the potential that the introduction of ICTs in the South Pacific would bring for reaching targets of poverty reduction and economic growth. 

The internet, mobile devices and e-commerce have already penetrated the Pacific, configured to the political, economic and sociocultural context of the various island nations. 

This report takes a step back and zooms in on one aspect of that digital revolution: e-government. 

E-government is defined as a set of capabilities and activities that involves the use of ICTs by government to improve intragovernmental processes and to connect with citizens, businesses and industry.

Fiji was the first island to get linked up to the global network of submarine communications cables in 2000. In 2020, all major islands in the region are connected through one or more domestic and international fibre-optic cables. The region is connected. 

This report finds that the potential of ICTs to enable stronger governance, effective public service delivery and better government services is there. In all countries that are part of this study, critical foundational infrastructure is in place: 

  • Government broadband networks that connect departments, schools and hospitals have been established.
  • Central government data centres have been built, public registries are being digitised, and the introduction of national (digital) identities is currently being considered.
  • All Pacific island states have introduced relevant strategy and policy documents and have reviewed, or are currently reviewing, legislation related to data-sharing, cybersecurity and universal access.
  • All islands have an online presence that is steadily professionalising. Government (information) services are increasingly provided online, along with tourism information, fisheries data, geological data and meteorological forecasts. 

But there’s still a lot to be unlocked. 

Increased internet connectivity, the availability of mobile devices and online services, and access to information are creating greater demand from users on their governments. International donors similarly focus on the delivery of ‘digital aid’, using ICTs to provide international assistance more efficiently and effectively.

This report asks the following questions: 

  • What capabilities have been established and are in place?
  • What are the current policy issues?
  • What can the international (donor) community do to enhance its support for the digitisation process of the Pacific island governments? 

The report reaches five main conclusions for the implementation of e-government and digital government initiatives, and it concludes with four recommendations for future programming of international support in the area of ICTs and e-government. 

Mapping more of China’s tech giants: AI and surveillance

This second report accompanies the Mapping China’s Technology Giants website.

Several reports are now available on this topic.

Executive summary

ASPI’s International Cyber Policy Centre has updated the public database that maps the global expansion of key Chinese technology companies. This update adds a further 11 companies and organisations: iFlytek, Megvii, ByteDance (which owns TikTok), SenseTime, YITU, CloudWalk, DJI, Meiya Pico, Dahua, Uniview and BeiDou.

Our public database now maps 23 companies and organisations and is visualised through our interactive website, Mapping China’s Technology Giants. The website seeks to give policymakers, academics, journalists, government officials and other interested readers a more holistic picture of the increasingly global reach of China’s tech giants. The response to phase 1 of this project—it quickly became one of ASPI’s most read products—suggests that the current lack of transparency about some of these companies’ operations and governance arrangements has created a gap this database is helping to fill.

This update adds companies working mainly in the artificial intelligence (AI) and surveillance tech sectors. SenseTime, for example, is one of the world’s most valuable AI start-ups. iFlytek is a partially state-owned speech recognition company. Meiya Pico is a digital forensics and security company that created media headlines in 2019 because of its monitoring mobile app MFSocket.1 In addition, we’ve added DJI, which specialises in drone technologies, and BeiDou, which isn’t a company but the Chinese Government’s satellite navigation system.

We also added ByteDance—an internet technology company perhaps best known internationally for its video app, TikTok, which is popular with teenagers around the world. TikTok is also attracting public and media scrutiny in the US over national security implications, the use of US citizens’ data and allegations of censorship, including shadow banning (the down-ranking of particular topics via the app’s algorithm so users don’t see certain topics in their feed).

Company overviews now include a summary of their activities in Xinjiang.2 For some companies, including ByteDance and Huawei, we are including evidence of their work in Xinjiang that has not been reported publicly before. For most of these companies, the surveillance technologies and techniques being rolled out abroad—often funded by loans from the Export–Import Bank of China (China Eximbank)3—have long been used on Chinese citizens, and especially on the Uyghur and other minority populations in Xinjiang, where an estimated 1.5 million people are being arbitrarily held in detention centres.4 Some of these companies have actively and repeatedly obscured their work in Xinjiang, including in hearings with foreign parliamentary committees. This project now includes evidence and analysis of those activities in order to foster greater transparency about their engagement in human rights abuses or ethically questionable activities in the same way Western firms are held to account by Western media and civil society actors, as they should be.

In this report, we include a number of case studies in which we delve deeper into parts of the dataset. This includes case studies on TikTok as a vector for censorship and surveillance, BeiDou’s satellite and space race and CloudWalk’s various AI, biometric data and facial recognition partnerships with the Zimbabwean Government. We also include a case study on Meiya Pico’s work with China’s Public Security Ministry on Belt and Road Initiative (BRI) aid projects in Southeast Asia and Central Asia.

Those projects include the construction of digital forensics labs and cyber capacity training, including for police forces across Asia.

We have also investigated the role that foreign investment plays in the global expansion of some of these companies, particularly in China’s surveillance and public security sector.
 

The updated database

Our public database now maps out 23 companies and organisations. On the Mapping China’s Technology Giants website you’ll find a dataset that geo-codes and analyses major points of overseas presence, including 5G relationships; ‘smart cities’ and ‘public security’ solutions; surveillance relationships; research and university partnerships; submarine cables; terrestrial cables; significant telecommunications and ICT projects; and foreign investment. The website does not map out products and services, such as equipment sales.

Previously, in April 2019, we mapped companies working across the internet, telecommunications and biotech sectors, including Huawei, Tencent, Alibaba, Baidu, Hikvision, China Electronics Technology Group (CETC), ZTE, China Mobile, China Telecom, China Unicom, Wuxi AppTec Group and BGI. This dataset has also been updated, and new data points have been added for those companies, including on 5G relationships, smart cities, R&D labs and data centres.

At the time of release this updated research project now maps and tracks: 

  • 26,000+ data points that have helped to geo-locate 2,500+ points of overseas presence for the 23 companies
  • 447 university and research partnerships, including 195+ Huawei Seeds for the Future university partnerships
  • 115 smart city or public security solution projects, most of which are in Europe, South America and Africa
  • 88 5G relationships in 45 countries
  • 295 surveillance relationships in 96 countries
  • 145 R&D labs, the greatest concentration of which is in Europe
  • 63 undersea cables, 20 leased cables and 49 terrestrial cables
  • 208 data centres and 342 telecommunications and ICT projects spread across the world.

Other updates have also been made to the website, often in response to valuable feedback from policymakers, researchers and journalists. Updates have been made to the following:

  • The landing ‘splash page’5
  • How to use this tool6
  • Glossary.7

Terrestrial cables have now been added and can be searched through the filter bar (via ‘Overseas presence’).

The original report that accompanied the launch of the project was translated into Mandarin in August 2019.

In addition to this dataset, each company has its own web page, which includes an overview of the company and a summary of its activities with the Chinese party-state. The overviews now include a summary of each company’s activities in Xinjiang. This research was added for a number of reasons.

First, we needed to compile the information in one place for journalists, civil society groups and governments. Second, these companies aren’t held to account by China’s media and civil society groups, and it’s clear that many have obscured their activities in Xinjiang. Some have even provided incorrect information in response to direct questions from foreign governments. For example, a Huawei executive told the UK House of Commons Science and Technology Committee on 10 June 2019 that Huawei’s activities in Xinjiang occurred only via ‘third parties’:8

Chair Sir Norman Lamb: But do you have products and services in Xinjiang Province in terms of some sort of contractual relationship with the provincial government?

Huawei Executive: Our contracts are with the third parties. It is not something we do directly.

That’s not correct. Huawei works directly with the Chinese Government’s Public Security Bureau in Xinjiang on a range of projects. Evidence for this—and similar—work can now be found via each company’s dedicated Mapping China’s Technology Giants web page and is also analysed below.

Methodology

ASPI’s International Cyber Policy Centre began this research project due to a lack of publicly available quantitative and qualitative data, especially in English, on the overseas activities of these key technology companies. Some of the companies disclose little in the way of policies that affect data, security, privacy, freedom of expression and censorship. What information is available is spread across a wide range of sources and hasn’t been compiled in one location. In-depth analysis of the available sources also requires Chinese-language capabilities and an understanding of other issues, such as the relationships the companies have with the state and how Chinese state financing structures work.

For example, some of the companies, especially Huawei, conduct a lot of their work in developing countries through China Eximbank loans. Importantly, the use of internet and other archiving services is vital, as Chinese web pages are often moved, altered or deleted.

This research relied on open-source data collection that took place primarily in English and Chinese. Data sources included company websites, corporate information, tenders, media reporting, databases and other public sources.

The following companies—which work across the telecommunications, technology, internet, surveillance, AI and biotech sectors—are now present on the Mapping China’s Technology Giants website (new additions are bold):

  • Alibaba
  • Baidu
  • BeiDou
  • BGI
  • ByteDance
  • China Electronics Technology Group (CETC)
  • China Mobile
  • China Telecom
  • China Unicom
  • CloudWalk
  • Dahua
  • DJI
  • Hikvision (a subsidiary of CETC)
  • Huawei
  • iFlytek
  • Megvii
  • Meiya Pico
  • SenseTime
  • Tencent
  • Uniview
  • WuXi AppTec Group
  • YITU
  • ZTE.

The size and complexity of these companies, and the speed at which they’re expanding, mean that this dataset will inevitably be incomplete. For that reason, we encourage researchers, journalists, experts and members of the public to continue to contribute and submit data via the online platform in order to help make the dataset more complete over time.

For tips on how to get the most out of the map, navigate to ‘How to use this tool’ on the website. When you’re first presented with the map, all data points are displayed. Click the coloured icons and cables for more information. To navigate to the list of companies, click ‘View companies’ in the left blue panel.

There’s a filter bar at the bottom of the screen. Click the items to select. To reset your search selection, click ‘Reset’ in the filter bar.

The yellow triangle icons on the map are data points of particular interest in which we invested additional research resources.
 

These companies differ in their size, scope and global presence

They may not be household names in the West, but the market size of many of the Chinese companies outlined in this report is larger than that of many of their better-known counterparts outside China. iFlytek, a voice recognition tech company established in 1999, isn’t yet a household name outside China but has 70% of the Chinese voice recognition market and a market capitalisation of ¥63 billion (US$9.2 billion). Newcomer ByteDance, an internet technology company with a focus on machine-learning-enabled content platforms, was established only in 2012 but is already valued at around US$78 billion, making it the world’s most valuable start-up.

Many of the companies outlined in this report have skyrocketed in value by capitalising on China’s surge in security spending in Xinjiang and elsewhere as a large, sprawling surveillance apparatus is constructed. Some have been, in effect, conscripted into spearheading the development of AI in the country—a goal of particular strategic importance to the party-state.

Other companies we examine in this report, such as Dahua Technology, Megvii and Uniview, aren’t well known but have significant global footprints. Dahua, for example, is one of the world’s largest security camera manufacturers. Between them Hikvision9 and Dahua supply around one-third of the global market for security cameras and related goods, such as digital video recorders.10

All Chinese tech companies have deep ties to the Chinese state security apparatus, but, perhaps more than the others, the companies in this report occupy a space in which the lines between the commercial imperatives of private companies (and some state-backed companies) and the strategic imperatives of the party-state are blurred.

Several of the companies we examine—including iFlytek, SenseTime, Megvii and YITU—have been designated as official ‘AI Champions’ by the party-state, alongside Huawei, Hikvision and the ‘BATs’ (Baidu,11 Alibaba12 and Tencent13), which were featured in our previous report. These ‘champions’, having been identified as possessing ‘core technologies’, have been selected to spearhead AI development in the country, with the aim of overtaking the US in AI by 2030.14

Gregory C Allen, writing for the Center for a New American Security, cited SenseTime executives as saying the title:

… gave the companies privileged positions for national technical standards-setting and also was intended to give the companies confidence that they would not be threatened with competition from state-owned enterprises.15

Speaking in December 2018, SenseTime co-founder Xu Bing alluded to the uniqueness of this privileged position:

We are very lucky to be a private company working at a technology that will be critical for the next two decades. Historically, governments would dominate nuclear, rocket, and comparable technologies and not trust private companies.16

Historically, the party-state drew on the power of a few state-owned enterprises to help it achieve its strategic goals. But in order to become a world leader in AI by 2025—an express aim of the Chinese Communist Party (CCP)—the People’s Republic of China (PRC) has demonstrated its ability to move away from those cumbersome organisations in favour of smaller, more agile companies not wholly owned by the state. This has proven to be a highly successful—and mutually beneficial—model.

Chinese AI and surveillance companies benefit from a highly favourable regulatory environment in which concerns over the potential use of invasive systems of surveillance to erode civil liberties are largely and substantively ignored by design, although they’re sometimes discussed in the Chinese media.17

Companies that we examine in this report, such as YITU, CloudWalk, iFlytek and SenseTime, have access to enormous customer databases that are generating huge amounts of proprietary data—the essential ingredient for improving AI and machine-learning algorithms.

AI giant SenseTime has access to a database of more than 2 billion images, at least some of which, SenseTime CEO Xu Li told Quartz,18 come from various government agencies, giving the company a distinct advantage over its foreign competitors.

The global expansion of these companies—from research partnerships with foreign universities through to the development of operational ‘smart city’ or ‘public security’ projects—raises important questions about the geostrategic, political and human rights implications of their work.

Users of the website will now find more than 26,000 datapoints that have helped to geo-locate 2,500+ points of overseas presence for the 23 companies and organisations. But it’s important to note that the presence of the companies’ products in overseas markets is far larger than the map can indicate.

Many of the companies’ relationships are business to business, and their products are integrated as part of other companies’ solutions. For example, iFlytek’s speech recognition software is used in the voice assistant in Huawei smartphones, and YITU provides its facial recognition and traffic monitoring software to Huawei’s smart cities solutions. So, while Huawei’s smart city solutions are mapped, the companies that provide certain technologies and component parts for smart cities can’t always be captured.

This illustrates a complex problem associated with data and privacy protection in ‘internet of things’ devices that is tackled in Dr Samantha Hoffman’s ASPI report Engineering global consent: the Chinese Communist Party’s data-driven power expansion.19 Companies can claim that they don’t misuse the data that their products collect, but those claims don’t always take into account how component-part manufacturers whose technologies are integrated into smart cities and public security services, for example, collect and use citizens’ data.

TikTok as a vector for censorship and surveillance

Unlike China’s first generation of social media tech giants, which stumbled in their international expansion,20 second-generation start-ups such as ByteDance are proving to be much more sure-footed. TikTok, a short-video app, is the company’s most successful foreign export, having grown a global audience of more than 700 million in just a few years.21 ByteDance achieved that meteoric growth, ironically enough, by ploughing US$1 billion into ads on the social platforms of its Western rivals Facebook, Facebook-owned Instagram and Snapchat.22

The app has managed to maintain its ‘stickiness’ for users—mostly teens—by virtue of the AI-powered advanced algorithm undergirding it. The remarkable success of the app enabled ByteDance to become the world’s most valuable start-up in October 2018 after it secured a US$3 billion investment round that gave it a jaw-dropping valuation of US$75 billion.23

TikTok has already attracted the ire of regulators around the world, including in Indonesia, India, the UK and the US, where the company made a US$5.7 million settlement with the Federal Trade Commission for violating the Children’s Online Privacy Protection Act.

But beyond the expected regulatory missteps of a fast-growing social media platform, ByteDance is uniquely susceptible to other problems that come with its closeness to the censorship and surveillance apparatus of the CCP-led state. Beijing has demonstrated a propensity for controlling and shaping overseas Chinese-language media. The meteoric growth of TikTok now puts the CCP in a position where it can attempt to do the same on a largely non-Chinese speaking platform—with the help of an advanced AI-powered algorithm.

In September 2019, The Guardian revealed clear evidence of how ByteDance has been advancing Chinese foreign policy aims abroad through the app via censorship. The newspaper reported on leaked guidelines from TikTok laying out the company’s approach to content moderation.

The documents showed that TikTok moderators were instructed to ‘censor videos that mention Tiananmen Square, Tibetan independence, or the banned religious group Falun Gong.’24

Unlike Western social media platforms, which have traditionally taken a conservative approach to content moderation and tended to favour as much free speech as possible, TikTok has been heavy-handed, projecting Beijing’s political neuroses onto the politics of other countries. In the guidelines, as described by The Guardian, the app banned ‘criticism/attack towards policies, social rules of any country, such as constitutional monarchy, monarchy, parliamentary system, separation of powers, socialism system, etc.’ Many historical events in foreign countries were also swept up in the scope of the guidelines. In addition to a ban on mentioning the Tiananmen Square massacre in 1989, the May 1998 riots in Indonesia and the genocide in Cambodia were also deemed verboten.

TikTok has even barred criticism of Turkish President Recep Tayyip Erdogan, as well as depictions of ‘non-Islamic gods’ and images of alcohol consumption and same-sex relationships—neither of which is in fact illegal in Turkey. Also prohibited is criticism of a list of ‘foreign leaders or sensitive figures’, including the past and present leaders of North Korea, US President Donald Trump, former South Korean President Park Geun-hye and Russian President Vladimir Putin. 

Despite this heavy-handed approach, a number of bad actors have been able to use the app to promote their agendas. On 23 October 2019, the Wall Street Journal reported that Islamic State has been using the app to share propaganda videos and has even uploaded clips of beheadings of prisoners.25 Motherboard also uncovered violent white supremacy and Nazism on the app in late 2018.26

ByteDance confirmed The Guardian’s report and the authenticity of the leaked content-moderation guidelines but said the guidelines were outdated and that it had updated its moderation policies.

Unconvinced, senior US lawmakers went on to request an investigation into TikTok on national security grounds.

In late October 2019, US Senator Marco Rubio appealed to Treasury Secretary Steven Mnuchin to launch an investigation by the Committee on Foreign Investment in the US into TikTok’s acquisition of US video-sharing platform Musical.ly,27 citing reports of censorship on the app, including a 15 September Washington Post article that provided evidence of TikTok’s censorship of reports on the Hong Kong protests.28

ByteDance said that the Chinese Government doesn’t order it to censor content on TikTok: ‘To be clear: we do not remove videos based on the presence of Hong Kong protest content,’ said a ByteDance spokesman cited by the New York Times.29 But a former content moderator for TikTok also told the Times that ‘managers in the United States had instructed moderators to hide videos that included any political messages or themes, not just those related to China’.

Speaking on the condition of anonymity, the former content moderator said that the policy was to, in the newspaper’s words, ‘allow such political posts to remain on users’ profile pages but to prevent them from being shared more widely in TikTok’s main video feed’—a practice known as ‘shadow banning’.

The concerns of other US Congress members range from the app’s use of censorship to curate and shape information flows and export CCP media narratives, to data privacy and the potential for the app to be used as a tool of surveillance in the service of the Chinese party-state. On 24 October, senators Chuck Schumer and Tom Cotton penned a letter asking Acting Director of National Intelligence Joseph Maguire to determine whether TikTok’s data collection practices pose a national security risk.30

David Carroll, an associate professor of media design at Parsons School of Design, discovered that TikTok’s privacy policy in late 2018 indicated that user data could be shared ‘with any member or affiliate of [its] group’ in China. TikTok confirmed to him that ‘data from TikTok users who joined the service before February 2019 may have been processed in China.’31

In November, regulators took action. Reuters reported that the US Government had launched a national security review of ByteDance’s US$1 billion acquisition of Musical.ly.32

Meiya Pico: from mobile data extraction to the Belt and Road’s ‘safety’ and security corridor

Inside China and at its borders, people are being asked to hand over their phones for police inspections. Within minutes, police can connect, extract and analyse phone and personal user data on the phone. In online chatter on Chinese platforms about the matter, people mostly express their fears of police discovering applications for ‘jumping the Great Firewall’, but police can extract more than just a list of installed applications. They can extract and access call and message logs; contact lists and calendars; location information; audio, video and documents; and application data.

In June 2019, Asia Society ChinaFile editor Muyi Xiao noticed multiple online reports on Chinese social media sites of Beijing and Shanghai police spot-checking people’s phones and installing a mobile app called ‘MFSocket’.33 She investigated further and found similar reports from Guangdong and Xinjiang from as early as 2016. One citizen reported that their employer had asked them and other colleagues to report to a police station, where, after they had their ID cards inspected and their photos and fingerprints taken, MFSocket was installed on their phones. In this particular case, the citizen had Google’s suite of apps installed (Google is available only outside China), and he was questioned about that.34 It isn’t clear whether these users were under suspicion for criminal activity, but one affected individual was reportedly going to the police station to update their ID, and another was riding their scooter and was stopped by police.35 Muyi Xiao’s investigations led her to the app’s developer—Meiya Pico, a prominent player in China’s digital forensics sector.

The MFSocket phone app is the client application for Meiya Pico’s mobile phone forensics suite.36

Once a person’s mobile phone is connected to the forensics terminal, the MFSocket app is pushed to the phone. When it’s installed, the operator is able to extract phone and personal user data from the phone, including contacts, messages, calendar events, call record data, location information, video, audio, a list of apps, system logs37 and almost 100 software applications.38

The functionality of MFSocket is neither unique nor suspicious; nor is it unusual for a digital forensics company to sell such software. What is of concern is the seemingly arbitrary nature of its use by police in China. It’s also not the only mobile data extraction app used in China. The Fengcai or BXAQ app,39 also known as ‘MobileHunter’,40 for example, has been installed onto the phones of foreign journalists crossing from Kyrgyzstan into Xinjiang. Similarly to MFSocket, it collects personal and phone data.41

Beyond China’s borders, Meiya Pico has provided training to Interpol42 and sells its forensics and mobile hacking equipment to the Russian military.43 Through financial support provided by China’s Ministry of Public Security, Meiya Pico also has a unique role in BRI projects. A report on Chinese information controls by the Open Technology Fund suggests that this could be part of a ‘safety corridor’ between China and Europe,44 linking safety and security products and services with foreign aid projects.45

Since 2013, Meiya Pico has been working with the Ministry of Public Security on BRI-focused foreign aid projects,46 constructing digital forensics laboratories in Central Asia and Southeast Asia,47 including in Vietnam48 and Sri Lanka.49 Meiya Pico claims to have provided, under the instruction of the ministry,50 more than 50 training courses to police forces in 30 countries51 as part of the BRI (Figure 1).52 For these projects, Meiya Pico reportedly sends professional and technical personnel to each location to conduct in-depth technical communication and exchanges.53 Chinese state media have reported that these projects enhance a country’s ability to fight cybercrime through technical and equipment assistance and support.54

Figure 1: Meiya Pico and BRI projects

Source: Meiya Pico, Belt and Road.

CloudWalk and data colonialism in Zimbabwe

The draconian techno-surveillance system that China is perfecting in Xinjiang and steadily expanding to the rest of the country is increasingly seen as an alternative model by non-democratic regimes around the world. In the first Mapping China’s tech giants report, we examined how Chinese technology companies are closely entwined with the CCP’s support for Zimbabwe’s authoritarian regime. From the country’s telco infrastructure through to social media and cybercrime laws, the PRC’s influence is pervasive.

In March 2018, the Zimbabwean Government took this approach to a new level when it signed an agreement with CloudWalk Technology to build a national facial recognition database and monitoring system as part of China’s BRI program of international infrastructure deals.55 The agreement was reached between a ‘special adviser to Zimbabwe’s Presidential Office’, the Minister of Science and Technology in Nansha district of Guangzhou and CloudWalk executives, according to a Science Daily (科技日报) report.56 Under the deal, Zimbabwe will send biometric data on millions of its citizens to China to assist in the development of facial recognition algorithms that work with different ethnicities and will therefore expand the export market for China’s product—an arrangement that had no input from ordinary Zimbabwean citizens. In exchange, Zimbabwe’s authoritarian government will get access to CloudWalk’s technology and the opportunity to copy China’s digitally enabled authoritarian system.

Former Zimbabwean Ambassador to China Christopher Mutsvangwa told The Herald, a Zimbabwean newspaper, that CloudWalk had donated facial recognition terminals to the country and that the terminals are already being installed at every border post and point of entry around the southern African nation: ‘China has proved to be our all-weather friend and this time around, we have approached them to spearhead our AI revolution in Zimbabwe.’57

The arrangement is paradigmatic of a new form of colonialism called ‘data colonialism’, in which raw information is harvested from developing countries for the commercial and strategic benefit of richer, more powerful nations that hold AI supremacy.58 Writing in the New York Times, Kai-Fu Lee, the former Google China head and doyen of China’s AI industry, outlined how these kinds of colonial arrangements are set to ‘reshape today’s geopolitical alliances’:59

[I]f most countries will not be able to tax ultra-profitable AI companies to subsidize their workers, what options will they have? I foresee only one: Unless they wish to plunge their people into poverty, they will be forced to negotiate with whichever country supplies most of their AI software—China or the United States—to essentially become that country’s economic dependent, taking in welfare subsidies in exchange for letting the ‘parent’ nation’s AI companies continue to profit from the dependent country’s users. Such economic arrangements would reshape today’s geopolitical alliances.

The CloudWalk–Zimbabwe deal, Science Daily notes, is a first for the Chinese AI industry in Africa and serves a clear geostrategic aim: ‘[It] will enable China’s artificial intelligence technology to serve the economic development of countries along the “belt and road initiative” route.’

The arrangement will not only help bring the Zimbabwean regime’s authoritarian practices further into the digital age, but will also enable the PRC—through state-backed and other nominally private companies—to export those means for other countries to use to surveil, repress and manipulate their populations.

Facial recognition technology is notoriously bad at detecting people with dark skin, making the data that the Zimbabwean Government is trading with CloudWalk highly prized.60 By improving its facial recognition systems for people with dark skin, CloudWalk is effectively opening up whole new markets around the world for its technology, while Zimbabwe perceives CloudWalk as ‘donating’ its technology to the country.

In exchange for the private biometric details of the Zimbabwean citizenry, CloudWalk’s technology will be deployed in the country’s financial industry, airports, bus stations, railway stations and, as the Science Daily puts it, ‘any other locations requiring face recognition to effectively maintain public security’.

According to The Herald, Zimbabwe signed another agreement with CloudWalk in April 2019, under which the Chinese firm will provide facial recognition for smart financial service networks, as well as intelligent security applications at airports and railway and bus stations. The new deal, according to the paper, was reached during a visit to China by Zimbabwean President Mnangagwa and forms part of China’s BRI in Africa.61

‘The Zimbabwean Government did not come to Guangzhou purely for AI or facial recognition technologies; rather it had a comprehensive package plan for such areas as infrastructure, technology and biology,’ CloudWalk CEO Yao Zhiqiang said at the time, according to the paper. 

BeiDou: China’s satellite and space race

Unlike other entities featured in this report, the BeiDou Navigation Satellite System (BeiDou) isn’t a company; rather, it’s a centrally controlled satellite constellation and associated service that provides positioning, navigation and timing information. It also presents itself as a completely functional and improved alternative to the US-controlled Global Positioning System (GPS).

The development of BeiDou began after the Third Taiwan Strait Crisis of 1996, when missile tests by the Chinese military were ineffective due to suspected US-directed disruption of the GPS. After that failure, the ‘Chinese military decided, no matter how much it would cost, [that China] had to build its own independent satellite navigation system.’62

The first generation of the system consisted of three satellites that provided rudimentary positioning services to users in China. However, in 2013, China reached its first agreements to export the service to other countries. Since then, BeiDou has upped the tempo of its global expansion and engagement.

For increased accuracy, positional satellites such as the BeiDou constellations need to precisely determine their orbital position. At this fine scale, satellite orbits aren’t regular across the globe, and modelling them within the millisecond relies on a global network of reference stations and onboard atomic clocks. The reference stations share data containing information on how long signals take to reach the receiver from the satellite, and then precise orbital determination can be more accurately modelled by trilaterating (similar to triangulating – using distances rather than angles) those signals (Figure 2). A wide geographical spread of reference stations allows the orbit to be precisely determined over a larger area.63 By having stations or receivers overseas, including in Australia, for example, BeiDou is able to more precisely determine post-processing adjustments over Australia, and thereby provide more precise positional data to an end user.

Figure 2: An infographic explaining how base stations can improve GNSS positional accuracy

Source: An introduction to GNSS, Hexagon.

In 2013, BeiDou signed an agreement with Brunei to supply the country with the technology for military and civilian use at a heavily subsidised price.64 Following Chinese Premier Li Keqiang’s 2013 visit to Islamabad, Pakistan became the first country in the world to sign an official cooperation agreement with the BeiDou Navigation Satellite System in both the military and civilian sectors.

Pakistan was granted access to the system’s post-processed data service, which provides far more precise location services and accompanying encryption services.65 These additional features allow for more precise guidance for missiles, ships and aircraft.66 In recent years agreements have also been reached with other countries including the United States and Russia to establish interoperability between different GNSS satellite constellations.

In the run-up to the 3rd generation of BeiDou’s satellite constellation, the service began to more aggressively pursue internationalisation. Agreements with countries in South and Southeast Asia were signed, providing access to BeiDou services and allowing BeiDou to construct permanent reference stations across the region and increase its positional accuracy outside China’s borders. In 2014, it was announced that China was planning to construct 220 reference stations in Thailand and a network of 1,000 across Southeast Asia.67 These newer stations improve the precise post-processing accuracy of the satellite signals, which in turn increases the precision of signals received by end users.68

In 2014, China Satellite Navigation System Management Office and Geoscience Australia established a similar agreement, but on a smaller scale. They met in Beijing with representatives of Wuhan University. The two sides reportedly agreed to establish a formal cooperation mechanism.69

Wuhan University was to provide Geoscience Australia with three continuously operating reference stations equipped with satellite signal receivers constructed by China Electronic Technology Group (CETC). CETC is one of China’s largest state-owned defence companies and was covered in the original dataset of Mapping China’s Technology Giants.70 By using CETC-constructed receivers, GA was provided access to additional signals that were unavailable to commercial off-the-shelf receivers. GA manages the communications of these sites, and also receives access to Wuhan University’s global network of overseas tracking data.71

BeiDou’s presence in Australia has previously attracted academic and media scrutiny. Professor Anne-Marie Brady has been critical of Australia’s engagement with BeiDou because of its role in guiding China’s military technologies:72

Australia is playing a small part in helping China to get a GPS system as effective as the US system. China is aiming to have a better one than the US has by 2020, and so is Russia. They need ground stations to coordinate their satellites and they need them in the Pacific. Their first ground station in the Pacific region was built in Perth.

The three BeiDou ground facilities in Australia are at Yarragadee Station (Western Australia; the first one built), Mount Stromlo (Australian Capital Territory) and Katherine (Northern Territory) and are operated by Geoscience Australia. They were built in 2016 and have been operating for over three years.73 No data is sent directly from these (or any) receivers back to the BeiDou satellites, and detailed positional and signal data is provided publicly. These data streams are widely used by industry and civilian end-users.

The stations are a small part of Australia’s GNSS network, which then publicly provides precise positional and signal data. But it’s worth noting that Wuhan University has close links to the People’s Liberation Army (PLA) and has been previously accused by the US and Taiwanese Governments of carrying out cyberattacks.74

Foreign investment

The detention of an estimated 1.5 million members of ethnic minority groups,75 chiefly Uyghur, in so-called re-education camps in China’s far western region of Xinjiang is a human rights violation on a massive scale.76 For Chinese security companies, however, it is a win.

Many of the AI and surveillance companies added to our Mapping China’s Technology Giants project have capitalised on China’s surge in security spending, particularly in Xinjiang, in recent years.

Spending on security-related construction in Xinjiang tripled in 2017, according to an analysis of government expenditure by Adrian Zenz for the Jamestown Foundation.77

For Chinese security, AI and surveillance companies, Xinjiang has become, as Charles Rollet put it in Foreign Policy, ‘both a lucrative market and a laboratory to test the latest gadgetry’.78 The projects there, he notes, ‘include not only security cameras but also video analytics hubs, intelligent monitoring systems, big data centres, police checkpoints, and even drones.’

But China’s burgeoning surveillance state isn’t limited to Xinjiang. The Ministry of Public Security has ploughed billions of dollars into two government plans, called Skynet project (天网工程)79 and Sharp Eyes project (雪亮工程),80 that aim to comprehensively surveil China’s 1.4 billion people by 2020 through a video camera network using facial recognition technology.

China will add 400 million security cameras through 2020, according to Morgan Stanley, making investing in companies such as Hikvision and Dahua—which have received government contracts totalling more than US$1 billion81—extremely enticing for investors seeking high returns. Crucially, the gold rush hasn’t been limited to Chinese firms and investors.

Foreign investors, either passively or actively, are also profiting from China’s domestic security and surveillance spending binge. Investment funds controlling around US$1.9 trillion that measure their performance against MSCI’s benchmark Emerging Markets Index funnel capital into companies such as Hikvision82, Dahua83 and iFlytek,84 which have profited from the development of Xinjiang detention camps.

The market valuation of SenseTime, one of a few companies handpicked by the party-state to lead the way in China’s AI development, soared in 2018 on the back of increased government funding for its national facial recognition surveillance system.

Those massive government contracts have helped SenseTime attract top venture capital and private equity firms as well as strategic investors around the world, including Japanese tech conglomerate Softbank Group’s Saudi-backed Vision Fund. US venture fund IDG Capital supplied ‘tens of millions of dollars’ in initial funding to the company in August 2014.85

Other major shareholders include e-commerce giant Alibaba Group Holding Ltd, London-based Fidelity International (a subsidiary of Boston-based Fidelity Investments), Singaporean state investment firm Temasek Holdings, US private equity firms Silver Lake Partners and Tiger Global Management, and the venture capital arm of US telco Qualcomm.

More than 17 US universities and public pension plans have put money into vehicles run by some of these venture capital funds, according to an Australian Financial Review report citing historical PitchBook data.86

SenseTime rival, Megvii Technology, has also benefited from foreign investment, including from a Macquarie Group fund that sunk US$30 million ($44 million) into the facial recognition start-up.87

Macquarie declined to comment when questioned about the investment by the Australian Financial Review. Other firms, such as Goldman Sachs Group Inc, have stated they’re reviewing their involvement in Megvii’s planned initial public offering after the US Government placed it on the US Entity List for alleged complicity in Beijing’s human rights abuses in China.88

Two of America’s biggest public pension funds—the California State Teachers’ Retirement System and the New York State Teachers’ Retirement System—own stakes in Hikvision, as the Financial Times reported in March 2019.89 Since at least 2018, Meiya Pico shares have been included in the FTSE Russell Global Equity Index.90

Even if these companies aren’t listed on foreign bourses or are receiving money from foreign venture capital funds, they might still be getting investments from companies such as the BATs—Baidu, Alibaba and Tencent—that are traded on US stock exchanges.91

But, more often than not, the investments are made directly and wittingly by active funds that are seeking to maximise profits off the back of the boom in surveillance technologies used across China. To put it plainly, Western capital markets have funded mass detentions and an increasingly sophisticated repressive apparatus in China.

Some funds that have done their human rights and national security due diligence have started to divest themselves of some of these companies. At least seven US equity funds have divested from Hikvision, for instance.92 But many have not.

‘A lot of investors talk about ethical investing but when it comes to Hikvision and Xinjiang they are happy to fill their boots,’ one fund manager who sold out of Hikvision told the Financial Times in March 2019. ‘It is pretty hypocritical.’93
 

All roads lead to Xinjiang

In November 2019, internal Communist Party documents—obtained by the International Consortium of Investigative Journalists (ICIJ)—provided documentary evidence of how authorities in Xinjiang are using data and artificial intelligence to pioneer a new form of social control.94 The documents showed how authorities are using a data management system called the Integrated Joint Operation Platform (IJOP)—previously reported on by Human Rights Watch—to predictively identify those suspected of harbouring extremist views and criminal intent.95 Among the documents, a bulletin published on 25 June 2017 reveals how the IJOP system detected about 24,412 “suspicious” people in southern Xinjiang during one particular week. Of those people, 15,683 were sent to “education and training”—a euphemism for detention camps—and 706 were “criminally detained”.96

A month before this leak, in October 2019, the US Government added many of the AI and surveillance companies in this dataset—including Dahua Technology, iFlytek, Megvii Technology, SenseTime, Xiamen Meiya Pico Information Co. Ltd, Yitu Technologies and Hikvision97—to the US Entity List because of their roles in human rights violations in Xinjiang.98

However, Chinese tech companies’ activities in Xinjiang go beyond surveillance and extend to areas like propaganda and other coercive measures.

For example, we have found that TikTok’s parent company ByteDance—which is not on the US entity list for human rights violations in Xinjiang—collaborates with public security bureaus across China, including in Xinjiang where it plays an active role in disseminating the party-state’s propaganda on Xinjiang.

Xinjiang Internet Police reportedly “arrived” on Douyin—a ByteDance video-sharing app—and built a “new public security and Internet social governance model” in 2018.99 In April 2019, the Ministry of Public Security’s Press and Publicity Bureau signed a strategic cooperation agreement with ByteDance to promote the “influence and credibility” of police departments nationwide.100 Under the agreement, all levels and divisions of police units from the Ministry of Public Security to county-level traffic police would have their own Douyin account to disseminate propaganda. The agreement also reportedly says ByteDance would increase its offline cooperation with the police department; however, it is unclear what this offline cooperation is.

Tech companies have been piling into Xinjiang since the early 2010s. Huawei has been working for the Karamay Police Department on cloud computing projects since 2011,101 despite its debunked claims to work only with third parties.102 ZTE held its first Smart Cities Forum in Urumqi in 2013,103 and its ‘safe city’ solution has been largely used in surveillance and policing.104 In 2010, iFlytek set up a subsidiary in Xinjiang and a laboratory to develop speech recognition technology,105 especially in minority languages—technologies that are now used by the Xinjiang Government to track and identify minority populations.106

A surveillance industry boom was born out of the central government’s 2015 policy to prioritise ‘stability’ in Xinjiang107 and the national implementation of the Sharp Eyes surveillance project from 2015 to 2020.108 As of late 2017, 1,013 local security companies were working in Xinjiang;109 that figure excludes some of the largest companies operating in the region, such as Dahua and Hikvision, which had already won multimillion-dollar bids to build systems to surveil streets and mosques.110

Also in 2017, even with the central government halting some of the popular ‘PPP’ projects (public–private partnerships that channel private money into public infrastructure projects) that were debt hazards111 and tech companies becoming more cautious about investing in those projects, Xinjiang was an exception for about a year. Tech companies continued to hunt for opportunities in Xinjiang because funding for surveillance-related PPP projects in Xinjiang comes directly from defence and counterterrorism expenditure.112 However, in 2018, the debt crackdown eventually reached Xinjiang and a number of PPP projects there were also suspended.113

A significant policy that encourages technology companies to profit from the situation in Xinjiang is the renewed ‘Xinjiang Aid’ scheme (援疆政策). Dating from the 1980s, these policies channel funds from other provincial governments to Xinjiang. Since the mass detentions in 2017 this scheme has encouraged companies in other provinces to open subsidiaries or factories in Xinjiang—factories that former detainees are forced to work in.114

A company can contribute to the Xinjiang Aid program, and the broader situation in the region, in many different ways. In 2014, for example, Alibaba began to provide cloud computing technologies for the Xinjiang Government in areas of policing and counterterrorism.115 In 2018, as part of Zhejiang Province’s Xinjiang Aid efforts, Alibaba was set to open large numbers of e-commerce service stations in Xinjiang, selling clothes and electronics.116 There’s no direct evidence that suggests Alibaba sells products sourced from forced labour. But clothing companies that have recently opened up factories in Xinjiang, because of favourable policies and an abundance of local labour—which can include forced labour117—have relied on Alibaba’s platforms to sell clothes to China, North America, Europe and the Middle East.118

Most of ByteDance’s activities in Xinjiang fall under the “Xinjiang Aid” initiative and the company’s cooperation with Xinjiang authorities is focused on Hotan, a part of Xinjiang that has been the target of some of the most severe repression. The area is referred to by the party-state as the most “backward and resistant”.119 According to satellite imagery analysis conducted by ASPI, there are approximately a dozen suspected detention facilities in the outskirts of Hotan.120 The city has seen an aggressive campaign of cemetery, mosque and traditional housing demolition since November 2018, which continues today.

In November 2019, Beijing Radio and Television Bureau announced its “Xinjiang Aid” measures in Hotan, to “propagate and showcase Hotan’s new image”—after more than two years of mass detention and close surveillance of ethnic minorities had taken place there. These measures include guiding and helping local Xinjiang authorities and media outlets to use ByteDance’s news aggregation app Jinri Toutiao (Today’s Headlines) and video-sharing app Douyin to gain traction online.121 A Tianjin Daily article reported this April that after listening to talks by representatives from ByteDance’s Jinri Toutiao division, Hotan Propaganda Bureau official Zhou Nengwen (周能文) said he was excited to use the Douyin platform to promote Hotan’s products and image.122

Technology companies actively support state projects, even when those projects have nothing to do with tech. Also under the Xinjiang Aid umbrella, telecom companies such as China Unicom send their ‘most politically reliable’ employees to Xinjiang123 and deploy fanghuiju (访惠聚) units to villages in Xinjiang. ‘Fanghuiju’ is a government initiative that sends cadres from government agencies, state-owned enterprises and public institutions to regularly visit and surveil people.124

The China Unicom fanghuiju units were reportedly tasked with changing the villages, including villagers’ thoughts that are religious or go against CCP doctrines.125 Adding some of China’s more well-known technology and surveillance companies to the US Entity List was largely symbolic—after Huawei, Dahua and Hikvision were blacklisted in the US, Uniview’s president told reporters that, at a time when ‘leading Chinese technology companies are facing tough scrutiny overseas’, companies such as Uniview had the opportunity to grow and pursue their overseas strategies.126

Unfortunately, it’s extremely difficult for international authorities to sanction the circa 1,000 homegrown local Xinjiang security companies. However, as companies such as Huawei seek to expand overseas, foreign governments can play a more active role in rejecting those that participate in the Chinese Government’s repressive Xinjiang policies.

For example, the timeline of Huawei’s Xinjiang activities should be taken into consideration during debates about Huawei and 5G technologies. Huawei’s work in Xinjiang is extensive and includes working directly with the Chinese Government’s public security bureaus in the region. The announcement of one Huawei public security project in Xinjiang—made in 2018 through a government website in Urumqi127—quoted a Huawei director as saying, ‘Together with the Public Security Bureau, Huawei will unlock a new era of smart policing and help build a safer, smarter society.’128 In fact, some of Huawei’s promoted ‘success cases’ are Public Security Bureau projects in Xinjiang, such as the Modular Data Center for the Public Security Bureau of Aksu Prefecture in Xinjiang.129 Huawei also provides police in Xinjiang with technical support to help ‘meet the digitization requirements of the public security industry’.130

In May 2019, Huawei signed a strategic agreement with the state-owned media group Xinjiang Broadcasting and Television Network Co. Ltd at Huawei’s headquarters in Shenzhen. The agreement, which aims at maintaining social stability and creating positive public opinion, covered areas including internet infrastructure, smart cities and 5G.131

In 2018, when the Xinjiang Public Security Department and Huawei signed the agreement to establish an ‘intelligent security industry’ innovation lab in Urumqi, Fan Lixin, a Public Security Department official, said at the signing ceremony that Huawei had been supplying reliable technical support for the department.132 In 2016, Xinjiang’s provincial government signed a partnership agreement with Huawei.133 The two sides agreed to jointly develop cloud computing and big-data industries in Xinjiang. As mentioned above, Huawei began to work in cloud computing in Karamay (a Huawei cloud-computing ‘model city’ in Xinjiang)134 as early as 2011 in several sectors, including public security video surveillance.

In 2014, Huawei participated in an anti-terrorism BRI-themed conference in Urumqi as ‘an important participant of’ a program called ‘Safe Xinjiang’—code for a police surveillance system. Huawei was said to have built the police surveillance systems in Karamay and Kashgar prefectures and was praised by the head of Xinjiang provincial police department for its contributions in the Safe Xinjiang program.

Huawei was reportedly able to process and analyse footage quickly and conduct precise searches in the footage databases (for example, of the colour of cars or people and the direction of their movements) to help solve criminal cases.135

Since mass detentions began in Xinjiang over two years ago, state-affiliated technology companies such as those covered in this report have greatly expanded their remit and become a central part of the surveillance state in Xinjiang. Xinjiang’s crackdown on religious and ethnic minorities has been completed across the region. It has used and continues to use several different mechanisms of coercive control, such as arbitrary detention, coerced labour practices136 and at-home forced political indoctrination. Technology companies are intrinsically linked with many of those efforts, as the state’s crackdown offers ample opportunities for incentivised expansion and profitability.137
 

Conclusion

The aim of this report is to promote a more informed debate about the growth of China’s tech giants and to highlight areas where their expansion raises political, geostrategic, ethical and human rights concerns.

The Chinese tech companies in this report enjoy a highly favourable regulatory environment and are unencumbered by privacy and human rights concerns. Many are engaged in deeply unethical behaviour in Xinjiang, where their work directly supports and enables mass human rights abuses.

The CCP’s own policies and official statements make it clear that it perceives the expansion of Chinese technology companies as a crucial component of its wider project of ideological and geopolitical expansion, and that they are not purely commercial actors.138 The PRC’s suite of intelligence and security laws which can compel individuals and entities to participate in intelligence work139, and the CCP committees embedded within the tech companies (Chinese media has reported Huawei has more than 300 for example140) highlight the inextricable links between industry and the Chinese party-state.

These close ties make it difficult for them to be politically neutral actors. For western governments and corporations, developing risk mitigation strategies is essential, particularly when it comes to critical technology areas.

Some of these companies lead the world in cutting-edge technology development, particularly in the AI and surveillance sectors. But this technology development is focused on servicing authoritarian needs, and as these companies go global (an expansion often funded by PRC loans and aid) this technology is going global as well. This alone should give Western policymakers pause.

Increasing technological competition has the potential to deliver many benefits across the spectrum, but the benefits will not always accrue without good policy. If the West is going to continue to support the global expansion of these companies, it should, at a minimum, better understand the spectrum of policy risks and hold these companies to the same levels of accountability and transparency as it does its own corporations.


Acknowledgements

Thank you to Dr Samantha Hoffman and Nathan Ruser for their research contributions to this report and to the broader Mapping China’s Technology Giants project. Thank you to Fergus Hanson, Michael Shoebridge and anonymous peer reviewers for their valuable feedback on report drafts. And thank you to Cheryl Yu and Ed Moore for their research and data collection efforts.

What is ASPI?

The Australian Strategic Policy Institute was formed in 2001 as an independent, non‑partisan think tank. Its core aim is to provide the Australian Government with fresh ideas on Australia’s defence, security and strategic policy choices. ASPI is responsible for informing the public on a range of strategic issues, generating new thinking for government and harnessing strategic thinking internationally.

ASPI International Cyber Policy Centre

ASPI’s International Cyber Policy Centre (ICPC) is a leading voice in global debates on cyber and emerging technologies and their impact on broader strategic policy. The ICPC informs public debate and supports sound public policy by producing original empirical research, bringing together researchers with diverse expertise, often working together in teams. To develop capability in Australia and our region, the ICPC has a capacity building team that conducts workshops, training programs and large-scale exercises both in Australia and overseas for both the public and private sectors. The ICPC enriches the national debate on cyber and strategic policy by running an international visits program that brings leading experts to Australia.

Important disclaimer

This publication is designed to provide accurate and authoritative information in relation to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering any form of professional or other advice or services. No person should rely on the contents of this publication without first obtaining advice from a qualified professional.

© The Australian Strategic Policy Institute Limited 2019

This publication is subject to copyright. Except as permitted under the Copyright Act 1968, no part of it may in any form or by any means (electronic, mechanical, microcopying, photocopying, recording or otherwise) be reproduced, stored in a retrieval system or transmitted without prior written permission. Enquiries should be addressed to the publishers. Notwithstanding the above, educational institutions (including schools, independent colleges, universities and TAFEs) are granted permission to make copies of copyrighted works strictly for educational purposes without explicit permission from ASPI and free of charge.

  1. ‘Chinese police use app to spy on citizens’ smartphones’, Financial Times, 3 July 2019, online.
  2. Mapping China’s Tech Giants, ‘Explore a company’, online.
  3. China Eximbank is wholly owned by the Chinese Government. More detail can be found in Danielle Cave, Samantha Hoffman, Alex Joske, Mapping China’s technology giants, ASPI, Canberra, 2019, 10, online.
  4. Lucas Niewenhuis, ‘1.5 million Muslims are in China’s camps—scholar’, SupChina, 13 March 2019, online.
  5. Mapping China’s Tech Giants, ‘Welcome to Mapping China’s Tech Giants’, online.
  6. Mapping China’s Tech Giants, ‘How to use this tool’, online.
  7. Mapping China’s Tech Giants, ‘Glossary’, online.
  8. Science and Technology Committee, ‘Oral evidence: UK telecommunications infrastructure’, HC 2200, House of Commons, 10 June 2019, online.

The China Defence Universities Tracker

Exploring the military and security links of China’s universities.

This report accompanies the China Defence Universities Tracker website.

What’s the problem?

The Chinese Communist Party (CCP) is building links between China’s civilian universities, military and security agencies. Those efforts, carried out under a policy of leveraging the civilian sector to maximise military power (known as ‘military–civil fusion’), have accelerated in the past decade.

Research for the China Defence Universities Tracker has determined that greater numbers of Chinese universities are engaged in defence research, training defence scientists, collaborating with the military and cooperating with defence industry conglomerates and are involved in classified research.1

At least 15 civilian universities have been implicated in cyberattacks, illegal exports or espionage.

China’s defence industry conglomerates are supervising agencies of nine universities and have sent thousands of their employees to train abroad.

This raises questions for governments, universities and companies that collaborate with partners in the People’s Republic of China (PRC). There’s a growing risk that collaboration with PRC universities can be leveraged by the People’s Liberation Army (PLA) or security agencies for surveillance, human rights abuses or military purposes.

Universities and governments remain unable to effectively manage risks that come with growing collaboration with PRC entities. There’s little accessible information on the military and security links of PRC universities. This knowledge gap limits the effectiveness of risk-management efforts.

What’s the solution?

Efforts to manage the risks of engaging with PRC universities should involve close collaboration between governments and universities. Both share a concern for protecting national interests, ensuring the integrity of research, preventing engagement from being exploited by rival militaries or for human rights abuses, and increasing the transparency of research collaboration.

The Australian Government should establish a national research integrity office and refine and enforce foreign interference and export controls legislation. It should use the China Defence Universities Tracker to improve the screening of visa applicants and inform decisions to award research funding.

Universities should be proactive in their efforts to concretely improve how research collaboration is managed.

The China Defence Universities Tracker is a tool to help universities and researchers understand institutions in China and avoid harmful collaborations.

Universities can use the recently published Guidelines to counter foreign interference in the Australian university sector to help review their management of collaboration.2 They should introduce clauses into agreements with PRC entities to terminate those agreements in the case of specific ethical concerns or indications of research going towards a military end use.

Universities could demonstrate their commitment to these initiatives by establishing independent research integrity offices that promote transparency and evaluate compliance with ethics, values and security interests, serving as administratively distinct bodies that avoid influence from internal university politics.

Introduction

Military–civil fusion is the CCP’s policy of maximising linkages between the military and the civilian sector to build China’s economic and military strength.3 The policy was promoted by President Hu Jintao in 2007 but has been elevated to a national strategy by President Xi Jinping, who personally oversees the Central Commission for the Development of Military–Civil Fusion (中央军民融合发展委员会).4 It has its roots in efforts dating back to the PRC’s founding, including policies such as military–civil integration and ‘nestling the military in the civil’.5

Many countries seek to leverage private industry and universities to advance their militaries. However, as scholar Lorand Laskai writes, ‘civil–military fusion is more far-reaching and ambitious in scale than the US equivalent, reflecting a large push to fuse the defense and commercial economies.’6

Military–civil fusion in China’s university sector has spurred efforts to increase academe’s integration with defence and security. In 2017, the Party Secretary of Beijing Institute of Technology, a leading university for defence research, wrote that universities should ‘stand at the front line of military–civil fusion’.7

‘National defence technology research requires the participation of universities’, according to the Chinese government agency overseeing efforts to safeguard classified information at universities. The agency describes universities as one of three parts of the national defence science and technology innovation system. Alongside defence conglomerates, which are responsible for large-scale projects and the commercialisation of defence equipment, and defence research organisations, which are institutes run by defence conglomerates or the military that are responsible for breaking through research bottlenecks and developing key components, universities undertake research at the frontier of defence technology.8

Military–civil fusion is tied to the government’s Double First-Class University Plan (世界一流大学和一流学科建设 or 双一流) to build 98 of China’s best universities into world-class institutions by 2050.9

A 2018 policy document about the plan states that universities should integrate into ‘the military–civil fusion system’ and ‘advance the two-way transfer and transformation of military and civilian technological achievements’.10 The importance of international collaboration and foreign talent to the Double First-Class University Plan means that military–civil fusion, the improvement of China’s universities and research collaboration are becoming inextricable.11

While military–civil fusion doesn’t mean that barriers between the military and other parts of PRC society have vanished, it’s breaking down those barriers in many universities. At least 68 universities are officially described as parts of the defence system or are supervised by China’s defence industry agency, the State Administration of Science, Technology and Industry for National Defense (SASTIND, 国家国防科技工业局).

At the same time, universities around the world are expanding their collaboration with PRC partners. Much of that collaboration is mutually beneficial, but it’s clear that many institutions have not effectively managed risks to human rights, security and research integrity. While universities already have systems in place to manage these issues, they should be revisited and strengthened.

Recent cases have demonstrated gaps in universities’ management of research collaboration. For example, the ASPI International Cyber Policy Centre’s 2018 report Picking flowers, making honey: the Chinese military’s collaboration with foreign universities highlighted concerns about the high level of international research collaboration involving the PLA.12 Between 2007 and 2017, the PLA sent more than 2,500 of its scientists to train and work in overseas universities. Some of those scientists used civilian cover or other forms of deception to travel abroad. All of them were sent out to gain skills and knowledge of value to the Chinese military; all of them are believed to be party members who returned to China when instructed.

This report uses the ASPI International Cyber Policy Centre’s China Defence Universities Tracker to explain how many of the concerns raised by collaboration with the PLA increasingly apply to defence-linked Chinese universities, security organisations and industry conglomerates. The wedding of the military and the civilian in China’s universities has important consequences for policymakers and overseas universities engaged with partners in China.

To help universities, companies and policymakers navigate engagement with research institutions in China, the China Defence Universities Tracker is a database that sorts institutions into categories of very high, high, medium or low risk:

  • 92 institutions in the database have been placed in the ‘very high risk’ category
    • 52 People’s Liberation Army institutions
    • 8 security or intelligence-agency institutions
    • 20 civilian universities
    • China’s 12 leading defence industry conglomerates.
  • 23 institutions—all civilian universities—have been placed in the ‘high risk’ category.
  • 44 institutions—all civilian universities—have been placed in the ‘medium’ or ‘low’ risk categories.

The database is designed to capture the risk that relationships with these entities could be leveraged for military or security purposes, including in ways that contribute to human rights abuses and are against Australia’s interests. It provides overviews of their defence and security links and records any known involvement in espionage or cyberattacks, inclusion on end-user lists that restrict exports to them, and several measures of their involvement in defence research. While this project has uncovered large amounts of previously inaccessible information on PRC universities and research institutions, continued due diligence and research are required.

Research for the tracker was undertaken over the course of 2019. It focused on identifying key indicators of defence and security links at each university and developing reliable methods for evaluating those links. Institutions were included in the project for their military links, security links or known connection to human rights abuses or espionage. This research primarily used online Chinese-language resources from universities or Chinese Government agencies. We have attempted to archive all online sources using the Wayback Machine or archive.today.

China’s civilian defence universities

Many of China’s universities originated as military institutions but have since been developed into civilian universities that are increasingly competitive in global research rankings. However, developments over the past decade highlight the military and security links of more than 60 universities in particular.

The Seven Sons of National Defence

The ‘Seven Sons of National Defence’ (国防七子) are a group of leading universities with deep roots in the military and defence industry. They’re all subordinate to the Ministry of Industry and Information Technology (工业和信息化部), which oversees China’s defence industry through its subordinate agency, SASTIND.

The depth of the Seven Sons’ integration with the military suggests that it would be more accurate to describe them as defence universities than as civilian universities. In fact, they call themselves ‘defence science, technology and industry work units’ or parts of the ‘defence system’.13

Each year, more than 10,000 graduates from the Seven Sons join the defence research sector—just under 30% of their employed graduates. PhD graduates from these universities are particularly sought after, and as many as half of them go into the defence sector (Figure 1).14 State-owned defence conglomerates specialising in aircraft, missiles, warships, armaments and military electronics are among their top employers, alongside high-tech companies such as Huawei and ZTE.15

Figure 1: The percentage of employed 2017 or 2018 graduates of the Seven Sons working in the defence system

Note: Figures for Northwestern Polytechnical University and Harbin Engineering University are for 2017. The remaining figures are for 2018. Source: university graduate employment quality reports (毕业生就业质量年度报告).

The Seven Sons stand at the forefront of defence research in China. Hundreds of their scientists sit on PLA expert advisory committees and assist or even serve in major military projects, such as fighter jet or aircraft carrier programs.16 They dominate the ranks of defence research prize and defence technology patent recipients.17 One Chinese study of military–civil fusion in the university sector estimated that more than half the academics at the Seven Sons have been involved in defence projects.18 All seven have been accredited at the institutional level to participate in research into and the production of top-secret weapons and defence equipment.

They’re also among China’s best-funded universities. In 2016, the Seven Sons spent a total of ¥13.79 billion (A$2.88 billion) on research. In 2018, four of them ranked among China’s top five universities for funding per research staff member.19

Approximately half of their research spending goes towards defence research. Harbin Institute of Technology spent ¥1.973 billion (A$400 million), or 52% of its total research budget, on defence research in 2018.20 Beihang University spends roughly 60% of its research budget on defence research.21

Harbin Institute of Technology’s defence research spending alone is comparable to the Australian Department of Defence’s. The Australian Government’s most recent defence science and technology budget was just under A$469 million. Under current plans, that figure is estimated to decrease to A$418 million by 2023.22

Like the Seven Sons of National Defence, the ‘Seven Sons of the Arms Industry’ (兵工七子) are a group of Chinese universities previously subordinate to the Ministry of Ordnance Industry (兵器工业部), which was dissolved in 1986.23 Two of them—Beijing Institute of Technology and Nanjing University of Science and Technology—are also among the Seven Sons of National Defence (see box). All of them are still involved in researching and developing weapons.

Universities with national defence characteristics

Recent developments have pushed military–civil fusion far beyond the Seven Sons.24 Research for the China Defence Universities Tracker has identified 101 agreements signed between defence industry agency SASTIND (or its predecessor, COSTIND) and other agencies since 1999 to ‘jointly construct’ (共建) 61 universities subordinate to those agencies (see appendix).25 These agreements encompass leading national universities, such as Tsinghua University and Peking University, as well as provincial universities with strong foundations for defence research.

The Tracker also identifies similar agreements that show how defence industry conglomerates, such as China’s leading ballistic missile manufacturer, supervise nine universities.26 SASTIND’s joint-construction agreements have become far more common in recent years.

Fifty-seven of the 101 agreements were signed in the past five years. In 2016 alone at least 38 agreements were finalised (Figure 2).

Figure 2: SASTIND agreements on the ‘joint construction’ of universities (red bars denote agreements signed by SASTIND’s predecessor, COSTIND)

Through the agreements, SASTIND seeks to build institutions into ‘universities with national defence characteristics’ by expanding their involvement in training and research on defence technology and deepening their cooperation with defence companies.27 Specifically, it works to support the establishment of defence research laboratories, to fund defence-related research areas and to facilitate participation in military projects.28 This has led to the establishment of large numbers of defence laboratories and ‘disciplines with national defence characteristics’ (国防特色学科) in civilian universities, mostly in the past decade. More than 150 universities have received security credentials that allow them to participate in classified weapons and defence equipment projects.29

According to a university supervised by SASTIND, the agency aims to support five to eight defence disciplines and establish one or two defence labs in each university it supervises by 2020 (the end of the 13th Five-Year Plan).30 This hasn’t yet come to fruition and is unlikely to be fully achieved. Nonetheless, it may be the largest push to integrate universities into the defence research system since the beginning of China’s reform and opening, covering as many as 53 universities.31

Developing talent for China’s defence industry is an important objective of military–civil fusion in universities. In 2007, the Chinese government established the National Defence Science and Technology Scholarship to encourage high-achieving university students to join the defence sector.32

Every year, the scholarship is given to 2,000 ‘national defence technology students’ who are each sponsored by defence conglomerates or China’s nuclear weapons program to study in designated fields.33 After graduating, they are required to work for their sponsor for five years.34

Defence laboratories

The China Defence Universities Tracker has identified more than 160 defence-focused laboratories in civilian universities. It primarily catalogues three types of defence laboratories:

  • national defence science and technology key laboratories (国防科技重点实验室)
  • national defence key discipline laboratories (国防重点学科实验室)
  • Ministry of Education national defence key laboratories (教育部国防重点实验室).

By 2009, the Chinese Government had established 74 national defence science and technology key laboratories, all of which are jointly supervised by the PLA and SASTIND.35 The China Defence Universities Tracker has identified 39 in civilian universities; others are found in defence conglomerates and PLA units.

National defence science and technology key laboratories are the best funded and most prestigious kind of defence laboratory, holding the same status as state key laboratories. For example, Northwestern Polytechnical University’s national defence science and technology key laboratory for unmanned aerial vehicles has received over ¥420 million (A$87 million) in funding since its establishment in 2001.36

Thirty-six national defence key discipline labs, which are lower in status than national defence science and technology key labs and were first established around 2007, have also been identified.37

Ministry of Education defence laboratories are a previously unstudied kind of defence laboratory. Fifty-three of them have been identified at 32 universities. According to Shandong University, which hosts three of the labs, they are:

… approved by the Ministry of Education and entrusted to universities for their establishment in order to expand indigenous science and technology innovation for national defence, cultivate and concentrate high-level national defence science and technology talent, and engage in academic exchange and cooperation on national defence science and technology.38

One of these labs has been accused of carrying out cyberattacks for the PLA (see ‘Espionage’).

Many of these defence labs obscure their defence links in official translations of their names. National defence science and technology key laboratories often simply call themselves ‘national key laboratories’. For example, the National Key Laboratory of Science and Technology on Micro/Nano Fabrication jointly run by Shanghai Jiao Tong University and Peking University was established by the PLA in 1996.39 National defence key discipline laboratories are often known as ‘fundamental science’ laboratories. Ministry of Education defence labs are almost always referred to as ‘Ministry of Education Laboratory (B-category)’ (教育部重点实验室(B类)) or simply as Ministry of Education labs.

Designated defence research areas

SASTIND approves ‘disciplines with national defence characteristics’, such as armament technology and materials science, at universities it supervises after an application process. They’re referred to in the China Defence Universities Tracker as ‘designated defence research areas’. The tracker identifies more than 400 designated defence research areas in universities. Since 2015, at least 280 of these were approved at 53 universities.40

Defence disciplines reflect each university’s specialities for defence research and serve as stepping stones for the establishment of prestigious defence laboratories. Shenyang Ligong University, one of the ‘Seven Sons of the Arms Industry’ supervised by SASTIND, stated that its defence disciplines are ‘a precursor and foundation for the university to apply to establish national defence key discipline laboratories’.41

It’s difficult to find detailed information on the operation of defence disciplines. However, one university wrote in 2018 that it expected to receive approximately ¥7 million (A$1.4 million) on average to develop each discipline.42 If that figure is representative, it indicates a doubling of the funding allocated to each discipline in comparison to a decade ago.43

Security credentials

‘Security credentials’ refers to the ‘weapons and equipment research and production unit secrecy credentials’ (武器装备科研生产单位保密资格) that are awarded to universities and companies at the institutional level. Security credentials are divided into three tiers: first class, second class and third class—roughly equivalent to top secret, secret and confidential clearances, respectively.44

The issuing of security credentials is overseen by the National Administration of State Secrets Protection, the Central Military Commission’s Equipment Development Department and SASTIND, or their local equivalents.45

Security credentials allow their holders to participate in different levels of classified defence- and security-related projects. Universities with security credentials are required to meet certain standards in their protection and management of classified research and personnel.46 The credentials indicate a university’s involvement in defence projects, as well as the sensitivity of that work.

A top-secret security credentials plaque awarded to the Beijing Institute of Technology.

Source: Beijing Institute of Technology, ‘Our university passes the secrecy credentials examination and certification’, 24 April 2006, online.

As of November 2017, more than 150 universities had received security credentials.47 The tracker has identified eight universities with top-secret security credentials.

Military units don’t appear to be subject to this security credentials system but use it to scrutinise those they work with. For example, many procurement notices from the PLA require organisations submitting tenders to hold security credentials.48
 

Case study: The University of Electronic Science and Technology of China

The military links of the Seven Sons of National Defence are more widely recognised than those of an institution such as the University of Electronic Science and Technology of China (UESTC) in Chengdu.

However, UESTC has more in common with the Seven Sons than a typical Chinese university. UESTC’s defence links date back to its earliest days. In 1961, six years after its founding, it was recognised by the CCP Central Committee as one of China’s ‘seven defence industry academies’.49

Since 2000, it’s been the subject of three agreements between defence industry agency SASTIND and the Ministry of Education designed to expand its role in the defence sector.50

In 2006, defence electronics conglomerate China Electronics Technology Group Corporation (CETC) also became one of the university’s supervising agencies.51 As part of its agreement to supervise the university, CETC stated that it would work with the Ministry of Education to support UESTC’s management and reforms, involvement in major research projects, establishment of laboratories and exchanges of personnel. CETC, which is expanding its overseas presence at the same time as its technologies enable human rights abuses in Xinjiang, remains one of the primary employers of UESTC graduates.52

UESTC hosts at least seven laboratories dedicated to defence research and has 10 designated defence research areas related to electronics; signal processing and anti-jamming technology; optics; and radar-absorbing materials.53 In 2017, 16.4% of its graduates who gained employment were working in the defence sector.54 Approximately 30% of its research spending in 2015 went towards defence research.55

UESTC also has links to China’s nuclear weapons program. In 2012, it was added to the US Government’s Entity List, restricting the export of US-made technology to it, as an alias of China’s nuclear weapons facility, the Chinese Academy of Engineering Physics. This indicates that UESTC had acted as a proxy for China’s nuclear weapons program.56 Its High Power Radiation Key Laboratory is jointly run with the Chinese Academy of Engineering Physics.57

The university has also been implicated in the rollout of surveillance technology in Xinjiang, where an estimated 1.5 million ethnic Uygurs and other minorities have disappeared into concentration camps. The dean of its School of Computer Science and Engineering runs a company that supplies video surveillance systems to authorities in Xinjiang.58

UESTC’s international partnerships have deepened despite its links to the military, nuclear weapons and potential human rights abuses. Its collaborations naturally align with its specialisations, which are also its main areas of defence research. For example, in 2016, with the University of Glasgow, it established a joint college in China that offers degrees in electronics.59 UESTC also runs the Joint Fibre Optics Research Centre for Engineering with the University of New South Wales in Australia.60

Espionage

China’s National Intelligence Law requires entities and individuals to cooperate with intelligence operations. However, that doesn’t mean that all PRC entities are equally likely to engage in espionage or related forms of misconduct. Military–civil fusion hasn’t meant that all universities are equally integrated into the military’s efforts. When analysing cases of espionage and illegal export involving Chinese universities, it becomes clear that institutions with strong military and security links are disproportionately implicated in theft and espionage. This can be helpful in establishing a risk-based approach to collaboration with PRC entities.

The China Defence Universities Tracker has identified at least 15 civilian universities that have been linked to espionage, have been implicated in export controls violations or have been identified by the US Government as aliases for China’s nuclear weapons program. Four of the Seven Sons of National Defence have been implicated in espionage or export controls violations. Harbin Engineering University alone has been linked to five cases, including the theft of missile technology from Russia.61

One of the Seven Sons has been accused of collaborating with the Ministry of State Security to steal jet engine technology. In 2018, US authorities arrested an officer from the Jiangsu State Security Bureau, Xu Yanjun, who allegedly sought to steal engine technology from GE Aviation. The US Department of Justice’s indictment of Xu describes how an executive at Nanjing University of Aeronautics and Astronautics (NUAA) helped Xu identify and cultivate overseas targets.

Intelligence officer and part-time NUAA student Xu Yanjun after his arrest.

Source: Gordon Corera, ‘Looking for China’s spies’, BBC News, no date, BBC.

According to the indictment, the NUAA co-conspirator reached out to a GE Aviation engineer, inviting him to give a lecture at the university’s College of Energy and Power Engineering.62 The NUAA official then introduced the engineer to Xu, who used an alias and claimed to be from the Jiangsu Association of Science and Technology. Xu began cultivating the engineer and asked him to share proprietary information about fan blades for jet engines. NUAA has confirmed that Xu was also a part-time postgraduate student at NUAA.63

The establishment of defence laboratories fosters close relationships between researchers and the military that can be used to facilitate and incentivise espionage. For example, Wuhan University’s Ministry of Education Key Laboratory of Aerospace Information Security and Trusted Computing has been accused of carrying out cyberattacks on behalf of the PLA.64 The laboratory is one of the Ministry of Education’s ‘B-category’ laboratories that focuses on defence research and doesn’t appear on Wuhan University’s main list of labs on its website.65 One Taiwanese report, citing unnamed intelligence officials, claimed that an office in Wuhan University is in fact a bureau of the PLA’s signals intelligence agency.66

The same Wuhan University lab has collaborated with and even sent a visiting scholar to an Australian university. A professor alleged to be the lab’s liaison with the PLA has co-authored research with a University of Wollongong cryptographer.67 One of the lab’s associate professors visited the University of Wollongong in 2010, participating in an Australian Research Council project.68

Public and state security links

As the NUAA espionage case shows, some Chinese universities work closely with the Ministry of State Security (MSS), which is China’s civilian intelligence and political security agency. The ministry was established in 1983 by merging units responsible for foreign intelligence, economic espionage, counterintelligence, political security and influence work.69 It has since grown into a well-resourced agency believed to be a prolific perpetrator of cyberattacks and intelligence operations against companies, governments and universities for political influence and economic espionage.70

The MSS operates at least two universities: the University of International Relations71 in Beijing and Jiangnan Social University72 in Suzhou. These universities train intelligence officers and carry out research to support the MSS’s work. The University of International Relations has exchange agreements with universities in Denmark, the United States, France and Japan.73

The MSS also leverages civilian universities for training, research, technical advice and possibly direct participation in cyber espionage. For example, a big-data scientist at Hunan University, which hosts the PLA’s Tianhe-1 supercomputer, serves as a ‘Ministry of State Security specially-appointed expert’.74 A professor at Tianjin University has been awarded a ‘Ministry of State Security Technology Progress Prize’.75 A professor at Southeast University has been awarded two projects under the MSS’s 115 Plan, which is a research funding program.76 Cybersecurity firm ThreatConnect identified links between Southeast University and a hack of Anthem, one of the US’s largest healthcare companies.77

The same attack was separately linked to the MSS by another cybersecurity firm.78 The MSS recruits hackers from top universities such as Harbin Institute of Technology, Beijing University of Posts and Telecommunications and Zhejiang University.79

The Ministry of Public Security (MPS), China’s police agency, is also building links with civilian universities. The China Defence Universities Tracker includes entries on several universities that operate joint laboratories with the MPS. Those laboratories carry out computer science and artificial intelligence research to assist the MPS’s policing capabilities. The ministry’s pivotal role in the abuse of ethnic minorities, religious groups and political dissidents makes it nearly impossible to separate legitimate and illegitimate uses of that research.

The overseas expansion of China’s nuclear weapons program and defence industry

Employees of military aircraft manufacturer AVIC graduate from Cranfield University in 2013.

Source: Zhang Xinguo, ‘Cooperation progress between AVIC & UK universities’, Aviation Industry Corporation of China, 5 May 2016, online.

China’s nuclear weapons program and defence industry have expanded their presence in foreign universities. State-owned defence industry conglomerates have established joint research and training programs in Austria, Australia, the UK, France, Germany and Switzerland. Scientists from China’s nuclear weapons program have been identified in universities across developed countries.

Defence industry

At least four of China’s 12 state-owned defence industry conglomerates (defence state-owned enterprises, or defence SOEs) have a substantial presence in overseas universities. Their work covers military electronics, aviation technology and missiles. These companies seek to increase their access to world-class training, expertise and technology through exchanges and joint laboratories with foreign universities (Table 1). Many of the collaborations involve organisations that are subject to export restrictions by the US Government, raising concerns about the effect they may have on military technology and human rights violations in China.

Table 1: Defence SOE joint laboratories or major investments in foreign universities

AECC = Aero Engine Corporation of China; AVIC = Aviation Industry Corporation of China; BIAM = Beijing Institute for Aeronautical Materials; CALT = China Academy of Launch Vehicle Technology; CETC = China Electronics Technology Group Corporation; COMAC = Commercial Aircraft Corporation of China.

a: Victorian Department of Premier and Cabinet, ‘New hi-tech deal great for Victorian jobs’, media release, 24 October 2019, online.
b: Monash University, ‘Monash University and Commercial Aircraft Corporation of China sign MOU to accelerate aircraft development’, media release, 16 May 2017, online.
c: University of Technology Sydney, ‘New joint IET research centre with CETC’, media release, 26 April 2017, online.
d: University of Manchester, ‘Partnership with the Aero Engine Corporation of China’, media release, no date, online; BIAM – Manchester UTC, About us, no date, online.
e: BIAM – Manchester UTC, Research, no date, online.
f: University of Manchester Aerospace Research Institute, Sino-British Joint Laboratory on Advanced Control Systems Technology, no date, online.
g: China Academy of Launch Vehicle Technology (CALT), Sino-British Advanced Control System Technology Joint Laboratory, 14 May 2016, online (in Chinese).
h: University of Manchester Aerospace Research Institute, Our research, no date, online.
i: CALT, The Rocket Institute has built 4 overseas R&D institutions, 13 May 2016, online.
j: The University of Birmingham is listed as the coordinator of the EMUSIC project. See EMUSIC, Participants, no date, online.
k: EMUSIC, Efficient Manufacturing for Aerospace Components Using Additive Manufacturing, Net Shape HIP and Investment Casting (EMUSIC), no date, online.
l: EMUSIC, EMUSIC mid-term report shows progress being made on improving manufacturing efficiency, 16 January 2018, online.
m: BIAM is a consortium member of EMUSIC. BIAM representatives are listed as project coordinators with members of the University of Birmingham, which is the university that leads the EMUSIC program. See EMUSIC, Contact us, no date, online; EMUSIC, Participants, online; European Commission, ‘Efficient Manufacturing for Aerospace Components using Additive Manufacturing, Net Shape HIP and Investment Casting’, Cordis, no date, online; EMUSIC, ‘Efficient Manufacturing for Aerospace Components Using Additive Manufacturing, Net Shape HIP and Investment Casting’, TRIMIS, no date, online; ‘Efficient Manufacturing for Aerospace Components Using Additive Manufacturing, Net Shape HIP and Investment Casting’, Cimne.com, no date, online.
n: EMUSIC, Efficient Manufacturing for Aerospace Components Using Additive Manufacturing, Net Shape HIP and Investment Casting (EMUSIC).
o: Department of European Affairs, ‘Zhongao Electronic Technology Innovation Center was established in Graz’, news release, Ministry of Commerce, PRC Government, 4 December 2015, online (in Chinese).
p: Das Land Steiermark, ‘Chinese IT giant is becoming a global player from Graz’, news release, 2 November 2016, online (in German).
q: European Sustainable Energy Innovation Alliance, ‘Cooperation with CETC on the internet of things and new energies’, news release, 21 October 2014, online.
r: CALT, Sino-British Joint Laboratory of Advanced Structures and Manufacturing Technology, 14 May 2016, online (in Chinese); University of Exeter, ‘Annual review 2015’, Issue, 5, online.
s: ‘Versarien PLC: Term sheet with Beijing Institute of Graphene Tech’, Financial Times, 15 April 2019, online.
t: University of Manchester, Partnership with the Aero Engine Corporation of China, no date, online.
u: CALT, The Rocket Institute has built 4 overseas R&D institutions; CALT, Artificial assisted heart overseas research and development institutions, 14 May 2016, online (in Chinese).
v: CALT, The Rocket Institute has built 4 overseas R&D institutions.
w: CALT, Artificial assisted heart overseas research and development institutions.
x: CALT, The Rocket Institute has built 4 overseas R&D institutions; CALT, Artificial assisted heart overseas research and development institutions.
y: Imperial College London, AVIC Centre for Structural Design and Manufacture, no date, online.
z: University of Strathclyde, Space Mechatronic Systems Technology (SMeSTech) Laboratory, no date, online.
aa: University of Nottingham, ‘Chinese aerospace business funds £3m University Innovation Centre’, media release, August 2012, online.
bb: University of Nottingham, Composites Research Group, no date, online.
cc: The centre was administered by AVIC before the creation of AECC in August 2016 and was called the ‘AVIC Centre for Materials Characterisation, Processing and Modelling’. A formal change of name took place on 12 July 2017. See Imperial College London, AVIC Centre, no date, online; Imperial College London, BIAM – Imperial Centre for Materials Characterisation, Processing and Modelling, Visit of BIAM delegation (31 October 2018), online; Imperial College London, BIAM – Imperial Centre for Materials Characterisation, Processing and Modelling, Events, no date, online.
dd: Imperial College London, BIAM – Imperial Centre for Materials Characterisation, Processing and Modelling, Visit of BIAM delegation (31 October 2018), online.
ee: The centre was administered by AVIC before the creation of AECC in August 2016 and was called the ‘AVIC Centre for Materials Characterisation, Processing and Modelling’. A formal change of name took place on 12 July 2017. See Imperial College London, AVIC Centre, no date, online; Imperial College London, BIAM – Imperial Centre for Materials Characterisation, Processing and Modelling, Visit of BIAM delegation, 31 October 2018, online; Imperial College London, BIAM – Imperial Centre for Materials Characterisation, Processing and Modelling, Events, no date, online.
ff: Imperial College London, BIAM – Imperial Centre for Materials Characterisation, Processing and Modelling, no date, online.
gg: Imperial College London, BIAM – Imperial Centre for Materials Characterisation, Processing and Modelling, Projects, no date, online.

Missile technology

The China Aerospace Science and Technology Corporation (CASC) and China Aerospace Science and Industry Corporation (CASIC) are the Chinese military’s leading suppliers of missiles, carrier rockets and satellites.80 The conglomerates claim to send dozens of scientists abroad every year to train in countries that include Australia, France, Italy, Japan, Russia, Ukraine, the UK and the US.81

CASC has a significant overseas presence through its subsidiary China Academy of Launch Vehicle Technology (CALT), which develops space launch vehicles and intercontinental ballistic missiles.82 CALT operates six joint labs in Europe and the UK that do research in areas such as additive manufacturing, aerospace materials and control systems.83

CALT scientists sent to work in its overseas labs are often involved in research on subjects such as hypersonic vehicles, missiles and heat-resistant aerospace materials.84 For example, Wang Huixia, who visited a CALT joint lab at the University of Manchester in 2018,85 has published on missile flight simulation and missile countermeasures.86

CALT has a record of funding civilian technology with dual-use applications for missile systems. In 2013, it set up an ‘artificial assisted heart overseas research and development institution’ in collaboration with Germany’s RWTH Aachen University and Switzerland’s Northwestern University of Applied Sciences.87 State-owned news agency Xinhua noted in an article on CALT that the technology in artificial hearts is very similar to that in missile control systems.88

Aviation technology

The Aero Engine Corporation of China (AECC) and the Aviation Industry Corporation of China (AVIC) are the primary suppliers of aviation technology to the PLA. AECC develops aircraft engines, while AVIC enjoys a monopoly in the supply of military aircraft to the PLA.89

Both AECC and AVIC have expanded their relationships with foreign universities by establishing joint laboratories, training programs and partnerships in Europe.90

AECC was established to develop China’s own aircraft engine supply chain.91 China’s military aircraft have long depended on other nations’ jet turbine technology, so the CCP hopes to build indigenous capabilities in this area, which may be advanced by its joint labs. An AECC subsidiary, the Beijing Institute for Aeronautical Materials (BIAM), operates three joint laboratories in the UK—two at the University of Manchester and a third at Imperial College London.92 All three labs study aerospace applications of materials such as graphene.93

AVIC has established two joint labs with the UK’s Imperial College London and the University of Nottingham.94 Its lab at Imperial College London focuses on topics related to aircraft design and manufacturing, such as ultralight aviation components and metal forming techniques.95 The lab is headed by a participant in the Chinese Government’s Thousand Talents Plan (a controversial scheme to recruit scientists from abroad), who explained that the university’s collaboration with Chinese companies can help them become ‘technology leaders’.96

The Commercial Aircraft Corporation of China (COMAC), which is described as a defence industry conglomerate by the Chinese Government’s Ministry of Industry and Information Technology, has also expanded its ties with foreign universities.97 Monash University entered into a memorandum of understanding with COMAC in 2017, agreeing to host COMAC researchers and conduct collaborative research on aerospace materials.98 Through this partnership, the university supplied components for COMAC’s flagship aircraft, the C919, which many China analysts believe could be converted into a military surveillance aircraft.99

China’s defence aviation companies are also building ties in Europe and Australia through research collaboration and training programs. More than 700 AVIC engineers and managers have been sent to train at British, Dutch and French universities in the past 10 years.100 By 2020, the conglomerate plans to send a total of 1,200 of its researchers to study at institutions including Cranfield University, the University of Nottingham and the Institut Aéronautique et Spatial in France.101 In 2016, the Australian Research Council awarded A$400,000 to a joint project by the University of Adelaide and AECC on ‘superior rubber-based materials’.102

Military electronics

China Electronics Technology Group Corporation (CETC) is China’s leading manufacturer of military electronics such as radars and drone swarms. The conglomerate is a leading supplier of integrated surveillance systems, facial recognition cameras and mobile applications that have been linked to human rights abuses in Xinjiang.103 Hikvision, a major manufacturer of security cameras, is part of CETC’s stable of subsidiaries.

Since 2014, CETC has expanded its relationships with foreign universities, establishing joint laboratories in Europe and Australia. Its partnership and joint laboratory with Graz University of Technology in Austria, covering electronic information technology, laid the foundations for the establishment of its European headquarters in Graz.104

CETC’s relationship with the University of Technology Sydney (UTS) has attracted significant media scrutiny.105 The two began discussing a formal partnership in 2014 and agreed to establish a joint centre on information and electronics technologies by 2017.106 The centre was originally poised to receive up to A$20 million in funding from CETC over five years. Aside from its research on artificial intelligence, quantum information and big data, the centre was also set up as a training centre for CETC staff.

The partnership is still ongoing after a review in 2019, but UTS reportedly abandoned three of its joint projects with CETC after Australia’s Department of Defence raised concerns.107 Commentators have also drawn attention to the potential for UTS’s collaboration with CETC on ‘public security video analysis’ to contribute to human rights abuses in Xinjiang.108

Nuclear weapons program

The Chinese Academy of Engineering Physics (CAEP) is responsible for the research, development and manufacturing of China’s nuclear weapons.109 It’s also involved in developing lasers, directed-energy weapons and conventional weapons.110

CAEP is expanding its international presence in order to attract leading talent to assist China’s development of nuclear weapons. Since 2000, CAEP researchers have published more than 1,500 papers with foreign co-authors.

In 2012, CAEP established the Center for High Pressure Science and Technology Advanced Research (HPSTAR) to better leverage foreign talent.111 The Beijing-based centre claims that it’s ‘committed to science without borders’ and uses English as its official language but doesn’t mention on its English-language website that it’s affiliated with CAEP. HPSTAR is run by a Taiwanese-American scientist who was recruited in 2012 through the Chinese Government’s Thousand Talents Plan—a scientific talent recruitment program that CAEP has used to hire at least 57 scientists from abroad.112

CAEP also sends large numbers of its employees to study abroad. In 2015, one of the academy’s officials claimed that hundreds of young CAEP researchers are sent to study abroad every year, which has ‘had clear results for building up young talents’.113

For example, Zhou Tingting, a researcher at CAEP’s Institute of Applied Physics and Computational Mathematics, recently worked as a visiting scholar at Caltech University’s Materials and Process Simulation Center in the US. The institute specialises in design and simulation computation for nuclear warheads and has been involved in at least two espionage cases. It’s been included on the US Government’s Entity List since 1997.114 While at Caltech, Zhou published research on polymer-bonded explosives that was funded by the US Office of Naval Research. Polymer-bonded explosives are used to detonate the cores of nuclear warheads.115

Zhou’s background also illustrates how China’s civilian universities serve as feeder schools for the nuclear weapons program. Before joining CAEP, Zhou studied at Beijing Institute of Technology—one of the Seven Sons of National Defence. As a student, she also visited the same Caltech centre to carry out research on explosives. Her supervisor at the Beijing Institute of Technology was an adviser to the PLA and the government on warheads and hypersonic vehicles.116

Figure 3: China’s twelve Defence Industry Conglomerates

Areas for further research

While the China Defence Universities Tracker includes entries for roughly 160 universities, companies and research institutes, it’s far from comprehensive. We intend to update and expand the tracker when that’s possible. In particular, there’s room for further research on the Chinese Academy of Sciences and its dozens of subordinate research institutes. Twelve of China’s defence conglomerates are included in the database, but their hundreds if not thousands of subsidiaries haven’t been publicly catalogued.

Nor have private companies and other major suppliers of equipment to the military and security apparatus been included in this project. Further research on the role of universities in supporting state surveillance and on companies that develop surveillance technology used in human rights abuses would be valuable.

Engaging with research partners in China

Better managing engagement with research partners in China will help ensure that collaborations align with Australia’s values and interests. A deeper understanding of PRC universities and the CCP will strengthen this engagement. Engagement should be built on robust risk management efforts, rather than on efforts to, on the one hand, cut out or, on the other hand, uncritically embrace interactions with PRC entities. Effective risk management won’t prevent collaboration between Australian universities and China. It won’t affect the vast majority of Chinese students studying in Australia.

Due diligence on research collaboration or visiting scholars and students should primarily take into account:

  • the nature of the engagement, such as the potential uses of a technology
  • the nature of the foreign partner.

University researchers are generally well placed to understand the nature of a technology and different ways a technology could be applied. This, in part, has led to a disproportionate focus on whether or not technologies have military or security applications; that is, whether they’re ‘dual-use’ technologies.

However, it appears that universities have insufficient expertise, resources and processes for understanding foreign research partners. Universities and researchers won’t be able to effectively scrutinise research collaborations without building better understanding of research partners. They should avoid collaborations with Chinese institutions on technologies that are also defence research areas for those institutions or could contribute to human rights abuses. Furthermore, some technology specialists aren’t used to considering ethics, values and security as a standard procedure when carrying out their research. The argument that research that leads to published papers is not of concern doesn’t consider the range of ways in which research, training and expertise can be misused by foreign partners.

Universities should set the bar higher than compliance with the law. As important civil society institutions, they should embody liberal values, especially in their interactions with overseas partners. As recipients of large amounts of public funding, they have an obligation to avoid recklessly harming human rights or national security, such as by training scientists from nuclear weapons programs or working with suppliers of surveillance technology used in Xinjiang. Universities should approach research collaboration as a way to promote ethical compliance, integrity and academic freedom rather than allowing collaborations to compromise their commitment to those values.

Recommendations for universities

1. Assess the situation.

  • Revisit existing collaborations, commissioning independent due diligence of concerning ones.
  • Review existing mechanisms for supervising collaborations and partnerships.
  • Apply particular scrutiny to engagement with high-risk entities identified in the China Defence Universities Tracker.

2. Build capacity.

  • Establish an independent research integrity office:
    • The office should report directly to the vice chancellor.
    • It should be resourced to carry out due diligence and compliance work and be able to do country-specific research.
    • It should write annual reviews of research integrity in the university.
    • It should serve as an interface between security agencies and the university.
  • University research integrity offices or relevant staff members should form a working group across the university sector to share information and discuss threats.
  • Dedicate greater resources to due diligence and compliance work, including linguistic and country-specific capabilities.

3. Build a culture of proactive awareness of risks.

  • Hold briefings, open to all staff, on China, research collaboration and security, delivered by the government, university due diligence staff and scholars.
  • Encourage researchers to consider unwanted outcomes of research collaborations, such as contributions to human rights abuses.
  • Encourage researchers to consult the China Defence Universities Tracker when they’re considering collaboration or applications from visiting scholars and students.

4. Develop better systems for managing engagement with China.

  • Create general guidelines for informal and formal collaboration with PRC entities.
  • In all agreements with PRC entities, introduce clauses on ethics, academic freedom and security with provisions to immediately terminate partnerships if they’re breached.
  • Establish a travel database for staff that’s accessible to university executives and research contract, due diligence and research integrity staff.
  • Refine the approval process for collaborations with foreign entities:
    • Collaborations should consider risks to the national interest, national security, intellectual property, reputation and human rights.
    • The China Defence Universities Tracker should be used to inform decisions. Universities should avoid collaborating with Chinese institutions on technologies that are also defence research areas for those institutions.
  • Develop a policy on collaboration with foreign militaries, security agencies and defence companies.
  • Use the China Defence Universities Tracker to improve the vetting of visiting scholars and students.
    • Visitors from the PLA, defence conglomerates or other high-risk entities should be subject to greater scrutiny in light of their defence and security links.

5. Ensure the implementation of supervisory systems.

  • Enforce contracts and policies on conflicts of interest and external employment.
  • Introduce annual reviews of engagement with China and the management of research collaborations.
  • Introduce annual reviews of research integrity across the university.

Recommendations for the Australian Government

1. Increase and refine the allocation of government research funding, strengthening the government’s ability to encourage universities to better manage research collaboration.

  • In general, the government should seek to ensure that its research funding is being used in ways that align with Australia’s values, needs and national interests.
  • Federal funding agencies such as the Australian Research Council and the Defence Science and Technology Group should use the China Defence Universities Tracker to help investigate and consider the foreign military or security links of current and future funding recipients.
  • Federal funding agencies should ensure disclosure of conflicts of interest by grant application assessors.
  • Federal funding agencies should ensure that their policies on conflicts of interest and external employment are being followed by grant recipients.

2. Issue clear and public guidance to universities on specific areas of research with important security, economic or human rights implications that should be protected from unsupervised technology transfer.

  • The University Foreign Interference Taskforce could serve as a platform to begin developing this guidance in consultation with university representatives.

3. Reform the Defence Trade Controls Act 2012, developing solutions to the Act’s failure to control technology transfer to foreign nationals and foreign military personnel in Australia.
 

4. The Australian Federal Police and Department of Defence should enforce the Weapons of Mass Destruction (Prevention of Proliferation) Act 1995, which restricts the provision of services to assist weapons of mass destruction programs.

5. The Department of Home Affairs should incorporate the China Defence Universities Tracker into its screening of visa applicants.

  • PLA officers, PRC defence conglomerate employees and members of PRC security agencies should by default not be given visas if they intend to study dual-use technology in Australia.
  • The military and security links of university researchers, particularly those from universities whose government links have been identified in the China Defence Universities Tracker, should be scrutinised.

6. Establish a national research integrity office.

  • Its remit should cover universities, the Commonwealth Scientific and Industrial Research Organisation, medical research institutes and any other recipients of government research funding.
  • It should be mandated to produce public reports evaluating efforts to ensure research integrity across the higher education sector.
  • It should be empowered to carry out investigations into research integrity.
  • It should produce annual reports on research integrity across Australia.
  • It should report to the Education Minister.
  • It should conduct outreach to universities and researchers and consult them on the development of research integrity guidelines.

7. Encourage the establishment of independent research integrity offices in universities.

  • The government should introduce a start-up funding program for universities seeking to establish independent research integrity offices.

8. Create an annual meeting of education ministers from Five Eyes countries to deepen research collaboration within the alliance and coordinate on research security.

9. Work with Five Eyes partners to establish a joint centre on managing sensitive technologies.

  • It should be resourced to monitor and assess the full course of China’s technology transfer activity, tracking China’s technology priorities and efforts to exploit resources in Five Eyes countries in service of those priorities.
  • It should identify where research on sensitive technologies is being carried out within Five Eyes countries and coordinate both innovation and security efforts.

10. The National Intelligence Community should increase resourcing for efforts to study China’s technology priorities and technology transfer efforts.

Appendix: Universities supervised by SASTIND

  • Anhui University
  • Beijing University of Chemical Technology
  • Central South University
  • Changchun University of Science and Technology
  • Chongqing University
  • Dalian University of Technology
  • East China University of Technology
  • Fuzhou University
  • Guilin University of Electronic Technology
  • Hangzhou Dianzi University
  • Harbin University of Science and Technology
  • Hebei University
  • Hebei University of Science and Technology
  • Hefei University of Technology
  • Heilongjiang Institute of Technology
  • Heilongjiang University
  • Henan University of Science and Technology
  • Huazhong University of Science and Technology
  • Hunan University
  • Hunan University of Science and Technology
  • Jiangsu University of Science and Technology
  • Jilin University
  • Kunming University of Science and Technology
  • Lanzhou University
  • Lanzhou University of Technology
  • Nanchang Hangkong University
  • Nanjing Tech University
  • Nanjing University
  • North China Institute of Aerospace Engineering
  • North China University of Science and Technology
  • North University of China
  • Peking University
  • Shandong University
  • Shandong University of Technology
  • Shanghai Jiaotong University
  • Shanghai University
  • Shenyang Aerospace University
  • Shenyang Ligong University
  • Shijiazhuang Tiedao University
  • Sichuan University
  • Soochow University
  • South China University of Technology
  • Southeast University
  • Southwest University of Science and Technology
  • Sun Yat-Sen University
  • Tianjin Polytechnic University
  • Tianjin University
  • Tsinghua University
  • University of Electronic Science and Technology of China
  • University of Science and Technology Beijing
  • University of Shanghai for Science and Technology
  • University of South China
  • Wuhan Institute of Technology
  • Wuhan University
  • Xi’an Jiaotong University
  • Xi’an Technological University
  • Xiamen University
  • Xiangtan University
  • Xidian University
  • Yanshan University
  • Zhejiang University

Acknowledgements

The author would like to thank Charlie Lyons Jones for his contributions. He would like to thank Fergus Hanson, Michael Shoebridge, Danielle Cave, Audrey Fritz, John Garnaut, Luca Biason and Jichang Lulu for their insights. He would also like to thank the analysts who helped build the China Defence Universities Tracker: Elsa Kania, Audrey Fritz, Charlie Lyons Jones, Samantha Hoffman and others.

What is ASPI?

The Australian Strategic Policy Institute was formed in 2001 as an independent, non‑partisan think tank. Its core aim is to provide the Australian Government with fresh ideas on Australia’s defence, security and strategic policy choices. ASPI is responsible for informing the public on a range of strategic issues, generating new thinking for government and harnessing strategic thinking internationally.

ASPI International Cyber Policy Centre

ASPI’s International Cyber Policy Centre (ICPC) is a leading voice in global debates on cyber and emerging technologies and their impact on broader strategic policy. The ICPC informs public debate and supports sound public policy by producing original empirical research, bringing together researchers with diverse expertise, often working together in teams.

To develop capability in Australia and our region, the ICPC has a capacity building team that conducts workshops, training programs and large-scale exercises both in Australia and overseas for both the public and private sectors. The ICPC enriches the national debate on cyber and strategic policy by running an international visits program that brings leading experts to Australia.

The work of ICPC would be impossible without the financial support of our partners and sponsors across government, industry and civil society. ASPI is grateful to the US State Department for providing funding for this research project.

© The Australian Strategic Policy Institute Limited 2019

  1. The China Defence Universities Tracker was developed by a team of analysts at ASPI’s International Cyber Policy Centre including Alex Joske, Charlie Lyons Jones, Dr Samantha Hoffman, Elsa Kania and Audrey Fritz.
  2. University Foreign Interference Taskforce, Guidelines to counter foreign interference in the Australian university sector, Department of Education, Australian Government, November 2019, online.
  3. Jun-min ronghe 军民融合 is officially translated as ‘civil–military fusion’ and sometimes as ‘civil–military integration’ or ‘military–civil integration’. However, ‘military–civil fusion’ preserves the original structure of the Chinese phrase, and ‘military–civil integration’ should be more accurately used as a translation of an earlier Chinese Government effort, jun-min jiehe 军民结合. See also Elsa Kania, Battlefield singularity: artificial intelligence, military revolution, and China’s future military power, Center for a New American Security, November 2017, endnote 9, online; Audrey Fritz, China’s evolving conception of civil–military collaboration, Center for Strategic and International Studies, 2 August 2019, online.
  4. ‘军民融合发展委成立 军工板块再迎重磅利好’ [Military–civil fusion development commission established; the military–industrial bloc again welcomes great benefits], Xinhua, 23 January 2017, online.
  5. ‘我国军民融合产业发展概况’ [The status of my country’s military–civil fusion industry development], China High Tech, 15 April 2019, online.
  6. Lorand Laskai, Civil–military fusion: the missing link between China’s technological and military rise, Council on Foreign Relations, January 29, 2018, online.
  7. 赵长禄 [Zhao Changlu], ‘大学应站在军民融合的前线’ [Universities should stand at the front line of military–civil fusion], The People’s Daily, 18 March 2017, online.
  8. ‘做好军民融合背景下的高校保密工作’ [Doing university secrecy work in the context of military–civil fusion], National Administration of State Secrets Protection, 27 February 2018, online.
  9. ‘2018中国双一流大学排行榜,87所跻身全国百强’ [2018 list of China’s double first‑class universities, 87 universities in the top 100 nationally], The People’s Daily, 27 December 2017, online.
  10. ‘教育部 财政部 国家发展改革委印发 《关于高等学校加快’双一流’建设的 指导意见》的通知’ [Notice on the Ministry of Education, Ministry of Finance, National Development and Reform Commission releasing ‘Directions and thoughts on hastening the double first‑class development of higher education institutions], chsi.com, 27 August 2018, online.
  11. Audrey Fritz, ‘University involvement in military–civilian fusion: the driving force behind achieving the Chinese Dream’, senior thesis submitted to the University of Chicago, 17 April 2019.
  12. Alex Joske, Picking flowers, making honey: the Chinese military’s collaboration with foreign universities, ASPI, Canberra, October 2018, online.


A normative approach to preventing cyberwarfare

A series of episodes in recent years—including Russia’s cyber interventions to skew the United States’ 2016 presidential election toward Donald Trump, the anonymous cyber-attacks that disrupted Ukraine’s electricity system in 2015, and the ‘Stuxnet’ virus that destroyed a thousand Iranian centrifuges—has fuelled growing concern about conflict in cyberspace. At last month’s Munich Security Conference, Dutch Foreign Minister Bert Koenders announced the formation of a new non-governmental Global Commission on the Stability of Cyberspace to supplement the UN Group of Governmental Experts (GGE).

The GGE’s reports in 2010, 2013, and 2015 helped to set the negotiating agenda for cybersecurity, and the most recent identified a set of norms that have been endorsed by the UN General Assembly. But, despite this initial success, the GGE has limitations. The participants are technically advisers to the UN Secretary-General rather than fully empowered national negotiators. Although the number of participants has increased from the original 15 to 25, most countries do not have a voice.

But there is a larger question lurking behind the GGE: Can norms really limit state behaviour?

Most experts agree that a global cyberspace treaty currently would be politically impossible (though Russia and China have made such proposals at the UN). But, beyond formal treaties, normative constraints on states also include codes of conduct, conventional state practices, and widely shared expectations of proper behaviour among a group (which create a common law). In scope, these constraints can vary from global, to plurilateral, to bilateral. So what can history tell us about the effectiveness of normative policy instruments?

In the decade after Hiroshima, tactical nuclear weapons were widely regarded as “normal” weapons, and the US military incorporated nuclear artillery, atomic land mines, and nuclear anti-aircraft weapons into its deployed forces. In 1954 and 1955, the Chairman of the Joint Chiefs of Staff told President Dwight Eisenhower that the defense of Dien Bien Phu in Vietnam and of offshore islands near Taiwan would require the use of nuclear weapons (Eisenhower rejected the advice).

Over time, the development of an informal norm of non-use of nuclear weapons changed this. The Nobel laureate economist Thomas Schelling argued that the development of the norm of non-use of nuclear weapons was one of the most important aspects of arms control over the past 70 years, and it has had an inhibiting effect on decision-makers. But for new nuclear states like North Korea, one cannot be sure that the costs of violating the taboo would be perceived as outweighing the benefits.

Similarly, a taboo against using poisonous gases in warfare developed after World War I, and the 1925 Geneva Protocol prohibited the use of chemical and biological weapons. Two treaties in the 1970s prohibited the production and stockpiling of such weapons, creating a cost not only for their use, but also for their very possession.

Verification provisions for the Biological Weapons Convention are weak (merely reporting to the UN Security Council), and such taboos did not prevent the Soviet Union from continuing to possess and develop biological weapons in the 1970s. Similarly, the Chemical Weapons Convention did not stop either Saddam Hussein or Bashar al-Assad from using chemical weapons against their own citizens.

Nonetheless, both treaties have shaped how others perceive such actions. Such perceptions contributed to the justification of the invasion of Iraq in 2003 and to the international dismantling of most Syrian weapons in 2014. With 173 countries having ratified the Biological Warfare Convention, states that wish to develop such weapons must do so secretly, and face widespread international condemnation if evidence of their activities becomes known.

Normative taboos may also become relevant in the cyber realm, though here the difference between a weapon and a non-weapon depends on intent, and it would be difficult to forbid—and impossible to prohibit reliably—the design, possession, or even implantation for espionage of particular computer programs. In that sense, efforts to prevent cyber conflict cannot be like the nuclear arms control that developed during the Cold War, which involved elaborate treaties and detailed verification protocols.

A more fruitful approach to normative controls on cyberwarfare may be to establish a taboo not against weapons but against targets. The US has promoted the view that the Law of Armed Conflict (LOAC), which prohibits deliberate attacks on civilians, applies in cyberspace. Accordingly, the US has proposed that, rather than pledging ‘no first use’ of cyber weapons, countries should pledge not to use cyber weapons against civilian facilities in peacetime.

This approach to norms has been adopted by the GGE. The taboo would be reinforced by confidence-building measures such as promises of forensic assistance and non-interference with the workings of Computer Security Incident Response Teams (CSIRTs).

The GGE report of July 2015 focused on restraining attacks on certain civilian targets, rather than proscribing particular code. At the September 2015 summit between US President Barack Obama and Chinese President Xi Jinping, the two leaders agreed to establish an expert commission to study the GGE proposal. Subsequently, the GGE report was endorsed by the leaders of the G20 and referred to the UN General Assembly.

The attack on the Ukrainian power system occurred in December 2015, shortly after the submission of the GGE report, and in 2016, Russia did not treat the US election process as protected civilian infrastructure. The development of normative controls on cyber weapons remains a slow—and, at this point, incomplete—process.

Understanding the cyber threat: defence, response, democracy

As Russia’s campaign to influence the US election falls out of the news cycle, it’s important to maintain a focus on the key lessons from the Democratic National Committee hack in order to understand what could’ve prevented it. The main takeaway is that any actor with enough resources and determination can compromise almost any system using an extraordinary range of tools. The other is a fundamental change of thinking: total security is currently impossible to obtain, and there’s always a risk of your system being penetrated. With operations and data breaches increasingly being used to embarrass, extort and influence, there are several ways to better understand and manage the risk.

Nefarious actors waging information operations come from diverse backgrounds and have different agendas, from foreign governments and private enterprise to NGOs and lone actors. And sometimes they’ll “work” together, like when Russian military and domestic intelligence allegedly used a fake lone actor (Guccifer 2.0) to leak stolen government information to a real NGO (WikiLeaks). Hacker Andres Sepulveda and his team sold their services through private enterprises to political parties across Latin America seeking to infiltrate rivals and manipulate elections. Such examples highlight the complexity of information operations. To establish credibility or plausible deniability, the real mastermind may hide under many layers of intermediaries.

For those engaged in information warfare, the theft of data is one thing, but it’s getting the information out that’s key. For such operations to work effectively an adversary needs broad dissemination, acceptance of legitimacy and internalisation by the target audience. This was two-fold in the case of Russia’s influence campaign. First the perpetrators had to gain enough credibility to be picked up by mainstream US media, which was why WikiLeaks was used to get the word out. (A previous dissemination point, a website called DC Leaks, was set up in April but failed to gain traction.) WikiLeaks had the profile and produced the veneer of legitimacy needed for mainstream media sites to disseminate to the second audience, the US electorate. Internalisation—when your message or content is voluntarily used by actors within your target audience—occurred when Donald Trump used the leaked material during the second presidential debate to threaten Hillary Clinton with jail. The execution of this information loop helped Russia’s preferred candidate get elected. The operation was a success.

If the majority of media resources and effort go to covering the breach and the scoops found in the leaked data, then the adversary has “won” because they’ve reshaped the narrative. Government responses are then formed in reaction to the adversary’s information, allowing them to set the parameters of the game. Instead of investigating the source, the FBI chose to investigate the leaked information. It was only a month after the election that the White House ordered a separate investigation, which revealed the source as Russian intelligence.

When faced with information warfare on the scale of the DNC hack, focusing on the cause of the breach rather than the dissemination and exploitation of the stolen data is self-defeating. Inviting the foreign intelligence service to hack your country again is also counterproductive because it further legitimises the opponent and their narrative.

So, what to do? In terms of passive defence, network compartmentalisation and resiliency-building can reduce the amount and quality of data available, so decreasing the value of penetration. Building in network redundancy can also assist by keeping vital parts of the network away from attackers and reducing the time a network is down. Low-tech offset strategies, like using typewriters for sensitive communications, can also reduce exposure.

The other side is active defence. Having well-trained and well-resourced computer emergency response teams is crucial. The quicker they can detect, mitigate and neutralise the hack the less damage it can do in both the cyber and public relations realms. Forensic analysis of intrusions is also crucial in tracing the culprit, who can then be named and shamed to discredit their narrative.

These efforts are symbiotically attached to the need for much stronger strategic communications. Establishing a coherent, unified platform is crucial to reveal and defeat that narrative. Cyber units and the affected organisation must coordinate and deliver a unified message. The confusion around the Australian Census DDoS attack is an example of where this could have been applied. Attempts should also be made to create nuanced policies to deal with fake news, with several approaches being tried by countries and companies alike.

Discrediting or denying the adversary legitimacy is crucial to minimising the significance of an attack. Part of that relies on seeing the bigger picture and calling out intrusions for what they are. A breach represents a cyber-attack, but if the end goal of that attack is to destabilise an election or compromise an individual, it’s imperative that the scope of the attack be acknowledged transparently. This helps orientate discourse around the true intent of the malevolent actor. If their information can’t build traction, it’ll quickly be left behind as the news cycle moves on.

Focusing strategic efforts at the dissemination-end of information operations reduces the overall appeal of mounting an attack. A concerted response can form an implied deterrent which doesn’t risk escalation or miscalculation. If actors can’t produce the range or scale of effects they seek, their attacks are rendered impotent. With elections in France and Germany imminent it’s crucial we learn from attacks like this to tighten cyber security and protect democratic processes.

World Order 2.0


For nearly four centuries, since the Peace of Westphalia in 1648 ended the Thirty Years’ War in Europe, the concept of sovereignty—the right of countries to an independent existence and autonomy—has formed the core of the international order. And for good reason: as we have seen in century after century, including the current one, a world in which borders are forcibly violated is a world of instability and conflict.

But, in a globalised world, a global operating system premised solely on respect for sovereignty—call it World Order 1.0—has become increasingly inadequate. Little stays local anymore. Just about anyone and anything, from tourists, terrorists, and refugees to e-mails, diseases, dollars, and greenhouse gases, can reach almost anywhere. The result is that what goes on inside a country can no longer be the concern of that country alone. Today’s realities call for an updated operating system—World Order 2.0—based on ‘sovereign obligation,’ the notion that sovereign states have not just rights but also obligations to others.

A new international order will also require an expanded set of norms and arrangements, beginning with an agreed-upon basis for statehood. Existing governments would agree to consider bids for statehood only in cases where there was a historical justification, a compelling rationale, and popular support, and where the proposed new entity is viable.

World Order 2.0 must also include prohibitions on carrying out or in any way supporting terrorism. More controversially, it must include strengthened norms proscribing the spread or use of weapons of mass destruction. As it stands, while the world tends to agree on constraining proliferation by limiting countries’ access to the relevant technology and material, the consensus often breaks down once proliferation has occurred. This should become a topic of discussion at bilateral and multilateral meetings, not because it would lead to a formal agreement, but because it would focus attention on applying stringent sanctions or undertaking military action, which could then reduce the odds of proliferation.

Another essential element of a new international order is cooperation on climate change, which may be the quintessential manifestation of globalisation, because all countries are exposed to its effects, regardless of their contribution to it. The 2015 Paris climate agreement—in which governments agreed to limit their emissions and to provide resources to help poorer countries adapt—was a step in the right direction. Progress on this front must continue.

Cyberspace is the newest domain of international activity characterised by both cooperation and conflict. The goal in this area should be to create international arrangements that encourage benign uses of cyberspace and discourage malign uses. Governments would have to act consistently within this regime as part of their sovereign obligations—or face sanctions or retaliation.

Global health presents a different set of challenges. In a globalised world, an outbreak of infectious disease in one country could quickly evolve into a serious threat to health elsewhere, as has happened in recent years with SARS, Ebola, and Zika. Fortunately, the notion of sovereign obligation is already advanced in this sphere: countries are responsible for trying to detect infectious disease outbreaks, responding appropriately, and notifying others around the world.

When it comes to refugees, there is no substitute for effective local action aimed at preventing situations that generate large refugee flows in the first place. In principle, this is an argument for humanitarian intervention in selective situations. But translating this principle into practice will remain difficult, given divergent political agendas and the high costs of effective intervention. Even without a consensus, however, there is a strong case for increasing funding for refugees, ensuring their humane treatment, and setting fair quotas for their resettlement.

Trade agreements are, by definition, pacts of reciprocal sovereign obligations regarding tariff and nontariff barriers. When a party believes that obligations are not being met, it has recourse to arbitration through the World Trade Organization. But things are less clear when it comes to government subsidies or currency manipulation. The challenge, therefore, is to define appropriate sovereign obligations in these areas in future trade pacts, and to create mechanisms to hold governments accountable.

Establishing the concept of sovereign obligations as a pillar of the international order will take decades of consultations and negotiations—and even then, its acceptance and impact will be uneven. Progress will come only voluntarily, from countries themselves, rather than from any top-down edict. Realistically, it will be difficult to forge agreement on what specific sovereign obligations states have and how they should be enforced.

Complicating matters further, US President Donald Trump’s administration has espoused an ‘America First’ doctrine that is largely inconsistent with what is being suggested here. If this remains the US approach, progress toward building the sort of order that today’s interconnected world demands will come about only if other major powers push it—or it will have to wait for Trump’s successor. Such an approach, however, would be second best, and it would leave the United States and the rest of the world worse off.

Now is the time to begin the necessary conversations. Globalisation is here to stay. Moving toward a new international order that incorporates sovereign obligation is the best way to cope. World Order 2.0, predicated on sovereign obligation, is certainly an ambitious project—but one born of realism, not idealism.

International cyber norms: an Australian private sector perspective

On 10 November the government announced the appointment of Australia’s first ambassador for cyber affairs, ASPI’s Toby Feakin. A key role for Toby and his team over the next 12 months will be to help further refine, strengthen and implement norms of behaviour in cyberspace.

Norms in their simplest form are shared expectations of proper behaviour. They can evolve to keep pace with technological change and have the ability to incorporate the voices and opinions of multiple actors, even those nations with which we may ordinarily ideologically conflict. Norms have emerged as the best answer to the complicated question: how do you create international rules for acceptable online behaviour without stymying freedom of expression, economic exchange and technological innovation?

Australian private sector organisations should be active voices in the norms debate. Norms are a key vehicle to positively influence the direction of the online environment, of which business is a key participant. As owners, innovators and operators of the technology that underpins the backbone of Australia’s critical infrastructure, industry is also well placed to lend expertise devising acceptable international behaviours to aid its protection.

Private sector involvement in norm formation isn’t without historical precedent. The Dutch East India Company famously helped to entrench the concept of the freedom of the seas. Developed in response to a Portuguese policy seeking to carve out exclusive trading zones in South and Southeast Asia, the Dutch company convincingly argued that the world’s oceans should be open to unrestricted access and trade by all.

Many nations have laws dictating what should and shouldn’t go on in cyberspace. But internationally, states have widely different interpretations on everything from freedom of speech and cyber arms control, to what even constitutes the very fabric of ‘cyberspace’. This makes a purely legal solution hard to find. Many governments, including Australia’s, have looked to cyber norms to fill the breach. By combining norms and existing international law, it’s hoped that we can maintain stability and avoid conflict in an increasingly volatile online environment.

Norms discussions have unfolded in many forums, including academic and non-government led processes, but the most tangible norm formation has taken place at exclusively state-based forums such as the UN Group of Governmental Experts.

One of the biggest practical barriers to legitimising the norms model has been effective implementation and compliance monitoring. Those obstacles could be alleviated by encouraging the private sector, who own and operate most of the world’s internet infrastructure, to become more involved in the norms discussion. And as key participants in a multi-stakeholder internet, the private sector deserves their own seat at the table.

Some in the academic community forgave the omission by suggesting that the private sector has little interest in norm formation, due to a belief that they’ll have little success in influencing government cyber policymakers, or due to a fear that putting their heads above the parapets will lead to increased and unwanted regulation.

The Australian government has carried out fantastic norm formation work via leadership roles in the UN and as a norms champion in the Asian region. But the Australian private sector’s ability to augment and contribute to this process has largely gone unrealised. Earlier this year, Commonwealth Bank participated in an ASPI project to gauge the Australian private sector’s interest in and opinions on norms, the bank’s perceptions around the potential impact of norms on industry, and how governments could engage more broadly on norm formation.

This workshop and ASPI’s subsequent publication show that there’s strong interest within the private sector in engaging in the norms discussion, and that high-level thinking is already taking place about which specific behaviours enable economic exchange while boosting stability and security online. Norms singled out for praise include those which encourage the free flow of information across national borders, protect the public core of the internet (such as the DNS), and prohibit the theft of intellectual property.

Cyber security is a shared responsibility for all participants in the digital economy, and the government’s decision to appoint an ambassador for cyber affairs is a shrewd move that will help to enable broader collaboration. By creating a figurehead for engagement on international cyber issues, the government has positioned itself to leverage expertise and experiences that lie in the private sector. This will help to create a stronger, holistic and coordinated Australian approach to cyber space.

Cyber wrap

Image courtesy of Flickr user Mambembe Arts & Crafts

Last week progress was made on three initiatives announced in April’s Cyber Security Strategy. First up, Foreign Minister Julie Bishop and Minister Assisting the PM for Cyber Security Dan Tehan announced last Thursday that ICPC’s Tobias Feakin will be Australia’s first Ambassador for Cyber Affairs. The new role will promote Australia’s position on key policy issues including international law and norms, and coordinate regional cyber capacity building work. Feakin will also develop the International Cyber Engagement Strategy which the government committed to back in April, a process that ICPC will be following closely. Congratulations, Toby!

Second, the Cyber Security Strategy also committed to move the Australian Cyber Security Centre (ACSC) from its current digs in ASIO’s headquarters to a facility that would be more accessible to partners from the private sector, research and academic communities. Reporting says that government will fit out a building just down the road from ASIO at Canberra Airport’s Brindabella Business Park at a cost of $38.8 million. The submission to the Parliamentary Public Works Committee notes that there are about 260 people in the ACSC at the moment, with the new facility to be designed to accommodate a maximum of 700. It’s planned to be a ‘multi-classification environment’ as much of ACSC’s work doesn’t involve highly classified information. That will help overcome the recruitment bottleneck created by the extensive clearance processes required for workers in the ACSC’s current home.

And third, the Australian Securities Exchange and Australian Securities and Investment Commission invited the ASX100 companies to participate in a Cyber Health Check. The voluntary Health Checks, led by industry, will benchmark cyber security awareness, capability and preparedness for cyber incidents.

Also last week, the government tabled the Telecommunications and Other Legislation Amendment Bill, putting into effect the long-running Telecommunications Sector Security Reform program. The legislation requires telcos to advise government about changes to their networks and facilities that would have potential security implications—including equipment purchases and outsourcing agreements. It also gives the Attorney-General the power to direct telcos to cease using or supplying services when they’re ‘prejudicial to security’. During previous consultation, industry groups have criticised the legislation for its onerous compliance requirements and vagueness in previous drafts, and it remains to be seen if that criticism will need to be repeated. The Bill has been referred to the Parliamentary Joint Committee on Intelligence and Security for review.

Professional networking site LinkedIn has been banned in Russia this week for failing to comply with the country’s privacy laws that require its citizens’ data to be stored in Russia. However, LinkedIn’s block may only be the start of big things for western companies seeking Russian audiences, with Facebook, WhatsApp and Twitter also named as targets of Russian regulator Roskomnadzor.

Facebook is also under pressure in the US from critics who are angry that the company has allowed ‘false’ news from non-traditional and highly partisan websites to spread through the social media platform. Founder Mark Zuckerberg released a statement defending Facebook and its content, but the company is apparently wrangling with the issue internally.

Finally, the US elections seem to have passed without any of the major cyber incidents that had been anticipated. Donald Trump’s big win means there’ll likely be some interesting and consequential changes in US cybersecurity policy. The actual direction Trump will take in this area isn’t entirely clear (as with most of his policies), but there’s plenty of speculation on the general direction of the Trump administration. During the campaign, Trump’s responses to cyber questions were vague and often weird, but he did release a short cybersecurity policy statement with a focus on strengthening cybersecurity and offensive cyber capabilities. Wired notes that Silicon Valley firms are worried that Trump will make even more insistent demands for government access to customer data. Gizmodo has warned that Rudolph Giuliani’s suggestion that he might take over as White House Cyber Czar would be disastrous due to his poor understanding of the issues, and further adds that ‘strong cybersecurity and a Trump administration are not compatible’ due to the patience and respect for privacy it requires. And over at CFR, David Fidler has assessed that Trump’s hostility towards trade agreements, such as the Trans-Pacific Partnership, will undermine the growth and stability of digital trade as his protectionist impulses build barriers to digital trade, signalling an end to US leadership of trade and digital commerce.

The ACSC Threat Report: a useful contribution to the cyber conversation

Yesterday the Australian Cyber Security Centre (ACSC) released its second annual Threat Report, outlining the cybersecurity challenges Australia faces and further developing Australia’s approach to cyberspace. This year’s ACSC report offers a detailed breakdown of cyber terminology, a strategic assessment of the threat environment and a refreshingly candid narrative.

The report emphasises the importance of clarifying the language used to describe the cyber threats facing Australia. The ACSC goes to great pains to point out that indiscriminate use of the term ‘cyber attack’ by ‘media, academics and foreign governments’ has undermined a mature understanding of the cybersecurity challenge. The report highlights the range of nefarious behaviours possible in cyberspace and the need to label them accordingly. That echoes the sentiment of Prime Minister Malcolm Turnbull in his keynote speech at the recent Australia–US Cyber Security Dialogue, where he raised the ‘problem of cyber lexicon’ and the importance of standardising terminology across government, business, media and academia. Having a clearer understanding of what the various threat vectors are and of the dangers they pose is useful in creating broader understanding across the community. The report makes a concerted effort to address that issue, categorising cyber behaviours, from state-sponsored aggression to hacktivism, in terms of intent, methods and risk.

However, the addition of ‘cyber terrorism’ as a sub-class of online behaviour has us worried. The term is frequently used by authoritarian governments with a strict interpretation of what represents acceptable ‘freedom of speech’ online. The term is used to facilitate the prosecution of individuals who—within an Australian interpretation—would merely be expressing their opinions online, rather than facilitating or participating in terrorism. Having this term in an official Australian document doesn’t help the discussion around appropriate rules of the road for cyberspace, and makes arguing for an open, safe and secure internet more difficult.

More broadly, the report identifies an important strategic trend: the pattern of malicious actors using cyberspace ‘to seriously impede or embarrass organisation and governments—equating to foreign interference or coercion’. Traditional conceptions of ‘cyber attacks’ focus on the potential link between computer keyboards and kinetic disruption, and rightly direct attention to the cybersecurity and resilience of critical national infrastructure and core government networks. However, as the report points out, the list of potential targets has significantly grown to include political organisations, media and ‘other sectors considered important Australia’s economy and identity’. Recent incidents of state-sponsored hacking and data breaches haven’t been a precursor to, or enabler of, physical conflict, but are instead favoured by adversaries as a low-intensity tool of statecraft by which to achieve broader strategic ends.

Regardless of whether the released information is falsified or authentic, these ‘targeted disclosures’ offer an effective way to conduct information operations and undermine public confidence in organisations and governments. With direct reference to the US Democratic National Committee breach, the report voices concern over the increasing frequency of such ‘brazen’ behaviour and the impact this may have on international norms of behaviour in cyberspace.

Overall, this report offers a transparent look into government cybersecurity, including its weaknesses and capabilities. The report provides surprising specifics on the Bureau of Meteorology hack in December, detailing the methodology of the intruder, the compromise of agency data as well as other government networks, and the admission that ‘the security controls in place were insufficient’. It’s encouraging to see the Australian government leading by example on the importance of breach disclosure, in order to ensure that the private sector continues to do so itself. Increasing broader awareness of the risks and responses is vital in this area.

The report also offers a fairly bold statement on Australia’s attribution capabilities. It challenges the perceived difficulty of identifying cyber adversaries, and asserts that Australia can achieve detailed attribution, even of individuals, ‘in a timely manner’. But although the report details technical incident response procedures, it leaves us guessing as to what the ACSC would deem an appropriate response to an attributed adversary, should a cyber–physical or cyber-coercion incident take place in Australia. Current deliberations over what action the US should take now that it’s officially attributed the recent spate of cyber intrusions to Russia highlight the need to address the lack of established post-attribution policy options.

It may be the case, as the report claims, that Australia is unlikely to fall victim to such an incident in the next five years. However, recent international events indicate Australia needs to take seriously the risk posed to both soft and hard power targets, and the government should start developing the technology and policy needed to operate in today’s online threat landscape.

Increasingly careful use of cyber terminology, attention to strategic changes and more open conversations are essential elements of a more secure online environment. The new ACSC report offers important progress in this effort, and reinforces cybersecurity as a policy priority for the Turnbull government.

Cyber wrap

The inaugural Australia-US Cyber Security Dialogue was held in Washington D.C., by CSIS and ASPI the week before last. The event, announced by Prime Minister Turnbull and President Obama in January, brought together senior representatives from government, the private sector and academia to discuss common challenges and opportunities in cyberspace. The dialogue covered cyber developments in the Asia–Pacific, the fight against cybercrime and practical methods of advancing an innovative and secure digital economy for both countries. At the close of the dialogue, Prime Minister Turnbull delivered a keynote address followed by remarks from the US Secretary of Homeland Security Jeh Johnson. Check out the full speeches here and stand by for upcoming blog pieces that will offer an insight into the dialogue discussions.

ICPC also launched its new report Cyber Maturity in the Asia-Pacific 2016 at New America in Washington DC last week. Peter W. Singer moderated an expert panel, including ICPC’s Dr Tobias Feakin, Denise Zheng of CSIS and Ryan Gillis from Palo Alto Networks, to discuss the findings of the report and broader themes of regional cyber policy development. Check out full video here.

While we were away, it was revealed that Yahoo! suffered a cybersecurity breach dating back to 2014. The breach exposed the names, emails, phone numbers, birthdays and encrypted passwords of at least 500 million customers—making it ‘the biggest hack the world has ever seen’. Apparently, the organisation’s lazy approach to security in favour of more convenient user-friendly methods is what led to this headline-grabbing cyber incident. Such negligence has prompted several lawsuits, as well as a critical open letter from six US senators, demanding that Yahoo! answer specific questions on how the breach came about and was subsequently handled by the organisation. Meanwhile, rumours are circulating over the true scale of the incident, with a former company insider putting the figure at between one and three billion compromised accounts. And in terms of attribution, the act was originally cast as being state-sponsored; however, a recent cybersecurity firm report points the finger at an eastern European crime gang thought to be selling the data on to third parties. While at first glance the breach looks like a simple case of corporate incompetence, latest reports suggest the incident may have had something to do with an intelligence sharing arrangement the company had with the US government, involving the routine scanning of millions of customer emails. Well, now that’s awkward for everyone.

Staying stateside, the first of three presidential debates took place last week featuring White House hopefuls Hillary Clinton and Donald Trump, with ‘the cyber’ briefly taking centre stage. Sadly, the candidates’ cybersecurity debate was content-light to put it mildly, mostly circling around the attribution of the DNC hack, with Clinton pointing the finger squarely at Moscow and Trump putting forward the ‘400-pound hacker’ as his best guess. Critics were left listing cyber issues that deserved serious attention at the debate, such as encryption, data-breach disclosures and protection of critical national infrastructure. Nevertheless, other experts were simply pleased cybersecurity made it onto the agenda. You can watch all seven enlightening minutes of the cybersecurity segment here.

At midnight on 30 September, after years of planning and discussion, the Internet Assigned Numbers Authority (IANA) function of the US National Telecommunications and Information Administration (NTIA) was handed over to the Internet Corporation for Assigned Names and Numbers (ICANN). The IANA functions underpin the operation of the global internet allowing users to search names rather than numeric addresses to find information (e.g. aspistrategist.org.au instead of 104.20.14.180). NTIA, part of the Department of Commerce, previously contracted ICANN to manage its IANA responsibilities. The move to hand over these functions to ICANN is the culmination of a policy announced in 1998 by the US government to transition management of the Internet’s domain name system to the international multistakeholder community. The process was met with opposition, including a failed eleventh-hour injunction filed by Ted Cruz and three other Republican state attorneys general to stop the process. The injunction was a last-minute effort by Cruz after his attempt to convince Congress to include a rider to its continuing resolution preventing the transfer also failed.

Closer to home, it’s been reported that the Australian government has experienced another data-breach incident overnight. The information of more than 96,000 public servants has been compromised from the APS internal staff census, with confirmation that the data-set was downloaded almost 60 times before the information was taken down. The news comes less than a week after an embarrassing leak of patients’ health records in a Medicare data breach by the Health Department, which is now being investigated by the Australian Privacy Commissioner Timothy Pilgrim.

Cyber wrap

Kicking off this week, China has invited foreign tech corporations to join its government’s central technical committee. Technical Committee 260, which reports to the Cyberspace Administration of China, is responsible for establishing China’s cyber security standards and will now feature Cisco, IBM, Intel and Microsoft as members. The move comes after intense criticism of China’s cyber regulations for being tough on international business interests, and has been interpreted as an attempt to placate those concerns. Ostensibly, these companies will now play a role in drafting China’s cyber security legislation; however the extent of their influence is still an unknown.

Cyber cooperation isn’t all Beijing has on its mind however. Kaspersky stats show Chinese hacking of the defense, aviation and nuclear industries in Russia has almost tripled since the beginning of the year. The clear focus on cyber espionage targeting critical national interests, rather than financial cybercrime on corporations, suggests these activities were either approved or undertaken by official Chinese representatives. This uptick of Russia’s cyber suffering at the hands of the Chinese has interestingly coincided with a recent drop in Chinese targeting of the US in cyberspace. Russia and China have historically demonstrated a fair degree of cooperation on cyber security, creating and updating a code of conduct for information security through the Shanghai Cooperation Organisation in 2011 and 2015, signing a bilateral ‘non-aggression pact’ in May last year and releasing a joint statement in June this year. However, these recent hacking trends may have confirmed suspicions that such public comradeship may only be surface deep.

Privacy feathers have been ruffled this week, with WhatsApp announcing a new information sharing deal with Facebook. WhatsApp will now disclose phone numbers and user activity analytics to its parent company in order to facilitate more targeted advertising and friend suggestions on Facebook, as well as fight spam. The new policy has raised eyebrows across the world, representing WhatsApp’s first diversion from its famous privacy vow and Facebook’s first steps to monetise the platform since purchasing it for US$22 billion in 2014. The good news is that users have the choice to opt-out of this new policy change—but you’d better move fast because the window to do so is only open for 30 days. WhatsApp has provided a slightly awkward ‘how-to’ guide here.

The privacy battle between government and civil society continues in America. Last week, tech giants vocally rejected the Obama administration’s proposal to request the social media accounts of foreign visitors in an attempt to identify terrorist threats. The proposed change would create a field stating ‘please enter information associated with your online presence’ on the US’s ESTA and I-94W arrival/departure forms. The companies, including Google, Facebook and Twitter, warn that the proposed measure will ‘have a chilling effect on the use of social media networks, online sharing and, ultimately, free speech online’. Civil liberties advocacy groups have also argued in an open letter that beyond invading individuals’ personal privacy, this measure will be ‘ineffective and prohibitively expensive to implement and maintain’.

Across the Atlantic, France and Germany are pushing for a European crackdown on encryption technology in response to the recent wave of terrorist attacks in Europe. The German Interior Minister, Thomas De Maizière, and his French counterpart, Bernard Cazeneuve, put forward a joint proposal calling on the European Commission to draft a law obliging online messaging services to monitor content and assist law enforcement with decryption efforts when required. As expected, the move sparked opposition from European industry groups who argue that enforcing such backdoors ‘ultimately leaves online systems more vulnerable’. It seems Europe is following in the footsteps of the privacy–security debate that has unfolded in the US over the last year.

Debate continues over the identity, capability and credibility of the Shadow Broker hackers who several weeks ago hosted an online auction of programs apparently nabbed from the NSA. Importantly, this content was stolen from another hacking team, Equation Group, and is actually fairly old, containing no programs more recent than October 2013. The indirect leak supposedly reveals some of the top secret cyber tools used by the spy agency to surveil American security companies such as Cisco and Fortinet. However, recent realisations that these tools contain the ability to compromise the firewalls of Chinese tech manufacturer Huawei have given even deeper insight into the scope of NSA operations. The contents of the Shadow Brokers dump have seemingly been confirmed as authentic by correlations with previously unreleased Snowden documents. Learn more about the speculated ‘who and how’ of the hack with this Engadget article and read this Lawfare piece for a lowdown of the questions that should be asked of the NSA in response.

And finally, check out Monday night’s episode of Four Corners, boldly titled ‘Cyber War’. While it won’t teach well-informed cyber nerds anything new, it’s a welcome fourth estate attempt to raise public awareness of cyber security. You can read commentary on the episode here and here.

Bit by bit: China’s quantum cryptography system

I read Geoff Slocombe’s recent post about quantum computing with interest and, I’ll admit, a little skepticism. While there’s no doubt that practical quantum computing would represent a significant step forward in computing power, there are still some struggles ahead to realise a device with enough qubits to do useful calculations and that’s stable enough to provide reliable service. When quantum systems interact with the outside world they tend to stop what they’re doing—not a great feature in a computer.

My hunch is that quantum computing will prove to be similar to energy generation through nuclear fusion—well understood from a theoretical point of view, entirely possible in principle, able to be demonstrated on a laboratory scale, but difficult to implement practically. Fusion power has been ‘a few decades away’ for much more than a few decades now, and no fusion reactor has yet been able to generate more energy than is required to run it. Some engineering problems are just really hard. Quantum computing might be one of them.

I’ve now set myself up to be proven dramatically wrong on not one but two major technologies, with my only protection from Clarke’s First Law being that no one’s ever likely to call me ‘distinguished’. So I’d better hedge and say prudent planning allows for the possibility of clever people solving difficult problems, and that it’s worth thinking about the potential impact of the maturation of either or both. I’ll come back to fusion in another post, but one of the hedging strategies against the development of quantum computing was in the news earlier this month, as China announced the launch of the world’s first quantum communication satellite.

I say ‘hedging’ because quantum computing threatens the security of one of the standard approaches to cryptography. Public key encryption is the foundation of internet security, and avoids having to securely distribute the digital equivalent of codebooks to users everywhere. A leading public key method relies on it being much easier to multiply two large prime numbers than to split an even larger number into prime factors.

There’s no mathematical law that precludes the possibility of a smart person finding a really neat trick for factoring big numbers, but no one has so far. Given the time mathematicians have spent studying number theory, it’s a fair bet it’s not going to happen. (I’m tempting Clarke again.) But a big enough quantum computer factorises much faster than existing computers, threatening the security of today’s communication. Needless to say, that has the attention of people whose job it is to keep information secure.

It turns out that there’s an answer to the potential problem, and again it comes from a property of the quantum world. If you can set up a channel that reliably allows the passage of quantum information (information that isn’t a string of zeroes or ones, but a string of various mixes of zeroes and ones) then you can send strings of digits and be sure that no one has intercepted them. That’s because the act of reading a quantum message intrinsically changes it, effectively destroying its content. And because of what’s called the ‘no-cloning theorem’, the eavesdropper can’t reconstruct the string and send it on to the unsuspecting recipient. By this method cryptographic keys can be distributed with absolute security. A bad guy can interfere with the communication of the key, but can’t steal it.
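The tamper-evidence described above can be simulated classically. The following is an added example, not part of the original post: it assumes the BB84 key-distribution protocol (which the post does not name) and an eavesdropper who measures each photon and resends it. The function names and the 10% abort threshold are constructed for illustration.

```python
import random

BASES = "+x"  # two polarisation bases: rectilinear (+) and diagonal (x)


def measure(bit, prepared_basis, measuring_basis, rng):
    """Model of a single-photon measurement.

    Measuring in the basis the photon was prepared in returns the encoded
    bit. Measuring in the other basis gives a random result, and the
    original state is lost: this is the 'reading changes it' property.
    """
    if prepared_basis == measuring_basis:
        return bit
    return rng.randint(0, 1)


def run_bb84(n_photons, eavesdrop, seed=1):
    """Return the sifted key bits held by the sender and the receiver."""
    rng = random.Random(seed)
    sender_key, receiver_key = [], []
    for _ in range(n_photons):
        sent_bit = rng.randint(0, 1)
        sent_basis = rng.choice(BASES)

        # State of the photon in flight.
        bit, basis = sent_bit, sent_basis

        if eavesdrop:
            # The eavesdropper cannot copy the photon (no-cloning), so she
            # must measure it in a guessed basis and send on a new photon
            # prepared from whatever she observed.
            guess_basis = rng.choice(BASES)
            bit = measure(bit, basis, guess_basis, rng)
            basis = guess_basis

        recv_basis = rng.choice(BASES)
        recv_bit = measure(bit, basis, recv_basis, rng)

        # Sifting: over a public channel the two parties compare bases
        # (never bits) and keep only positions where the bases agree.
        if recv_basis == sent_basis:
            sender_key.append(sent_bit)
            receiver_key.append(recv_bit)
    return sender_key, receiver_key


def error_rate(sender_key, receiver_key):
    """Fraction of sifted positions where the two keys disagree."""
    mismatches = sum(a != b for a, b in zip(sender_key, receiver_key))
    return mismatches / len(sender_key)


def key_exchange(n_photons, eavesdrop, threshold=0.10, seed=1):
    """Return (error_rate, accepted). The threshold is a constructed value."""
    sender_key, receiver_key = run_bb84(n_photons, eavesdrop, seed)
    rate = error_rate(sender_key, receiver_key)
    return rate, rate <= threshold


if __name__ == "__main__":
    for eve in (False, True):
        rate, accepted = key_exchange(20000, eavesdrop=eve)
        print(f"eavesdropper={eve}: error rate {rate:.3f}, key accepted={accepted}")
```

On an undisturbed channel the sifted keys match exactly; with the eavesdropper present roughly a quarter of the sifted bits disagree, so the two parties discard the key rather than use it.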

It turns out that engineering quantum communication is much less difficult (the word ‘easy’ probably shouldn’t be applied to any of these techniques) than quantum computing. For example, the transmission along fibre optic cables of sequences of single photons of light with useful quantum properties is now well-established. That’s the basis of the 2013 Australian Government Quantum Network project to link Parliament House with other government organisations in Canberra. A prototype system was running in the US several years before that and China has ambitious plans for a secure internal network.

Bumping up against the real world tends to cause photon signals to lose their initial quantum state, and a cable length of 250 kilometers still represents a significant achievement. But scientists are still making steady progress; a German group has demonstrated the transmission of quantum signals from an aircraft to a ground station 20km away, and others have done the same between fixed ground stations 144km apart. The Chinese satellite system would use encoded light pulses to communicate with the ground. Given progress elsewhere, if we take the Chinese explanation for the satellite at face value, either it’s experimental, or the Chinese are a few steps ahead of the pack.

Quantum communication requires a dedicated communication channel, so it’s not a solution for the internet. But it’ll work for governments and militaries keen to protect their information. It seems that quantum communication could negate one of the big selling points of quantum computers even before they arrive on the scene.

Cyber wrap

The banking world is usually a pretty cutthroat place, but the shared issue of cyber security has prompted eight major US banks to form a new alliance. J.P. Morgan, Goldman Sachs and Bank of America are among the banks that will form the new information sharing group within the existing Financial Services Information Sharing and Analysis Center, and also prepare incident responses and simulate cyber attacks on the sector. Fortune has reported that in 2016, for the second year in a row, 77% of bank executives in the US told the Banks Directors Risk Practices Survey that cybersecurity was their top concern. This has prompted some major spending on the issue, with J.P. Morgan spending US$500 million on cybersecurity in 2015.

In Australia, the ASX’s submission to a Productivity Commission inquiry into data availability and use (PDF) has noted that cyber security costs continue to increase for Australian businesses as online threats continue to grow. The ASX notes that financial market institutions and infrastructure are at the ‘forefront’ of cybersecurity challenges given the nature of personal and financial information they hold. It says investment in cyber security is critical to ensure confidence in financial markets. The ASX is working with stakeholders to develop cyber security health checks, announced as part of the new Australian Cyber Security Strategy in April. An ASX spokesperson told The Australian that ‘the aim is to share best practice and raise awareness across the ASX100’.

The Productivity Commission inquiry is investigating the benefits and costs of greater availability and use of public and private data sets, options for collection, sharing and release of data and how to preserve individual privacy and control of data. Other major Australian companies that have made submissions to the Productivity Commission include the Commonwealth Bank, Telstra, and Australia Post, as well as government agencies including AUSTRAC.

A collection of international business groups has appealed to Chinese premier Li Keqiang to change proposed cybersecurity legislation. Their letter to Keqiang warned that the legislation’s proposed limits on information security technology, which include requirements to store Chinese customers’ data in China and to provide source code to the government, would ‘separate China from the digital economy’. The Chinese government has justified the legislation as necessary to control terrorism and anti-government activity, but it has been criticised for its protectionist approach, shielding the emerging Chinese IT market from overseas competitors.

In other China news, State media has reported that China placed the world’s first quantum-communications satellite into orbit this week. Quantum technology, which promises to provide absolutely secure communications, is a key focus of China’s five year plan released in March this year. The satellite will be used in experiments to test quantum communications at a global range by sending a cryptographic key from Beijing to Vienna.

#censusfail had just happened when Cyber Wrap was written last week, and while officials had blamed overseas hackers, it was still unclear exactly what had caused the census website to be taken offline. In the week since it has emerged that there was a bit more to it. Cyber security journalist Patrick Gray has listed on his site Risky.Biz the many contributing factors including the ABS and IBM’s refusal to purchase DDOS protection, their reliance on geo-blocking to defend the census from denial of service incidents, firewall errors, and false positive alerts about data exfiltration that caused the ABS to suspend the website. Gray characterises censusfail as ‘amateur hour’, and the PM probably agrees, accusing IBM of failing to take appropriate measures to protect the Census. Perhaps ASD’s new program to recruit high school students will make the next census a success.

And finally a mysterious group called ‘Shadow Brokers’ have announced an online auction of programs they claim have been stolen from the NSA. The announcement, made on a Tumblr blog, claims the group has stolen surveillance tools associated with the Equation Group, an actor that cyber security researchers believe is linked to the NSA. The Shadow Brokers have released samples of the programs which they say can overcome the security of network products provided by Cisco, Juniper and Fortinet. If the group receives at least 1 million bitcoin (US$550 million), they will apparently post more files for free download. While Russia has been mentioned as a possible source for the Shadow Brokers, Guccifer 2.0, also thought to be a Russian, told Foreign Policy that the Shadow Brokers dump was ‘bullshit’.
