
Economic cyber-espionage: a persistent and invisible threat

Economic cyber-espionage, state-sponsored theft of sensitive business information via cyber means for commercial gain, is an invisible yet persistent threat to national economies. As more states use cyber tools to secure economic and strategic advantages, a growing number of countries, particularly emerging economies, are vulnerable.

In response, G20 members agreed in 2015 that no country should engage in cyber-enabled theft of intellectual property (IP) for commercial gain.

That resulted in expectations that states could provide assurances that their cyberspace activities didn’t seek foreign IP for unfair economic advantage, that they could provide IP holders with a protective framework, and that they could attain a level of cybersecurity maturity for protection of IP-intensive sectors.

Unfortunately, the reality is different. The number of cyber operations targeting private firms has quadrupled since 2015. As technological capabilities become central to national power, states are increasingly seeking shortcuts to competitiveness. Cyber operations seemingly offer an effective and attractive means.

The shift in cyber-espionage to target emerging economies is evident in the data analysed by ASPI. Our first report, State-sponsored Economic Cyber-espionage for Commercial Purposes: Tackling an invisible but persistent risk to prosperity, noted that advanced economies accounted for 60 percent of reported cyber-espionage cases in 2014. By 2020, that proportion had reversed, with emerging economies now the target of most campaigns.

Two follow-up reports, released today, shed light on how countries confront this growing threat. In State-sponsored Economic Cyber-Espionage: Assessing the preparedness of emerging economies to respond to cyber-enabled IP theft, we evaluated the readiness of 11 major emerging economies to counteract cyber-enabled IP theft: Argentina, Brazil, Colombia, India, Indonesia, Malaysia, Mexico, Peru, the Philippines, Thailand and Vietnam. They represent some of the fastest-growing innovative economies in the world. Many are rapidly expanding in knowledge-intensive sectors such as biotech, advanced manufacturing and digital services. However, the report’s findings are concerning.

Most countries in South Asia, Southeast Asia and Latin America don’t recognise cyber threats to innovation and knowledge sectors as a major issue. This stance is reflected at the political-diplomatic level, where no government of an emerging economy has weighed in on these threats to innovation. Indonesia, India and Brazil, during their G20 presidencies, refrained from including cyber-enabled IP theft on the forum’s agenda.

When authorities in South and Southeast Asia and Latin America have strengthened their capacities to investigate and prosecute IP theft cases, it’s been driven by efforts to achieve conformity with World Trade Organization standards. But most governments struggle to live up to expectations in terms of securing and respecting higher-end IP, particularly when cases involve trade secrets and sensitive business information and when threat actors are believed to operate from foreign jurisdictions.

While no economy is safe from the risk of economic cyber-espionage, some are likelier targets, and some are more prepared to withstand the threat. Defending against economic cyber-espionage is an exercise in matching a response posture with an ongoing assessment of an economy’s risk profile.

In our second report, State-sponsored Economic Cyber-espionage: Governmental practices in protecting IP-intensive industries, we looked at measures that governments in various parts of the world have taken to defend their economic crown jewels and other important knowledge-intensive industries from cyber threats.

Most prominently, in October 2023 the heads of the Five Eyes’ major security and intelligence agencies appeared together in public for the first time. In front of a Silicon Valley audience, they called China out as an ‘unprecedented threat’ to innovation across the world. That was followed up in October 2024 with a public campaign, Secure Innovation, which mirrored similar efforts by European and Japanese governments.

But still, IP-intensive industries aren’t held to the same levels of protection and security scrutiny as government agencies or providers of critical infrastructure, despite accounting for the bulk of GDP growth, innovation and future employment.

Defending against economic cyber-espionage is complex. It involves defending against other states, or groups operating with their consent. These actors tend to be well resourced or insulated from consequences. At the coalface of those malicious cyber activities stand private and public companies—big and small—as well as research labs and universities. They’re the first line of defence against many cyber threats, including state-sponsored threat actors.

Governments can and must play an outsized role in shaping standards for making a country’s innovation ecosystem more cyber and IP secure. This involves strengthening domestic enforcement mechanisms. The issue must also be re-energised in forums such as the World Trade Organization, United Nations General Assembly and ministerial meetings under such organisations as the Quad and Association of Southeast Asian Nations. Interventions must focus on measures that prevent IP theft. After all, once IP is stolen, it’s stolen for good—along with all research and development investments made up to that point.

Combating the cyber heists that are costing the global economy

Across the world, governments and businesses depend on the transformative powers of digital technology to drive economic growth. Naturally, digitalisation leaves organisations, government agencies and consumers more vulnerable to cyber threats, including from states using digital technology to steal intellectual property for commercial gain—a practice known as economic cyber espionage.

But is there much that anyone can do about it?

Before we answer this question, it’s useful to consider how this threat is viewed in the international community. In November 2015, leaders of the G20 agreed that states should refrain from economic cyber espionage. The agreement came in the midst of looming threats to the prosperity of nations—hackers, in many cases affiliated with states, were stealing billions of dollars’ worth of IP from universities and companies around the world. In the US alone, the annual cost of IP theft has been estimated at up to $600 billion.

But eight years on, the G20 agreement has had mixed results. Some countries are taking the issue seriously and have moved to attribute cases when states steal IP. For example, in 2018, the UK government held China’s Ministry of State Security responsible for unleashing a ‘malicious cyber campaign’ that had been stealing IP in Europe, Asia and the US.

At the same time, cases have increased markedly in number, severity and scale (see Figure 1). Governments are uncovering more cases of cyber espionage, operations are harvesting greater amounts of IP and more firms in more countries across the world—including increasingly in emerging economies—are falling victim.

Figure 1: Number of reported incidents of state-sponsored cyber operations, 2009 to 2022

Source: Based on the Council on Foreign Relations’ Cyber Operations Tracker.

Given the worsening situation, it may be surprising that the issue hasn’t been given as much attention as other cyber-enabled threats like ransomware, cyberattacks on critical infrastructure, and denial-of-service attacks (a problem the G20 hasn’t discussed since the 2015 summit).

To a large extent, difficulties in addressing the threat of economic cyber espionage lie in attributing the attacks to a specific actor. The covert nature of these operations makes it hard to identify culprits with high enough confidence. Naturally, officials and investigators are faced with a long list of questions, like: how can we be certain that these hackers work for a state, or that they’re part of an organisation with strong connections to a state’s intelligence community? Even more difficult is identifying a hacker’s motivation; hackers—including those sponsored by states—hack for different reasons in different cases. And even if experts are certain that data was stolen, can they really be certain that it was given away to competing commercial firms?

Traditionally, experts look to hacking operations perpetrated by what’s known as ‘advanced persistent threats’, or APTs. In the hacking community, an APT is distinct because it requires considerable resources and is thus likely backed—or at minimum condoned—by a state actor.

But even if cybersecurity experts are certain about an APT’s hacking tactics, they may disagree over how closely affiliated the hacking group is with a particular state, or about its motivations. This is further complicated by the increasingly blurred boundaries between states and criminal gangs. APT 41, for instance, is a hacker group that the US has identified as simultaneously conducting its own non-state-sponsored targeting of the video games industry alongside state-sponsored attacks that align with China’s industrial plans. Given the methodological challenges in calculating the costs of even physical forms of IP theft, there are added complexities in calculating the true costs of IP theft.

These challenges are further compounded by reluctance to examine detected cyber espionage campaigns for fear that publicity could harm the economy or create a collective responsibility that companies are unwilling to commit to. Because attribution and cost calculations in cases of IP theft are time-consuming and complex, governments can never be perfectly aware of just how urgently they need to combat it—especially given that many emerging economies invest heavily in the research and development of critical technologies, including biofuels and 5G networks.

The detrimental effects on innovation, job stability, national security and global competitiveness demand a concerted effort to address economic cyber espionage. APTs are increasingly aiming to disrupt global supply chains, and developing economies in the global south are likely to become the prime targets of IP theft in the coming years, given rapid economic growth. Based on our own assessments, while private enterprises in advanced economies still constitute the largest targets of cyber operations by states, there are increasing numbers of cases in developing economies (see Figure 2).

Figure 2: Geographic spread of state-sponsored cyber operations affecting private entities, 2014 and 2020

Source: Based on the Council on Foreign Relations’ Cyber Operations Tracker.

States have committed to combating this threat, but they need to double down and get to work. Simply ignoring it would not only allow hackers to continue their practices without retribution, but also signal to potential perpetrators that the international community is willing to turn a blind eye.

Recognising and combating the threat of economic cyber espionage means more than attribution. It’s also about strengthening states’ resilience to the threat through investment in domestic cybersecurity capacity and national IP systems. International cooperation in combating non-accepted forms of cyber espionage also opens up room for states and corporations to work together to develop mutual resilience through capacity-building and advocacy.

It’s all too tempting to give up in the battle to combat the threat of economic cyber espionage. But given how serious the threat is to long-term prosperity, this is certainly not the time for complacency. When companies and universities live in fear that their IP will be stolen, it affects their motivation to undertake costly, but potentially fruitful, research. Covert actors can’t be allowed to stifle progress, hinder the development of ground-breaking ideas and impede economic growth.

Do cyber spies dream of electric shadows?

Alice sits at a bar with Bob, a travel consultant she has been seeing socially since she met him a few weeks ago in the lobby of the building where she works as a network administrator. Her company develops IT systems for the military. Bob isn’t actually a consultant but a foreign intelligence officer who has been influencing Alice to sell state secrets. He is facing away from the closed-circuit TV camera above the counter, but he’s oblivious to the fact that his movements have been tracked via facial recognition ever since he arrived in the country. Bob’s true identity was revealed in a ransacked personnel database and the microphone on his smartphone was hacked through a zero-day vulnerability to record Alice breaking the law.

While this story is fictional, it highlights how pervasive surveillance, online personal data and new technologies such as trackable devices are making it harder for states to collect intelligence from human sources (commonly referred to as human intelligence, or HUMINT), which includes a range of activities whose core purpose is to recruit an individual to ‘spy’.

In this new era, espionage will pit tech against tech to avoid detection and create more plausibly deniable covers. Covert communications will likely become more sophisticated to avoid detection, but HUMINT collection agencies could further collaborate with their technical counterparts to take full advantage of other emerging technologies to protect their intelligence officers and agents on the ground.

Cyberspace is changing spycraft, and national security agencies are being urged to adopt machine learning and open-source data to bolster their analytical capabilities. Human intelligence and networks of informants, however, will remain necessary for acquiring some secrets, assisting cyber operations by placing USB drives in air-gapped computers, for example, and providing insights into the thinking of decision-makers in target countries. To establish trust between officers and their informants, interpersonal and face-to-face meetings may be unavoidable while virtual reality and other digital technologies mature.

In countries like Russia and China, some experts have argued that traditional HUMINT tradecraft has become obsolete due to the use of facial recognition, biometric scanning and internet-connected devices that leave ‘digital dust’ for counterintelligence officers to detect. This has followed a New York Times report claiming a top-secret CIA cable revealed that dozens of informants working for the US had been compromised or killed in these increasingly difficult operating environments.

However, technological advances haven’t been fully utilised yet and present an opportunity for HUMINT collection agencies like the CIA, MI6 and the Australian Secret Intelligence Service to work with the NSA, GCHQ and Australian Signals Directorate to develop new HUMINT tradecraft. For example, new covert communication techniques could take advantage of anonymising technologies that are already challenging counterintelligence in open democracies.

Last month, an undercover FBI operation resulted in the arrest of Jonathan Toebbe, a US Navy engineer, for attempting to sell classified nuclear submarine technology to a foreign government. Toebbe employed a range of tools to protect his identity and encrypt his communications. ProtonMail, an end-to-end encryption mail service, was used over the Tor Network via publicly available wi-fi to hide his affiliated IP addresses. He also asked to be paid in Monero, a cryptocurrency that is harder to trace than Bitcoin but not impossible.

This case shows that anonymising technology can be used to avoid interception, but poor tradecraft might still result in detection. Even if Toebbe had been less trusting of his purported foreign handlers, these tools would have only delayed his eventual discovery. He would have had difficulty using and laundering the cryptocurrency, stolen information can be eventually traced back to the few users who had access to the original documents, and specific surveillance of Toebbe’s devices may have revealed suspicious activity.

The key takeaway is that knowledge of human behaviour combined with technical expertise is still essential to understanding the limitations of technologies and how they can be applied in HUMINT tradecraft. As described by former MI6 head Alex Younger, fourth-generation espionage will require ‘fusing … traditional human skills with accelerated innovation’.

In general, intelligence agencies could creatively use technology and consider tools and media that are not necessarily technical or were designed for other purposes.

For example, the China Institutes of Contemporary International Relations, a think tank affiliated with China’s top intelligence agency, the Ministry of State Security, published a report on the national security implications of the so-called metaverse (元宇宙). It recognised that this new model is likely to be the next generation of the internet and will become an integral part of a country’s political discourse and social culture. Without stating it explicitly, the report suggests that Chinese intelligence officers may be already thinking about how virtual and augmented realities could be used for recruitment or influence activities. Chinese intelligence services have previously exploited social media platforms like LinkedIn for similar espionage purposes and used traditional avenues like political organisations to carry out influence campaigns under plausibly deniable fronts.

Other technologies such as generative adversarial networks, or GANs, a class of artificial intelligence models that are designed to avoid detection by other AI models, could be used to mask covert activity among normal activities. They are already used in deep fakes and, combined with language models, like GPT-3, could be trained to automate the process of creating misleading digital personal data, spoof mobile metadata for operatives or create fake informant or employee entries as honeypots to taint personal databases that might be hacked.

For HUMINT collection agencies in the West, emerging technologies are an opportunity to support operations in increasingly difficult environments. To develop new tradecraft, HUMINT agencies could team up with technical agencies and recruit new talent for the next generation of cyber-enabled spies.

It’s not just spies who want your data

Australia’s domestic intelligence agency, the Australian Security Intelligence Organisation, released a rare public statement last week aimed at raising awareness about the use of social media and professional networking services for espionage purposes. ‘Think before you link’ focuses on foreign intelligence threats and rightly cautions Australians to be careful about revealing personal information on networking services. It is ASIO’s first public awareness campaign and marks a significant step in the right direction for Australian intelligence agencies as they seek to engage in more regular dialogue with the public, something they have long struggled to do.

But beyond foreign intelligence threats, there’s a broader issue that also deserves our attention. The problem is data—or, more specifically, the accumulation of stolen, scraped or traded personal information that affects everyone, not just government and defence employees. While it may not involve state secrets, personal data is a form of sensitive information and it needs to be protected.

In fact, many different groups—ranging from cyber criminals and marketers to banks and law enforcement agencies—derive value from personal information. So, even though ASIO’s warning focuses on Australians being recruited or duped by professional spies, online targeting and the creation of fake profiles and inauthentic networks are not just the realm of highly resourced state-sponsored cyber operatives. The tools and techniques used are cheap, simple and widely accessible. It’s not difficult, or expensive, to create an online presence with a unique artificial intelligence-generated profile picture. And it’s not just intelligence agencies manufacturing online personas.

Nor does engagement with these fake online personas always involve inducements such as generous gifts and trips overseas, particularly during a pandemic. It may not even be obvious to the victim that they are giving information away. In 2016, suspected Iranian threat actors stole data directly from their victims through a keylogger they hid in a CV-creation application that they required their victims to use as part of the job application process.

While people can limit their public disclosure of personal information on networking sites, they often still need to share personal data with online companies to accomplish common tasks like renting property and looking for a job. These companies should have robust privacy policies that state what information they collect, why they collect it and how they share, use and store it, but such policies are often ambiguous and written in legalese. Privacy policies are also often written to protect the company (the data taker) rather than the consumer (the source of the data).

More worryingly, it’s not always clear that these companies are capable of keeping people’s personal information secure. There are a significant number of unsecured databases left open and accessible to the public and organisations regularly suffer data breaches. The Office of the Australian Information Commissioner’s notifiable data breach report for the first half of 2020 shows that malicious or criminal attacks still remain the highest cause of data breaches. Once a data breach occurs, control of the data is lost. If it’s biometric data, like face, fingerprint or iris geometry, the consequences are even more serious. Unlike a password, your biometric data is a lot harder to change.

Data itself can be difficult to monetise, but deep insights into individuals derived from data are highly valuable. Data broking is believed to be a US$200 billion industry. The industry has developed a business model that revolves around aggregating datasets (online and/or offline data, such as loyalty card shopping data) that have been bought or publicly scraped, analysed and then sold to buyers for different uses. In the US, there are examples of police purchasing hacked data and immigration authorities and the US military buying location data, and even Facebook is alleged to have bought back data.

In Australia, data brokers operate in the shadows. As users and consumers, we have no way of knowing exactly what happens to our data, which makes it difficult to truly protect our privacy or to provide informed consent as to how our data is used. To bring the industry out of the dark, the government should consider introducing a national registry of data brokers and implementing federal laws similar to those in California, which require data brokers to register with the state attorney-general.

Changes could also be made to the OAIC’s notifiable data breach scheme to better protect the privacy of personal data. Currently, the scheme requires regulated entities to report a data breach only if it is ‘likely to result in serious harm to any of the individuals to whom the information relates’. What constitutes ‘serious harm’ is ambiguous and this reporting requirement applies only to regulated entities, not all entities that could hold troves of personal data. And it is left to the entity that lost control of the data to decide what is considered ‘serious harm’.

The European Union’s General Data Protection Regulation better implements this protection by obligating all companies that are responsible for data to report a data breach to the supervisory authority within 72 hours after an assessment of risk to the data subjects’ rights and freedoms. The Australian scheme should be similarly broadened to better capture data breaches and clarify reporting requirements. Canada is proposing a Digital Charter Implementation Act that would impose fines on companies that breach the privacy of Canadians. Australia should explore the implementation of similar fines to encourage data holders to better secure people’s personal data and deter businesses from holding data they don’t need.

To lay the groundwork for a prosperous, data-driven economy that values privacy, more robust data protections and regulations should be implemented that give data subjects more control over their information.

Huawei: lessons from the United Kingdom

The UK government released the Huawei Cyber Security Evaluation Centre oversight board’s 2018 annual report on 19 July. HCSEC is a Huawei-owned facility that was created seven years ago to deal with the perceived risks of Huawei’s involvement in UK critical infrastructure by evaluating the security of Huawei products used in the UK telecommunications market.

The oversight board was set up in 2014 to assess HCSEC’s performance relating to UK product deployments. It comprises senior representatives from government and the UK telecommunications sector and a senior executive from Huawei.

For those worried about Huawei’s involvement in Australia’s 5G network, the oversight board’s report does not make reassuring reading.

The central concern in the debate over Huawei’s participation in Australia’s 5G network is that Chinese intelligence services could compel or coerce Huawei to leverage its involvement in critical infrastructure to enable espionage.

China has certainly demonstrated an intent to conduct wide-ranging espionage in Australia. There’s now a large body of evidence that China has been behind an array of data breaches, including at the Bureau of Meteorology; the departments of Defence, Prime Minister and Cabinet, and Foreign Affairs and Trade; and the parliamentary email system. But beyond what could be described as ‘legitimate’ espionage targeting government agencies, there have also been thefts of intellectual property, commercial-in-confidence material and trade secrets for commercial advantage from companies such as BHP, Rio Tinto and Fortescue Metals.

China’s intelligence services also have the ability to compel Huawei to assist them with their intelligence work.

Article 7 of China’s National Intelligence Law says that ‘[a]ll organizations and citizens shall support, assist, and cooperate with state intelligence work according to law’ and Article 14 states that national intelligence agencies ‘may request that concerned organs, organizations, and citizens provide necessary support, assistance, and cooperation’. In addition, Article 10 says that ‘national intelligence work institutions are to use the necessary means, tactics, and channels to carry out intelligence efforts, domestically and abroad’.

I’ve previously written about how Huawei could be used to enable espionage, with or without Huawei corporate’s complicity. Espionage doesn’t necessarily require sophisticated ‘backdoors’—even compelling Chinese engineers to assist could enable Chinese intelligence services to get useful access to Australia’s 5G network.

This demonstrated intent combined with the power provided by legal obligations imposed by Beijing means that Chinese companies like Huawei carry additional supply-chain risk compared with companies from countries without a long history of cyberespionage and/or countries without laws that specifically compel cooperation with intelligence agencies.

On the face of it, the UK approach to mitigate this supply-chain risk with HCSEC—assessing products to reassure ourselves that they are operating as expected—seems entirely reasonable. Can’t we assess products to make sure they won’t be used to spy on us?

The four HCSEC oversight board annual reports (2015, 2016, 2017 and 2018) show that it is very difficult indeed.

On the bright side, the reports have consistently stated that ‘HCSEC continues to provide unique, world-class cyber security expertise and technical assurance of sufficient scope and quality as to be appropriate for the current stage in the assurance framework around Huawei in the UK’.

HCSEC is also developing new tools and techniques to better understand security assurance in telecommunications, has found vulnerabilities that Huawei has subsequently remediated, and is actually improving Huawei’s basic engineering and security processes and code quality. These efforts have resulted in a more secure Huawei product.

Despite all this, the three most recent board reports have noted that HCSEC cannot confirm that what it has been testing matches what Huawei is using in the UK: the source code HCSEC has been given (that is, the computer instructions for Huawei’s equipment) doesn’t correspond with what has been deployed in the UK. So, much of the security testing that HCSEC has been doing may be irrelevant to the security of products used in the UK. At this point, the oversight board ‘can offer only limited assurance’.
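The assurance gap described above, where the code a lab evaluated cannot be shown to be the code actually running in the network, is a general supply-chain problem: an evaluation only counts for the exact artefact that was evaluated. The following is an added example, not code from the article, from HCSEC or from Huawei, showing the kind of reconciliation a defender would run: the lab records a content hash of every image it built from the source it was given, the operator reports the hash of every image actually deployed, and each deployed unit is classified as matching the evaluated build, diverging from it, or never evaluated at all. All product names, sites and image contents are constructed placeholders.

```python
"""Reconcile evaluated firmware builds against deployed images by content hash.

Added example with constructed data; the product names, sites and image
bytes are placeholders and do not describe any real vendor or operator.
"""
import hashlib
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    """Content hash used to identify an exact image, independent of its version label."""
    return hashlib.sha256(data).hexdigest()


# Constructed: images the (hypothetical) evaluation lab built from the source it was given.
EVALUATED_BUILDS = {
    "core-router-fw": sha256_hex(b"router firmware v4.1 built from evaluated source"),
    "base-station-fw": sha256_hex(b"base station firmware v2.0 built from evaluated source"),
}

# Constructed: (site, product, hash of the image actually running) reported by the operator.
# site-B carries the same version label as the evaluated build but different bytes;
# site-D runs a product the lab was never given source for.
DEPLOYED_INVENTORY = [
    ("site-A", "core-router-fw", sha256_hex(b"router firmware v4.1 built from evaluated source")),
    ("site-B", "core-router-fw", sha256_hex(b"router firmware v4.1 vendor hotfix build")),
    ("site-C", "base-station-fw", sha256_hex(b"base station firmware v2.0 built from evaluated source")),
    ("site-D", "radio-unit-fw", sha256_hex(b"radio unit firmware never evaluated")),
]


@dataclass
class Finding:
    site: str
    product: str
    status: str  # "matches", "mismatch" or "not-evaluated"


def reconcile(evaluated: dict, deployed: list) -> list:
    """Classify every deployed unit against the lab's record of evaluated builds.

    A version string is deliberately not trusted as evidence of equivalence:
    only an exact hash match means the evaluated code is the deployed code.
    """
    findings = []
    for site, product, digest in deployed:
        expected = evaluated.get(product)
        if expected is None:
            status = "not-evaluated"      # no evaluated build exists for this product at all
        elif digest == expected:
            status = "matches"            # evaluation results apply to this unit
        else:
            status = "mismatch"           # evaluation results cannot be assumed to apply
        findings.append(Finding(site, product, status))
    return findings


def assurance_coverage(findings: list) -> float:
    """Fraction of deployed units whose running image is exactly what was evaluated."""
    if not findings:
        return 0.0
    return sum(f.status == "matches" for f in findings) / len(findings)


if __name__ == "__main__":
    results = reconcile(EVALUATED_BUILDS, DEPLOYED_INVENTORY)
    for f in results:
        print(f"{f.site:8} {f.product:16} {f.status}")
    print(f"assurance coverage: {assurance_coverage(results):.0%}")
```

The point of the coverage figure is that a lab can be world-class and still give only limited assurance: every unit in the "mismatch" or "not-evaluated" rows is running code to which none of the lab's findings can be attributed, and closing the gap requires either reproducible builds (so the operator can rebuild the deployed image from the evaluated source) or a signed manifest from the lab that the operator checks at deployment time.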

This year’s report also indicates that some security-critical third-party software used in Huawei equipment is ‘not subject to sufficient control’. This is viewed as possibly a significant risk to UK telecommunications infrastructure mostly because of inconsistent product support lifetimes.

Overall, the report describes HCSEC as a high-functioning, world-class security evaluation centre. However, the board cautions that confidence in HCSEC’s ability to provide ‘long term technical assurance of sufficient scope and quality around Huawei in the UK’ is declining due to the ‘repeated discovery of critical shortfalls’ in ‘Huawei engineering practices and processes that will cause long term increased risk in the UK’.

Worse yet, the trend across the four oversight board reports suggests that as HCSEC has improved in capability, confidence that the security evaluation process will sufficiently mitigate risks has declined—the more HCSEC learned, the less confident they were.

There is a simple lesson for Australia from the HCSEC oversight board reports: using Huawei in our 5G network will introduce risks that we will find very difficult to mitigate.

Careful what you wish for—change and continuity in China’s cyber threats (part 1)

Although there’s been a discernible reduction in the magnitude of Chinese cyber intrusions in the past few years, the threat has been transformed, not diminished. While US diplomacy has helped reshape Chinese cyber activities during this period, the reorganisation and professionalisation of Chinese cyber forces constitute a greater long-term challenge.

In September 2015, then-US President Barack Obama and Chinese Communist Party (CCP) General Secretary Xi Jinping announced:

[N]either country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.

This agreement was initially hailed as a ‘significant step’ despite strong skepticism about its prospects for success. Initially, reports and assessments pointed to a distinct decrease in the operations of Chinese advanced persistent threat (APT) groups, although a range of factors other than US pressure likely accounted for the change.

In October 2017, the first US–China Law Enforcement and Cybersecurity Dialogue reaffirmed that, ‘Both sides will continue their implementation of [that] consensus’. Since then, however, debates about the agreement’s efficacy have continued, and the US later warned its Chinese counterparts about apparent backsliding.

As of March 2018, the US government’s Section 301 investigation into China’s ‘acts, policies, and practices related to technology transfer, intellectual property, and innovation’—which serves as the basis for the tariffs imposed against China by the Trump administration—has found:

China continues its policy and practice, spanning more than a decade, of using cyber intrusions to target US firms to access their sensitive commercial information and trade secrets.

So, there’s indeed a degree of continuity in Chinese cyber-espionage activities. Despite this, notable changes have occurred, particularly since late 2015. In particular, there now appears to be clearer prioritisation and greater sophistication in targeting, which has increasingly been undertaken, often with some plausible deniability, by China’s Ministry of State Security.

US pressure and diplomacy evidently have affected Beijing’s calculus. To be sure, debate continues regarding how CCP and military leaders responded to the high-profile exposure of the activities of ‘APT1’, Unit 61398 of the Chinese People’s Liberation Army (PLA) in 2013, and then the US Department of Justice’s 2014 indictment of five officers from that same unit. The initial decrease in Chinese cyber-espionage operations is often dated to mid-2014.

Such ‘naming and shaming’ could be dismissed as being utterly ineffectual against the shameless. Or it could be seen as having a major effect by revealing that such detailed attribution is feasible, while exposing the full extent of the group’s activities.

China’s pursuit of industrial espionage has evidently been undertaken in accordance with national objectives for economic development and military modernisation. The scope and scale of these operations—including the risk of detection—however, may not have been clearly known to high-level leadership. And certain activities may have reflected ‘moonlighting’ or corruption by PLA units, which has since been targeted in Xi’s anti-corruption campaign.

Although the sincerity of Beijing’s commitment should certainly be questioned, the evidence that the Section 301 findings provide for ‘cyber-enabled theft of intellectual property’ since 2015 is rather limited (which I’ll look at in my next post). Most incidents of IP theft detailed in the report, including the targeting of SolarWorld and Westinghouse, were undertaken prior to 2015 by the Third Department of the former PLA General Staff Department (3PLA).

The 3PLA was once regularly used to advance economic interests, including on behalf of Chinese state-owned enterprises. Such activities were consistent with China’s concept of national or state security (国家安全), which explicitly includes a focus on economic security. For instance, as the Section 301 findings reveal, in 2012 China National Offshore Oil Corporation (CNOOC) requested that Chinese military intelligence provide information on US oil and gas companies to strengthen CNOOC’s position in negotiations.

Since 2015, as the PLA has concentrated on building up its military cyber capabilities, 3PLA has likely redirected its activities away from hacking for commercial purposes. Notably, in December 2015, the PLA embarked on a major reform and reorganisation that included the creation of the Strategic Support Force (战略支援部队, SSF).

The SSF has consolidated most of the PLA’s military cyber forces into its Network Systems Department (网络系统部) to build up a new ‘Cyber Corps’ (网军). It includes elements of the former 3PLA, as well as the 4PLA, which was responsible for electronic warfare and offensive cyber operations.

The SSF integrates the PLA’s space, cyber, electronic and psychological warfare capabilities into a single force that’s designed to achieve dominance in critical ‘strategic frontiers’ (战略边疆) that are seen as the ‘commanding heights’ of warfare.

The PLA’s apparent concern about the disparity between its cyber capabilities and those of the US was a major impetus for the SSF’s establishment. Since the SSF is directly under the command of the PLA’s Central Military Commission, its creation has consolidated and centralised control over China’s military cyber forces.

Although 3PLA units may have gained valuable operational experience in their commercial espionage activities, PLA leaders may prefer that they concentrate on building up actual combat power.

For instance, writing in early 2016, Major General Hao Yeli (郝叶力), former deputy head of 4PLA, highlighted the importance of improving cyber-operations capabilities. She alluded to the importance of establishing a more ‘positive image’ and countering the ‘guilty presumption’ that China’s Cyber Corps primarily engage in IP theft.

Since the establishment of the Strategic Support Force, China’s military cyber forces appear to have refocused their efforts on becoming a ‘sword for deterrence and shield for defence’ in this domain.

In the meantime, the Ministry of State Security appears to have taken up cyber espionage to advance state interests, often exploiting ambiguities in the Xi–Obama agreement. It’s certainly true that while that framework contributed to changes in Chinese cyber-threat activities, China has since made progress in its ambitions to emerge as a ‘cyber superpower’ (网络强国).

Cyber-enabled information and influence operations—it’s not just Russia

Each month we learn more and more about the extent of Russia’s interference in the 2016 US elections. Fraudulent social media accounts accused of propping up non-existent political commentators, armies of Twitter bots designed to cluster around and drive defined political and social issues, carefully crafted ‘dark posts’ that only some could see, and political rallies coordinated by social media event pages are all now standard media fodder.

This sophisticated covert campaign used disinformation to sow confusion and magnify noise and disagreement. It prodded and promoted a lack of confidence in American leaders and institutions. It did so by taking advantage of the openness of American society—and by leveraging cyberspace in new and creative ways that outpaced and outfoxed government thinking. Given the lack of response from the US government during (and immediately following) the elections, and the seeming lack of awareness in media that events were being manipulated, it’s fair to say few understood the magnitude of what was tearing down the pipeline.

At an estimated cost of US$1.25 million a month—chump change for most developed countries’ intelligence services—the operation was a steal for the Russian government. (If you haven’t already done so, do read Special Counsel Robert Mueller’s 37-page indictment of 13 Russian nationals and three Russian entities, including the Internet Research Agency).

While international media remains focused on Russian influence operations in the US and Europe—Sweden is the latest to prepare for possible election meddling—it’s important to note that covert cyber-enabled influence operations take place around the world, including in the Indo-Pacific.

In the Philippines, for example, media and academia have tracked how President Rodrigo Duterte’s ‘keyboard trolls’ spread and amplify messages in support of his policies through a combination of social media bots and fake accounts. Parts of this domestically focused operation appear to be coming straight from the president’s office. A 2017 Oxford paper claimed that Duterte’s office had a budget of US$200,000 and employed 400–500 people to promote the president and defend him from online criticisms.

One operation that Australia’s national security community should watch closely is being investigated in Taiwan. Taipei’s District Prosecutors’ Office alleges that the Chinese government has been running a multi-year operation ‘aimed at infiltrating the military through obtaining confidential information from digital networks and databases, deepening existing contacts, holding military-related events and filing academic research reports’.

Apparently conducted through the Chinese government’s Taiwan Affairs Office (TAO), the operation involved financing pro-unification propaganda website FIRE News and then using the website’s Facebook page to recruit contacts, ideally senior military contacts. It’s been reported that TAO paid FIRE News’ administrators A$130 for every new Facebook like (as long as that user liked and read at least 70% of the page’s content). It offered A$220 for each Facebook user who interacted with the creators of the page at least once every two weeks for a minimum of two months. If offline meetings were secured with contacts (this had to be proved with photographs), A$435 was up for grabs.

A reward of A$2,180 was given if during these two-person exchanges the Facebook user opened up about their politics and personal feelings. If someone made it to this stage of the operation, it’s alleged that they were told to immediately get in touch with TAO for further instructions.

We could view this operation as stock-standard human intelligence collection—recruiting agents to recruit agents. But it’s actually a two-for-one hybrid operation. We have an Avon/Amway-style espionage operation fused with a cyber-enabled influence operation (taking place through both the website and attached Facebook page). Compared with Russia’s activities in this space, this operation was quieter (until it was discovered of course) and the approach appeared to be tilted towards long-term gain rather than short-term outcomes.

While this is one of the more interesting influence operations we are aware of in Asia, it’s only one case study we can learn from. Start scratching the surface of content farms—particularly in how they’re deployed against Taiwan—and we can glean insights into the types of information-warfare tactics being used in our region.

For Australia, it’s essential that we keep an eye on such influence operations occurring closer to home, particularly as we move towards our next national election. That’s a topic I’ll tackle in my next post.