In the past two decades, Australia’s Chinese-language media landscape has undergone fundamental changes that have come at a cost to quality, freedom of speech, privacy and community representation. The diversity of Australia’s Chinese communities, which often trace their roots to Hong Kong, Southeast Asia and Taiwan as well as the People’s Republic of China, isn’t well reflected in the media sector.
Persistent efforts by the Chinese Communist Party (CCP) to engage with and influence Chinese language media in Australia far outmatch the Australian Government’s work in the same space. A handful of outlets generally offer high-quality coverage of a range of issues. However, CCP influence affects all media. It targets individual outlets while also manipulating market incentives through advertising, coercion and WeChat. Four of the 24 Australian media companies studied in this report show evidence of CCP ownership or financial support.
WeChat, a Chinese social media app created by Tencent, may be driving the most substantial and harmful changes ever observed in Australia’s Chinese-language media sector. On the one hand, the app is particularly important to Chinese Australians and helps people stay connected to friends and family in China. It’s used by as many as 3 million users in Australia for a range of purposes including instant messaging.1 It’s also the most popular platform used by Chinese Australians to access news.2 However, WeChat raises concerns because of its record of censorship, information control and surveillance, which align with Beijing’s objectives. Media outlets on WeChat face tight restrictions that facilitate CCP influence by pushing the vast majority of news accounts targeting Australian audiences to register in China. Networks and information sharing within the app are opaque, contributing to the spread of disinformation.
Australian regulations are still evolving to meet the challenges identified in this report, which often mirror problems in the media industry more generally. They haven’t brought sufficient transparency to the Chinese-language media sector or to CCP influence over it. Few Australian Government policies effectively support Chinese-language media and balance or restrict CCP influence in it.
What’s the solution?
The Australian Government should protect Chinese-language media from foreign interference while introducing measures to support the growth of an independent and professional media sector. WeChat is a serious challenge to the health of the sector and to free and open public discourse in Chinese communities, and addressing it must be a core part of the solution.
The government should encourage the establishment and growth of independent media. It should consider expanding Chinese-language services through the ABC and SBS, while also reviewing conflicts of interest and foreign interference risks in each. Greater funding should be allocated to multicultural media, including for the creation of scholarships and training programs for Chinese-language journalists and editors. The government should subsidise syndication from professional, non-CCP-controlled media outlets.
On WeChat, the government should hold all social media companies to the same set of rules, standards and norms, regardless of their country of origin or ownership. As it does with platforms such as Facebook and Twitter, the government should increase engagement with WeChat through relevant bodies such as the Department of Home Affairs, the Australian Cyber Security Centre, the Office of the Australian Information Commissioner, the Australian Communications and Media Authority, the eSafety Commissioner, the Australian Electoral Commission and the Department of Infrastructure, Transport, Regional Development and Communications. The aim should be to ensure that WeChat is taking clear and measurable steps in 2021 to address concerns and meet the same sets of rules, standards and norms that US social media platforms are held to. This effort should be done in tandem with outreach to like-minded countries. If companies refuse to meet those standards, they shouldn’t be allowed to operate in Australia.3
The government should explore ways to amend or improve the enforcement of legislation such as the Broadcasting Services Act 1995 and the Foreign Influence Transparency Scheme Act 2018 to increase the transparency of foreign ownership of media in any language, regardless of platform.
Introduction
Australia’s Chinese‑language media sector is an important part of our democracy, yet its contours and its challenges are poorly understood.4 Australia is home to large and diverse Chinese communities. According to the 2016 Census, nearly 600,000 Australians spoke Mandarin at home, and more than 280,000 spoke Cantonese.5 Only a minority of Australians with Chinese heritage were born in mainland China—many were born in Australia, Taiwan, Hong Kong or Southeast Asia.6 However, individuals born in mainland China are probably the largest group of WeChat users. Migration from mainland China is likely to remain high, and Australia has been home to large numbers of visiting Chinese students and businesspeople.
It’s been claimed that most Chinese‑language media in Australia are controlled or influenced by Beijing.7 While that’s broadly accurate, past research hasn’t systematically examined the extent and mechanisms of CCP influence over Australian media.8 In particular, the pervasive effects of WeChat on the Chinese media sector haven’t been widely appreciated. Our research identified no significant influence in Australian Chinese‑language media from governments other than China’s.
Growing concerns about the lack of Chinese‑Australian representation in Australian politics, CCP interference in Australia and Australia–China relations highlight the need for policymakers to understand the Chinese‑language media environment. For example, Australian politicians and scholars have questioned WeChat’s role in elections, called out disinformation on the app and complained about the past absence of relevant security advice from the government.9 Marginal seats such as Chisholm and Reid have large Chinese communities, among which Chinese‑language media, particularly through WeChat, have been an important factor in some elections.10
The authors would like to thank John Fitzgerald, Danielle Cave, Louisa Lim, Michael Shoebridge, Peter Jennings and several anonymous peer reviewers who offered their feedback and insights. Audrey Fritz contributed research on media regulation and censorship.
Funding: The Department of Home Affairs provided ASPI with $230k in funding, which was used towards this report.
Thailand’s political discourse throughout the past decade has increasingly been shaped and amplified by social media and digital activism. The most recent wave of political activism this year saw the emergence of a countrywide youth-led democracy movement against the military-dominated coalition, as well as a nationalist counter-protest movement in support of the establishment.
The steady evolution of tactics on the part of the government, the military and protesters reflects an increasingly sophisticated new battleground for democracy, both on the streets and the screens. Understanding these complex dynamics is crucial for any broader analysis of the Thai protest movement and its implications.
In this report, we analyse samples of Twitter data relating to the online manifestation of contemporary political protests in Thailand. We explore two key aspects in which the online manifestation of the protests differs from its offline counterpart. That includes (1) the power dynamics between institutional actors and protesters and (2) the participation and engagement of international actors surrounding the protests.
#WhatsHappeningInThailand: The power dynamics of Thailand’s digital activism (2020-12-14)
Over the past decade, state actors have taken advantage of the digitisation of election systems, election administration and election campaigns to interfere in foreign elections and referendums.1 Their activity can be divided into two attack vectors. First, they’ve used various cyber operations, such as denial of service (DoS) attacks and phishing attacks, to disrupt voting infrastructure and target electronic and online voting, including vote tabulation. Second, they’ve used online information operations to exploit the digital presence of election campaigns, politicians, journalists and voters.
Together, these two attack vectors (referred to collectively as ‘cyber-enabled foreign interference’ in this report because both are mediated through cyberspace) have been used to seek to influence voters and their turnout at elections, manipulate the information environment and diminish public trust in democratic processes.
This research identified 41 elections and seven referendums between January 2010 and October 2020 where cyber-enabled foreign interference was reported, and it finds that there’s been a significant uptick in such activity since 2017. This data collection shows that Russia is the most prolific state actor engaging in online interference, followed by China, whose cyber-enabled foreign interference activity has increased significantly over the past two years. As well as these two dominant actors, Iran and North Korea have also tried to influence foreign elections in 2019 and 2020. All four states have sought to interfere in the 2020 US presidential elections using differing cyber-enabled foreign interference tactics.
In many cases, these four actors use a combination of cyber operations and online information operations to reinforce their activities. There’s also often a clear geopolitical link between the interfering state and its target: these actors are targeting states they see as adversaries or useful to their geopolitical interests.
Democratic societies are yet to develop clear thresholds for responding to cyber-enabled interference, particularly when it’s combined with other levers of state power or layered with a veil of plausible deniability.2 Even when they’re able to detect it, often with the help of social media platforms, research institutes and the media, most states are failing to effectively deter such activity. The principles inherent in democratic societies—openness, freedom of speech and the free flow of ideas—have made them particularly vulnerable to online interference.
What’s the solution?
This research finds that not all states are being targeted by serious external threats to their electoral processes, so governments should consider scaled responses to specific challenges. However, the level of threat to all states will change over time, so there’s little room for complacency. For all stakeholders—in government, industry and civil society—learning from the experience of others will help nations minimise the chance of their own election vulnerabilities being exploited in the future.3
The integrity of elections and referendums is key to societal resilience. Therefore, these events must be better protected through greater international collaboration and stronger engagement between government, the private sector and civil society.
Policymakers must respond to these challenges without adopting undue regulatory measures that would undermine their political systems and create ‘the kind of rigidly controlled environment autocrats seek’.4 Those countries facing meaningful cyber-enabled interference need to adopt a multi-stakeholder approach that carefully balances democratic principles and involves governments, parliaments, internet platforms, cybersecurity companies, media, NGOs and research institutes. This report recommends that governments identify vulnerabilities and threats as a basis for developing an effective risk-mitigation framework for resisting cyber-enabled foreign interference.
The rapid adoption of social media and its integration into the fabric of political discourse has created an attack surface for malign actors to exploit. Global online platforms must take responsibility for taking appropriate action against actors attempting to manipulate their users, yet these companies are commercial entities whose interests aren’t always aligned with those of governments. They aren’t intelligence agencies so are sometimes limited in their capacity to attribute malign activities directly. To mitigate risk during election cycles, social media companies’ security teams should work closely with governments and civil society groups to ensure that there’s a shared understanding of the threat actors and of their tactics in order to ensure an effectively calibrated and collaborative security posture.
Policymakers must implement appropriate whole-of-government mechanisms which continuously engage key stakeholders in the private sector and civil society. Greater investments in capacity building must be made by both governments and businesses in the detection and deterrence of these. It’s vital that civil society groups are supported to build up capability that stimulates and informs international public discourse and policymaking. Threats to election integrity are persistent, and the number of actors willing to deploy these tactics is growing.
Background
Foreign states’ efforts to interfere in the elections and referendums of other states, and more broadly to undermine other political systems, are an enduring practice of statecraft.5 Yet the scale and methods through which such interference occurs have changed, with old and new techniques adapting to suit the cyber domain and the opportunities presented by a 24/7, always connected information environment.6
When much of the world moved online, political targets became more vulnerable to foreign interference, and millions of voters were suddenly exposed, ‘in a new, “neutral” medium, to the very old arts of persuasion or agitation’.7 The adoption of electronic and online voting, voter tabulation and voter registration,8 as well as the growth of online information sharing and communication, has made interference in elections easier, cheaper and more covert.9 This has lowered the entry costs for states seeking to engage in election interference.10
Elections and referendums are targeted by foreign adversaries because they are opportunities when significant political and policy change occurs and they are also the means through which elected governments derive their legitimacy.11 By targeting electoral events, foreign actors can attempt to influence political decisions and policymaking, shift political agendas, encourage social polarisation and undermine democracies. This enables them to achieve long-term strategic goals, such as strengthening their relative national and regional influence, subverting undesired candidates, and compromising international alliances that ‘pose a threat’ to their interests.12
Elections and referendums also involve diverse actors, such as politicians, campaign staffers, voters and social media platforms, all of which can be targeted to knowingly or unknowingly participate in, or assist with, interference orchestrated by a foreign state.13 There are also a number of cases where journalists and media outlets have unwittingly shared, amplified, and contributed to the online information operations of foreign state actors.14 The use of unknowing participants has proved to be a key feature of cyber-enabled foreign election interference.
This is a dangerous place for liberal democracies to be in. This report highlights that the same foreign state actors continue to pursue this type of interference, so much so that it is now becoming a global norm that’s an expected part of some countries’ election processes. On its own, this perceived threat has the potential to undermine the integrity of elections and referendums and trust in public and democratic institutions.
Methodology and definitions
This research is an extension and expansion of the International Cyber Policy Centre’s Hacking democracies: cataloguing cyber-enabled attacks on elections, which was published in May 2019. That project developed a database of reported cases of cyber-enabled foreign interference in national elections held between November 2016 and April 2019.15 This new research extends the scope of Hacking democracies by examining cases of cyber-enabled foreign interference between January 2010 and October 2020. This time frame was selected because information on the use of cyber-enabled techniques as a means of foreign interference started to emerge only in the early 2010s.16
This report’s appendix includes a dataset that provides an inventory of case studies where foreign state actors have reportedly used cyber-enabled techniques to interfere in elections and referendums.
The cases have been categorised by:
• target
• type of political process
• year
• attack vector (method of interference)
• alleged foreign state actor.
Also accompanying this report is an interactive online map which geo-codes and illustrates our dataset, allowing users to apply filters to search through the above categories.
This research relied on open-source information, predominantly in English, including media reports from local, national, and international outlets, policy papers, academic research, and public databases. It was desktop based and consisted of case selection, case categorisation and mixed-methods analysis.17 The research also benefited from a series of roundtable discussions and consultations with experts in the field,18 as well as a lengthy internal and external peer review process.
The accompanying dataset only includes cases where attribution was publicly reported by credible researchers, cybersecurity firms or journalists. The role of non-state actors and the use of cyber-enabled techniques by domestic governments and political parties to shape political discourse and public attitudes within their own societies weren’t considered as part of this research.19
This methodology has limitations. For example, the research is limited by the covert and ongoing nature of cyber-enabled foreign interference, which is not limited to the period of an election cycle or campaign. Case selection for the new dataset, in particular, was impeded by the lack of publicly available information and uncertainty about intent and attribution, which are common problems in work concerning cyber-enabled or other online activity. It likely results in the underreporting of cases and a skewing towards English-language and mainstream media sources. The inability to accurately assess the impact of interference campaigns also results in a dataset that doesn’t distinguish between major and minor campaigns and their outcomes. The methodology omitted cyber-enabled foreign interference that occurred outside the context of elections or referendums.20
In the context of this policy brief, the term ‘attack vector’ refers to the means by which foreign state actors carry out cyber-enabled interference. Accordingly, the dataset contains cases of interference that can broadly be divided into two categories:
• Cyber operations: covert activities carried out via digital infrastructure to gain access to a server or system in order to compromise its service, identify or introduce vulnerabilities, manipulate information or perform espionage21
• Online information operations: information operations carried out in the online information environment to covertly distort, confuse, mislead and manipulate targets through deceptive or inaccurate information.22
Cyber operations and online information operations are carried out via an ‘attack surface’, which is to be understood as the ‘environment where an attacker can try to enter, cause an effect on, or extract data from’.23
Key findings
ASPI’s International Cyber Policy Centre has identified 41 elections and seven referendums between January 2010 and October 2020 (Figure 1) that have been subject to cyber-enabled foreign interference in the form of cyber operations, online information operations or a combination of the two.24
Figure 1: Cases of cyber-enabled foreign interference, by year and type of political process
Figure 1 shows that reports of the use of cyber-enabled techniques to interfere in foreign elections and referendums have increased significantly over the past five years. Thirty-eight of the 41 elections in which foreign interference was identified, and six of the referendums, occurred between 2015 and 2020 (Figure 1). These figures are significant when we consider that elections take place only every couple of years and that referendums are typically held on an ad hoc basis, meaning that foreign state actors have limited opportunities to carry out this type of interference.
As a key feature of cyber-enabled interference is deniability, there are likely many more cases that remain publicly undetected or unattributed. Moreover, what might be perceived as a drop in recorded cases in 2020 can be attributed to a number of factors, including election delays caused by Covid-19 and the fact that election interference is often identified and reported on only after an election period is over.
Figure 2: Targets of cyber-enabled foreign interference in an election or referendum
Figure 3: Number of political processes targeted (1–4), by state or region
Cyber-enabled interference occurred on six continents (Africa, Asia, Europe, North America, Australia and South America). The research identified 33 states that have experienced cyber-enabled foreign interference in at least one election cycle or referendum, the overwhelming majority of which are democracies.25 The EU has also been a target: several member states were targeted in the lead-up to the 2019 European Parliament election.26
Significantly, this research identified 11 states that were targeted in more than one election cycle or referendum (Figure 3). The repeated targeting of certain states is indicative of their (perceived) strategic value, the existence of candidates that are aligned with the foreign state actors’ interests,27 insufficient deterrence efforts, or past efforts that have delivered results.28 This research also identified five cases in which multiple foreign state actors targeted the same election or referendum (the 2014 Scottish independence referendum, the 2016 UK referendum on EU membership, the 2018 Macedonian referendum, the 2019 Indonesian general election and the 2020 US presidential election). Rather than suggesting coordinated action, the targeting of a single election or referendum by multiple foreign state actors more likely reflects the strategic importance of the outcome to multiple states.
The attack vectors
The attack vectors are cyber operations and online information operations.29 Of the 48 political processes targeted, 26 were subjected to cyber operations and 34 were subjected to online information operations. Twelve were subjected to a combination of both (Figure 4).
Figure 4: Attacks on political processes, by attack vector
Cyber operations
This research identified 25 elections and one referendum over the past decade in which cyber operations were used for interference purposes. In the context of election interference, cyber operations fell into two broad classes: operations to directly disrupt (such as DoS attacks) or operations to gain unauthorised access (such as phishing). Unauthorised access could be used to enable subsequent disruption or to gather intelligence that could then enable online information operations, such as a hack-and-leak campaign.
Phishing attacks were the main technique used to gain unauthorised access to the personal online accounts and computer systems of individuals and organisations involved in managing and running election campaigns or infrastructure. They were used in 17 of the 25 elections, as well as the referendum, with political campaigns on the receiving end in most of the reported instances. Phishing involves misleading a target into downloading malware or disclosing personal information, such as login credentials, by sending a malicious link or file in an otherwise seemingly innocuous email or message (Figure 5).30 For example, Google revealed in 2020 that Chinese state-sponsored threat actors pretended to be from antivirus software firm McAfee in order to target US election campaigns and staffers with a phishing attack.31
Figure 5: The email Russian hackers used to compromise state voting systems ahead of the 2016 US presidential election
Source: Sam Biddle, ‘Here’s the email Russian hackers used to try to break into state voting systems’, The Intercept, 2 June 2018, online.
When threat actors gain unauthorised access to election infrastructure, they could potentially disrupt or even alter vote counts, as well as use information gathered from their access to distract public discourse and sow doubt about the validity and integrity of the process.
Then there are DoS attacks, in which a computer or online server is overwhelmed by connection requests, leaving it unable to provide service.32 In elections, they’re often used to compromise government and election-related websites, including those used for voter registration and vote tallying.
DoS attacks were used in six of the 25 elections, and one referendum, targeting vote-tallying websites, national electoral commissions and the websites of political campaigns and candidates. For example, in 2019, the website of Ukrainian presidential candidate Volodymyr Zelenskiy was subjected to a distributed DoS attack the day after he announced his intention to run for office. The website received 5 million requests within minutes of its launch and was quickly taken offline, preventing people from registering as supporters.33
Online information operations
This research identified 28 elections and six referendums over the past decade in which online information operations were used for interference purposes. In the context of election interference, online information operations should be understood as the actions taken online by foreign state actors to distort political sentiment in an election to achieve a strategic or geopolitical outcome.34
They can be difficult to distinguish from everyday online interactions and often seek to exploit existing divisions and tensions within the targeted society.35
Online information operations combine social media manipulation (‘inauthentic coordinated behaviour’), for example partisan media coverage and disinformation to distort political sentiment during an election and, more broadly, to alter the information environment. The operations are designed to target voters directly and often make use of social media and networking platforms to interact in real time and assimilate more readily with their targets.36
Online information operations tend to attract and include domestic actors.37 There have been several examples in which Russian operatives have successfully infiltrated and influenced legitimate activist groups in the US.38 This becomes even more prominent as foreign state actors align their online information operations with domestic disinformation and extremist campaigns, amplifying rather than creating disinformation.39 The strategic use of domestic disinformation means that governments and regulators may find it difficult to target them without also taking a stand against domestic misinformers and groups.
It is important to acknowledge the synergy of the two attack vectors, and also how they can converge and reinforce one another.40 This research identified three elections where cyber operations were used to compromise a system and obtain sensitive material, such as emails or documents, which were then strategically disclosed online and amplified.41 For example, according to Reuters, classified documents titled ‘UK-US Trade & Investment Working Group Full Readout’ were distributed online before the 2019 British general election as part of a Russian-backed strategic disclosure campaign.42
The main concern with the strategic use of both attack vectors is that it further complicates the target’s ability to detect, attribute and respond. This means that any meaningful response will need to consider both potential attack vectors when securing vulnerabilities.
State actors and targets
Cyber-enabled foreign interference in elections and referendums between 2010 and 2020 has been publicly attributed to only a small number of states: Russia, China, Iran and North Korea. In most cases, a clear geopolitical link between the source of interference and the target can be identified; Russia, China, Iran and North Korea mainly target states in their respective regions, or states they regard as adversaries—such as the US.43
The increasing cohesion among foreign state actors, notably China and Iran learning and adopting various techniques from Russia, has made it increasingly difficult to distinguish between the different foreign state actors.44 This has been further complicated by the adoption of Russian tactics and techniques by domestic groups, in particular groups aligned with the far-right for example.45
Russia
Russia is the most prolific foreign actor in this space. This research identified 31 elections and seven referendums involving 26 states over the past decade in which Russia allegedly used cyber-enabled foreign interference tactics. Unlike the actions of many of the other state actors profiled here, Russia’s approach has been global and wide-ranging. Many of Russia’s efforts remain focused on Europe, where Moscow allegedly used cyber-enabled means to interfere in 20 elections, including the 2019 European Parliament election and seven referendums. Of the 16 European states affected, 12 are members of the EU and 13 are members of NATO.46 Another focus for Russia has been the US and while the actual impact on voters remains debatable, Russian interference has become an expected part of US elections.47 Moscow has also sought to interfere in the elections of several countries in South America and Africa, possibly in an attempt to undermine democratisation efforts and influence their foreign policy orientations.48
Russia appears to be motivated by the intent to signal its capacity to respond to perceived foreign interference in its internal affairs and anti-Russian sentiment.49 It also seeks to strengthen its regional power by weakening alliances that pose a threat. For instance, Russia used cyber operations and online information operations to interfere in both the 2016 Montenegrin parliamentary election and the 2018 Macedonian referendum. This campaign was part of its broader political strategy to block the two states from joining NATO and prevent the expansion of Western influence into the Balkan peninsula.50
Figure 6: States targeted by Russia between 2010 and 2020
Over the past decade, it’s been reported that China has targeted 10 elections in seven states and regions. Taiwan, specifically Taiwanese President Tsai Ing-wen and her Democratic Progressive Party, has been the main target of China’s cyber-enabled election interference.51 Over the past three years, however, the Chinese state has expanded its efforts across the Indo-Pacific region.52 Beijing has also been linked to activity during the 2020 US presidential election. As reported by the New York Times and confirmed by both Google and Microsoft, state-backed hackers from China allegedly conducted unsuccessful spear-phishing attacks to gain access to the personal email accounts of campaign staff members working for the Democratic Party candidate Joseph Biden.53
China’s interference in foreign elections is part of its broader strategy to defend its ‘core’ national interests, both domestically and regionally, and apply pressure to political figures who challenge those interests. Those core interests, as defined by the Chinese Communist Party, include the preservation of domestic stability, economic development, territorial integrity and the advancement of China’s great-power status.54 Previously, China’s approach could be contrasted with Russia’s in that China attempted to deflect negativity and shape foreign perceptions to bolster its legitimacy, whereas Russia sought to destabilise the information environment, disrupt societies and weaken the target.55 More recently, however, China has adopted methods associated with Russian interference, such as blatantly destabilising the general information environment in targeted countries with obvious mistruths and conspiracy theories.56
Figure 7: States and regions targeted by China between 2010 and 2020
This dataset shows that Iran engaged in alleged interference in two elections and two referendums in three states.57 Iranian interference in foreign elections appears to be similar to Russian interference in that it’s a defensive action against the target for meddling in Iran’s internal affairs and a reaction to perceived anti-Iran sentiment. A pertinent and current example of this is Iran’s recent efforts to interfere in the 2020 US presidential election by targeting President Trump’s campaign.58 As reported by the Washington Post, Microsoft discovered that the Iranian-backed hacker group Phosphorus had used phishing emails to target 241 email accounts belonging to government officials, journalists, prominent Iranian citizens and staff associated with Trump’s election campaign and successfully compromised four of those accounts.59
Figure 8: States targeted by Iran between 2010 and 2020
North Korea has been identified as a foreign threat actor behind activity targeting both the 2020 South Korean legislative election and the 2020 US presidential election.60 Somewhat similarly to China’s approach, North Korea’s interference appears to focus on silencing critics and discrediting narratives that undermine its national interests. For example, North Korea targeted North Korean citizens running in South Korea’s 2020 legislative election, including Thae Yong-ho, the former North Korean Deputy Ambassador to the UK and one of the highest-ranking North Korean officials to ever defect.61
Figure 9: States targeted by North Korea between 2010 and 2020
Detection and attribution require considerable time and resources, as those tasks require the technical ability to analyse and reverse engineer a cyber operation or online information operation.
Beyond attribution, understanding the strategic and geopolitical aims of each event is challenging and time-consuming.62 The covert and online nature of cyber-enabled interference, whether carried out as a cyber operation or an online information operation, inevitably complicates the detection and identification of interference. For example, a DoS attack can be difficult to distinguish from a legitimate rise in online traffic. Moreover, the nature of the digital infrastructure and the online information environment used to carry out interference enables foreign state actors to conceal or falsify their identities, locations, time zones and languages.
As detection and attribution capabilities improve, the tactics and techniques used by foreign states will adapt accordingly, further complicating efforts to detect and attribute interference promptly.63
There are already examples of foreign state actors adapting their techniques, such as using closed groups and encrypted communication platforms (such as WhatsApp, Telegram and LINE) to spread disinformation64 or using artificial intelligence to generate false content.65 It can also be difficult to determine whether an individual or group is acting on its own or on behalf of a state.66 This is further complicated by the use of non-state actors, such as hackers-for-hire, consultancy firms and unwitting individuals, as proxies. Ahead of the 2017 Catalan independence referendum, for example, the Russian-backed media outlets RT and Sputnik used Venezuelan and Chavista-linked social media accounts as part of an amplification campaign. The hashtag #VenezuelaSalutesCatalonia was amplified by the accounts to give the impression that Venezuela supported Catalonian independence.67 More recently, Russia outsourced part of its 2020 US presidential disinformation campaign to Ghanaian and Nigerian nationals who were employed to generate content and disseminate it on social media.68
The ‘bigger picture’
States vary in their vulnerability to cyber-enabled foreign interference in elections and referendums.
In particular, ‘highly polarised or divided’ democracies tend to be more vulnerable to such interference.69 The effectiveness of cyber-enabled interference in the lead-up to an election is overwhelmingly determined by the robustness and integrity of the information environment and the extent to which the electoral process has been digitised.70 Academics from the School of Politics and International Relations at the Australian National University found that local factors, such as the length of the election cycle and the target’s preparedness and response, also play a significant role. For example, Emmanuel Macron’s En Marche! campaign prepared for Russian interference by implementing strategies to respond to both cyber operations (specifically, phishing attacks) and online information operations. In the event that a phishing attack was detected, Macron’s IT team was instructed to ‘flood’ phishing emails with multiple login credentials to disrupt and distract the would-be attacker. To deal with online information operations, Macron’s team planted fake emails and documents that could be identified in the event of a strategic disclosure and undermine the adversary’s effort.71
Electronic and online voting, vote tabulation and voter registration systems are often presented as the main targets of cyber-enabled interference. It is important to recognise that the level of trust the public has in the integrity of electoral systems, democratic processes and the information environment is at stake. In Europe, a 2018 Eurobarometer survey on democracy and elections found that 68% of respondents were concerned about the potential for fraud or cyberattack in electronic voting, and 61% were concerned about ‘elections being manipulated through cyberattacks’.72
That figure matched the result of a similar survey conducted by the Pew Research Center in the US, which found that 61% of respondents believed it was likely that cyberattacks would be used in the future to interfere in their country’s elections.73
However, not all states are equally vulnerable to this type of interference. Some, for example, opt to limit or restrict the use of information and communication technologies in the electoral process.74 The Netherlands even reverted to using paper ballots to minimise its vulnerability to a cyber operation, ensuring that there wouldn’t be doubts about the electoral outcome.75 Authoritarian states that control, suppress and censor their information environments are also less vulnerable to cyber-enabled foreign interference.76
The proliferation of actors involved in elections and the digitisation of election functions have dramatically widened the attack surface available to foreign state actors. This has in large part been facilitated by the pervasive and persistent growth of social media and networking platforms, which has made targeted populations more accessible than ever to foreign state actors. For example, Russian operatives at the Internet Research Agency were able to pose convincingly as Americans online to form groups and mobilise political rallies and protests.77 The scale of this operation wouldn’t have been possible without social media and networking platforms.
Figure 10: Number of people using social media platforms, July 2020 (million)
Source: ‘Most popular social networks worldwide as of July 2020, ranked by number of active users’, Statista, 2020, online.
While these platforms play an increasingly significant role in how people communicate about current affairs, politics and other social issues, they continue to be misused and exploited by foreign state actors.78 Moreover, they have fundamentally changed the way information is created, accessed and consumed, resulting in an online information environment ‘characterised by high volumes of information and limited levels of user attention’.79
In responding to accusations of election interference, foreign actors tend to deny their involvement and then deflect by indicating that the accusations are politically motivated. In 2017, following the release of the United States’ declassified assessment of Russian election interference,80 Russian Presidential Spokesperson Dmitry Peskov compared the allegations of interference to a ‘witch-hunt’ and stated that they were unfounded and unsubstantiated, and that Russia was ‘growing rather tired’ of the accusations.81 Russian President Vladimir Putin even suggested that it could be Russian hackers with ‘patriotic leanings’ that have carried out cyber-enabled election interference rather than state-sponsored hackers.82
Plausible deniability is often cited in response to accusations of interference, with China’s Foreign Ministry noting that the ‘internet was full of theories that were hard to trace’.83 China has attempted to deter future allegations by threatening diplomatic relations, responding to the allegations that it was behind the sophisticated cyber attack on Australia’s parliament by issuing a warning that the ‘irresponsible’ and ‘baseless’ allegations could negatively impact China’s relationship with Australia.84
Recommendations
The threats posed by cyber-enabled foreign interference in elections and referendums will persist, and the range of state actors willing to deploy these tactics will continue to grow. Responding to the accelerating challenges in this space requires a multi-stakeholder approach that doesn’t impose an undue regulatory burden that could undermine democratic rights and freedoms. Responses should be calibrated according to the identified risks and vulnerabilities of each state. This report proposes recommendations categorised under four broad themes: identify, protect, detect and respond.
1. Identify
Identify vulnerabilities and threats as a basis for developing an effective risk-mitigation framework
Governments should develop and implement risk-mitigation frameworks for cyber-enabled foreign interference that incorporate comprehensive threat and vulnerability assessments. Each framework should include a component that is available to the public, provide an assessment of cybersecurity vulnerabilities in election infrastructure, explain efforts to detect foreign interference, raise public awareness, outline engagement with key stakeholders, and provide a clearer threshold for response.85
The security of election infrastructure needs to be continuously assessed and audited, during and in between elections.
Key political players, including political campaigns, political parties and governments, should engage experts to develop and facilitate tabletop exercises to identify and develop mitigation strategies that consider the different potential attack vectors, threats and vulnerabilities.86
2. Protect
Improve societal resilience by raising public awareness
Governments need to develop communication and response plans for talking to the public about cyber-enabled foreign interference, particularly when it involves attempts to interfere in elections and referendums.
Government leaders should help to improve societal resilience and situational awareness by making clear and timely public statements about cyber-enabled foreign interference in political processes. This would help to eliminate ambiguity and restore community trust. Such statements should be backed by robust public reporting mechanisms from relevant public service agencies.
Governments should require that all major social media and internet companies regularly report on how they detect and respond to cyber-enabled foreign interference. Such reports, which should include positions on political advertising and further transparency on how algorithms amplify and suppress content, would be extremely useful in informing public discourse and also in shaping policy recommendations.
Facilitate cybersecurity training to limit the effect of cyber-enabled foreign interference
Cybersecurity, cyber hygiene and disinformation training sessions and briefings should be provided regularly for all politicians, political parties, campaign staff and electoral commission staff to reduce the possibility of a successful cyber operation, such as a phishing attack, that can be exploited by foreign state actors.87 This could include both technical guides and induction guides for new staff, focused on detecting phishing emails and responding to DoS attacks.
Establish clear and context-specific reporting guidelines to minimise the effect of online information operations
As possible targets of online information operations, researchers and reporters covering elections and referendums should adopt ‘responsible’ reporting guidelines to minimise the effect of online information operations and ensure that they don’t act as conduits.88 The guidelines should highlight the importance of context when covering possible strategic disclosures, social media manipulation and disinformation campaigns.89 Stanford University’s Cyber Policy Center has developed a set of guidelines that provide a useful reference point for reporters and researchers covering elections and referendums.90
The computer systems of parliaments, governments and electoral agencies should be upgraded and regularly tested for vulnerabilities, particularly in the lead-up to elections and referendums.
Greater investments by both governments and the private sector must be made in the detection of interference activities through funding data-driven investigative journalism and research institutes so that key local and regional civil society groups can build capability that stimulates and informs public discourse and policymaking.
Governments and the private sector must invest in long-term research into how emerging technologies, such as ‘deep fake’ technologies,91 could be exploited by those engaging in foreign interference. Such research would also assist those involved in detecting and deterring that activity.
4. Respond
Assign a counter-foreign-interference taskforce to lead a whole-of-government approach
Global online platforms must take responsibility for enforcement actions against actors attempting to manipulate their online audiences. Their security teams should work closely with governments and civil society groups to ensure that there’s a shared understanding of the threat actors and their tactics in order to create an effectively calibrated and collaborative security posture.
Governments should look to build counter-foreign-interference taskforces that would help to coordinate national efforts to deal with many of the challenges discussed in this report. Australia’s National Counter Foreign Interference Coordinator and the US’s Foreign Influence Task Force provide different templates that could prove useful. Such taskforces, involving policy, electoral, intelligence and law enforcement agencies, should engage globally and will need to regularly engage with industry and civil society. They should also carry out formal investigations into major electoral interference activities and publish the findings of such investigations in a timely and transparent manner.
Signal a willingness to impose costs on adversaries
As this research demonstrates that a small number of foreign state actors persistently carry out cyber-enabled election interference, governments should establish clear prevention and deterrence postures based on their most likely adversaries. For example, pre-emptive legislation that automatically imposes sanctions or other punishments if interference is detected has been proposed in the US Senate.92
Democratic governments should work more closely together to form coalitions that develop a collective and publicly defined deterrence posture. Clearly communicated costs could change the aggressor’s cost–benefit calculus.
The authors would like to thank Danielle Cave, Dr Samantha Hoffman, Tom Uren and Dr Jacob Wallis for all of their work on this project. We would also like to thank Michael Shoebridge, anonymous peer reviewers, and external peer reviewers Katherine Mansted, Alicia Wanless and Dr Jacob Shapiro for their invaluable feedback on drafts of this report.
In 2019, ASPI’s International Cyber Policy Centre was awarded a US$100,000 research grant from Twitter, which was used towards this project. The work of ASPI ICPC would not be possible without the support of our partners and sponsors across governments, industry and civil society.
What is ASPI?
The Australian Strategic Policy Institute was formed in 2001 as an independent, non‑partisan think tank. Its core aim is to provide the Australian Government with fresh ideas on Australia’s defence, security and strategic policy choices. ASPI is responsible for informing the public on a range of strategic issues, generating new thinking for government and harnessing strategic thinking internationally. ASPI’s sources of funding are identified in our Annual Report, online at www.aspi.org.au and in the acknowledgements section of individual publications. ASPI remains independent in the content of the research and in all editorial judgements.
ASPI International Cyber Policy Centre
ASPI’s International Cyber Policy Centre (ICPC) is a leading voice in global debates on cyber, emerging and critical technologies, issues related to information and foreign interference and focuses on the impact these issues have on broader strategic policy. The centre has a growing mixture of expertise and skills with teams of researchers who concentrate on policy, technical analysis, information operations and disinformation, critical and emerging technologies, cyber capacity building, satellite analysis, surveillance and China-related issues.
The ICPC informs public debate in the Indo-Pacific region and supports public policy development by producing original, empirical, data-driven research. The ICPC enriches regional debates by collaborating with research institutes from around the world and by bringing leading global experts to Australia, including through fellowships. To develop capability in Australia and across the Indo-Pacific region, the ICPC has a capacity building team that conducts workshops, training programs and large-scale exercises for the public and private sectors.
We would like to thank all of those who support and contribute to the ICPC with their time, intellect and passion for the topics we work on. If you would like to support the work of the centre please contact: icpc@aspi.org.au
Important disclaimer
This publication is designed to provide accurate and authoritative information in relation to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering any form of professional or other advice or services. No person should rely on the contents of this publication without first obtaining advice from a qualified professional.
This publication is subject to copyright. Except as permitted under the Copyright Act 1968, no part of it may in any form or by any means (electronic, mechanical, microcopying, photocopying, recording or otherwise) be reproduced, stored in a retrieval system or transmitted without prior written permission. Enquiries should be addressed to the publishers. Notwithstanding the above, educational institutions (including schools, independent colleges, universities and TAFEs) are granted permission to make copies of copyrighted works strictly for educational purposes without explicit permission from ASPI and free of charge.
First published October 2020.
ISSN 2209-9689 (online), ISSN 2209-9670 (print)
Cover image: Produced by Rebecca Hendin, online.
Funding for this report was provided by Twitter.
Fergus Hanson, Sarah O’Connor, Mali Walker, Luke Courtois, Hacking democracies: cataloguing cyber-enabled attacks on elections, ASPI, Canberra, 17 May 2019, online.
Katherine Mansted, ‘Engaging the public to counter foreign interference’, The Strategist, 9 December 2019, online.
Erik Brattberg, Tim Maurer, Russian election interference: Europe’s counter to fake news and cyber attacks, Carnegie Endowment for International Peace, May 2018, online.
Laura Rosenberger, ‘Making cyberspace safe for democracy: the new landscape of information competition’, Foreign Affairs, May/June 2020, online.
For a comprehensive overview of foreign interference in elections, see David Shimer, Rigged: America, Russia, and one hundred years of covert electoral interference, Knopf Publishing Group, 2020; Casey Michel, ‘Russia’s long and mostly unsuccessful history of election interference’, Politico, 26 October 2019, online.
David M Howard, ‘Can democracy withstand the cyber age: 1984 in the 21st century’, Hastings Law Journal, 2018, 69:1365.
Philip Ewing, ‘In “Rigged,” a comprehensive account of decades of election interference’, NPR, 9 June 2020, online.
Eric Geller, ‘Some states have embraced online voting. It’s a huge risk’, Politico, 8 June 2020, online. For a comprehensive discussion on electronic voting, see NRC, Asking the right questions about electronic voting.
CSE, Cyber threats to Canada’s democratic process.
Samantha Bradshaw, Philip N Howard, The global disinformation order: 2019 global inventory of organised social media manipulation, Computational Propaganda Research Project, Oxford Internet Institute, 2019, online.
National Research Council (NRC), ‘Public confidence in elections’, Asking the right questions about electronic voting, Computer Science and Telecommunications Board, National Academies Press, Washington DC, 2006, online.
Communications Security Establishment (CSE), Cyber threats to Canada’s democratic process, Canada, 7 June 2017, online.
Elizabeth Dwoskin, Craig Timberg, ‘Facebook takes down Russian operation that recruited U.S. journalists, amid rising concerns about election misinformation’, Washington Post, 1 September 2020, online.
See Alicia Wanless and Laura Walters, How Journalists Become an Unwitting Cog in the Influence Machine, Carnegie Endowment for International Peace, online, 1.
Cyber-enabled foreign interference in elections and referendums, 28 October 2020
This report by ASPI’s International Cyber Policy Centre and India’s Observer Research Foundation argues that as the India-Australia bilateral relationship continues to grow and evolve, both governments should invest in the construction of a new India–Australia partnership on technology.
The foundation for such a partnership already exists, and further investment in areas of complementary interests could stimulate regional momentum in a range of key critical and emerging technology areas including in 5G, Artificial Intelligence, quantum technologies, space technologies and in critical minerals. The report contains 14 policy recommendations that will help build this new technology partnership.
This new report outlines what this new India-Australia technology partnership could look like. It examines the current state of the India–Australia relationship; provides an overview of current technology cooperation and where challenges and roadblocks lie; analyses each state’s competitive and complementary advantages in selected technology areas and highlights opportunities for further collaboration across the areas of 5G, Artificial Intelligence, Quantum technologies, Space technologies and in critical minerals.
Critical technologies and the Indo-Pacific: A new India-Australia partnership, 15 October 2020
China’s central bank digital currency, known as ‘DC/EP’ (Digital Currency / Electronic Payment), is rapidly progressing and, if successful, would have major international implications that have not yet been widely considered by policymakers.
DC/EP would have ramifications for governments, investors, and companies, including China’s own tech champions.
It has the potential to create the world’s largest centralised repository of financial transactions data and, while it may address some financial governance challenges, such as money laundering, it would also create unprecedented opportunities for surveillance. The initial impact of a successful DC/EP project will be primarily domestic, but little thought has been given to the longer term and global implications. DC/EP could be exported overseas via the digital wallets of Chinese tourists, students and businesspeople.
Over time, it is not far-fetched to speculate that the Chinese party-state will incentivise or even mandate that foreigners also use DC/EP for certain categories of cross-border RMB transactions as a condition of accessing the Chinese marketplace.
DC/EP intersects with China’s ambitions to shape global technological and financial standards, for example, through the promotion of RMB internationalisation and fintech standards-setting along sites of the Belt and Road Initiative (BRI). In the long term, therefore, a successful DC/EP could greatly expand the party-state’s ability to monitor and shape economic behaviour well beyond the borders of the People’s Republic of China (PRC).
What’s the solution?
To date, policymakers in the democratic world have taken a whack-a-mole approach to the security challenges presented by Chinese technologies, if they have taken action at all.
Those actions—such as those pertaining to Huawei and 5G over several years and TikTok and WeChat more recently—have been taken long after the relevant brands and technologies have entered the global marketplace and established dominant positions, and they don’t solve root problems.
The potential for DC/EP to be successful enough to have a disruptive impact on the global economic system might be far into the future, but it’s important to consider what impact DC/EP could have on the global economy. Liberal democracies should act now to deepen analysis, develop standards and coordinate approaches to the risks inherent in DC/EP, including unconstrained data collection and the creation of powerful new tools for social control and economic coercion. By acting now to build a baseline analysis of the DC/EP project, decision-makers have an opportunity to anticipate challenges and build a consistent and coherent policy framework for managing them.
Early efforts to establish and coordinate norms, rules and standards will reduce any subsequent need to resort to blunt and arbitrary measures that are economically, socially and diplomatically disruptive. Governments should also act to address existing vulnerabilities that DC/EP could exploit, for instance by introducing stricter laws on data privacy, by regulating the way that any entity can collect and use individuals’ data and by improving due diligence aimed at mitigating data security risks.
Executive summary
Globally, there’s increasing interest in the development of central bank digital currencies, driven by a wide range of policy motivations. A survey published by the Bank for International Settlements in January 2020 found that, out of 66 central banks, 80% were engaged in the research, experimentation or development of a central bank digital currency.1
The PRC is a significant actor in this space, not least because it’s years ahead of the world in research into the development of its central bank digital currency known as ‘digital currency / electronic payment’ or simply ‘DC/EP’ (see Figure 1). China’s market-Leninist approach to innovation, personal data and industry policy makes it possible to conceive that over a billion Chinese consumers could be transacting in DC/EP before a central bank digital currency becomes mainstream in any other country.
At the technocratic level, DC/EP is designed to ensure visibility and traceability of transactions and establish greater control over China’s financial system and capital accounts while displacing anonymising cryptocurrency alternatives that can’t be readily controlled. Recent reporting has also indicated that the People’s Bank of China (PBoC) aims for DC/EP to erode the dominance of Alipay and WeChat Pay in the digital payments space, levelling the playing field between the technology duopoly and commercial banks.
At the leadership level, DC/EP is being driven by the financial ‘risk management’ and ‘supervision’ imperatives of Chinese Communist Party (CCP) General Secretary Xi Jinping. DC/EP will offer no true anonymity, as the PBoC will have both complete visibility over the use of the currency, and the ability to confirm or deny any transaction. There are also no express limits on the information-access powers of the party-state’s political security or law enforcement agencies, such as the Central Commission for Discipline Inspection (CCDI), which has a keen interest in the technology. While DC/EP could enable more effective financial supervision and risk management that any government might seek to embed in a central bank digital currency, the PRC’s authoritarian system embeds political objectives within economic governance and otherwise reasonable objectives. Terms such as ‘anti-terrorist financing’, for instance, take on a different definition in the PRC that is directed at the CCP’s political opponents.
DC/EP is being developed and implemented domestically first, but could allow China to shape global standards for emerging financial technologies. It also creates opportunities for the PRC to bypass the US-led financial system, which it perceives as a threat to its security interests, potentially disrupting existing systems of global financial governance. Through DC/EP, Beijing could over time move away from the SWIFT system and bypass international sanctions.
The purpose of this policy brief is to improve baseline understanding of DC/EP’s structural mechanics and place the project in its political and bureaucratic context. The aim is to catalyse and contribute to an informed conversation about what the rollout of DC/EP may mean for China and for the world.
This policy brief is organised as follows: Section 1 is a general overview of digital currencies; Section 2 focuses on the policy drivers behind DC/EP; Section 3 examines DC/EP’s architecture based on patents in order to assess the surveillance capabilities it would embed; Section 4 describes the institutional ecosystem behind DC/EP; Section 5 looks at how DC/EP would affect domestic digital payment systems Alipay and WeChat Pay; and Section 6 looks at the implications DC/EP could have for global financial governance.
Figure 1: What is DC/EP?
Source: Created by ASPI
1. Two sides of the digital-coin: freedom and control
Elise Thomas
A fundamental question at the heart of all digital currencies is one of control, but the ways in which the dynamics of control and power play out differ between different types of digital currencies.
There is a difference between private digital tokens (for example, cryptocurrencies) and central bank digital currencies (such as DC/EP). A primary goal behind many cryptocurrencies (such as bitcoin, a decentralised, anonymised blockchain-based digital token) is to evade the controls of any single actor, and in particular the control of governments.2 In this sense, the technology behind cryptocurrencies was devised as a challenge to the power of states over the finances of individuals. For a centralised, state-controlled digital currency, however, the inverse may be true. A centrally controlled digital currency could enable a level of financial surveillance, economic power and societal control that was previously impossible. Such tools present tantalising opportunities for authoritarian states, financial institutions and corporations in the absence of effective controls.
While many digital currency projects have been announced by both state and non-state actors, none has managed to attain a level of widespread adoption or to operate at scale as a medium of exchange.3
In Venezuela, the aggressive support of the Maduro government hasn’t been enough to make the nation’s ‘petro’ currency a success.4 Even the Facebook-backed Libra project—with its potential to leverage Facebook’s 2.6 billion users—has changed course towards integrating fiat currency payments into its existing platforms.5
Despite the failure to date of any digital currency to achieve mass adoption or widespread use as a medium of exchange, many central banks around the world have demonstrated an interest in the concept of developing their own digital currency. Beyond the PRC, central banks in Canada, Sweden, the Bahamas, Japan and many other countries are at different stages of research on and development of central bank digital currencies.6 They provide a range of policy justifications. The Bank of Canada, for instance, has said its research is contingency planning, and the bank doesn’t currently plan to launch a central bank digital currency. It has said that, alongside a potential decline in the use of bank notes, a key reason to potentially launch a central bank digital currency is the widespread use of alternative digital currencies, probably by private-sector entities that could ‘undermine competition in the economy as a whole because the company might use its dominant market position in one industry to control payments and competition in other industries’.7
Existing digital currencies have provoked mixed regulatory responses from states and financial institutions, and those responses have focused largely on the risks arising from cryptocurrencies (see Figure 2). There’s a tendency to approach them as speculative assets or securities, rather than as actual currencies.
Figure 2: Global regulatory framework for cryptocurrencies
Source: Created by the Law Library of Congress based on information provided in the report, Regulation of cryptocurrency around the world, online.
The goal of decentralised cryptocurrencies is to disperse power across the network and away from any one actor. Central bank digital currencies are fundamentally different. They are, as the Bank for International Settlements defines it, ‘a central bank liability, denominated in an existing unit of account, which serves both as a medium of exchange and a store of value’.8 DC/EP, for example, is a form of legal tender that’s issued and backed by a liability of the PBoC. It introduces the digital renminbi, an encrypted string that holds details about that individual bill and additional fields for currency security and tracking.
In a world increasingly driven by access to data, that granular detail about how money moves through the economy, through specific companies and industries, and through the personal accounts of individuals presents both a promise and a threat. The promise is a vastly greater understanding of how the economy operates and the ability to respond where needed for the benefit of all. The threat is the ability to consolidate power in the hands of authorities, to enable persecution and surveillance and to reshape society as the authorities want it to be. Centralised digital currencies have the potential to turn financial surveillance into a powerful tool that could be wielded by authoritarian states inside, and potentially even outside, their own borders.
2. Drivers of the PRC’s digital currency project
John Garnaut and Dr Matthew Johnson
At the leadership level, the DC/EP project has been driven by the financial ‘risk management’ and ‘supervision’ imperatives of CCP General Secretary Xi Jinping. At the technocratic level, it’s designed to ensure the visibility of all financial flows and establish greater control over China’s financial system and capital accounts while displacing anonymising cryptocurrency alternatives that can’t be readily controlled. Statements from the CCP and financial insiders indicate that a key driver of DC/EP is the party’s need for a financial architecture which exists outside the SWIFT network9 and other US-dominated alternatives. The imperative of operating beyond the reach of US monitoring and law enforcement has come to the fore in recent months, as the US targets financial sanctions against CCP officials and entities in response to human rights and national security concerns. ‘We must make preparations to break free from dollar hegemony and gradually realise the decoupling of the RMB from the dollar,’ said Zhou Li, a former deputy minister of the International Liaison Department, in a June 2020 article.10
What problems would DC/EP solve?
PBoC official statements and documents give no clear answer to the basic question: What is the policy problem that China’s digital currency project is trying to solve? Nobody is claiming a consumer experience that’s superior to the already impressive convenience accessible through Alipay and WeChat Pay. The answer, however, becomes clear in statements emanating from higher up in the CCP organisation chart, where CCP leaders and Politburo-level organs describe a need to use technology to enhance the party-state’s visibility and control over the entire financial system. DC/EP is conceived as a supervision mechanism for preserving ‘stability’ and enhancing state control.
DC/EP fits within a vision of ‘economic work’ that Xi Jinping has developed over the past five years, which puts surveillance and supervision at the core. At the Central Economic Work Conference in December 2015, he said:
It is necessary to strengthen omni-directional supervision, standardise all types of financing behaviour, seize the opportunity to launch special programs for financial risks regulation … strengthen risk monitoring and early warning, properly handle cases of risk, and resolutely adhere to the bottom line that systemic and regional financial risk will not occur.11
Xi’s position that ‘financial risk should not occur’ is consistent with the party’s state security strategy, which prioritises pre-empting risk before it can emerge. This is embedded in the party’s state security work through the concept of ‘financial security’ (金融安全).12 Financial security means stability on the party’s terms. It calls for reforming the financial system by establishing supervision and control mechanisms, total financial governance, and strengthening China’s financial power.
At the Politburo’s collective study meeting of 23 February 2019, which focused specifically on preventing financial risks, Xi was quoted as stating:
It is necessary to do well in comprehensive financial industry statistics, complete an information system that reflects risk fluctuation in a timely manner, perfect information release management regulations, and complete a credit punishment mechanism. It is necessary to ‘control people, watch money, and secure the system firewall’ … Modern technological means and payment settlement mechanisms should be used to dynamically monitor online, offline, international, and domestic capital flows in a timely manner, so that all capital flows are placed within the scope of supervision of financial regulatory institutions.13
Xi’s guidance for using technology to connect finance and security has cascaded down to the fintech planning and implementation level. At every step, internally focused discussion of DC/EP has focused on supervision and centralised management. During a 30 December 2019 meeting of the PBoC Financial Technology Committee, PBoC deputy governor Fan Yifei reiterated the importance of supervising fintech innovation, ‘optimising’ the mobile payment ecosystem and ‘actively promoting data governance and accelerating the construction of a “digital central bank”’.14 At a PBoC work meeting held on 5 January 2020, participants including Governor Yi Gang and PBoC Party Committee secretary Guo Shuqing spoke of party-building at all levels of the financial system, building a ‘big supervision mechanism’, and strengthening financial statistics monitoring and analysis with specific reference to fintech and digital currency.15
Macroeconomic policy
As well as improving the scrutiny, and visibility, of international capital flows, and reducing the costs of printing and maintaining the circulation of cash, PBoC officials say the data collected through DC/EP will be used to improve macroeconomic policymaking. According to Yao Qian, who founded the Digital Currency Research Lab at the PBoC:16
Within this [digital currency] technology system, the central bank has the highest decision making and operational jurisdiction… big data analysis comes in during the process of currency issuance, monitoring, and control. Under conditions of data being appropriately stripped of identifying details, the central bank can use big data to carry out in-depth analysis of digital currency issuance, circulation and storage; understand the laws of monetary operation; and provide data support for intervention needs such as monetary policy, macro-prudential supervision, and financial stability analysis.17
Yao says the data used to inform macroeconomic policymaking will be anonymised. However, he also says the data will be used for law enforcement.18
Political discipline
The CCP’s top political organ for imposing political discipline internally, the CCP’s CCDI, is increasingly prominently involved in both the promotion and policy direction of DC/EP. The CCDI has recently promoted DC/EP’s potential to ‘solve’ the problem of terrorist financing and combat financial crimes such as bribery and embezzlement.19 However, the purpose of the CCDI is to impose party discipline through channels that exist above and outside the formal legal apparatus. The CCDI has served as Xi’s primary organisational weapon in his ongoing campaign to combat corruption, enforce ideological unity and purge the party of potential rivals.20 The involvement of the CCDI serves as a strong indicator of how the party intends to exploit the vast troves of data that DC/EP will make available to it.
Competing with the US-led global financial system
The party’s six-year program to develop a sovereign digital currency has been driven in part by a desire to propose currency alternatives to the US dollar (see Section 6). Recently, however, it’s been spurred by the competition from US digital currencies. China’s finance and banking officials have repeatedly expressed concern at the prospect of a supranational stablecoin, which they perceive as being tied to the US dollar. They equate US digital currencies with US dollar hegemony and say that it reinforces the need to decouple the renminbi from the US-dollar-led global financial system.21 An article by the PBoC’s China Banknote Printing and Minting Corp. Blockchain Technology Research Institute,22 published in the CCP Central Party School journal Study Times in August 2019, described DC/EP as a response to US-based digital currency Libra’s imminent “major and far-reaching effect on the global pattern of international monetary development”, and called for accelerating China’s development of digital currency and a digital currency supervision system.23 Similarly, Wang Zhongmin, former deputy chair of the China Social Security Fund Council and a former long-serving CCDI official, has said DC/EP’s progress is being benchmarked against that US effort.24 Li Lihui, former Bank of China president and head of the Blockchain Research Group of the China Internet Finance Association, has also indicated that China’s banking sector views US currencies as a danger to China’s currency and an extension of US global financial leadership and democratic values.25
Competing globally
China has a clear ambition to shape global technological and financial standards. With a new industrial policy (China Standards 2035) on the horizon, DC/EP and its related technologies are likely to be an important component in China’s push to establish a comprehensive alternative to the dollar system. The liberalisation of China’s current account is not required for export of the DC/EP technology stack to other countries. China’s ability to develop new financial technology that embeds authoritarian norms of control and surveillance may affect global standards and financial infrastructure well before the internationalisation of the renminbi is achieved.
3. DC/EP and surveillance
Dr Samantha Hoffman
DC/EP is being built to meet China’s specific needs, as defined by the party-state. In order to understand the CCP’s needs and their potential implications, it’s necessary to examine the tracking of money flow that is inherent in the DC/EP system, in conjunction with the supervision objectives those capabilities support. DC/EP’s surveillance and data collection potential doesn’t create fundamentally new forms of political or financial control but will enhance existing monitoring and surveillance capabilities.
Centralised control and visibility
DC/EP transactions are fully traceable. Yao Qian (the PBoC’s primary patent author on DC/EP) described DC/EP as having an ‘anonymous front end, real-name backend’.26 There’s an element of anonymity through a characteristic of DC/EP called ‘controlled anonymity’, but true anonymity doesn’t exist, as currency registration and traceability are built into DC/EP’s transaction process. That process, augmented by data mining and big-data analysis, provides the PBoC with the ability to have complete oversight over the use of the currency. That functionality is provided through DC/EP’s ‘three centres’ (Figure 3).
Figure 3: DC/EP’s data centres
Source: Created by ASPI
The term ‘controlled anonymity’ within the operation of DC/EP means that the PBoC has complete supervision over the digital currency but has afforded users some anonymity for their transactions and protection of their personal information from other third parties, besides PBoC. DC/EP has been designed such that, even if commercial banks and merchants were to collude, users’ purchase history couldn’t be determined by them or any other third party, except, crucially, the currency issuer.27
PBoC Deputy Governor Fan Yifei has explained that full anonymity won’t be implemented through DC/EP in order to discourage crimes such as tax evasion, terrorism financing and money laundering.28
All central banks would need to ensure that their digital currency meets anti-money-laundering and countering terrorism financing rules. Central bank digital currencies would allow for better digital records and traces, but it’s been suggested in a report by the Bank for International Settlements that such gains may be minimal because illicit activity is less likely to be conducted over a formal monetary system that’s fully traceable.29
DC/EP is designed so it can be used without the need for a bank account, but digital wallets have a grading system such that wallets that are loosely bound to a real-name account have transaction size limits. A user can attain the lowest grade of digital wallet—with the transaction limits—by registering their wallets with a mobile number only (of course, phone numbers are required to be registered to an individual’s real name in the PRC). Users can access higher grade digital wallets by linking to an ID or bank card. Through the Agricultural Bank of China, for instance, users are encouraged to upgrade their digital wallets to a ‘Level 2 digital wallet’ by registering with their name and national ID details (Figure 4).30 If a user registers in person at a counter, there are no restrictions on their digital wallet.31
Figure 4: Leaked Agricultural Bank of China DC/EP mobile application
Agricultural Bank of China’s test DC/EP mobile app provides the function to scan code to pay, transfer money, receive payment and touch phones to pay. The digital currency section allows the user to exchange digital currency, view transaction summaries, manage the digital wallet exchange and link an account to the digital currency wallet.
Source: ‘China’s central bank digital currency wallet is revealed’, Ledger Insights, online.
The integration of DC/EP into third-party applications doesn’t make users’ transactions on those applications more private, but the underlying digital currency system is designed to provide privacy from third parties (except, of course, the central bank). That being said, practicalities when implementing any payment system mean that in practice there’s little anonymity for the individual from any app, because the app will already know the user, and when transacting will need the user to identify the recipient of the funds and the transaction amount. Therefore, the implementation of DC/EP into mobile applications, such as DiDi Chuxing, BiliBili and Meituan Dianping, that are in partnership negotiations with PBoC32 doesn’t change the amount of information those apps, and by extension their linked platforms, are able to collect on the user.
Using DC/EP to enhance the party-state’s control
The PBoC’s creation of a massive repository of financial transaction data could improve both the efficiency and visibility required for the PBoC and CCDI to effectively supervise and police financial transactions. DC/EP’s political-discipline-linked policy drivers—anti-money-laundering, anti-terrorist financing and anti-tax evasion—are linked to the party-state’s ‘social governance’ process (also called ‘social management’). Social governance describes how the CCP leadership attempts to shape, manage and control all of society, including the party’s own members, through a process of co-option and coercion.33 DC/EP helps solve legitimate problems, but that problem solving also acts as a tool for enhancing control. For instance, a local PBoC official described ‘anti-money laundering’ as an ‘important means to prevent and defuse financial risks and consolidate social governance.’34 Similarly, an article by Deputy Governor of the PBoC Liu Guoqiang published in the People’s Daily said:
In recent years, the scope of anti-money laundering work has become increasingly diverse and has expanded to many areas such as anti-terrorist financing, anti-tax evasion and anti-corruption. Anti-money-laundering work has strengthening modern social governance as its goal, through guiding and requiring anti-money-laundering agencies to effectively carry out customer identification, discovering and monitoring large-value transactions and suspicious transactions, timely capturing abnormal capital flows, and enhancing the standardisation and transparency of economic and financial transactions to weave a ‘security net’ for the whole society to protect normal economic and financial activities from infringement …35
More specifically, the connection of DC/EP’s policy drivers to social management is indicative of how DC/EP would ultimately serve the party’s needs in practice. Through the PRC’s global Operation Skynet, which seeks to ‘track down fugitives suspected of economic crimes and confiscate their ill-gotten assets’, the PBoC cooperates directly with the Ministry of Public Security because of the role of the PBoC as an anti-money-laundering authority.36 Genuinely corrupt officials are certainly caught up in the campaign, but the accusation of corruption is the result of a political decision linked to power politics. Likewise, the crime of ‘terrorist financing’ is defined by the Chinese party-state’s version of ‘terrorism’, and it’s been directly linked to the PRC’s campaign against the Uyghurs in Xinjiang. For instance, in July 2020, Australian media reported on a Uyghur woman who has been arrested on charges of financing terrorism for sending money to her parents in Australia, who used it to purchase a house.37 DC/EP doesn’t create a process that didn’t already exist, but the technical ability to aggregate bulk user data in one place has the future potential to automate identification and analysis processes that at present are only partially automated; for example, to help trace money transfers through different entities at different levels.
Nor does DC/EP create objectives that didn’t already exist. Rather, its digital nature and centralised supervision facilitate the aggregation and bulk analysis of user and financial data, to more easily meet those objectives.
Future extraterritorial implications?
Under Xi Jinping, the concept of social management has expanded to specifically include ‘international social management’.38 Something to consider is the fact that Hong Kong’s new state security law criminalises separatism, subversion, terrorism, and collusion in and support for any of those activities by anyone in the world no matter where they are located.39 This means that journalists, human rights advocacy groups, researchers or anyone else accused of undermining the party-state and advocating for Hong Kong democracy could be accused of those four types of crime. By extension, anyone financing those individuals or entities (such as funding a research group) could potentially be linked to the accusations. If DC/EP is successfully rolled out and adopted, then the world would have to be prepared to contend with a PRC in possession of information that would also allow it to enforce its definitions of the activities that it’s monitoring (anti-corruption and anti-terrorism, for instance) globally, thus potentially allowing it to implement PRC standards and definitions of illegality beyond its borders with greater effectiveness.
4. The party-state ecosystem behind DC/EP
Dr Matthew Johnson
At the China Fintech Development Forum on 20 June 2020, Wang Zhongmin, the former deputy director of the China Social Security Fund Board (China’s national pension fund) and a former member of the CCP’s CCDI, announced that the back-end architecture for China’s central bank digital currency was basically complete.40 After six years of planning, investment and R&D, progress towards a cashless society had finally reached the testing stage (Figure 5). The fact that this key announcement was made by a former member of the party’s political discipline inspection body, rather than a current or former official of the PBoC, demonstrates that the bureaucratic structure behind DC/EP’s development goes well beyond the central bank.
The speed with which DC/EP is being developed is partly a result of the enormous institutional power behind it. As well as the PBoC and the CCDI, the project is being shaped by a cluster of powerful regulatory and supervisory institutions that serve as the fulcrum for CCP efforts to maintain leverage over every element of the financial and economic systems.
Beyond the supervisory institutions, many of China’s biggest companies are also being called in to support. They include:
Bank of China, China Construction Bank, Agricultural Bank of China, Industrial and Commercial Bank of China, China Postal Bank and China CITIC Bank
China Mobile, China Telecom, China Unicom, and China UnionPay
Alibaba Group affiliate Ant Group (Alipay), Tencent (WeChat Pay), Huawei Technologies and JD.com.
Figure 5: DC/EP development timeline
Source: Garnaut Global, September 2020.
PBoC leadership and innovation
The DC/EP project has been driven by the PBoC since its inception. Former PBoC Governor Zhou Xiaochuan established a digital currency research group in 2014. In March 2018, Zhou announced that the project had received approval from the State Council and now had a name—Digital Currency Electronic Payment.41
Through DC/EP, the PBoC has been swiftly transformed into a hub of party-state fintech innovation. It has established its own technology units, such as the Digital Currency Research Institute, and harnessed a constellation of commercial enterprises and government agencies to drive investment in blockchain and fintech.42 More than 80 patents related to DC/EP have been filed with the Chinese Patent Office by research institutes connected to the PBoC.43 The standards created by these new technologies are likely to shape future development pathways for China’s cashless monetary system.
Information concerning local DC/EP pilots has been scarce, imprecise and occasionally misleading, but the overall trend it describes suggests that progress towards buildout of the user ‘front end’ is real. Since April 2020, banks and government institutions have launched pilot distribution experiments and showcased prototype ‘digital wallets’ (apps that store payment details). The private sector has been particularly critical to building DC/EP’s scale; PBoC partners Alibaba Group and Tencent provide networks and raw data-processing power that no other state-controlled system can match (see Section 5).44
Powerful guidance
Outwardly shaped and managed by the PBoC, China’s DC/EP project is also guided by the top echelons of the CCP leadership. The PBoC itself isn’t independent but is one of several interconnected institutions, the function of which is, collectively, to prevent systemic risk through total control over China’s financial economy.45 The Financial Stability and Development Commission, chaired by Xi Jinping’s trusted economic adviser Liu He, sits at the apex of this financial regulatory cluster. The CCDI, the party’s extrajudicial discipline enforcer, encircles both, ensuring that regulatory officials adhere politically to Xi’s authority.46
Managing corruption: the Central Commission for Discipline Inspection
The CCDI sits several bureaucratic rungs above the PBoC and hasn’t featured in mainstream or industry reporting on DC/EP. Analysis of party texts and structures, however, indicates that the CCDI is emerging as one of the key patrons and potential customers of the DC/EP project. An ‘authoritative explainer’ on DC/EP, aired by national news broadcaster CCTV in June 2020, even explained that the CCDI would use digital currency as a ‘booster in managing corruption’.47
CCDI organisations are embedded directly within the PBoC itself, which is significant because it illustrates the party’s growing control over the central bank as well as other systemically important financial institutions.48 The CCDI is one of the party’s four core departments. It’s answerable directly to the Politburo Standing Committee through its Secretary, Zhao Leji, who’s the sixth-ranked leader in the Party (Figure 6). Three of Zhao’s deputies sit in the Central Committee. Compared to the CCDI, the PBoC is politically a relatively junior organisation. Its Governor, Yi Gang, isn’t counted among the 205 members of the Central Committee.49
Figure 6: DC/EP’s political and commercial ecosystem
Source: Garnaut Global, June 2020.
Coordinating security: the Financial Stability and Development Committee
In July 2017, Xi Jinping moved to integrate financial system regulation with the Party’s political, security, and legal organs by creating a new super agency called the Financial Stability and Development Committee (FSDC).50 Xi tapped Vice Premier Liu He to chair the committee, with Premier Li Keqiang as his deputy.51 The FSDC now serves as China’s main financial regulatory body.52 It also serves as the institutional flywheel that connects the finance system to key security organs.
According to state-controlled economic news media, the FSDC has special ‘planning and coordination’ arrangements with the party-state’s core security bodies, including the CCDI, the Propaganda Department, the Office of the Commission for Internet Security and Informatisation, the Ministry of Public Security, the Ministry of Justice and the Supreme People’s Court.53 The FSDC also oversees local financial coordination and regulation through local branches of the Banking and Insurance Regulatory Commission, the Securities Regulatory Commission and the Foreign Exchange Bureau.54 The Office of the FSDC is located within the PBoC and is directed by PBoC Governor Yi Gang, illustrating the ‘deputy’ function that the PBoC plays in implementing FSDC policy.55
5. The role of WeChat Pay and Alipay in DC/EP
Fergus Ryan and Alexandra Pascoe
China’s mobile payments industry has seen explosive growth over the past decade as the country’s two most widely used mobile payment services, Alipay and WeChat Pay, have garnered more than 890 million users.56 The two platforms have driven a shift away from cash in the country’s economy—an effort that DC/EP is expected to continue and complete.
In 2016, China’s mobile payments hit US$5.5 trillion, or roughly 50 times the size of America’s $112 billion market, according to consulting firm iResearch.57 The following year, that figure more than doubled: transactions made on the two third-party payment institutions (TPPIs) totalled more than US$17 trillion.58 Using QR codes and digital wallets, the companies enabled consumers to jump directly from cash to mobile payments. That saw users leapfrog the nascent and cumbersome debit and credit card systems established by the commercial banking sector. Collectively, the two TPPIs hold more than 90% of the market. Alipay has over 50% market share, and WeChat Pay almost 40%.59 Ninety per cent of people in China’s biggest cities use those payment platforms as their primary payment method; each platform boasts more than 600 million monthly active users.60
Beijing’s policy towards the TPPIs was marked by early optimism about the ability of the companies to break down the control of the banking system by the Big Four state-owned commercial banks. The aim was to increase competition and innovation in the financial sector and drive economic activity by opening up additional sources of lending for Chinese small and medium-sized enterprises. The disruption and innovation brought about by Alibaba and Tencent were actively encouraged and coupled with favourable government policies and protection from international competition.
However, Alipay’s and WeChat Pay’s rapid growth and increasing level of dominance have caused the overt encouragement of the fintech sector and regulatory permissiveness to increasingly shift to ambivalence and moves to enhance oversight over the payment systems.
In 2010, the PBoC enacted regulations that meant that foreign-funded third-party operators would need State Council approval to operate in the Chinese market, and under different rules from those governing domestic operators. That ruling prompted Alibaba founder Jack Ma, in a highly controversial decision, to secretly spin off the online payment service Alipay from Alibaba Group, which foreign operators Yahoo and Softbank have significant stakes in, to a private firm he controlled.61
In a text-message exchange with Hu Shuli, the editor of business magazine Caixin, Ma sought to explain his decision to spin off the company without the go-ahead from Yahoo and Softbank by saying the decision involved ‘more than just commercial interests’ and that there were national security implications to Alipay’s ownership structure. ‘The market economy tells us to steer clear of politics. But if I ruin Alipay, I may face prison in addition to bankruptcy,’ Ma texted Hu.62 The spun-off firm was later renamed Ant Financial and now operates Alipay.
Like their rival Tencent, Alibaba and Ant Financial both have CCP committees as part of their governance structures.63 The CCP has a direct line into both companies, but policymakers are increasingly concerned about the inordinate power of the duopoly. There are also concerns over the speed with which their third-party payment ecosystems have taken over systemically important functions of the country’s economy.
Driven by concerns over the growing size of money market funds facilitated by Alipay and WeChat Pay (Yu’e bao 余额宝 and Lingqiantong 零钱通), as part of its ‘deleveraging campaign’ in 2017,64 the PBoC expanded its regulatory oversight of the TPPIs, ordering the firms to move funds out of commercial banks and into PBoC accounts. In 2019, that process was completed when the central bank took over all deposits of platforms such as Alipay and WeChat Pay.65 This has helped to address risks associated with shadow banking, while also moving valuable user transaction data into the hands of the PBoC.
Most recently, it was reported that the State Council is considering whether to launch an antitrust investigation into Alipay and WeChat Pay. The PBoC recommended the probe earlier this year, given the platforms’ dominance and attempts to foster greater competition in the payments space by assisting smaller companies to enter the market.66
Co-opting Alipay and WeChat Pay
DC/EP will be made available through a two-tier system. The central bank plans to issue DC/EP to both commercial banks and TPPIs, and then the banks and TPPIs would distribute it to consumers. In this case, the current financial structure doesn’t change with DC/EP, only the mechanism through which commercial banks and TPPIs get their money.
The PBoC could have dealt a serious blow to Alipay and WeChat Pay by excluding them from the second tier of the structure. However, given the user base of the two payment platforms, that would severely limit the take-up and use of the digital currency. The PBoC appears to be bringing Alipay and WeChat Pay into the DC/EP structure on its own terms, allowing it to continue its quest to rein in the dominance of the firms while also using their user base and technology.
Patent applications from both Alibaba and Tencent appear to indicate the role that these platforms will play in the issuance of DC/EP. Between 21 February and 17 March 2020, Alibaba filed five patents on ‘digital currency delivery and transaction account functions, supervision and handling of illegal accounts, digital currency wallets, [and] support for anonymous transactions’.67 On 24 April, it was also reported that Tencent had filed a patent related to the transaction of digital assets, although the report didn’t directly refer to the PBoC’s digital currency, as appeared in Alipay’s patents.68
That being said, how exactly the PBoC and TPPIs will cooperate remains unclear. How those institutions distribute DC/EP will be the subject of a ‘horse race’ between the commercial banks and the TPPIs, the eventual frontrunner of which will ‘take the whole market’, the head of the PBoC Digital Currency Research Institute, Mu Changchun, told an audience in Hong Kong in 2019.69 That echoed comments made in 2018 by PBoC Deputy Governor Fan Yifei, who wrote that the central bank could leverage market forces to optimise related systems through close cooperation with commercial banks and other organisations, without imposing any prescriptive technology path in advance. This would facilitate resource integration, synergistic collaborations and innovation, as well.70
Mu Changchun has trumpeted DC/EP as having a superior legal and security status to WeChat Pay and Alipay due to its state backing.71 He has said that, should Alipay or WeChat Pay go bankrupt, there’s currently no way to assure the money held in those digital wallets. However, if the wallets held PBoC-backed digital currency, those funds could be guaranteed by the central bank.
The alleged superior security of DC/EP is perhaps more a rhetorical point from Mu, rather than reflecting any real possibility of Ant Financial or Tencent going bust. Furthermore, regulation changes requiring Alipay and WeChat Pay deposits to be moved into PBoC accounts mean that the PBoC has already clawed back a fair degree of oversight and control over funds held by those platforms.
Mu’s statements, along with references to how DC/EP will allow for anonymous transactions, taking user transaction data out of the hands of ‘private’ firms and into the hands of the central bank, appear to be aimed at sowing distrust in the non-state platforms and motivating trust in the PBoC’s digital currency in an attempt to drive take-up.
Recent reporting citing sources ‘familiar with the thinking’ of the PBoC states that DC/EP is aimed at eroding the dominance of Alipay and WeChat Pay in the digital payments space and providing a more level playing field between the two payment giants and the commercial banks.72 While DC/EP certainly presents an opportunity for greater competition—with commercial banks advancing their own user-facing offerings of digital wallets and QR codes—the current market share of Alipay and WeChat Pay means that it’s unlikely that the commercial banks will be able to quickly gain a stronger foothold in the payments space. It’s true that the PBoC has tried to rein in the dominance of Alipay and WeChat Pay, but it’s likely that the two platforms will play some role in DC/EP’s success.
According to PBoC statements, the transaction processing requirement for DC/EP is an average of 300,000 transactions per second (tps).73 While Tencent’s fintech division processes an average of 1 billion transactions per day, on Singles Day in 2019, Alibaba reportedly demonstrated its ability to process 544,000 tps.74 It’s unclear how closely Alibaba is working with the PBoC on DC/EP and, although it could be called on for assistance if asked, the PBoC would be building its own back-end architecture, meaning that it couldn’t simply replicate Alibaba’s system. Despite that, the raw data-processing power of Alibaba, and to a lesser degree of Tencent, is unmatched by any state-controlled system. Without an ability to at least match Alibaba’s capabilities in this area, widespread voluntary take-up of DC/EP will be difficult to achieve.
Future adoption
Given the ubiquity of Alipay and WeChat Pay in China, implementing digital wallets via the commercial banks alone would not readily result in the wide-scale adoption and use of DC/EP that the PBoC hopes for.
There’s speculation that the PBoC will provide incentives to drive take-up in the use of digital currency, for instance by providing salaries and travel subsidies in the digital currency, or not charging merchants a fee to accept DC/EP. Those incentives could be coupled with further measures to limit the dominance of Alipay and WeChat Pay and to boost the competitiveness of the commercial banks.
But, since most people in China’s biggest cities use either WeChat Pay or Alipay as their main payment method, the PBoC needs the user base of those platforms to achieve scale. The way in which the payment platforms are integrated into Chinese people’s daily lives means that Alipay and WeChat users are unlikely to quickly switch to a different wallet that, from a user’s perspective, barely differs from what they already use.75 As indicated by patent applications, the two payment platforms appear to have scoped out a role within the DC/EP system in order to maintain their user base and position in the payments space.
Further, Alipay and WeChat Pay are working hard to stay ahead of a QR-code-based DC/EP, exploring the development of payments systems based on facial-recognition technology.76
Thus, DC/EP can’t be read simply as an attempt to wind back the dominance of Alipay and WeChat Pay. Beijing is likely to be working to strike a balance between using the technology and user base of the platforms while encouraging greater involvement from other players in the payments space.
6. DC/EP’s potential internationalisation and the global economy
The Chinese Government has stated that one driver behind its attempts to internationalise the renminbi is to create a substantial rival to the US dollar. From Beijing’s perspective, a US-led global economy is a potential threat to the Chinese party-state’s stability, because the US could leverage economic tools that could act as a catalyst for disrupting Chinese economic and social stability.77
Recent developments in Hong Kong illustrate why the party-state takes that threat seriously. In reaction to the Hong Kong State Security Law enacted on 1 July, the US and EU have both threatened sanctions on foreign financial institutions that knowingly do business with Chinese officials involved in stifling the protests.78 If taken to extremes, such sanctions could damage the Chinese economy and stifle development. Of course, Beijing has also suggested that any ‘rash’ US sanctions ultimately could damage US companies as well, including via possible Chinese retaliation.79
If DC/EP supports the PRC’s efforts to gain a stronger foothold in the international economic system, it could also help the PRC disrupt the existing system of global economic governance, which among other things could reduce the impact of international sanctions.
Renminbi internationalisation?
Since the 2009 global financial crisis, the internationalisation of the renminbi has been a significant PBoC objective. China’s 13th Five-Year Plan (2016–2020) clearly outlined the ambition, stating that China ‘will take systematic steps to realize RMB capital account convertibility, making the RMB more convertible and freely usable, so as to steadily promote RMB’.80 Its efforts to achieve that goal to date have included signing bilateral currency swap agreements,81 agreeing to add the currency to the International Monetary Fund’s Special Drawing Rights basket of currencies82 and investing heavily in renminbi-based regional projects.83
The nature of the Chinese economy and political system, however, undermines those objectives. Most internationalised currencies are associated with relatively open economies. In maintaining a ‘closed’ capital account84 and tight controls on the economy, Beijing inhibits its own internationalisation attempts. The renminbi doesn’t compete seriously on the international stage, even compared to its regional competitors, such as the Japanese yen. SWIFT’s June 2020 RMB Tracker statistics list the renminbi as the sixth most active currency for global payments by value, following the dollar, euro, pound, yen, and Swiss franc.
That being said, DC/EP could allow China to further define the global standards for emerging financial technologies, giving Beijing space to shape international standards (particularly as opposed to rival stablecoins). As a result, DC/EP may serve as a model for digitising a fiat currency—which would create a new form of power for Beijing. As a new technology, DC/EP’s incorporation into Chinese apps and cross-border trade might not have major implications initially, but could enable the PRC to push other countries’ financial technology out of developing markets.
Through DC/EP, payments would be settled as soon as possession of the digital currency changes, as opposed to the current system, which relies on intermediaries. Most current transaction methods are technically reversible for a period of time, depending on the speed and communication of the banks involved. This change would have significant implications for internationalisation via Chinese regional initiatives, particularly the BRI. If Beijing moves BRI payments to DC/EP, it could create DC/EP-based automated payments across more than 60 countries.85 Requiring DC/EP in payments doesn’t necessarily translate to those countries choosing to hold DC/EP or transact in it in any meaningful way, but it would provide an incentive for them to increase renminbi transactions where they might otherwise be reluctant. In any case, this process would be likely to take years. Even the integration of DC/EP into China’s financial activities wouldn’t necessarily lead to other countries choosing to either keep or spend DC/EP on their own.
An alternative to SWIFT?
If DC/EP succeeds, it could help reduce the PRC’s reliance on the SWIFT system. SWIFT is viewed as a secure financial messaging service that plays a vital role in connecting the international banking system. Although the system itself has some flaws,86 it’s the mechanism by which financial institutions are able to communicate with each other, sending and receiving information about transactions in order to complete transfers and settlements. SWIFT acts as an intermediary for most global bank transactions, and the US has a capability to access those transactions for national security concerns.
For example, in 2006, the US Department of the Treasury went through SWIFT’s database to identify transactions tied to al-Qaeda, instructing SWIFT to block terror-related transactions.87 If SWIFT declines to be involved in a transaction, the transfer won’t go through. Naturally, this perceived level of oversight and control is concerning to many other global actors, especially those under sanctions.
Global reliance on SWIFT is one of the most crucial pieces of the financial system, and its impact is one that China doesn’t underestimate. In 2019, Huang Qifan, Deputy Director of the China Center for International Economic Exchange, stated that SWIFT is ‘gradually becoming [a] financial instrument for the United States to exercise global hegemony and exercise long-arm jurisdiction,’ citing examples of the US using the SWIFT database to blacklist and freeze transactions from Iranian banks over terrorism financing allegations, as well as the US’s 2014 threats to exclude Russia from the system altogether.88 The threats alone had an intensely negative impact on the Russian economy and depreciated the rouble.89
According to PBoC official Li Wei, through the BRI, China seeks to establish a ‘financial standard exchange cooperation and build a “hard mechanism” of … financial infrastructure cooperation’.90
To date, Beijing’s attempts to create an alternative to SWIFT have resulted in the introduction of the Cross-Border Inter-Bank Payments System (CIPS) in 2015. In 2018, CIPS handled approximately US$3.7 trillion.91 SWIFT, meanwhile, facilitated the transfer of US$40 trillion in 2018 and US$77 trillion in 2019.92
Bypassing sanctions?
The creation of an effective alternative to SWIFT would create an opportunity for Beijing to bypass international sanctions. In fact, CIPS has already been used by countries exposed to US sanctions, such as Turkey and Russia, to avoid SWIFT.93 If foreign businesses are able to bypass US banks and US currency, then the impact of US sanctions would be significantly reduced. While CIPS aids efforts to bypass US banks and currency, DC/EP could be implemented as a key part of the settlement system or as an alternative transaction method functioning in parallel to CIPS. It’s worth noting, however, that CIPS can carry any currency, while DC/EP will be limited to the renminbi.
DC/EP offers the opportunity to move away from the SWIFT system, as it appears DC/EP would have the same messaging capabilities that SWIFT and CIPS provide, but it would remove the need for intermediaries. DC/EP, therefore, could serve as a new messaging system that allows sanctions evasion, as an article published in Chinese state media argued:
[a] sovereign digital currency provides a functional alternative to the dollar settlement system and blunts the impact of any sanctions or threats of exclusion both at a country and company level. It may also facilitate integration into globally traded currency markets with a reduced risk of politically inspired disruption.94
Other state actors, such as North Korea, may also be attracted to the option to use DC/EP to evade sanctions. North Korea is widely understood as a proficient and successful cyber actor with an interest in cryptocurrencies and blockchain.95 Given Pyongyang’s interest in cryptocurrencies and increased holdings in various coins, any possibility of China allowing transactions between cryptocurrencies, such as bitcoin or Monero, and DC/EP could prove to be extremely beneficial to North Korea, and any other sanctioned actors. The most difficult part of sanctions evasion using cryptocurrency is the exfiltration point into fiat (or other digital) currency—DC/EP could offer a solution to that problem.
While, initially, given Beijing’s oversight, engaging with DC/EP might not be the ideal way past SWIFT, tightened sanctions and limited options could lead various sanctioned countries to view Beijing as their best path forward.
7. Recommendations
DC/EP’s rollout is likely to have notable ramifications for governments, investors and companies, including China’s own tech champions. More analysis is needed before prescriptive policy solutions can be developed for the political and financial oversight challenges DC/EP could create. At the same time, it’s important to act in anticipation of key shifts in global financial regulation and advances in financial technology, so that governments don’t end up trying to reverse course when it’s too late to deal with the systemic risks DC/EP could create.
We suggest the following:
If DC/EP achieves global take-up, the political features it embeds won’t be possible to effectively mitigate or regulate. Therefore, governments must be prepared to mitigate the political risks by investing in research into and the development of credible alternatives to DC/EP for all key highly traded currencies.
Decision-makers in liberal democracies must develop a clear strategy for detecting flaws in and improving the existing system for global financial governance and work to improve international coordination among each other to achieve those strategic outcomes.
Liberal democracies should establish domestic laws on data privacy and protection. They should regulate the ways that any entity can collect and use individuals’ data, improve oversight and improve due diligence aimed at mitigating data security risks.
Acknowledgements
The authors would like to thank several anonymous peer reviewers, as well as Michael Shoebridge, Fergus Hanson, Danielle Cave, James Aitken, Bill Bishop, Stephen Joske and Greg Walton for their helpful feedback.
This independent research was partly supported by a US$50,000 grant from Facebook, Inc. Additional research costs were covered from ICPC’s mixed revenue base. The work of ASPI ICPC would not be possible without the support of our partners and sponsors across governments, industry and civil society.
What is ASPI?
The Australian Strategic Policy Institute was formed in 2001 as an independent, non‑partisan think tank. Its core aim is to provide the Australian Government with fresh ideas on Australia’s defence, security and strategic policy choices. ASPI is responsible for informing the public on a range of strategic issues, generating new thinking for government and harnessing strategic thinking internationally. ASPI’s sources of funding are identified in our Annual Report, online at www.aspi.org.au and in the acknowledgements section of individual publications. ASPI remains independent in the content of the research and in all editorial judgements.
ASPI International Cyber Policy Centre
ASPI’s International Cyber Policy Centre (ICPC) is a leading voice in global debates on cyber, emerging and critical technologies, issues related to information and foreign interference and focuses on the impact these issues have on broader strategic policy. The centre has a growing mixture of expertise and skills with teams of researchers who concentrate on policy, technical analysis, information operations and disinformation, critical and emerging technologies, cyber capacity building, satellite analysis, surveillance and China-related issues.
The ICPC informs public debate in the Indo-Pacific region and supports public policy development by producing original, empirical, data-driven research. The ICPC enriches regional debates by collaborating with research institutes from around the world and by bringing leading global experts to Australia, including through fellowships. To develop capability in Australia and across the Indo-Pacific region, the ICPC has a capacity building team that conducts workshops, training programs and large-scale exercises for the public and private sectors.
We would like to thank all of those who support and contribute to the ICPC with their time, intellect and passion for the topics we work on.
First published October 2020.
ISSN 2209-9689 (online), ISSN 2209-9670 (print)
Funding statement: Funding for this report was partly provided by Facebook Inc.
The rapid escalation in the long-running conflict between Azerbaijan and Armenia which took place in late September 2020 has been shadowed by a battle across social media for control of the international narrative about the conflict. On Twitter, large numbers of accounts supporting both sides have been wading in on politicised hashtags linked to the conflict. Our findings indicate large-scale coordinated activity. While much of this behaviour is likely to be authentic, our analysis has also found a significant amount of suspicious and potentially inauthentic behaviour.
The goal of this research piece is to observe and document some of the early dynamics of the information battle playing out in parallel to the conflict on the ground and create a basis for further, more comprehensive research. This report is in no way intended to undermine the legitimacy of authentic social media conversations and debate taking place on all sides of the conflict.
5G will be the next generation of mobile telecommunications. There are differing views on how quickly it will become commonplace and exactly what form it will take, but it will ultimately transform much of what we do and how society functions. The trustworthiness, security and resilience of 5G networks will therefore be critical. A key part of this will be the partnerships that network operators form with vendors to provide and maintain the network infrastructure. There’s now a good understanding that 5G will underpin critical national infrastructure in a way that previous telecommunication technologies don’t, and that supply-chain trust and security are key national security issues.
Australia and some other countries have eliminated specific vendors from their 5G supply chains, but the space is globally contested and there is no consensus on what happens next. There is a need for a trusted ecosystem of vendors, which may also bring enormous opportunities for states, including Australia, to develop sovereign 5G capabilities and grow their 5G market. However, barriers to entry and a lack of consensus among key 5G stakeholders across the public and private sectors are holding up progress towards these goals.
What’s the solution?
It’s time to move on from debates about individual vendors to understand what a trusted ecosystem of 5G vendors and technology should consist of, what needs to be done to achieve that outcome and how we still manage the residual risks associated with vendors. Rather than looking at the trustworthiness of individual vendors as a binary yes/no decision at a particular point in time, policymakers and industry need to understand the spectrum of vendor risk and put in place measures to manage different levels of risk. The highest risk vendors can be excluded, but residual risks need to be understood and mitigated. The costs of insecure systems must be recognised and better explained.
Governments need to work together to build an environment that promotes a resilient supply chain with a plurality of trusted suppliers to avoid the risk of operators putting all their eggs in one basket. If the security of one vendor is compromised, that shouldn’t compromise the whole network or all the networks. This will require initiatives to promote diversity and interoperability, including standards setting, testing and integration facilities, and regulation. If implemented correctly, this will not only improve cybersecurity but also provide an economic opportunity for industry. States need to find the most promising opportunities to develop key sovereign 5G capabilities, including in Australia, and take that same approach to other key enabling technologies in order to avoid similar supply-chain security challenges in the future. The window of opportunity is open now, so we need to lead by taking action now and encouraging other like-minded countries to follow and coordinate with us.
Introduction
5G is a subject that seems to come up in almost every discussion about the future of technology. Numerous networks are already advertising 5G services, on the basis that they deploy new, more efficient 5G radios at the edge of the network. However, the real transformation, a merged ‘core’ and ‘edge’ operating inside a cloud environment, from which the major security implications arise, is yet to arrive. While there may be debates about how quickly the full 5G transformation will happen and what form it will take, there’s no doubt that it has the potential to transform much of what we do. As this technology becomes an integral part of our lives, the trustworthiness, security and resilience of 5G networks will become ever more critical. A key part of this is the suppliers who will build and maintain the network equipment, and this has led to numerous discussions about the trustworthiness of particular vendors and to some countries, including Australia, banning Chinese vendors such as Huawei and ZTE from their 5G network builds.
This paper aims to broaden the global discussion. Given that all 5G network operators will need to rely on vendor partnerships to build and operate their networks, what are the desired characteristics of the vendor ecosystem that supports operators and what practical policy options should be considered to help achieve that?
This paper is based on a review of existing global literature and interviews with key stakeholders from vendors, network operators and governments in Australia and overseas. The views of these stakeholders – across the public and private sectors – differed considerably in a range of areas. This, in itself, is a part of the problem: there is often no agreed consensus on key topics and therefore on the right pathway forward.
This report begins with a review of what 5G is, the current state of technology and rollouts, and the implications and considerations for the cybersecurity of 5G networks, and then looks at the current vendor environment, market opportunities and barriers to entry and diversity, leading to recommendations for the way forward.
What is 5G?
New generations of mobile technology come along about every 10 years, driven by increasing volumes of data, increased variety of data and the rapid velocity of change in types of data usage. The 5th generation, or 5G, the latest one, is starting to be implemented now and will ultimately replace the 4G networks that began to appear in 2010. However, existing technologies will probably still be with us alongside 5G for many years to come. Change between each mobile generation is not always a step change, and there have been incremental updates between generations. In fact, the first mobile data devices, including the first iPhone, used a technology called GPRS, which was sometimes referred to as ‘2.5G’.
The internationally accepted technical standards are set by an organisation known as the 3rd Generation Partnership Project (3GPP1). As the name implies, this was originally for 3G mobile networks, but it’s taken the lead for 4G and 5G without an update of its name.
It’s generally accepted that true 5G networks require the implementation of at least R15 of the 3GPP standard.2 In simple terms, there are three key components of ‘real’ 5G:
Faster mobile broadband speeds: This is generally the most common public perception of 5G—how many gigabits of speed can be provided to a mobile handset and hence how quickly you can download an ultra-HD movie to your phone. However, this is unlikely to be what delivers transformational change in how we use mobile devices; nor will it provide the revenues to justify the investment made by network operators.
Ultra-reliable low-latency communications: These are needed for extremely time-sensitive and mission-critical applications, such as remote factory automation and so on. It’s even been suggested that this could enable remote robotic surgery in which a surgeon is able to get real-time feedback on how the patient reacts to steps taken and can reliably make changes that are implemented in real time.
Massive machine-to-machine communications: 5G networks will enable a much greater density of transmitting and receiving devices, especially if they’re sending small amounts of data. This will enable large-scale monitoring, measuring and sensing applications in which large numbers of devices directly communicate with each other without human intervention—machine-to-machine communications. This is sometimes also referred to as the ‘internet of things’. While this is already starting to happen, 5G networks will enable exponential growth in the numbers of connected devices.
Other key features, depending on how networks are configured, can include ‘edge computing’, in which the equivalents of current cloud computing capabilities are brought closer to wireless devices to enable more rapid processing, and ‘network slicing’, in which different customers, applications, or both can have their own virtual slices of a common physical network.
In the underlying technology stack (see box), a key part of 5G network architecture is increased ‘virtualisation’, in which more and more functionality is implemented in software, including even the underlying network topology. This enables greater flexibility and agility in how they will be used, but also, as we shall see, brings greater complexity and potential security vulnerabilities.
It would be fair to say that no one really knows what 5G networks will be used for—including the service providers who will need to commercialise and monetise them. However, it’s certain that they’ll drive ever more usage and reliance on mobile data networks, and in particular more and more critical applications, transforming our way of life in ways not yet even imagined. Of course, this isn’t unusual for new technologies—remember that the worldwide explosion in SMS messaging since the late 1990s came from an obscure engineering feature included in the 2G mobile specifications that was intended for network service messages.
5G technology components
At the conceptual level, a telecoms network consists of:
a radio access network (RAN)—antennas and electronics that convert between the radio signals sent to and from wireless devices and the bits and bytes sent as signals on network cables and inside computer equipment
a core network that manages and carries the network traffic between the mobile devices and the other computer and network components, and also authenticates and provisions services to users
traditional ICT—routers, switches and servers that provide the data transport, storage, processing and logic.
Within each of these ‘black boxes’ are a huge number of electronic components, some of which are specialised for the functions of 5G, such as high-density antennas and signal processing, and some of which are more generic (Figure 1).
Figure 1: A 5G network
The overall user experience is delivered by applications and services that run across the top of these components: different bits of software may run on different components of the system but work together to provide a seamless experience for the user. One of the differences in moving to 5G is that more and more will be done in software, and in order to provide the full experience the application service provider will need to run specific software on more parts of the network.
For example, today a messaging service such as WhatsApp requires specialised software running on the end-user device and on the WhatsApp servers. Tomorrow, supporting remote surgical procedures via a 5G network may require software running on the radio access nodes and servers at the edge of the network to meet the response time requirements.
This virtualisation will enable greater service customisation, scale and optimisation. The standards even envisage ‘network slicing’, in which there may be a dedicated ‘slice’ across the whole system for a particular user group and application service—effectively, computational and network resources on every box reserved just for them.
Overview of current 5G technology maturity
Preparations for 5G by telecommunications network operators are proceeding at pace. At the end of 2019, it was estimated that 348 operators in 199 countries had announced plans to invest in 5G.3
However, implementation and take-up have been slow to date. Only 77 operators have deployed 5G technology, and 61 operators in 34 countries have launched services. Although only limited 5G-enabled devices are currently available, Ericsson estimates that there were 13 million users globally at the end of 2019, mostly driven by take-up in Korea and China.4 The same report forecasts an estimated 2.6 billion active 5G subscriptions by 2025, but even that pre-pandemic estimate would still be less than a third of all mobile subscriptions.
While a glance at advertising material might make you think that fully featured 5G networks are commonplace in many major countries, the advertising doesn’t tell you that those deployments are often only part of the overall 5G capability. Generally, operators have implemented radio interfaces that allow users to experience the faster mobile broadband speeds of 5G, but not other features.
Even the radio interfaces are generally not using the cloud-based radio processing included in the 5G standards. Almost all currently deployed networks are built on top of existing 3G/4G networks (referred to as ‘NSA’, or non-stand-alone), which has allowed rapid rollout. That means that, while 5G coverage may be limited (for example, to just parts of major cities in Australia), users can have a seamless experience when moving in and out of 5G coverage. Chinese mobile providers had previously announced plans to deploy a stand-alone (SA) 5G network in the last quarter of 2019, but appear to have settled for an initial NSA deployment.
A full 5G core and SA network architecture will be needed to enable the other key features, such as low latency and massive machine-to-machine communications, and hence many of the transformational and mission-critical applications. This will require significant new investment in an environment in which network operators have had low margins from their existing businesses, even before the pandemic. The last-minute decision by China Telecom to change its deployment from an SA network to NSA probably confirms the challenges in implementing SA networks and the immaturity of the technology. That said, we are seeing some evidence of SA deployments this year despite all the disruption, for example with Telstra claiming to have made their network “standalone-ready” in May 2020,5 but it’s clear that the full concepts and designs for true next-generation architectures and applications are still emerging.
5G standards and interoperability
Looking at the current 5G standards, it’s clear that there’s much to be defined. The current widely-implemented version of the 3GPP standard is R15, which really focuses on migration from 4G to 5G, and even for this operators have noted that different vendors have different approaches to the coexistence of the generations and to fallback from 5G to 4G when 5G isn’t available. The next version of the standard, R16, issued in July 2020, starts to look at specific use cases such as industrial internet of things applications and better power consumption, but we’ll need to wait for R17, the scope of which isn’t even confirmed yet, in order to define some of the more critical features.
A further complication is that the agreement of standards, once considered a very dry subject in which technical experts put their heads together and collaborate to get the best technical outcomes, has now become politicised. Some nation-states have realised that there are advantages in influencing choices towards areas where they have expertise and technical leadership. This can help provide ‘first mover’ advantage in implementation and can also often deliver value from existing patents in the form of royalties (from manufacturers that make standards-compliant products) that can be reinvested in R&D to maintain a leading position.
As an example, in May 2018, it appears that Chinese companies were pressured into backing a Huawei proposal over one from US rival Qualcomm, and Lenovo’s founder was forced to issue a statement denying the company had been unpatriotic and failed to back its compatriot in the final round of voting.6 This is hardly surprising, given that homegrown technologies are often a matter of national pride, and China has set an explicit goal of becoming ‘a standards-issuing country’.7 The rewards for success in influencing the standards can be immense, in the form of both tangible, monetary rewards (licensing fees can be worth several billions of dollars a year to a company) and the intangible—the ability to influence how technology is used (see, for example, recent proposals by Huawei to the International Telecommunication Union for a ‘New IP’ internet architecture, which some have seen as an attempt to introduce new, authoritarian-friendly values).8
Therefore, standard setting has become a key to global power and influence, but Australia and other allies don’t appear to have recognised this and hence aren’t currently in a position to compete in this sphere.
Although 5G is based on an ‘open standard’ published by the 3GPP consortium, there are still factors that work against easy interoperability. Apart from the usual engineering challenge that different engineers may interpret standards differently, the standards definition process may be being manipulated, and in any case lags well behind what vendors are developing and carriers are implementing. The challenges from immature technology and the standards processes are undoubtedly a factor driving carriers to prefer single-vendor end-to-end solutions.
Although 3GPP, a body dominated by carriers and vendors, has become the de facto leader in mobile network standards, it is only one of a number of potential bodies. There is a potential overlap with the International Telecommunication Union, which is an international, member-state, treaty-based organisation, and there are also other competing standards bodies such as ISO and ETSI. Making a choice about how and where to develop standards has become a matter of values and geopolitics, often at the expense of technology considerations.
Some carriers have recognised these challenges, in particular in relation to radio signalling and the problems of getting different base stations to work together, and have established their own initiatives, such as the OpenRAN venture under the Facebook-headed Telecom Infra Project. This initiative is intended to reduce the expense of providing internet and voice services by standardising the design and functionality of hardware and software in the RAN, increasing the number of companies that can supply components for the infrastructure that carries mobile traffic. There are a number of competing interests at play here: carriers and Facebook would like telecommunications in general to be cheaper; incumbents would prefer no increase in competition; and some states have interests in promoting national champions. Despite this, the OpenRAN initiative appears to be gathering momentum, with at least one global player, Nokia, recently committing to Open RAN interfaces.9
Another development has been the announcement by a number of global carriers, including Telstra, of the establishment of the 5G Future Forum, which intends to produce uniform interoperability specifications, develop public and private marketplaces to enhance access to technology and share global best practice.10
If these sorts of initiatives don’t succeed and the global 5G market ends up with different vendors dominant in different geographies, without clear standards and interoperability, there’s a very real risk of long-term incompatibilities that will undermine many of the potential benefits. After all, it’s happened before—in the 1990s, the major US carriers chose a technology called CDMA, while the rest of the world followed the GSM standard.11 The current lack of a major US network equipment vendor is probably at least partially due to that bifurcation—US companies concentrated on developing a technology that no one else used and ended up in a technical dead end.
5G and cybersecurity
Why is cybersecurity seen as so critical for 5G networks? Because 5G isn’t just the next natural stage in the evolution of wireless networks. 5G is about more than movie downloads. The likely applications and use cases will become critical to the functioning of governments, companies and society, including cyber-physical and safety-critical systems that will rely on the network. Not only do we need to be concerned about the confidentiality of data and users on the network, but we also need to consider the impacts of an attacker potentially compromising the availability and integrity of the systems, including the risks of the attacker being able to take down the whole network at once.
Australian and many other governments have already identified telecommunications networks as critical national infrastructure that’s essential to the effective functioning of society and therefore requiring additional regulation and attention, and it’s easy to understand why.12 In Australia in recent months, we’ve seen the chaos caused by outages of electronic payment (EFTPOS) systems for a few hours, making it impossible for people to buy basic items because they’re unused to carrying cash.13
Now imagine the impact of a smart city suddenly losing all traffic sensor data and the ability to control traffic lights. An attacker could cause major accidents by maliciously changing the data being sent to traffic lights. In fact, given some of the potential applications enabled by 5G, it could be possible to cause major disruption by more subtle changes. If applications such as remote driving of vehicles rely on ultra-low latency, what would happen if an attacker introduced a small delay to some or all network traffic?
The increasing importance of the network, combined with the increased risk that a cyber breach will cause major real-world consequences, means that the cybersecurity of 5G networks must be a critical consideration, planned and accounted for from the outset. Risk management approaches should also consider the more sensitive functions that are used by national security and law enforcement authorities, such as compliance with legislation on telecommunications interception and data retention, which may create additional security risks.
Building an understanding of 5G security requires integrating security and the 5G network architecture. Both suffer from a major skills gap in Australia14 and globally,15 so we would expect a major shortage of professionals with a detailed understanding of both, exacerbated by the fact that 5G architectures are complex and still evolving.
One example is the debate about the separation of the ‘core’ and ‘edge’ components of a 5G network. Can they be effectively segregated so that a threat in the edge can’t affect the core? Australian authorities say they can’t be effectively segregated, whereas UK authorities appear to be suggesting they can. Without getting involved in the details of the debate here, it’s likely that the true answer is that it depends on architectural choices and complex overall system-level interactions. Concepts such as network slicing will make this even more complex. End users are given effective control and exclusive use of an end-to-end slice of the network, and attention will need to be paid to the security safeguards required to minimise the risk of them escaping their own virtual slice and getting access to other parts of the network.
Vendor trust and security
The issue of vendor trust and security has been prominent in discussions about 5G security. Australia and the US have announced decisions to bar certain vendors, the UK has been formulating a compromise approach (although this seems to be still evolving),16 and active debates in Europe are seemingly close to reaching a conclusion.
The risks from using a particular vendor can be many and varied. Much commentary on the subject talks about hardware ‘backdoors’ being inserted by a vendor at the factory,17 but that’s probably not the biggest issue. In fact, it’s probably an unhealthy focus that can drive the debate onto specific component manufacturers, when the bigger risks probably come higher up the technology stack.
A much more worrying vendor risk occurs when carriers are critically dependent on vendors for maintaining the quality of service and so give the vendors access to the live network for support and maintenance. The nature of 5G networks as ‘software defined everything’ also means that there are security risks throughout the network that can be hidden in the complexity of software—vulnerabilities that are deliberately introduced by the vendor, or that come from genuine errors and oversights.
Different vendors have different approaches to and cultures of security. The extent to which they use approaches such as secure software development, system integrity validation and third-party supplier checks can be a useful guide, as well as their approach to the reporting and patching of security issues.
However, the control and ownership of vendors, in particular those from nation-states in which companies may be subject to extrajudicial direction, has, to date, been the main criterion used to measure vendor risk.18 This should be broadened to consider all sources of risk. As well as foreign ownership and control, vendor threats can come from insiders, such as rogue employees, even in a vendor from a trusted country, and also depend on the quality of the security culture and secure-by-design approaches used by a vendor. This leads to a spectrum of vendor risk levels that can be used to guide appropriate treatments.
We can sensibly decide to exclude very high risk vendors, but since no vendor will be zero-risk, other mitigation measures will be needed in addition. While, given the criticality of 5G networks, we should impose a high standard of cybersecurity control and risk management across the network even for the lowest risk vendors, additional measures may be needed for intermediate levels. It’s important that carriers understand these requirements and can factor the different security costs into their procurement decisions (so potentially avoiding the incentive to simply choose the cheapest supplier who isn’t excluded due to being very high risk).
Independent testing of vendor equipment may be of some use to assess and mitigate risk (see, for example, the Huawei testing facility set up and used by the UK over the past few years), but it’s not just a matter of testing the product from the factory. For any software components, each new release will require retesting, and in a 5G world the software becomes the most critical layer. The public reports from the UK testing facility19 show a series of damning findings and a lack of any assurance that identified flaws are resolved effectively. This means that, at best, this approach can be only a small part of a broader strategy.
In some cases, architectural approaches can be used to mitigate the risk. For example, end-to-end encryption could be used to mitigate the risk that particular network equipment could have unnecessary access to user details and data on the network. However, if we look at the risk of an adversary seeking to completely disable a network, the vendor risk is much greater, as ultimately the end-to-end network works only if every component in the chain is working—RAN, core access and routing.
This means it isn’t just a matter of assessing and using a vendor with an acceptable level of risk. Any farmer will tell you to avoid monoculture—growing just one crop means that one disease can wipe you out overnight. Similarly, if a network is dependent on a single vendor and a vulnerability is found, the vendor becomes untrusted for some reason or the company collapses, the equipment will be almost impossible to replace, and entire networks can become at risk overnight.
Therefore, as well as vendor trust, we need to ensure vendor diversity and redundancy in design.
Operators need to have confidence that multiple vendors’ equipment can interoperate, and ideally have multiple vendors’ systems in service for each major function. This will provide resilience and options to reduce dependence on a particular vendor if circumstances change. In a given carrier’s network, there should be at least two vendors for each key equipment type, and across the market there should be four or more viable suppliers considered acceptable to use. These are bare minimums from a competition policy and resilience perspective; from a long-term resilience point of view, there should be as many vendors as possible, subject to ensuring that each has critical mass and is commercially sustainable in the long term.
The 5G vendor landscape
The dominant vendors in the 5G market are generally considered to be Huawei and ZTE from China, Nokia from Finland and Ericsson from Sweden. This is certainly the case in the 5G network equipment sector, although they have some competition from Samsung (Korea) for radio equipment and Cisco (US) for the network core. There’s more competition in the devices market and for switches and routers. The main market players are shown in Figure 2.
Figure 2: The main 5G players
Source: Adapted with permission from James A Lewis, How will 5G shape innovation and security: a primer, Center for Strategic and International Studies, Washington DC, 2018, 4, online.
Figure 2 shows that Chinese companies are major players in the network equipment market, but not (yet) runaway leaders. Ericsson and Huawei have very similar shares of the RAN equipment market, and Nokia isn’t far behind, and for the evolved packet core Ericsson leads Huawei. The US is also starting to have a presence among market leaders in the core network, where much of the future growth is expected. All three network equipment categories show very strong concentration: only two or three non-Chinese vendors in each category have any significant market share.
Considering the RAN in more detail, the OpenRAN initiative mentioned above is creating opportunities for new entrants. In January this year, O2, the Telefonica-owned UK mobile operator, announced plans to engage new UK- and US-based entrants, including Mavenir, DenseAir and WaveMobile, in an OpenRAN deployment.20 In November 2018, Vodafone revealed that it had issued a request for information covering tests for OpenRAN-compatible solutions and received responses from seven vendors, only one of which (Samsung) appears in the list above; the others were a mix of US, French and Indian companies. Vodafone then ran a request for quote process for the deployment of OpenRAN across 100,000 sites on its European networks.
Down at the component level, there’s greater diversity. For specialised radio components, such as small cell antenna arrays and power amplifiers, European and US companies dominate, and for specialised field-programmable gate arrays, which are essential for high-power embedded processing, there are really only two major manufacturers: Intel and Xilinx, which are both US companies.
This confirms that, if the US continues to enforce the listing of Huawei on the ‘Entity List’, and thus prohibit exports of US-made components to it, there would be serious impacts on Huawei’s ongoing manufacturing capability, at least in the short to medium term.
If we look further up the stack to the services and applications layer, that’s where many critical applications will be implemented, which also provides an opportunity to reduce dependence on the network equipment (for example through end-to-end encryption). The use cases and applications are only now being defined and implemented, so it’s too early to identify the key players in this space, but it will be an important one in which to understand vendor trust and act accordingly.
Market opportunities and barriers
The 5G infrastructure spend was US$784 million in 2019 and is forecast to be US$47.8 billion in 2027.21
This estimate didn’t account for the impact of Covid-19, which is likely to cause some delays and cutbacks, but the market over the next few years is still likely to be highly lucrative as a whole, although the accessible RAN market may be less so due to the high market share of low-cost Chinese vendors.
While a significant portion of the revenue will go to the established players noted above, there are still opportunities for new entrants to gain significant revenue, given that the development and building of fully featured 5G networks is still at an early stage.
Compared to earlier generations of mobile technology, 5G offers more opportunities for new entrants to the market. This is because in 5G architectures a significant number of functions become virtualised and are implemented in software. This opens up opportunities for software solution providers unconstrained by the costs and timescales of bespoke hardware development—especially if they can write efficient, fast and reliable code to implement mission-critical use cases. This world of ‘software defined everything’ means that innovative and potentially sovereign businesses have the opportunity to add trust and value at the software layer.
The RAN equipment market presents particular challenges—it traditionally requires specialist hardware for antennas, radio signal generation and reception, and signal processing. Significant investment and time are needed to develop new hardware for the new frequencies, higher speeds and more devices that 5G will need to support. However, the 5G architecture does mean that, even for radio processing that’s traditionally done using specialised hardware at the antenna site, signals can be digitised and processed in software at remote sites.
In other network equipment classes, there will still be barriers to entry. The established players can be expected to compete strongly to maintain market dominance. They’ll also use the immaturity of standards to persuade service providers that it’s lower risk to use a single end-to-end provider. From discussions with providers for this report, this could resonate, especially given consumers’ focus on service quality. Telecoms companies nowadays prefer to buy managed services from vendors rather than build and integrate systems themselves. This means that when there are service outages they have a ‘single throat to choke’ (their vendor’s), rather than having to referee finger-pointing between vendors. A shortage of systems engineering skills has also been identified as a major barrier to enabling telecoms companies to consider developing multivendor environments, along with the challenge of needing to develop expensive interoperability testing facilities.
The third area of opportunity is in developing and running applications and services across the network to implement 5G use cases. In this case, the market for software to implement new applications is wide open, given that the applications have often not even been defined, or in some cases probably not even imagined yet.22 However, we can still expect the leading network equipment vendors to compete strongly, given their obvious adjacency and the opportunity to grow their businesses. Revenue streams from network equipment sales, in addition to any state subsidies, can be used to fund major R&D budgets and aggressive pricing. Antidumping provisions are especially difficult to manage for software, given the low cost of production, and carriers will always have financial drivers to choose the cheapest option without necessarily paying heed to broader requirements for vendor diversity and risk management.
Established vendors, wherever they’re from, can be expected to promote the perceived benefits of their end-to-end integration, critical mass and established brand recognition. They may use their control of the platform to seek to set up trusted ecosystems (think of Apple iOS devices and the App Store) in the name of security and openness, while in practice setting up barriers to entry. We can also imagine groups of platform, software and hardware vendors from one country, with implicit or explicit encouragement from their government, looking to set up collective monopolies. Carriers will see advantages in single-vendor solutions, in reducing performance risks, reducing their requirements for system integration skills etc. The challenge will be to persuade major carriers to look at the broader risk landscape, to be willing to integrate multi-vendor solutions and to put faith in emerging companies for what would be expected to be a long-term investment.
Recommendations for developing the trusted vendor market
We’ve noted that there are significant opportunities for vendors from Australia and allied countries to develop critical technology. However, they face significant competition from established players with economies of scale, and in some cases direct or indirect foreign government support. Appropriate policy actions will be needed to overcome the barriers in order to open up genuine opportunity for a broader range of vendors and provide the diversity that we need to improve the security and resilience of our 5G ecosystem.
Take a graduated approach to risk assessment and mitigation
There is a need for appropriate market signals to encourage carriers to choose lower risk vendors. There’s already, in Australia and some other countries, an outright ban on very high risk vendors, but, given the spectrum of risk, regulation should also ensure that the increased security costs of choosing a higher risk option sit with the carrier, rather than, for example, national cyber authorities being responsible for extra costs as they seek to protect carrier networks against vendor threats and mitigate risk.
The Australian Cyber Security Centre should develop a comprehensive framework of recommended vendor risk ratings based on various factors. The ratings should be used to define mandated risk-mitigation actions based on risks, which could include tailored levels of isolation, control and monitoring of any access that vendors are given to live networks for support and maintenance purposes, along with limitations on offshore managed service provision and offshore data storage.
Another example could be ensuring that sensitive and critical functions (such as lawful interception and audit logging) are segregated and can be separately managed using highly trusted solutions independent of the main network equipment vendors.
Regulate competition
Competition and merger policy levers should also be used to ensure fair opportunity for new entrants by limiting consolidation, preventing cross-subsidies of existing major vendors when selling new capabilities, and perhaps even mandating major vendors to subcontract a portion of the work.
This could include identifying where companies may be receiving subsidies from nation-state governments, and whether trade and international agreements provide remedies to address unfair competition impacts.
These restrictions should apply to all existing major vendors, not just those from high-risk jurisdictions. It wouldn’t be an appropriate approach to just pick one or two ‘winners’ from the existing major European and US vendors—a rich, diverse, vendor pool is needed to ensure the long-term resilience of our 5G networks.
Expand industry development policy and invest in key technologies
We’ve seen that building 5G vendor diversity can also be an economic opportunity for Australia. Therefore, we should ensure that industry policy promotes this. While we have a strong start-up culture, we need to ensure that successful companies are able to scale up rapidly to credibly compete and serve the global market.
Regulatory barriers that prevent or slow scale-up should be identified and addressed, and action is also needed to address the problem of access to capital. The Australian Government should establish an investment fund that can fund key technologies critical to our national security. It could be modelled, for example, on the National Security Strategic Investment Fund set up by the UK.23 Its remit would probably be broader than the scope of this paper, but it could certainly help to support the scale-up of 5G technologies. Another model to consider could be the recent US$1.25 billion proposal from a group of US senators to fund new R&D and a multilateral project fund for 5G technologies.24
Encourage a more open network equipment market
Given the desired objective of vendor diversity, we need to ensure that carriers have both the right incentives and the confidence to move away from the single-vendor environment. To assist this, the government should establish, fund and manage an independent test facility for 5G networks. This should be fully modular to allow the testing of different components from different vendors (for an example of how this can be done, see the Open 5G Core project25). As well as enabling interoperability testing, this would also enable security and vulnerability research and testing at the overall 5G system level, which we’ve noted is currently a poorly understood area. Potentially, this could be a joint undertaking with other allied countries, such as Canada and New Zealand, to reduce costs, but we caution that Australia should be a major contributor to it and hence able to use its influence to achieve our own national security objectives.
Consideration should be given to mandating that network providers use multiple vendors for key components. This may be difficult to implement, and network providers may have concerns over the burden that it imposes. However, doing so would go a long way towards overcoming the possibility of ‘monoculture’ security risk. Other countries, such as the UK, have discussed going in a similar direction, and that may allow Australia to learn lessons from their experience and devise an appropriate approach for our circumstances.
We need to ensure active engagement with 3GPP on standards setting to avoid politicisation and ensure that choices that maximise overall security and resilience, and market opportunity for new entrants, are made. This will include the identification of the key use cases for priority development, seeking to avoid choices reliant on foreign patents, and preference for the best technical choices based on open standards and implementation. Current responsibility for such engagement is diffused among different organisations, so one organisation needs to be given the mandate and funding to lead this work.
We’ve noted the challenges with standards-setting bodies, so, if engagement there doesn’t prove effective, there may be a need for local regulations to mandate open interfaces for the most critical functions, especially where they’re needed to provide the option to segregate critical functions to be carried out by sovereign vendors. As an example, for lawful interception, open internal interfaces, referred to as X1, X2 and X3, would allow the administration of warrants and the intercepted data to be partitioned securely. Ideally, we could seek to align such regulations with those of other like-minded countries, but in the absence of agreement Australia may need to act alone in our own interest.
Address RAN equipment supply
Even though the RAN forms only one part of the overall 5G network, the small number of suppliers and its criticality to the overall availability of the network indicate that equipment supply should receive some focus from policy-makers. Although it does not seem likely to lead to security or diversity benefits in the short term, if the OpenRAN initiative gains more momentum it will also provide opportunities for new entrants. Australia should work with allies and other countries that do not have domestic suppliers or interests in promoting their national champions to encourage further adoption of the OpenRAN standard to allow more vendors into this marketplace using appropriate combinations of grants and incentives to carriers to encourage them to adopt this standard.
Invest for the future
Finally, action needs to be taken to prepare for the future to avoid a repetition of this situation with other emerging technologies. Australia needs to invest in developing and commercialising technologies for artificial intelligence, 6G, quantum computing and other emerging fields. In building the right skills pipeline, we should also address current perceived skills gaps. We need systems engineers who can design and build systems bringing together components and technologies from different companies.
Conclusions
5G networks are the next generational uplift in mobile communications technology. They’ll enable not only fast speeds but more reliable, low-latency communications and massive machine-to-machine communication, enabling new applications for which security will be critical. While there are significant identified risks to the privacy and confidentiality of data on the network, and the users, there are also risks from an adversary seeking to completely take down a communications network or compromise its integrity. There are a number of potential causes, but a significant one is trust in the vendors whose equipment is used. Various countries have made differing decisions on excluding specific vendors considered to be high risk, but the discussion needs to move on, as reliance on one or two ‘not high risk’ vendors will still create major security risks. Long-term security and resilience depend on a diverse vendor ecosystem.
Fortunately, the technology and rollout plans for ‘real’ 5G are still developing, so now’s the time to take appropriate action. We recommend that urgent action be taken to identify opportunities for developing new capabilities, the barriers to market entry, and policy actions to encourage new entrants and build a diverse 5G vendor ecosystem. Table 1 summarises our findings and recommendations.
Table 1: Findings and recommendations
We should seek to work in coordination with our allies and other like-minded countries for maximum impact. However, if we wait to first build global consensus it’s likely that we’ll miss the window of opportunity. Australia took the lead in making the decision to exclude the highest risk vendors and now needs to lead in taking the next set of actions required for the long-term security and stability of 5G infrastructure, and in parallel encourage others to work with us in this endeavour.
Acknowledgements
The author thanks those government and industry stakeholders who made themselves available for discussions and openly shared their thoughts and perspectives, and ASPI colleagues who provided constructive comments on this report. The author also thanks all anonymous peer reviewers for their feedback. No specific sponsorship was received to fund production of this report. The work of ICPC would not be possible without the financial support of our partners and sponsors across governments, industry and civil society.
What is ASPI?
The Australian Strategic Policy Institute was formed in 2001 as an independent, non‑partisan think tank. Its core aim is to provide the Australian Government with fresh ideas on Australia’s defence, security and strategic policy choices. ASPI is responsible for informing the public on a range of strategic issues, generating new thinking for government and harnessing strategic thinking internationally. ASPI’s sources of funding are identified in our Annual Report, online at www.aspi.org.au and in the acknowledgements section of individual publications. ASPI remains independent in the content of the research and in all editorial judgements.
ASPI International Cyber Policy Centre
ASPI’s International Cyber Policy Centre (ICPC) is a leading voice in global debates on cyber, emerging and critical technologies, issues related to information and foreign interference and focuses on the impact these issues have on broader strategic policy. The centre has a growing mixture of expertise and skills with teams of researchers who concentrate on policy, technical analysis, information operations and disinformation, critical and emerging technologies, cyber capacity building, satellite analysis, surveillance and China-related issues.
The ICPC informs public debate in the Indo-Pacific region and supports public policy development by producing original, empirical, data-driven research. The ICPC enriches regional debates by collaborating with research institutes from around the world and by bringing leading global experts to Australia, including through fellowships. To develop capability in Australia and across the Indo-Pacific region, the ICPC has a capacity building team that conducts workshops, training programs and large-scale exercises for the public and private sectors.
We would like to thank all of those who support and contribute to the ICPC with their time, intellect and passion for the topics we work on. If you would like to support the work of the centre please contact: icpc@aspi.org.au
Important disclaimer
This publication is designed to provide accurate and authoritative information in relation to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering any form of professional or other advice or services. No person should rely on the contents of this publication without first obtaining advice from a qualified professional.
This publication is subject to copyright. Except as permitted under the Copyright Act 1968, no part of it may in any form or by any means (electronic, mechanical, microcopying, photocopying, recording or otherwise) be reproduced, stored in a retrieval system or transmitted without prior written permission. Enquiries should be addressed to the publishers. Notwithstanding the above, educational institutions (including schools, independent colleges, universities and TAFEs) are granted permission to make copies of copyrighted works strictly for educational purposes without explicit permission from ASPI and free of charge.
First published September 2020. ISSN 2209-9689 (online), ISSN 2209-9670 (print)
Funding: No specific sponsorship was received to fund production of this report.
For more information on 3GPP membership and activities, see About 3GPP home, 3GPP, 2020, online.
Kelly Hill, ‘5G deployment faces a skills gap’, RCR Wireless News, 4 April 2019, online.
UK Government, ‘Coronavirus (COVID‑19): what you need to do’, Gov.UK, 28 February 2020, online.
See, for example, Peter Bright, ‘Bloomberg alleges Huawei routers and network gear are backdoored’, ArsTechnica, 5 January 2019, online.
Scott Morrison, Mitch Fifield, ‘Government provides 5G security guidance to Australian carriers’, joint media release, 23 August 2018, online.
‘Huawei cyber security evaluation centre oversight board: annual report 2019’, UK Cabinet Office, 28 March 2019, online.
Bevin Fletcher, ‘UK’s O2 taps non‑traditional vendors for O‑RAN project’, FierceWireless, 16 January 2020, online.
‘5G Infrastructure Market by Communication Infrastructure, Core Network, Network Architecture, Operational Frequency, End User & Geography ‑ Global Forecast to 2027’, MarketsandMarkets, Oct 2019, online.
As an example, in the late 1990s some companies made huge revenues from developing software to send short service messages around 2G networks—which was ultimately used for the explosion in SMS communication.
‘British Business Bank launches £85m National Security Strategic Investment Fund (NSSIF) Programme to support development of advanced dual‑use technologies’, news release, British Business Bank, 31 July 2018, online.
Mark R Warner, ‘National security senators introduce bipartisan legislation to develop 5G alternatives to Huawei’, press release, 14 January 2020, online.
Ensuring a trusted 5G ecosystem of vendors and technology (2020-09-17)
While most major international social media networks remain banned from the Chinese market in the People’s Republic of China (PRC), Chinese social media companies are expanding overseas and building up large global audiences. Some of those networks—including WeChat and TikTok—pose challenges, including to freedom of expression, that governments around the world are struggling to deal with.
The Chinese ‘super-app’ WeChat, which is indispensable in China, has approximately 1.2 billion monthly active users1 worldwide, including 100 million installations outside of China.2 The app has become the long arm of the Chinese regime, extending the PRC’s techno-authoritarian reach into the lives of its citizens and non-citizens in the diaspora.3 WeChat users outside of China are increasingly finding themselves trapped in a mobile extension of the Great Firewall of China through which they’re subjected to surveillance, censorship and propaganda. This report also shows how Covid-19 has ushered in an expanded effort to covertly censor and control the public diplomacy communications of foreign governments on WeChat.
Newcomer TikTok, through its unparalleled growth in both Asian and Western markets, has a vastly larger and broader global audience of nearly 700 million as of July 2020.4 This report finds that TikTok engages in censorship on a range of political and social topics, while also demoting and suppressing content. Case studies in this report show how discussions related to LGBTQ+ issues, Xinjiang and protests currently occurring in the US, for example, are being affected by censorship and the curation and control of information. Leaked content moderation documents have previously revealed that TikTok has instructed “its moderators to censor videos that mention Tiananmen Square, Tibetan independence, or the banned religious group Falun Gong,” among other censorship rules.5
Both Tencent and ByteDance, the companies that own and operate WeChat and TikTok, respectively, are subject to China’s security, intelligence, counter-espionage and cybersecurity laws. Internal Chinese Communist Party (CCP) committees at both companies are in place to ensure that the party’s political goals are pursued alongside the companies’ commercial goals. ByteDance CEO Zhang Yiming has stated on the record that he will ensure his products serve to promote the CCP’s propaganda agenda.6
While most major international social media platforms have traditionally taken a cautious and public approach to content moderation, TikTok is the first globally popular social media network to take a heavy-handed approach to content moderation. Possessing and deploying the capability to covertly control information flows, across geographical regions, topics and languages, positions TikTok as a powerful political actor with a global reach.
What’s the solution?
The global expansion of Chinese social media networks continues to pose unique challenges to policymakers around the world. Thus far governments have tended to hold most major international social media networks and Chinese social media networks to different standards. It’s imperative that states move to a policy position where all social media and internet companies are being held to the same set of standards, regardless of their country of origin or ownership.
This report recommends (on page 50) that governments implement transparent user data privacy and user data protection frameworks that apply to all social media networks. If companies refuse to comply with such frameworks, they shouldn’t be allowed to operate. Independent audits of social media algorithms should be conducted. Social media companies should be transparent about the guidelines that human moderators use and what impact their decisions have on their algorithms. Governments should require that all social media platforms investigate and disclose information operations being conducted on their platforms by state and non-state actors. Disclosures should include publicly releasing datasets linked to those information campaigns.
Finally, all of these recommended actions would benefit from multilateral collaboration that includes participation from governments, the private sector and civil society actors. For example, independent audits of algorithms could be shared by multiple governments that are seeking the same outcomes of accountability and transparency; governments, social media companies and research institutes could share data on information operations; all stakeholders could share lessons learned on data frameworks.
We would like to thank Danielle Cave and Fergus Hanson for their work on this project. We would also like to thank Michael Shoebridge, Dr Samantha Hoffman, Jordan Schneider, Elliott Zaagman and Greg Walton for their feedback on this report as well as Ed Moore for his invaluable help and advice. We would also like to thank anonymous technically-focused peer reviewers.
This project began in 2019 and in early 2020 ASPI was awarded a research grant from the US State Department for US$250k, which was used towards this report. The work of ICPC would not be possible without the financial support of our partners and sponsors across governments, industry and civil society.
First published September 2020.
ISSN 2209-9689 (online), ISSN 2209-9670 (print)
Funding for this report was provided by the US State Department.
TikTok and WeChat (2020-09-08)
This new ASPI report canvasses the extraordinary recent developments in genome sequencing and genetic engineering, which will transform all biological enterprises, including healthcare, among the most important parts of the global economy. It argues that there is a once-in-a-generation opportunity for Australia to play a leading role in a major economic and revolution with digital deliverables, capitalising on our high quality biomedical science, agricultural R&D and healthcare systems.
The report identifies a number of elements for Australia to realize this opportunity. First and foremost, a national strategic and action plan is required for the collection and integration of genomic, clinical and smart sensor data for healthcare, and the development of advanced analytical software and point-of-care reporting systems, which can be exported to the world. This plan needs to be resourced by the Australian government, as a major public good infrastructure project.
Such information will be part of the very fabric of healthcare and drug development in the future. More broadly, genomic information will be used in infection tracing, customs, quarantine, protection of commercial rights, quality control, provenance, security and policing, among others. It will accelerate the identification of valuable traits in animals, plants and microorganisms. Genetic engineering can now be done with speed, sophistication and precision that were unimaginable just a few years ago, and will enhance the efficiency, quality and range of biological production.
There are resourcing, privacy, vulnerabilities, sensitivities and national security issues to consider, protections to be put in place, and social licenses to be obtained. Big-data analysis skills need to be taught in science and engineering, and built into research institutions as well as health, agricultural and environmental management enterprises and agencies.
Biodata and biotechnology: Opportunity and challenges for Australia (2020-08-27)
The Chinese Communist Party’s global search for technology and talent
NOTE:
In Policy Brief Report No. 35 ‘Hunting the Phoenix’ by Alex Joske and published by the Australian Strategic Policy Institute, reference was made to Professor Wenlong Cheng, Professor and Director of Research, Chemical Engineering at Monash University. The author and the Australian Strategic Policy Institute accept Professor Cheng’s indication that he did not accept nor derive any benefit from the Thousand Talents Plan, or been involved in or contributed to China’s defence development. Further, the author and the Australian Strategic Policy Institute did not intend to imply that Professor Cheng had engaged in any discreditable conduct and if any reader understood the publication in that way, any such suggestion is withdrawn. The author and the Australian Strategic Policy Institute apologise to Professor Cheng for any hurt caused to him.
What’s the problem?
The Chinese Communist Party (CCP) uses talent-recruitment programs to gain technology from abroad through illegal or non-transparent means. According to official statistics, China’s talent-recruitment programs drew in almost 60,000 overseas professionals between 2008 and 2016. These efforts lack transparency; are widely associated with misconduct, intellectual property theft or espionage; contribute to the People’s Liberation Army’s modernisation; and facilitate human rights abuses.
They form a core part of the CCP’s efforts to build its own power by leveraging foreign technology and expertise. Over the long term, China’s recruitment of overseas talent could shift the balance of power between it and countries such as the US. Talent recruitment isn’t inherently problematic, but the scale, organisation and level of misconduct associated with CCP talent-recruitment programs sets them apart from efforts by other countries. These concerns underline the need for governments to do more to recognise and respond to CCP talent-recruitment activities.
The mechanisms of CCP talent recruitment are poorly understood. They’re much broader than the Thousand Talents Plan—the best known among more than 200 CCP talent-recruitment programs. Domestically, they involve creating favourable conditions for overseas scientists, regardless of ethnicity, to work in China.1 Those efforts are sometimes described by official sources as ‘building nests to attract phoenixes’.2
This report focuses on overseas talent-recruitment operations—how the CCP goes abroad to hunt or lure phoenixes. It studies, for the first time, 600 ‘overseas talent-recruitment stations’ that recruit and gather information on scientists. Overseas organisations, often linked to the CCP’s united front system and overlapping with its political influence efforts, are paid to run most of the stations.3
What’s the solution?
Responses to CCP talent-recruitment programs should increase awareness and the transparency of the programs.
Governments should coordinate with like-minded partners, study CCP talent-recruitment activity, increase transparency on external funding in universities and establish research integrity offices that monitor such activities. They should introduce greater funding to support the retention of talent and technology.
Security agencies should investigate illegal behaviour tied to foreign talent-recruitment activity.
Funding agencies should require grant recipients to fully disclose any participation in foreign talent-recruitment programs, investigate potential grant fraud and ensure compliance with funding agreements.
Research institutions should audit the extent of staff participation in foreign talent-recruitment programs. They should act on cases of misconduct, including undeclared external commitments, grant fraud and violations of intellectual property policies. They should examine and update policies as necessary. University staff should be briefed on foreign talent-recruitment programs and disclosure requirements.
Introduction
The party and the state respect the choices of those studying abroad. If you choose to return to China to work, we will open our arms to warmly welcome you. If you stay abroad, we will support you serving the country through various means.
—Xi Jinping, 2013 speech at the 100th anniversary of the founding of the Western Returned Scholars Association, which is run by the United Front Work Department.4
The CCP views technological development as fundamental to its ambitions. Its goal isn’t to achieve parity with other countries, but dominance and primacy. In 2018, General Secretary Xi Jinping urged the country’s scientists and engineers to ‘actively seize the commanding heights of technological competition and future development’.5 The Made in China 2025 industrial plan drew attention to the party’s long-held aspiration for self-sufficiency and indigenous innovation in core industries, in contrast to the more open and collaborative approach to science practised by democratic nations.6
The CCP treats talent recruitment as a form of technology transfer.7 Its efforts to influence and attract professionals are active globally and cover all developed nations. The Chinese Government claims that its talent-recruitment programs recruited as many as 60,000 overseas scientists and entrepreneurs between 2008 and 2016.8 The Chinese Government runs more than 200 talent-recruitment programs, of which the Thousand Talents Plan is only one (see Appendix 1).
The US is the main country targeted by these efforts and has been described by Chinese state media as ‘the largest “treasure trove” of technological talent’.9 In addition to the US, it’s likely that more than a thousand individuals have been recruited from each of the UK, Germany, Singapore, Canada, Japan, France and Australia since 2008.10
Future ASPI International Cyber Policy Centre research will detail Chinese Government talent-recruitment efforts in Australia. Past reports have identified a handful of Australian participants in China’s talent-recruitment programs, including senior and well-funded scientists, and around a dozen CCP-linked organisations promoting talent-recruitment work and technology transfer to China.11 However, the scale of those activities is far greater than has been appreciated in Australia.
China’s prodigious recruitment of overseas scientists will be key to its ambition to dominate future technologies and modernise its military. Participants in talent-recruitment programs also appear to be disproportionately represented among overseas scientists collaborating with the Chinese military. Many recruits work on dual-use technologies at Chinese institutions that are closely linked to the People’s Liberation Army.
These activities often exploit the high-trust and open scientific communities of developed countries. In 2015, Xi Jinping told a gathering of overseas Chinese scholars that the party would ‘support you serving the country through various means’.12 As detailed in Bill Hannas, James Mulvenon and Anna Puglisi’s 2013 book Chinese industrial espionage, those ‘various means’ have often included theft, espionage, fraud and dishonesty.13 The CCP hasn’t attempted to limit those behaviours. In fact, cases of misconduct associated with talent programs have ballooned in recent years. The secrecy of the programs has only been increasing.
The CCP’s talent-recruitment efforts cover a spectrum of activity, from legal and overt activity to illegal and covert work (Figure 1). Like other countries, China often recruits scientists through fair means and standard recruitment practices. It gains technology and expertise from abroad through accepted channels such as research collaboration, joint laboratories and overseas training. However, overt forms of exchange may disguise misconduct and illegal activity. Collaboration and joint laboratories can be used to hide undeclared conflicts of commitment, and recruitment programs can encourage misconduct. Participants in talent-recruitment programs may also be obliged to influence engagement between their home institution and China. The Chinese Government appears to have rewarded some scientists caught stealing technology through talent-recruitment programs. In some cases, Chinese intelligence officers may have been involved in talent recruitment. Illustrating the covert side of talent recruitment, this report discusses cases of espionage or misconduct associated with talent recruitment and how the Chinese military benefits from it (Appendix 2).
Figure 1: The spectrum of the CCP’s technology transfer efforts
Talent-recruitment work has been emphasised by China’s central government since the 1980s and has greatly expanded during the past two decades.14 In 2003, the CCP established central bodies to oversee talent development, including the Central Coordinating Group on Talent Work (中央人才工作协调小组), which is administered by the Central Committee’s Organisation Department and includes representation from roughly two dozen agencies.15 In 2008, the party established the national Overseas High-level Talent Recruitment Work Group (海外高层次人才引进工作小组) to oversee the Thousand Talents Plan (see box).16 Local governments around China also regularly hold recruitment events at which overseas scientists are signed up to talent-recruitment schemes and funding initiatives.17 This demonstrates how talent-recruitment efforts are a high priority for the CCP, transcending any particular bureaucracy and carried out from the centre down to county governments.
The Overseas High-level Talent Recruitment Work Group
The Overseas High-level Talent Recruitment Work Group was established in 2008 to oversee the implementation of the Thousand Talents Plan. It’s administered by the Central Committee’s Organisation Department, which plays a coordinating role in talent recruitment work carried out by government and party agencies. Its members include the Ministry of Human Resources and Social Security, the Ministry of Education, the Ministry of Science and Technology, the People’s Bank of China, the State-owned Assets Supervision and Administration Commission, the Chinese Academy of Sciences, the United Front Work Department (UFWD) of the Central Committee of the CCP, the National Development and Reform Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security, the Ministry of Finance, the Overseas Chinese Affairs Office (now part of the UFWD), the Chinese Academy of Engineering, the National Natural Science Foundation, the State Administration of Foreign Experts Affairs (now part of the Ministry of Science and Technology), the Communist Youth League of China and the China Association for Science and Technology.18
To illustrate the international reach of CCP talent recruitment, the ASPI International Cyber Policy Centre (ICPC) has created an original database of 600 overseas talent-recruitment stations. The operation of the stations is contracted out to organisations or individuals who are paid to recruit overseas scientists. They might not have a clear physical presence or might be co-located with the organisations contracted to run them (see box). This is a growing part of the CCP’s talent-recruitment infrastructure—providing on-the-ground support to the CCP’s efforts to identify and recruit experts from abroad—but it has never been analysed in detail before.
Features of overseas talent-recruitment stations
Overseas organisations or individuals contracted by the CCP to carry out talent-recruitment work
Often run by overseas united front groups
Tasked to collect information on and recruit overseas scientists
Promote scientific collaboration and exchanges with China
Organise trips by overseas scientists to China
Present across the developed world
May receive instructions to target individuals with access to particular technologies
Paid up to A$30,000 annually, plus bonus payments for each successful recruitment
The database was compiled using open-source online information from Chinese-language websites. Those sources included Chinese Government websites or media pages announcing the establishment of overseas recruitment stations and websites affiliated with overseas organisations running recruitment stations. We carried out keyword searches using various Chinese terms for talent-recruitment stations to identify their presence across the globe. An interactive version of the map of stations is in the online version of this report (Figure 2).
Figure 2: Overseas recruitment stations and their links back to China
Note: Stations are geo-located to city level (not street level).
Using examples and case studies of stations from around the world, this report also reveals the role of the united front system in talent-recruitment work. The united front system is a network of CCP-backed agencies and organisations working to expand the party’s United Front—a coalition of groups and individuals working towards the party’s goals. Many of those agencies and organisations run overseas recruitment stations. As detailed in the ASPI report The party speaks for you: foreign interference and the Chinese Communist Party, the system is widely known for its involvement in political influence work, but its contributions to technology transfer have attracted little attention.
China’s talent-recruitment programs are unlike efforts by Western governments to attract scientific talent. As two scholars involved in advising the CCP on talent recruitment wrote in 2013, ‘The Chinese government has been the most assertive government in the world in introducing policies targeted at triggering a reverse brain drain.’19 The flow of talent from China is still largely in the direction of the US.20 However, research from the Center for Security and Emerging Technology found that the proportion of Chinese STEM PhD graduates of US universities intending to stay in the US has declined over the past two decades.21 In May 2020, the US Government announced new restrictions on visas for scientists linked to the Chinese military.22
The widespread misconduct associated with CCP talent-recruitment programs sets them apart from efforts by other nations. For example, an investigation by the Texas A&M University system found more than 100 staff linked to China’s talent programs, but only five disclosed it despite employees being required to do so.23 That level of misconduct hasn’t been reported in other countries’ talent-recruitment efforts. The absence of any serious attempt by the Chinese Government or its universities to discourage theft as part of its recruitment programs amounts to a tacit endorsement of the programs’ use to facilitate espionage, misconduct and non-transparent technology transfers.
The extent of misconduct by selectees suggests that this is enabled or encouraged by agencies overseeing the programs. Agencies at the centre of China’s talent recruitment efforts have themselves been directly involved in illegal activity. For example, an official from China’s State Administration of Foreign Experts Affairs was involved in stealing US missile technology through the recruitment of a US scientist (see Noshir Gowadia case in Appendix 2).24
Talent recruitment programs have been used to incentivise and reward economic espionage. For example, in 2013, Zhao Huajun (赵华军) was imprisoned in the US after stealing vials of a cancer research compound, which he allegedly used to apply for sponsorship there.25 A month after Zhao was released from prison, he was recruited by the Zhejiang Chinese Medicine University through the Qianjiang Scholars (钱江学者) program.26 In another case, a Coca-Cola scientist allegedly conspired with a Chinese company to secure talent-recruitment program funding on the basis of stolen trade secrets.27
Talent-recruitment programs are also tied to research commercialisation. Applicants to the Thousand Talents Plan have the option to join as ‘entrepreneurs’ rather than as scientists, supporting companies they have established in China.28 The Thousand Talents Plan is supported by the Thousand Talents Plan Venture Capital Center (千人计划创投中心), which runs competitions to pair participants with start-up funding.29
Commercial activity by talent-recruitment program participants isn’t always disclosed, which often breaches university policies on intellectual property and commercialisation. One recruit from an Australian university set up a laboratory and an artificial intelligence (AI) company in China that later received funding linked to the Thousand Talents Plan Venture Capital Center, but reportedly didn’t disclose that to his Australian university, against existing university policies. The company later supplied surveillance technology to authorities in Xinjiang.30
US investigations of participants in talent-recruitment programs have led to an increase in the programs’ secrecy, rather than reforms to make them more transparent and accountable. In September 2018, the Chinese Government began removing references to the Thousand Talents Plan from the internet and ordering organisations to use more covert methods of recruitment.31 A leaked directive told those carrying out recruitment work for the plan to not use email when inviting potential recruits to China for interviews, and instead make contact by phone or fax under the guise of inviting them to a conference (Figure 3). ‘Written notices should not contain the words “Thousand Talents Plan”’, the document states. In 2018, the official website of the Thousand Talents Plan removed all news articles about the program, before going offline in 2020.32
Figure 3: A leaked notice from September 2018 ordering organisations to use more covert methods of recruiting Thousand Talents Plan participants
Highlighted text: ‘In order to further improve work guaranteeing the safety of overseas talent, work units should not use emails, and instead use phone or fax, when carrying out the interview process. [Candidates] should be notified under the name of inviting them to return to China to participate in an academic conference or forum. Written notices should not include the words “Thousand Talents Plan”.’
Source: ‘被美國盯上 傳中國引進人才不再提千人計畫’ [Targeted by the US, it’s rumoured that China will no longer mention the 1,000 Talent Plan], CNA.com, 5 October 2018, online.
CCP technology-transfer efforts are often flexible and encourage individuals to find ways to serve from overseas. Participants in the Thousand Talents Plan, for example, have the option to enter a ‘short-term’ version of the program that requires them to spend only two months in China each year.33 Some selectees establish joint laboratories between their home institutions and their Chinese employers, which could be a way to disguise conflicts of commitment where they have agreed to spend time working for both institutions.34 This enables them to maintain multiple appointments at once, which may not be fully disclosed. This may mean that they’re effectively using time, resources and facilities paid for by their home institutions to benefit Chinese institutions.
Without residing in China, scientists can support collaboration with Chinese institutions, receive visiting Chinese scholars and students and align their research with China’s priorities. Steven X Ding (丁先春), a professor at the University of Duisburg in Germany who has also been affiliated with Tianjin University, was quoted describing this mentality when he worked as vice president of the University of Applied Science Lausitz:35
I manage scientific research at the university, which has more than 100 projects supervised by me—this is a ‘group advantage’. I can serve as a bridge between China and Germany for technological exchange … and I can make greater contributions than if I returned to China on my own. Foreign countries aren’t just advanced in their technologies, but also their management is more outstanding. Being in Germany I can introduce advanced technologies to China, assist communication, exchange and cooperation, and play a role as a window and a bridge [between China and Germany].36
The CCP’s talent-recruitment activities are also notable for their strategic implications. The deepening of ‘military–civil fusion’ (a CCP policy of leveraging the civilian sector to maximise military power) means that China’s research institutes and universities are increasingly involved in classified defence research, including the development of nuclear weapons.37 Chinese companies and universities are also working directly with public security agencies to support the oppression and surveillance of minorities through their development and production of surveillance technologies.38 Participants in talent-recruitment programs also appear to be disproportionately represented among overseas scientists collaborating with the Chinese military.39 Recruitment work by the People’s Liberation Army and state-owned defence conglomerates is described later in this report.
These structures behind talent-recruitment activity and their links to national initiatives show how it’s backed by the party’s leaders and high-level agencies and has clear objectives. This contradicts the theory that China employs a ‘thousand grains of sand’ approach to intelligence gathering or economic espionage, relying on uncoordinated waves of amateur ethnic-Chinese collectors to hoover up technology.40 Indeed, what may be one of the most egregious charges of misconduct related to a talent-recruitment program involves Harvard Professor Charles Lieber, a nanotechnologist with no Chinese heritage, who was arrested in 2020 for allegedly failing to disclose a US$50,000 monthly salary he received from a Chinese university as part of the Thousand Talents Plan.41 As shown by the case of Zheng Xiaoqing, who allegedly stole jet turbine technology from GE Aviation while joining the Thousand Talents Plan as part of a Jiangsu State Security Department operation, talent recruitment can at times involve professional intelligence officers (see Appendix 2).
In 2012, Peter Mattis, an expert on CCP intelligence activity, wrote that ‘The “grains of sand” concept focuses analytic attention on the [counter-intelligence] risk individuals pose rather than on government intelligence services.’42 In the case of talent-recruitment programs, interpreting them through the lens of a ‘grains of sand’ model would place greater emphasis on individuals involved in the programs while neglecting the mechanisms of talent recruitment activity used by the CCP. Talent-recruitment efforts are carried out with heavy involvement from the united front system and dedicated agencies such as the Ministry of Science and Technology’s State Administration of Foreign Experts Affairs.43
It isn’t an ethnic program with individual actors at its core—it’s a CCP program leveraging incentives as well as organised recruitment activity—yet it’s often framed by the party as serving the country’s ethno-nationalist rejuvenation.44
Recognising these features of CCP technology-transfer activity—such as its central and strategic guidance, implementation across various levels of the Chinese Government, high rate of misconduct and reliance on overseas recruitment mechanisms—should be fundamental to any responses to the activity.45 Poorly executed, and sometimes misguided, attempts at investigating and prosecuting suspected cases of industrial espionage have helped build an image of both the problem and enforcement actions as being driven by racial factors rather than state direction.46
Talent-recruitment stations
Chinese Government and Party agencies from the national to the district level have established hundreds of ‘overseas talent recruitment workstations’ in countries with high-quality talent, cutting-edge industries and advanced technology.47 The stations are established in alignment with central guidance on talent-recruitment work and also adapt to the needs of the various Chinese Government organs establishing them. They’re run by overseas organisations, such as community associations, and are a key part of the CCP’s little-understood talent-recruitment infrastructure.
The stations work on behalf of the Chinese Government to spot and pursue talent abroad. Their importance is reflected in the fact that research for this report has uncovered 600 stations spread across technologically advanced countries (Figure 4).48 The increasingly covert nature of talent recruitment efforts means on-the-ground measures such as talent-recruitment stations should become more important.
The highest number of stations (146) was found in the United States. However, Germany, Australia, the United Kingdom, Canada, Japan, France and Singapore also each had many stations. This underscores the global reach of China’s talent-recruitment efforts and the high level of recruitment activity in those countries.
Figure 4: The top 10 countries hosting identified talent-recruitment stations
The stations often don’t have dedicated offices or staff. Instead, they’re contracted to local professional, community, student and business organisations, such as the Federation of Chinese Professionals in Europe.49 Such organisations already have established links inside Chinese communities and receive payments in return for spotting and recruiting talent, promoting research collaboration and hosting official delegations from China. The organisations are often linked to the CCP’s united front system and may be involved in mobilising their members to serve the party’s goals—whether cultural, political or technological. In at least two cases, talent-recruitment stations have been linked to alleged economic espionage.
Talent-recruitment stations have been established since at least 2006, and the number has grown substantially since 2015.50 The recent expansion may be related to policies associated with the 13th Five-Year Plan (2016–2020) that advocated strengthening talent-recruitment work ‘centred on important national needs’.51 Of the 600 stations identified in this report, more than 115 were established in 2018 alone (Figure 5).52
Figure 5: Talent recruitment stations established each year, 2008 to 2018
Note: Only stations with verified establishment dates are included.
Politics and talent recruitment intersecting in Canada
In July 2016, the Fujian Provincial Overseas Chinese Affairs Office, part of the united front system, sent representatives, including its director (pictured first from left in Figure 6), around the world to establish talent-recruitment stations.53 Four were established in Canada. John McCallum, a Canadian politician who resigned as ambassador to China in 2019 after urging the government to release Huawei CFO Meng Wanzhou, was pictured (second from right) at the opening of a station run by the Min Business Association of Canada (加拿大闽商总会).54 The association’s chairman, Wei Chengyi (魏成义, first from right), is a member of several organisations run by the UFWD in China and has been accused of running a lobbying group for the Chinese Consulate in Toronto.55
Figure 6: The opening ceremony
Source: ‘Fujian Overseas Chinese Affairs Office’s first batch of four overseas talent recruitment sites landed in Canada’, fjsen.com, 21 July 2016, online.
We obtained several talent-recruitment station contracts, contract templates and regulations that shine a light on the stations’ operations (Figure 7). They reveal that organisations hosting stations are paid an operating fee, receive bonuses for every individual they recruit and are often required to recruit a minimum number of people each year. Those organisations are also collecting data on foreign scientists and research projects. They organise talent-recruitment events, host and arrange visiting Chinese Government delegations and prepare trips to China for prospective recruits.56
Figure 7: A talent recruitment contract signed between the Human Resources and Social Security Bureau of Qingrong District in Chengdu and a Sino-German talent-exchange association
Source: ‘About this overseas talent workstation’, German-Chinese Senior Talent Exchange and Economic and Trade Cooperation Promotion Association, 12 July 2017, online.
Organisations running recruitment stations can receive as much as ¥200,000 (A$40,000) for each individual they recruit. In addition, they’re paid as much as ¥150,000 (A$30,000) a year for general operating costs.57
CCP talent-recruitment agencies gather large amounts of data on overseas scientists, and overseas talent-recruitment stations may be involved in this information-gathering work. Domestically, the Thousand Talents Think Tank (千人智库), which is affiliated with the UFWD, claims to hold data on 12 million overseas scientists, including 2.2 million ethnic Chinese scientists and engineers.58 In 2017, a Chinese think tank produced a database of 6.5 million scientists around the world, including 440,000 AI scientists, as a ‘treasure map’ for China’s development of AI technology and a resource for talent recruitment.59 Abroad, recruitment stations set up by Tianjin City are instructed to ‘grasp information on over 100 high-level talents and an equivalent amount of innovation projects’.60 Qingdao City’s overseas stations are required to collect and annually update data on at least 50 individuals at the level of ‘associate professor, researcher or company manager’ or higher.61 The Zhuhai City Association for Science and Technology tasks its overseas stations with ‘collecting information on overseas science and technology talents, technologies and projects through various channels’.62
Information about overseas technologies and scientists is used for targeted recruitment work that reflects the technological needs of Chinese institutions. For example, Shandong University’s overseas recruitment stations recommend experts ‘on the basis of the university’s needs for development, gradually building a talent database and recommending high-level talents or teams to the university in a targeted way’.63 The Guangzhou Development Zone ‘fully takes advantage of talent databases held by their overseas talent workstations … attracting talents to the zone for innovation and entrepreneurship through exchange events and talks’.64
However, the 600 stations identified in this report are probably only a portion of the total number of stations established by the CCP. The real number may be several hundred greater. For example, we identified 90 stations established by the Jiangsu Provincial Government or local governments in the province, yet in 2017 the province’s Overseas Chinese Affairs Office—only one of many agencies in the province establishing overseas recruitment stations—stated that it had already established 121 stations.65
One hundred and seventy-one identified stations were established by united front agencies such as overseas Chinese affairs offices. For many other stations, it’s unclear which part of the bureaucracy established them, so the real number of stations established by the united front system is probably much greater. Similarly, the Qingdao UFWD describes how the city’s Organisation Department produced regulations on overseas talent-recruitment stations and the UFWD advised on their implementation and encouraged united front system agencies to carry them out.66 Universities, party organisation departments, state human resources and social affairs bureaus, state-backed scientific associations and foreign experts affairs bureaus also establish overseas-recruitment stations. None of them is an intelligence agency, but the networks and collection requirements of stations mean they could benefit China’s intelligence agencies.
Overseas talent-recruitment stations are typically run by local organisations, which are contracted to operate them for a period of several years. The local groups include hometown associations, business associations, professional organisations, alumni associations, technology-transfer and education companies and Chinese students and scholars associations (CSSAs) (see box). Local host organisations have often been established with support from, or built close relationships with, agencies such as China’s State Administration for Foreign Experts Affairs and the UFWD.67 Overseas operations of Chinese companies reportedly also host talent-recruitment stations.68 In one case, a station was reportedly established in the University College Dublin Confucius Institute.69
Chinese students and scholars associations involved in running talent recruitment stations
US: Greater New York Fujian Students and Scholars Association, University of Washington CSSA, North American Chinese Student Association, UC Davis CSSA
Australia: Victoria CSSA, Western Australia CSSA, New South Wales CSSA
UK: United Kingdom CSSA
Switzerland: Geneva CSSA
Italy: Chinese Students and Scholars Union in Italy
Czech Republic: Czech CSSA
Ireland: CSSA Ireland
Hungary: All-Hungary CSSA
Provincial, municipal and district governments are responsible for most talent recruitment, yet their activities are rarely discussed. Qingdao city alone claims that it recruited 1,500 people through its recruitment stations between 2009 and 2014.70 Out of 600 recruitment stations identified in this research, only 20 were established by national organisations, such as the UFWD’s Western Returned Scholars Association (WRSA) and Overseas Chinese Affairs Office.
Similarly, over 80% of talent-recruitment programs are run at the subnational level and may attract as many as seven times as many scientists as the national programs. Between 2008 and 2016, China’s Ministry of Human Resources and Social Security determined that roughly 53,900 scholars had been recruited from abroad by local governments. More than 7,000 scholars were recruited through the Thousand Talents Plan and Hundred Talents Plan (another national talent-recruitment program) over the same period.71
Case study: Zhejiang’s recruitment work in the United Kingdom
A 2018 CCP report on Zhejiang Province’s overseas talent-recruitment work mentioned that it had established 31 overseas recruitment stations. According to the report, Brunel University Professor Zhao Hua (赵华) from the UK is one of the scientists recruited through their efforts.72 Zhao is an expert in internal combustion engines who was recruited to Zhejiang Painier Technology (浙江派尼尔科技公司), which produces ‘military and civilian-use high-powered outboard engines’.73
The partnership between Zhao and Zhejiang Painier Technology was formed with the help of a talent-recruitment station and reportedly attracted ¥300 million (A$60 million) in investment.74 The Zhejiang UK Association (英国浙江联谊会) runs as many as four talent-recruitment stations and has recruited more than 100 experts for Zhejiang Province or cities in the province.75 They include a station for Jinhua, the city where Zhejiang Painier Technology is based, so it could have been the organisation that recruited Professor Zhao.76
The Zhejiang UK Association’s founding president is Lady Bates (or Li Xuelin, 李雪琳), the wife of Lord Bates, Minister of State for International Development from 2016 until January 2019.77 Accompanied by her husband, Lady Bates represented the association at the establishment of a recruitment station for Zhejiang Province’s Jinhua city in 2013 (Figure 8).78 She was a non-voting delegate to the peak meeting place of the CCP-led United Front—the Chinese People’s Political Consultative Conference (CPPCC)—and is a member of the UFWD-run China Overseas Friendship Association.79
Figure 8: Lord (first row, second from right) and Lady Bates (first row, centre)
Source: ‘英国浙江联谊会再次携手浙江——与金华市政府签署设立金华英国工作站协议’ [British Zhejiang Friendship Association joins hands with Zhejiang again—Signed an agreement with Jinhua Municipal Government for the establishment of Jinhua UK Workstation], ZJUKA, no date, online.
Counsellor Li Hui (李辉), a senior united front official from the Chinese Embassy in London, praised the association at the station’s founding.80 In particular, he noted Lady Bates’s use of her personal connections to arrange for the signing ceremony to be held in the Palace of Westminster.81
Talent-recruitment stations help arrange visits by Chinese delegations. For example, the Australian alumni association of Northwestern Polytechnical University (NWPU) became a recruitment station for the university and Xi’an City, where the university is located, in 2018.82 It arranged meetings between NWPU representatives and leading Australian-Chinese scientists and helped the university sign partnerships with them. Within a month, it claimed to have introduced five professors from universities in Melbourne to NWPU, although it’s unclear how many of them were eventually recruited by the university.83 NWPU specialises in aviation, space and naval technology as one of China’s ‘Seven Sons of National Defence’—the country’s leading defence universities.84 It’s been implicated in an effort to illegally export equipment for antisubmarine warfare from the US.85
Overseas talent-recruitment organisations also run competitions and recruitment events for the Chinese Government. For example, in 2017, the UFWD’s WRSA held competitions around the world, including in Paris, Sydney, London and San Francisco, in which scientists pitched projects in the hope of receiving funding from and appointments in China. The events were held with the help of 29 European, Singaporean, Japanese, Australian and North American united front groups for scientists.86 Organisations including the University of Technology Sydney CSSA and the Federation of Chinese Scholars in Australia (全澳华人专家学者联合会)—a peak body for Chinese-Australian professional associations that was set up under the Chinese Embassy’s guidance—have partnered with the Chinese Government to hold recruitment competitions tied to the Thousand Talents Plan.87 As described below, CSSAs have run recruitment events for Chinese military institutions and state-owned defence companies.
Talent recruitment in Japan
The All-Japan Federation of Overseas Chinese Professionals (中国留日同学会) is the leading united front group for ethnic Chinese scientists and engineers in Japan. It describes itself as having been established in 1998 under the direction of the UFWD and the UFWD’s WRSA, which is a dedicated body used by the department to interact with and influence scholars with overseas connections.88
Every president of the federation has also served as a council member of the WRSA or the China Overseas Friendship Association, which is another UFWD-run body.89 It runs at least eight talent-recruitment stations—organising talent-recruitment events in Japan and bringing scientists to talent-recruitment expos in China—and reportedly recruited 30 scientists for Fujian Province alone.90 Despite its involvement in the CCP’s technology-transfer efforts, it has partnered with the Japan Science and Technology Agency to run events.91 Former prime minister Hatoyama Yukio (鸠山由纪夫) attended the opening of a WRSA overseas liaison workstation run by the group—the first established by the WRSA (Figure 9).92
Figure 9: Former Japanese prime minister Hatoyama Yukio at the opening of a WRSA workstation
While raw numbers of recruited scientists are occasionally published, specific examples of scientists recruited by individual stations are difficult to find. In 2018, Weihai, a city in Shandong Province, released the names of 25 scientists recruited through stations in Japan and Eastern Europe.93 Among the recruits were medical researchers and AI specialists, including a Ukrainian scientist specialising in unmanned aerial vehicles who was recruited by Harbin Institute of Technology—one of China’s leading defence research universities.94
Case study: The Changzhou UFWD’s overseas network
The UFWD of Changzhou, a city between Shanghai and Nanjing, has established talent-recruitment stations around the world. The UFWD set up the stations alongside its establishment of hometown associations for ethnic Chinese in foreign countries. This illustrates the united front system’s integration of technology-transfer efforts and political and community influence work.
In October 2014, a delegation led by the Changzhou UFWD head Zhang Yue (张跃) travelled to Birmingham to oversee the founding of the UK Changzhou Association (英国常州联谊会). Zhang and the president of the UK Promotion of China Re-unification Society (全英华人华侨中国统一促进会) were appointed as the association’s honorary presidents.95 A united front official posted to the PRC Embassy in London also attended the event.96
The association immediately became an overseas talent-recruitment station for Changzhou and a branch of the Changzhou Overseas Friendship Association, which is headed by a leader of the Changzhou UFWD.97 According to a CCP media outlet, the association ‘is a window for external propaganda for Changzhou and a platform for talent recruitment’ (Figure 10).98
Figure 10: A plaque awarded by the Changzhou City Talent Work Leading Small Group Office to its ‘UK talent recruitment and knowledge introduction workstation’ in 2014
Three days later, the Changzhou UFWD delegation appeared in Paris for the founding of the France Changzhou Association (法国常州联谊会). Again, the Changzhou UFWD head was made honorary president and the association became a talent-recruitment station and a branch of the Changzhou Overseas Friendship Association. CCP media described it as ‘the second overseas work platform established by Changzhou’ under the leadership of Changzhou’s Overseas Chinese Federation, which is a united front agency.99
As detailed in a report published by the province’s overseas Chinese federation, these activities were part of the Changzhou united front system’s strategy of ‘actively guiding the construction of foreign overseas Chinese associations’.100 By 2018, when the report was published, the city had established associations in Australia, Canada, Singapore, the US and Hong Kong and was in the middle of establishing one in Macau. The founding of the Australian association was attended by a senior Changzhou UFWD official, Victorian Legislative Assembly member Hong Lim and Australian Chinese-language media mogul Tommy Jiang (姜兆庆).101
Economic espionage
The following two case studies demonstrate how talent-recruitment stations and their hosting organisations have been implicated in economic espionage and are often closely linked to the CCP’s united front system.
Case study: Cao Guangzhi
In March 2019, Tesla sued its former employee Cao Guangzhi (曹光植, Figure 11), alleging that he stole source code for its Autopilot features before taking it to a rival start-up, China’s Xiaopeng Motors.102
In July, he admitted to uploading the source code to his iCloud account but denies stealing any information.103 Tesla calls Autopilot the ‘crown jewel’ of its intellectual property portfolio and claims to have spent hundreds of millions of dollars over five years to develop it.104 Additional research on the subject of this ongoing legal case shows a pattern of cooperation between Cao and the CCP’s united front system on talent-recruitment work dating back to nearly a decade before the lawsuit.
Figure 11: Cao Guangzhi (far left) with other co-founders of the Association of Wenzhou PhDs USA
Source: ‘全美温州博士协会 “藏龙卧虎”,有古根海姆奖得主、苹果谷歌工程师···’ [The ‘Hidden Dragon and Crouching Tiger’ of the Wenzhou Doctors Association of the US; there are Guggenheim Award winners, Apple Google engineers…], WZRB, 14 April 2017, online.
When Cao submitted his doctoral thesis to Purdue University in 2009, he and three friends established the Association of Wenzhou PhDs USA (全美温州博士协会).105 All four hail from Wenzhou, a city south of Shanghai known for the hundreds of renowned mathematicians who were born there.106 From its inception, the association has worked closely with the PRC Government. A report from Wenzhou’s local newspaper claims that the Wenzhou Science and Technology Bureau, Overseas Chinese Affairs Office and Overseas Chinese Federation gave the group a list of US-based PhD students and graduates from the town, whom they then recruited as members.107 The head of the Wenzhou UFWD praised the association during a 2010 trip to America as ‘the first of its kind and highly significant’.108
The Association of Wenzhou PhDs USA carries out talent recruitment on behalf of the CCP. The year after its establishment, it signed an agreement with the UFWD of a county in Wenzhou to run a talent-recruitment station that gathers information on overseas scientists and carries out recruitment work.109 That year, it also arranged for 13 of its members to visit Wenzhou for meetings with talent-recruitment officials from organisations such as the local foreign experts affairs bureau110 and with representatives of local companies. Several of the members also brought their research with them, presenting technologies such as a multispectral imaging tool.111
Within a few years of its founding, the association had built up a small but elite group of more than 100 members. By 2017, its members reportedly included Lin Jianhai (林建海), the Wenzhou-born secretary of the International Monetary Fund; engineers from Google, Apple, Amazon, Motorola and IBM; scholars at Harvard and Yale; and six US government employees.112 At least one of its members became a Zhejiang Province Thousand Talents Plan scholar through the group’s recommendation.113 It also helped Wenzhou University recruit a materials scientist from the US Government’s Argonne National Laboratory.114
Case study: Yang Chunlai
The case of Yang Chunlai (杨春来) offers a window into the overlap of the united front system and economic espionage. Yang was a computer programmer at CME Group, which manages derivatives and futures exchanges such as the Chicago Mercantile Exchange. Employed at CME Group since 2000, he was arrested by the Federal Bureau of Investigation (FBI) in July 2011.115 In 2015, he pleaded guilty to trade secrets theft for stealing CME Group source code in a scheme to set up a futures exchange company in China. He was sentenced to four years’ probation.116
Before his arrest, Yang played a central role in a united front group that promotes talent recruitment by, and technology transfer to, China: the Association of Chinese-American Scientists and Engineers (ACSE, 旅美中国科学家工程师专业人士协会). From 2005 to 2007 he was the group’s president, and then its chairman to 2009.117
ACSE is one of several hundred groups for ethnic Chinese professionals that are closely linked to the CCP.118 ACSE and its leaders frequently met with PRC officials, particularly those from united front agencies such as the Overseas Chinese Affairs Office (OCAO),119 the CPPCC and the All-Chinese Federation of Returned Overseas Chinese. At one event, the future director of the OCAO, Xu Yousheng (许又声), told ACSE:
There are many ways to serve the nation; you don’t have to return to China and start an enterprise. You can also return to China to teach or introduce advanced foreign technology and experience—this is a very good way to serve China.120
Yang was appointed to the OCAO’s expert advisory committee in 2008.121 In 2010, he also spoke about ACSE’s close relationship with the UFWD-run WRSA.122
Further illustrating these linkages, Yang visited Beijing for a ‘young overseas Chinese leaders’ training course run by the OCAO in May 2006. Speaking to the People’s Daily during the course, Yang said, ‘It’s not that those who stay abroad don’t love China; it’s the opposite. The longer one stays in foreign lands, the greater one’s understanding of the depth of homesickness.’123 Yang also spoke of the sensitivity of source code used by companies, work on which doesn’t get outsourced. However, he hinted at his eventual theft of code by saying: ‘Of course, even with things the way they are, everyone is still looking for suitable entrepreneurial opportunities to return to China’.124
In 2009, an ‘entrepreneurial opportunity’ may have presented itself when ACSE hosted a talent-recruitment event by a delegation from the city of Zhangjiagang (张家港).125 At the event, which Yang attended (Figure 12), ACSE signed a cooperation agreement with Zhangjiagang to ‘jointly build a Sino-US exchange platform and contribute to the development of the homeland’—potentially indicating the establishment of a talent-recruitment station or a similar arrangement.126
Figure 12: Yang Chunlai (rear, second from right) at the signing ceremony for ACSE’s partnership with Zhangjiagang
Yang later wrote a letter to the OCAO proposing the establishment of an electronic trading company led by him in Zhangjiagang and asking for the office’s support.127 In mid-2010, he emailed CME Group trade secrets to officials in Zhangjiagang and started setting up a company in China. By December, he began surreptitiously downloading source code from CME Group onto a removable hard drive.128
Yang’s relationship with the OCAO probably facilitated and encouraged his attempt to steal trade secrets in order to establish a Chinese company that, according to his plea deal, would have become ‘a transfer station to China for advanced technologies companies around the world’.129
Yang’s activities appeared to go beyond promoting technology transfer; there are indications that he was also involved in political influence work. This reflects the united front system’s involvement in both technology transfer and political interference. At a 2007 OCAO-organised conference in Beijing, Yang said that he had been encouraged by CPPCC Vice Chairman and Zhi Gong Party Chairman Luo Haocai to actively participate in politics, which he described as ‘a whip telling overseas Chinese to integrate into mainstream society’. He added, ‘I estimate that [ACSE] can influence 500 votes’ in the 2008 US presidential election.130 Yang also befriended politicians, including one senator, who wrote a letter to the judge testifying to Yang’s good character.131 In his OCAO conference speech, he highlighted the appointment of Elaine Chao as US Secretary of Labor and her attendance at ACSE events.132
Talent recruitment and the Chinese military
Talent recruitment is also being directly carried out by the Chinese military. For example, the National University of Defense Technology (NUDT, the People’s Liberation Army’s premier science and technology university) has recruited at least four professors from abroad, including one University of New South Wales supercomputer expert, using the Thousand Talents Plan.133
Outside of formal talent-recruitment programs, NUDT has given guest professorships to numerous overseas scientists. For instance, Gao Wei (高唯), an expert in materials science at New Zealand’s University of Auckland, was awarded a distinguished guest professorship at NUDT in May 2014.134
Gao is closely involved in CCP talent-recruitment efforts. In 2016, he joined Chengdu University as a selectee of the Sichuan Provincial Thousand Talents Plan.135 Just a month before joining NUDT, he signed a partnership with the State Administration of Foreign Experts Affairs as president of the New Zealand Chinese Scientists Association (新西兰华人科学家协会).136 In 2018, the association agreed to run a talent-recruitment station for an industrial park in Shenzhen.137 He has reportedly served as a member of the overseas expert advisory committee to the united front system’s OCAO.138 In 2017, at one of the OCAO’s events, Gao expressed his desire to commercialise his research in China and said that ‘even though our bodies are overseas, we really wish to make our own contributions to [China’s] development’.139
The military’s recruitment of scientists is supported by the same network of overseas recruitment stations and CCP-linked organisations that are active in talent-recruitment work more generally.
Chinese military recruitment delegations have travelled around the world and worked with local united front groups to hold recruitment sessions. In 2014, the New South Wales Chinese Students and Scholars Association (NSW-CSSA, 新南威尔士州中国学生学者联谊会) held an overseas talent-recruitment event for NUDT and several military-linked civilian universities.140 The NSW-CSSA is a peak body for CSSAs and holds its annual general meetings in the Chinese Consulate in the presence of Chinese diplomats.141 In 2013, NUDT held a recruitment session in Zürich organised by the Chinese Association of Science and Technology in Switzerland (瑞士中国学人科技协会).142 A similar event was held in Madrid in 2016.143
The Chinese Academy of Engineering Physics (CAEP), which runs the military’s nuclear weapons program, is particularly active in recruiting overseas experts. By 2014, CAEP had recruited 57 scientists through the Thousand Talents Plan.144 It runs the Center for High Pressure Science and Technology Advanced Research in Beijing in part as a platform for recruiting overseas talent. The institute doesn’t mention its affiliation with CAEP on its English-language website, yet it’s run by a Taiwanese-American scientist who joined CAEP through the Thousand Talents Plan.145 So many scientists from the US’s Los Alamos National Laboratory (a nuclear weapons research facility) have been recruited to Chinese institutions that they’re reportedly known as the ‘Los Alamos club’.146
CAEP also holds overseas recruitment events. At a 2018 event in the UK, a CAEP representative noted the organisation’s intention to gain technology through talent recruitment, saying ‘our academy hopes that overseas students will bring some advanced technologies back, and join us to carry out research projects.’147
Chinese state-owned defence conglomerates are engaged in the same activities. China Electronics Technology Group Corporation (CETC), which specialises in developing military electronics, has been building its presence in Austria, where it opened the company’s European headquarters in 2016 and runs a joint laboratory with Graz University of Technology.148 As part of its expansion, it held a meeting of the European Overseas High-level Talent Association (欧洲海外高层次人才联谊会) in 2017 that was attended by dozens of scientists from across Europe. Later that year, CETC reportedly held similar meetings and recruitment sessions in Silicon Valley and Boston.149 In 2013, the head of CETC’s 38th Research Institute, which specialises in military-use electronics such as radar systems, visited Australia and met with a local united front group for scientists.150 Several members of the group from the University of Technology Sydney attended the meeting, and two years later the university signed a controversial $10 million partnership with CETC on technologies such as AI and big data.151
The Chinese Government’s primary manufacturer of ballistic missiles and satellites, China Aerospace Science and Technology Corporation, has held recruitment sessions in the US and UK through the help of local CSSAs.152
In addition to traditional defence institutions (military institutes and defence companies), China’s civilian universities are increasingly involved in defence research and have also recruited large numbers of overseas scientists. ASPI ICPC’s China Defence Universities Tracker has catalogued and analysed the implementation of military–civil fusion in the university sector.153 The policy of military–civil fusion has led to the establishment of more than 160 defence laboratories in Chinese universities, and such defence links are particularly common among leading Chinese universities that attract the greatest share of talent-recruitment program participants.154 Many recruits end up working in defence laboratories or on defence projects.155
Recommendations
The CCP’s use of talent-recruitment activity as a conduit for non-transparent technology transfer presents a substantial challenge to governments and research institutions. Many of those activities fly under the radar of traditional counterintelligence work, yet they can develop into espionage, interference and illegal or unethical behaviour.
While this phenomenon may still be poorly understood by many governments and universities, it can often be addressed by better enforcement of existing regulations. Much of the misconduct associated with talent-recruitment programs breaches existing laws, contracts and institutional policies. The fact that it nonetheless occurs at high levels points to a failure of compliance and enforcement mechanisms across research institutions and relevant government agencies. Governments and research institutions should therefore emphasise the need to build an understanding of CCP talent-recruitment work. They must also ensure that they enforce existing policies, while updating them as necessary. This report recommends the introduction of new policies to promote transparency and accountability and help manage conflicts of interest.
For governments
We recommend that governments around the world pursue the following measures:
Task appropriate agencies to carry out a study of the extent and mechanisms of CCP talent-recruitment work, including any related misconduct, in their country.
Ensure that law enforcement and security agencies are resourced and encouraged to investigate and act on related cases of theft, fraud and espionage.
Explicitly prohibit government employees from joining foreign talent-recruitment programs.
Introduce clear disclosure requirements for foreign funding and appointments of recipients of government-funded grants and assessors of grant applications.
Ensure that funding agencies have effective mechanisms and resources to investigate compliance with grant agreements.
Ensure that recipients of government research funding are required to disclose relevant staff participation in foreign talent-recruitment programs.
Establish a public online database of all external funding received by public universities and their employees and require universities to submit and update data.
Establish a national research integrity office that oversees publicly funded research institutions, produces reports for the government and public on research integrity issues, manages the public database of external funding in universities, and carries out investigations into research integrity.
Brief universities and other research institutions about CCP talent-recruitment programs and any relevant government policies.
Develop recommendations for universities and other research institutions to tackle talent-recruitment activity. This can draw on the Guidelines to counter foreign interference in the Australian university sector developed by a joint government and university sector taskforce on foreign interference.156
Create an annual meeting of education, science and industry ministers from like-minded countries to deepen research collaboration within alliances, beyond existing military and intelligence research partnerships, and coordinate on issues such as technology and research security.
Increase funding for the university sector and priority research areas, such as artificial intelligence, quantum science and energy storage, perhaps as part of the cooperation proposed above.
Develop national strategies to commercialise research and build talent.
For research institutions
We recommend that research institutions such as universities pursue the following measures:
Carry out a comprehensive and independent audit of participation in CCP talent-recruitment programs by staff.
Ensure that there’s sufficient resourcing to implement and ensure compliance with policies on conflicts of interest, commercialisation, integrity and intellectual property.
Fully investigate cases of fraud, misconduct or nondisclosure. These investigations should determine why existing systems failed to prevent misconduct and then discuss the findings with relevant government agencies.
In conjunction with the government, brief staff on relevant policies on and precautions against CCP talent-recruitment programs.
Strengthen existing staff travel databases to automatically flag conflicts with grant commitments and contracts.
Update policies on intellectual property, commercialisation, research integrity, conflicts of interest and external appointments where necessary.
Participants in CCP talent-recruitment programs should be required to submit their contracts with the foreign institution (both English and Chinese versions) and fully disclose any remuneration.
Appendix
Two appendices accompany this report:
Appendix 1: Selected Chinese government talent-recruitment programs
Appendix 2: Cases and alleged cases of espionage, fraud and misconduct
I would like to thank Jichang Lulu, Lin Li, Elsa Kania, John Garnaut, Danielle Cave, Fergus Hanson, Michael Shoebridge and Peter Jennings for their support and feedback on this report. Lin Li helped compile the database of talent-recruitment stations. Alexandra Pascoe provided substantial help in researching and writing the case summaries in Appendix 2. Audrey Fritz and Emily Weinstein contributed valuable research on talent-recruitment programs. I would also like to thank anonymous peer reviewers who provided useful feedback on drafts of the report. The US Department of State provided ASPI with US$145.6k in funding, which was used towards this report.
What is ASPI?
The Australian Strategic Policy Institute was formed in 2001 as an independent, non-partisan think tank. Its core aim is to provide the Australian Government with fresh ideas on Australia’s defence, security and strategic policy choices. ASPI is responsible for informing the public on a range of strategic issues, generating new thinking for government and harnessing strategic thinking internationally. ASPI’s sources of funding are identified in our Annual Report, online at www.aspi.org.au and in the acknowledgements section of individual publications. ASPI remains independent in the content of the research and in all editorial judgements.
ASPI International Cyber Policy Centre
ASPI’s International Cyber Policy Centre (ICPC) is a leading voice in global debates on cyber and emerging technologies and their impact on broader strategic policy. The ICPC informs public debate and supports sound public policy by producing original empirical research, bringing together researchers with diverse expertise, often working together in teams. To develop capability in Australia and our region, the ICPC has a capacity building team that conducts workshops, training programs and large-scale exercises both in Australia and overseas for both the public and private sectors. The ICPC enriches the national debate on cyber and strategic policy by running an international visits program that brings leading experts to Australia.
Important disclaimer
This publication is designed to provide accurate and authoritative information in relation to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering any form of professional or other advice or services. No person should rely on the contents of this publication without first obtaining advice from a qualified professional.
This publication is subject to copyright. Except as permitted under the Copyright Act 1968, no part of it may in any form or by any means (electronic, mechanical, microcopying, photocopying, recording or otherwise) be reproduced, stored in a retrieval system or transmitted without prior written permission. Enquiries should be addressed to the publishers. Notwithstanding the above, educational institutions (including schools, independent colleges, universities and TAFEs) are granted permission to make copies of copyrighted works strictly for educational purposes without explicit permission from ASPI and free of charge.
First published August 2020. ISSN 2209-9689 (online) ISSN 2209-9670 (print)
Those conditions include lucrative wages, the creation of tailored venture capital firms and dedicated technology parks. For an influential and detailed study of the domestic infrastructure of PRC technology-transfer efforts, as well as much of its overseas activities through the State Administration of Foreign Experts Affairs, in particular, see Bill Hannas, James Mulvenon, Anna Puglisi, Chinese industrial espionage: technology acquisition and military modernisation, Routledge, London and New York, 2013. ↩︎
See, for example, ‘致公党江苏省委首届“引凤工程”成果丰硕’ [Zhigong Party Jiangsu Committee’s first ‘Attracting Phoenixes Project’ has bountiful results], Jiangsu Committee of the Zhigong Party, 2 January 2011, online; Tang Jingli [唐景莉], ‘筑巢引凤聚才智 国际协同谋创新’ [Building nests to attract phoenixes and gather talents and knowledge, international collaboration for innovation], Ministry of Education, 5 April 2012, online; ‘“筑巢引凤”聚人才 浙江举行 “人才强企”推介会’ [Building nests to attract phoenixes and gather talents, Zhejiang holds the ‘strong talent enterprises’ promotional event], Zhejiang Online, 18 July 2019, online. ↩︎
See Alex Joske, The party speaks for you: foreign interference and the Chinese Communist Party’s united front system, ASPI, Canberra, June 2020, online. ↩︎
Xi Jinping [习近平], ‘习近平:在欧美同学会成立100周年庆祝大会上的讲话’ [Xi Jinping: Speech at the celebration of the 100th anniversary of the founding of the Western Returned Scholars Association], Chinese Communist Party News, 21 October 2013, online. ↩︎
‘习近平:瞄准世界科技前沿引领科技发展方向抢占先机迎难而上建设世界科技强国’ [Xi Jinping: Set sights on the cutting-edge of world science and technology and guide the direction of technological development; seize this strategic opportunity and meet the challenge of building a strong country in terms of science and technology], Xinhua, 28 May 2018, online. ↩︎
Elsa Kania, ‘Made in China 2025, explained’, The Diplomat, 2 February 2019, online; PRC State Council, ‘中国制造2025’ [Made in China 2025], www.gov.cn, 8 May 2015, online; China’s National Medium-Long Term Science and Technology Development Plan (2006–2020) highlighted the goal of indigenous innovation: online. ↩︎
China’s 2017 State Council Plan on Building a National Technology Transfer System describes talent recruitment as a form of technology transfer. See State Council, ‘国家技术转移体系建设方案’ [Plan on Building a National Technology Transfer System], www.gov.cn, 15 September 2017, online. ↩︎
‘我国留学回国人员已达265.11万人’ [The number of Chinese returning from studying abroad has reached 2,651,100], Economic Daily, 12 April 2017, online. ↩︎
‘中国驻外使领馆:万流归海引人才 不遗余力架桥梁’ [PRC overseas mission: amid the flow of tens of thousands of talents returning to China, we do not spare energy in building bridges], www.gov.cn, 4 June 2014, online. ↩︎
These estimates are based on the conservative assumption that 60,000 individuals have been recruited from abroad through CCP talent-recruitment programs since 2008. Data on 3,500 participants in the Thousand Talents Plan was used to estimate the proportion recruited from each country. ↩︎
Clive Hamilton, Alex Joske, ‘United Front activities in Australia’, Parliamentary Joint Committee on Intelligence and Security, 2018, online; Ben Packham, ‘Security experts warn of military threat from Chinese marine project’, The Australian, 10 February 2020, online; Alex Joske, ‘The company with Aussie roots that’s helping build China’s surveillance state’, The Strategist, 26 August 2019, online; Ben Packham, ‘Professor, Chinese generals co-authored defence research’, The Australian, 31 July 2019, online; Geoff Wade, Twitter, 25 February 2020, online. ↩︎
Xi Jinping [习近平], ‘习近平:在欧美同学会成立100周年庆祝大会上的讲话’ [Xi Jinping: Speech at the celebration of the 100th anniversary of the founding of the Western Returned Scholars Association]. ↩︎
Hannas et al., Chinese industrial espionage: technology acquisition and military modernization. ↩︎
‘中央引进国外智力领导小组始末’ [The beginning and end of the Central Leading Small Group for Introducing Foreign Expertise], Baicheng County Party Building Online, 30 September 2019, online. ↩︎
‘中国人才工作的新进展’ [New progress in China’s talent work], China Online, 28 June 2005, online. ↩︎
‘中共中央办公厅转发《中央人才工作协调小组关于实施海外高层次人才引进计划的意见》的通知’ [Notice on the CCP General Office circulating ‘Recommendations of the Central Talent Work Coordination Small Group on implementing the overseas high-level talent recruitment plan’], China Talent Online, 20 June 2012, online. ↩︎
‘2003年全国人才工作会议以来我国人才发展纪实’ [Recording the country’s talent development since the 2003 National Talent Work Conference], People’s Daily. Many of these events, such as Liaoning Province’s China Overseas Scholar Innovation Summit (中国海外学子创业周) and Guangzhou’s Convention on Exchange of Overseas Talents and Guangzhou, were first held before 2003. ‘2018中国海外人才交流大会开幕’ [2018 Convention on Exchange of Overseas Talents], Western Returned Scholars Association (WRSA), 24 December 2018, online; ‘海外学子创业周凸显品牌效应’ [The Overseas Scholar Entrepreneurship Week has a clear brand effect], Sina, 26 May 2010, online. ↩︎
Hunting the phoenix (nathan, 2020-08-20)
I’ve seen a number of crazy media pieces arguing that Apple’s Face ID technology has privacy implications and will enable government mass surveillance.
I disagree, and I think there’s a more sensible way to think about Face ID, phones and privacy.
Smartphones contain a great deal of personal information that is worth protecting, but because they’re so portable they’re often lost or stolen. Ideally, a phone would work only for its legitimate owner and no one else.
Fundamentally, the problem that PINs, Touch ID and Face ID are trying to solve is whether you are the phone’s owner.
Teaching an inanimate object how to recognise someone is a difficult problem. So in the smartphone world we’ve relied on proxies for identity:
something you know, such as a PIN or a password
some property of you, such as your fingerprint (Touch ID) and maybe now your face (Face ID).
In the real world, we quite often use ‘something we have’ as an assertion of identity (for example, a passport, driver’s licence or access card), but I’m not aware of that being used for smartphone identification.
All of these mechanisms are actually proxies for who you are, and don’t necessarily guarantee anything. PINs and passwords are often forgotten but can also be shared, stolen or guessed. Fingerprints can be copied and spoofed. Identical twins and doppelgangers exist, and no doubt someone will spoof Face ID.
One big advantage that biometric authentication methods such as Touch ID and Face ID have, to my mind, is that they directly address the question of who I am by looking at me. Authentication by PINs and passwords, by contrast, relies on arbitrary shared secrets that have absolutely nothing to do with me.
In my own life I recognise people by looking at them and that seems to work out okay, so at first glance it seems at least plausible that facial recognition might be an acceptable way to arrive at identity.
Assuming that the Face ID implementation is good enough for the average person—that is, there’s a low false positive rate (unlocking for the wrong person) and it’s hard to spoof—what are the implications for mass government surveillance?
The most worrisome scenario is that governments would immediately be able to access all Face ID data instantly for all users. I don’t believe that scenario: Face ID and Touch ID data is kept only on phones in Apple’s Secure Enclave; Apple fought government efforts to get data from a single phone; and Secure Enclave hasn’t publicly been hacked. Even if states have exploits, they are likely to be very high value and therefore not widely deployed because every time an exploit is used there’s a risk of discovery.
However, let’s assume I’m wrong and all smartphone data is accessible by governments. In that scenario governments already have your location, photos, messages, emails, chats, contacts and more. What extra information does Face ID provide? What other privacy concerns are there?
Governments will have better models of the shape of your head and Face ID will make them more confident that you are actually in possession of your phone, at least compared to a PIN. It’ll be easier for them to identify you.
But there are limits. It’s not clear that Face ID data would help pick you out of a crowd; Face ID will be optimised for authentication (Are you Tom? Yes/no) rather than identification (Who is this person?).
Remember also that governments potentially already have access to large datasets—such as driver’s licences, passports and mugshots—that they already own and can use without the need to either compel Apple or somehow subvert Apple’s infrastructure. Australia’s federal government, for example, already has passport data and is reportedly seeking access to driver’s licence photos from state governments for a national facial recognition database.
Really, though, if you’re concerned about mass surveillance and government access to smartphone data you should be throwing away your phone rather than worrying about the incremental privacy problems of Face ID.
Personally, I’ll wait and see how well Face ID is implemented when the iPhone X is released. If it works well as an authentication mechanism, I’ll consider using it. But I won’t worry about mass surveillance.
Apple, Face ID and privacy (marko, 2017-10-05 03:30:49)
When cyber-security professionals were polled recently at their annual Black Hat conference in Las Vegas, 60% said they expected the United States to suffer a successful attack against its critical infrastructure in the next two years. And US politics remains convulsed by the aftermath of Russian cyber interference in the 2016 election. Are cyber-attacks the way of the future, or can norms be developed to control international cyber conflict?
We can learn from the history of the nuclear age. While cyber and nuclear technologies are vastly different, the process by which society learns to cope with a highly disruptive technology shows instructive similarities. It took states about two decades to reach the first cooperative agreements in the nuclear era. If one dates the cyber-security problem not from the beginning of the internet in the 1970s, but from the late 1990s, when burgeoning participation made the internet the substrate for economic and military interdependence (and thus increased our vulnerability), cooperation is now at about the two-decade mark.
The first efforts in the nuclear era were unsuccessful United Nations–centered treaties. In 1946, the US proposed the Baruch plan for UN control of nuclear energy, and the Soviet Union promptly rejected locking itself into a position of technological inferiority. It was not until after the Cuban Missile Crisis in 1962 that a first arms control agreement, the Limited Test Ban Treaty, was signed, in 1963. The Nuclear Non-Proliferation Treaty followed in 1968, and the bilateral US–USSR Strategic Arms Limitation Treaty in 1972.
In the cyber field, Russia proposed a UN treaty to ban electronic and information weapons (including propaganda) in 1999. With China and other members of the Shanghai Cooperation Organisation, it has continued to push for a broad UN-based treaty.
The US resisted what it saw as an effort to limit American capabilities, and continues to regard a broad treaty as unverifiable and deceptive. Instead, the US, Russia, and 13 other states agreed that the UN secretary general should appoint a Group of Governmental Experts (GGE), which first met in 2004.
That group initially produced meagre results; but, by July 2015, it issued a report, endorsed by the G20, that proposed norms for limiting conflict and confidence-building measures. Groups of experts are not uncommon in the UN process, but only rarely does their work rise from the UN’s basement to a summit of the world’s 20 most powerful states. But while the GGE’s success was extraordinary, last month it failed and was unable to issue a consensus report for 2017.
The GGE process has limitations. The participants are technically advisers to the UN secretary general rather than fully empowered national negotiators. Over the years, as the number of GGE member states increased from the original 15 to 20 and then to 25, the group became more unwieldy, and political issues became more intrusive. According to one diplomat who has been central to the process, some 70 countries have expressed interest in participating. But as the numbers expand, the difficulty of reaching agreement increases.
There is a wide range of views about the future of the GGE process. A first draft of a new report existed at the beginning of this year, and the able German chairman argued that the group should not rewrite the 2015 report, but try to say more about the steps that states should take in peacetime.
Some states suggested new norms to address data integrity and maintenance of the internet’s core structures. There was general agreement about confidence-building measures and the need to strengthen capacity. The US and like-minded states pressed for further clarification of the earlier agreement that international laws of armed conflict, including the right of self-defence, apply in cyber space, but China, Russia, and their allies were reluctant to agree. And the deterioration in US–Russian relations soured the political climate.
Moreover, whereas some states hope to revive the GGE process or enlarge it into a broader UN process, others are sceptical, and believe that future progress will be limited to discussions among like-minded states, rather than leading to universal agreements.
Norms that may be ripe for discussion outside the GGE process could include protected status for the core functions of the internet; supply-chain standards and liability for the ‘internet of things’; treatment of election processes as protected infrastructure; and, more broadly, norms for issues such as crime and information warfare. All of these are among the topics that may be considered by the new informal International Commission on Stability in Cyberspace established early this year and chaired by former Estonian Foreign Minister Marina Kaljurand.
Progress on the next steps of norm formation will require simultaneous use of many different formats, both private and governmental. For example, the 2015 agreement between China and the US to limit industrial cyber espionage was a bilateral accord that was later taken up by the G20.
In some cases, the development of norms among like-minded states can attract adherence by others at a later point. In others, such as the internet of things, norms for security standards may benefit from leadership by the private sector or non-profit stakeholders in establishing codes of conduct. And progress in some areas need not wait for others.
A regime of norms may be more robust when linkages are not too tight, and an overarching UN treaty would harm such flexibility at this point. Expansion of participation is important for the acceptance of norms, but progress will require action on many fronts. Given this, the failure of the GGE in July 2017 should not be viewed as the end of the process.
It’s been a big week for advocates of online OPSEC. On Monday, a Google employee suffered a high-profile firing after he circulated a ‘manifesto’ railing against Google’s institutional ‘political bias’ against conservatives and the need to have an ‘honest discussion’. Google’s leaders—current and former—have universally taken issue with how consistently incorrect the manifesto is in its core argument (about how women aren’t biologically suited for tech jobs) and how damaging it has been to the company’s reputation and to the team. The fired employee is reportedly seeking any and all ‘legal remedies’; power to you, guy.
The Google anti-diversity memo is a great example of what the Australian Public Service Commission (APSC) was trying to protect against when it provided more detailed guidelines about what the APS Code of Conduct requires when it comes to making public comments, including on social media. Ironically, the APSC’s own communication about not saying stupid things online has become the latest example of poor online communication, and what was intended as guidance has been interpreted as a heavy-handed (and unconstitutional) gag order. Whether the confusion’s due to miscommunication or misrepresentation from the media isn’t clear, but it’s a reminder that confusion quickly escalates to fever pitch well before even the most eager 9-to-5 public servant has had their first coffee. And if it’s that hard to communicate guidelines on social media use, it might be impossible to raise cyber hygiene awareness (PDF) and practices.
Stop worrying and love AI
Two Tencent chatbots have been taken offline for revision after they provided politically inflammatory responses to queries about the Communist Party, insulting the party as ‘corrupt and useless’. The shutdown comes shortly after an (overblown) wave of concern about Facebook chatbots ‘inventing their own language’. The two stories seem to be being picked up as the ‘patient zero’ case studies for FUD (fear, uncertainty and doubt) about impending AI doom.
New South Wales is pushing ahead with autonomous vehicles anyway, greenlighting a two-year trial program at Sydney Olympic Park. The trial will be going at a snail’s pace, though—the vehicles won’t be allowed to exceed 10 kilometres an hour along a closed-off road. Fingers crossed it all doesn’t go the way Tesla went at this year’s DEF CON.
The Australian Signals Directorate will be sharing threat intelligence with telcos and internet service providers, to help them provide, in turn, cost-effective cyber-security services for small to medium enterprises. This directly addresses the vulnerability to hacking of small and medium enterprises, which have been identified by both the government and the opposition as being sorely in need of protection, but without necessarily having the resources or expertise to protect themselves. Weirdly, however, this initiative ignores anti-virus and security software vendors—the companies that are perhaps best placed to immediately use this data to protect customers.
In similar research, Telstra has launched the Australian Digital Inclusion Index 2017, which has surveyed digital access disparities between socioeconomic classes and found that Australia’s getting better at digital inclusion, which could translate into better cyber-security outcomes for Australia. (For the final word on that, keep your eyes peeled for the latest edition of ASPI’s cyber maturity report later this year.)
The federal government has announced that it’ll be building a single ‘super logon’ to consolidate across the dog’s breakfast of government accounts, which currently saddles users with managing 10 to 30 accounts. It’s not clear from that exclusive interview whether the initiative is the same one as the ‘GovPass’ and ‘Tell Us Once’ initiatives announced in the 2017 budget. It’d be ironic if there were two separate programs under development to consolidate logins and accounts.
Regardless, work on GovPass continues unabated, and Airtasker, Travelex, Credit Union Australia and the Queensland Police Service have signed up for AusPost’s Digital ID service, which is currently serving as a pilot program for later reconciliation with the wider GovPass program. Gavin Slater, the CEO of the Digital Transformation Agency, which is managing the GovPass program, has announced that he’s been working to repair relationships with government agencies, after the then Digital Transformation Office became too ‘disruptive’ for the APS’s tastes.
The Australian Digital Health Agency published Australia’s National Digital Health Strategy (PDF) and outlined an action plan to make sure all Australians have a My Health record by 2018. The aim is to improve the protection of healthcare data and interoperability between healthcare organisations. However, privacy activists are concerned that the consolidated health data will present an increased privacy risk, which is why it’s a good thing that the agency will be establishing a Digital Health Cyber Security Centre to make sure Australia’s health data security is at the cutting edge of international best practice.
Open data dashboards tied up with strings
Open data dashboards have been popping up like daisies this week. The Alliance for Securing Democracy has launched a new online dashboard, Hamilton 68, tracking bot networks and troll accounts linked (after three years of observing) with Russian influence operations on Twitter. The top hashtag used by these accounts was MAGA, or Make America Great Again, the campaign slogan of US President Donald Trump. As with most social media analysis projects, the transparency of the methodology has been criticised.
Black hats, white hats, and cyber diplomats
US ‘cyber-diplomat’ Christopher Painter has signed off, writing a parting note on Medium about the continuing importance of diplomacy in cyberspace. Even after working for 26 years in this (highly depressing) space, he’s reportedly still passionate, calling cyber ‘the new black’.
The future of the ADF is ‘fifth generation’, or at least the Chiefs of Army, Navy and Air Force think so. It might’ve been just a passing fad, given that the term originated as a company marketing slogan selling a long-delayed fast jet. But in recent years the expression has morphed into a useful buzzword encapsulating several deeper concepts. At its core, ‘fifth generation’ is all about ideas, about how we conceive of waging tomorrow’s wars—and preparing for them. It encompasses four major approaches:
Networks. Modern war uses extensive digital networks. Conceptually, four interconnected and interdependent virtual grids—information, sensing, effects and command—overlie the operational theatre. The various force elements are interacting nodes on the grids that can each receive, act on and pass forward data.
Combat cloud. Working together, the grids can form a virtual combat cloud—akin to commercial cloud computing—that allows users to pull and add data as necessary. The result is longer-range tactical engagements. It’s no more, ‘Fire when you see the whites of their eyes’, but rather, ‘Engage when a symbol labelled “adversary” appears on a shared display’.
Multi-domain battle. There are five operational domains: land, sea, air, space and cyber. The key animating idea is cross-domain synergy, where force is applied across two or more domains in a complementary manner (PDF) to achieve an operational advantage.
Fusion warfare. The fusion warfare concept addresses command and control concerns arising from additional information flows, software incompatibilities and intrinsic vulnerabilities to attack and deception.
The order of these approaches mostly reflects the sequence in which they’ve been incorporated into the concept of fifth-generation warfare. The oldest is network-centric warfare, dating from the mid-1990s; the others have become increasingly prominent over the last several years. The progression highlights that commercial information technology has often led military developments in the fifth generation. Cloud computing, for example, was initially implemented in the mid-2000s but it was not until the mid-2010s that the concept was embraced by military thinkers.
Each of these four conceptualisations is important, but in fifth-generation warfare they don’t exist individually; they function together as an integrated, interdependent ‘system of systems’ whose whole is greater than the sum of its parts. Fifth-generation warfare is accordingly a dynamic way of war, constantly evolving as the context changes and new demands arise.
Moving to fifth-generation warfare has several implications.
First, there are obviously two in-built technical vulnerabilities. Digital systems are inherently susceptible to cyber intrusions that may steal, delete or change data, or insert false data that can quickly spread across the network. While cybersecurity techniques are steadily improving, so are cyber intrusion methods, with neither remaining in the ascendancy for long. But it’s more than just cyber: electronic and information warfare techniques are designed to deliberately input false data into hostile networks that spreads to all users, confusing and distorting the shared picture.
Moreover, fifth-generation warfare relies on datalinks. Emitters are inherently vulnerable to detection; network participants can be located and tracked—and thereby targeted by precision-guided weapons. Some datalinks are harder to detect than others; however, as with cyber, technology continually improves. Cybersecurity and datalink emission tracking will require constant effort for the operational life of fifth-generation warfare. They are serious Achilles’ heels.
Second, modern wars inevitably involve coalition operations, so on any network there may be actors from many different countries. All involved will be doing their best, but within each country’s forces, and within the coalition overall, there’ll be elements using different intelligence sources, different threat libraries and different electronic signature data to make decisions about the identity and location of hostile and friendly forces, and neutral entities. The operational perils implicit in the ‘garbage in, garbage out’ aphorism suggest that some force elements will be more trusted than others in fifth-generation warfare. ‘Balkanised’ networks (in which some nodes are disregarded or receive degraded data) are likely, leaving some nodes to potentially fight their own separate wars instead of being part of a coherent, carefully coordinated application of coalition military force.
Reducing a force to a collection of small, independent networks undercuts the Metcalfe’s law logic of fifth-generation warfare, which asserts that the ‘power’ of a network is proportional to the square of the number of nodes in the network. The probability of blue-on-blue engagements also increases as the location of friendly forces becomes less certain to all coalition participants.
Third, individual national sovereignty is diminished, especially in the combat cloud concept, since information is pulled from the digital cloud with perhaps only limited knowledge of its source. Using such off-board information—rather than that derived from one’s own onboard sensors as happens today—to engage targets inherently reduces each nation’s responsibility and accountability. A senior ex-RAF officer complained that ‘this slaughters [the UK’s] legal stance on a clear, unambiguous and sovereign kill chain’.
Fourth, the fifth-generation warfare idea relates to what Edward Luttwak called ‘the technical dimension of strategy’. Technology influences how we fight wars, but there’s more to being successful than technology. Leading-edge technology was insufficient to win the Vietnam, Iraq and Afghanistan wars—and fifth-generation warfare so far doesn’t appear any different.
And lastly, the end of fifth-generation warfare may be in sight. In the 1990s, futurists Alvin and Heidi Toffler argued that ‘how we make war reflects how we make wealth’. They foresaw that the information technology age would necessarily compel changes in warfare. In many respects, fifth-generation warfare is the working out of that idea. Now some see another industrial revolution approaching that will change the way wealth is made. If the Tofflers are right, warfare may change again. Third offset, anyone?
While the Australian Government’s Cyber Security Strategy contains many good initiatives, the government’s narrative needs to evolve to account for inevitable failures. Current government rhetoric is decidedly inconsistent: cyber espionage is alive and well, yet at the same time the data of the Australian people is safe and secure.
The Prime Minister has spoken about the importance of meaningful conversations about cybersecurity, but that narrative clearly has some internal inconsistencies and isn’t a realistic or nuanced message. As the Australian Public Service, business and the broader community raise their levels of cyber sophistication, we need to continually reframe government communications to push real cyber resilience.
Services delivered over the internet are exposed to several interesting asymmetries that all but guarantee that there’ll be cybersecurity failures of consequence. Imagine a hypothetical government IT project (let’s call it ‘Project ORCA’) that aims to provide a perfectly secure government portal to deliver vital services to the Australian public.
Our first asymmetry is that the teams building online services have only finite time to deliver their products. This is a good thing, as we want IT projects to be delivered, and infinite timelines aren’t helpful (even though that can feel like standard practice in government at times).
By contrast, malicious actors (baddies and hackers) on the internet are not time bound; their time horizon is effectively infinite. ORCA, for example, while built over a relatively short time, will be exposed to attack for the rest of its working life—which may possibly run from years to even decades. A successful attack on ORCA can be damaging to the government at any time throughout its life.
Second, teams building online services have limited skills and capabilities. The Project ORCA team is limited to the pool of skills available within the team. The very best we can hope for is that it implements the best possible solution at that point in time. But even this best-case scenario isn’t good enough.
Malicious actors can not only access the state of the art at the time when ORCA is built, but are also able to use new vulnerabilities that are discovered after the service has been delivered. In a very real sense, the Project ORCA team is trying to defeat hackers from the future!
Third, the ORCA team is focused on delivering what it uniquely adds to and builds upon the best frameworks and architectures available at the time.
Malicious actors, however, can attack not only what the ORCA team builds directly, but all the software and hardware that ORCA relies on and is connected to. The Project ORCA team can deliver its project perfectly, but the security of ORCA overall can still be undermined by factors outside the team’s control. In recent years, for example, there have been several very severe bugs that have affected internet services in totally unexpected ways, and Project ORCA can’t mitigate that class of threats.
Although this sounds pessimistic, this is broadly understood in private industry; breaches are common and inevitable, and there’s a very real focus on resilience and recovery. The cyber-mettle of an organisation isn’t measured by whether the organisation suffers a compromise, but by how quickly the compromise is discovered, how well it’s contained, and how effectively it’s cleaned up.
Government’s current narrative is focused on implementing the ‘Essential Eight’. These are the eight highest priority actions from the Australian Signals Directorate’s Strategies to Mitigate Cyber Security Incidents that help prevent cybersecurity breaches. The Essential Eight grew out of what were initially branded the ‘Top Four’, and when implemented will prevent a large majority of cyber intrusions that the ASD currently sees.
Even when these strategies are implemented, however, they are still only mitigation strategies. That is, they make things less bad than they were before. They aren’t a guarantee that security is perfect; they are just the first steps to take when your security baseline is very bad.
Real security doesn’t consist of implementing the ASD’s Top Four mitigations, and then a year or two later expanding that to the Essential Eight. Real security is the ongoing work that arises from an acceptance that failure is inevitable: understanding your network; detecting and investigating anomalies; patching, monitoring and alerting; clean-up, backup and disaster recovery.
The Prime Minister has spoken about the importance of meaningful conversations about cybersecurity events. But by denying the scope of the problem our political leaders are preventing the meaningful conversations that they desire and lulling us into a false sense of security. The conversation needs to change to account for the inevitability of failure.
On the inevitable failure of cyber security (marko, 2017-06-27 01:00:18)
Facebook has finally weighed in on the elephant in the room in the encryption debate—terrorist communications. In an unusually high-profile blog post, the company stated that it has embraced technological solutions to remove terrorist communications and accounts from Facebook, including artificial intelligence. The blog post will be the first in a series called ‘Hard Questions’, where Facebook seeks to address complex social issues. It’ll be a series to watch closely as Facebook begins taking a more active role in public debate.
Back in Australia, the government has selected host universities for Australia’s first Academic Centres of Cyber Security Excellence. The University of Melbourne and Edith Cowan University will be the inaugural hosts for the centres, and will receive shares of funding allocated by the Cyber Security Strategy. That positive step in cyber education comes on top of Australia’s high performance in the International Telecommunications Union’s annual Global Cybersecurity Index. Australia placed 7th out of 134 member states in cybersecurity commitments and policy, with our technical certification and standards highlighted as a strong suit. Lastly, the Department of Defence is looking at introducing intelligence analytics tools and techniques to manage natural language data, from text, speech and video.
A data firm affiliated with the Republican National Committee, Deep Root Analytics, accidentally left a database full of voter information open on the internet to random users—potentially exposing private information on 198 million US voters. Election security has been a prominent theme elsewhere this week, with early findings from investigations in Illinois indicating that cyber attackers attempted to delete or alter voter data on software systems across 39 states in the 2016 presidential election—far more than previous reports indicated. North of the border, the Canadian Communications Security Establishment released a report stating that hackers attacked the 2015 General Election using a combination of selective leaks and disinformation campaigns. The report found that the attacks were relatively unsophisticated and not conducted by nation-states, but there’s little to suggest the next Canuck election will prove as resilient.
The Trump administration has taken an aggressive approach to government deregulation, issuing a memo instructing government agencies to remove up to 50 outdated reporting requirements, seven of which had forced federal agencies to provide updates on their preparedness for the Y2K bug—17 years after the bug became a non-issue. There’s nothing quite like timeliness…
By letting registration of a control domain expire, Samsung left phones with the stock Samsung S Suggest app potentially vulnerable to hijacking. The app was discontinued in 2014, but continued to receive instructions from a web domain, which expired this week. Fortunately, ethically-minded cybersecurity researchers bought out the domain before harm could be done, but they found that the domain could have pushed malicious code directly to phones with the app.
Finally, in the US, the Girl Scouts of the USA have announced a partnership with Palo Alto Networks to introduce cybersecurity education to the girl scouts including 18 new cybersecurity badges starting in 2018. The new focus area was decided on as a result of a survey of young women, who stated they wanted to learn technical skills and boost their participation in STEM. The badges provide programs for all skill levels, from the basics of privacy and online safety to learning how to become an ethical hacker.
Since 2015 Australia—partnering with Switzerland—has built support among 36 countries to address concerns about military and police forces’ interest in the use of highly toxic chemicals, such as anaesthetic and sedative agents, as weapons for law enforcement. This is a great achievement on an issue first brought forward by the International Committee of the Red Cross (ICRC) in 2003, and on which there has been scant multilateral progress. Particularly so given that in recent years the Organisation for the Prohibition of Chemical Weapons has been focused on efforts to dismantle Syria’s chemical weapons and put a halt to the repeated use of chemical weapons in Syria and Iraq.
This development signals two important characteristics of Australia’s approach: a willingness to tackle threats to international law and civilian protection, even where there are significant differences in viewpoints among countries; and an ability to remain attentive to emerging risks, even while embroiled in an ongoing crisis.
Such international leadership is urgently needed in other areas where science and technology collide with international law and humanitarian concerns.
The ICRC, for its part, has always pressed for a realistic assessment of new technologies of warfare to ensure they are not employed prematurely if respect for the law cannot be guaranteed. And so I’m pleased to be in Australia this week to take part in the Symposium on the Ethical, Legal and Social Implications of Emerging Military Technologies at Melbourne Law School.
At the UN, efforts to address the implications of increasing autonomy in weapon systems have moved forward slowly. General agreement among States that ‘views on appropriate human involvement with regard to lethal force and the issue of delegation of its use are of critical importance’ has been an important outcome of three, week-long, informal discussions at the Convention on Certain Conventional Weapons (CCW). However, this work now needs to step up a gear.
Here there are opportunities for constructive proposals—based on states’ obligation to uphold international humanitarian law (IHL) and minimise risks to civilians and to combatants no longer taking part in hostilities.
Australia’s efforts to promote better implementation of the legal obligation, and policy necessity, for countries to conduct national legal reviews of new weapons prior to their acquisition or use, are very welcome. It’s something the ICRC has long advocated. However the ICRC believes there is a critical need to achieve an understanding at the international level on how to ensure that humans remain in control of weapon systems and the use of force while making the necessary legal decisions on targeting in armed conflict.
What’s needed now is state-driven work by the newly established CCW Group of Government Experts to start answering the difficult questions. Recognising the critical importance of human ‘involvement’, ‘control’ and ‘judgement’ in the use of force in armed conflict, the ICRC has suggested that states now determine the type and degree of human control necessary to ensure compliance with IHL, and ethical acceptability. Switzerland’s IHL ‘compliance based’ approach has gained significant support, in particular from Brazil, Chile, Finland, Netherlands, Republic of Korea, South Africa, and Sweden, at the CCW Review Conference in December 2016. Here again, Australia might consider the benefits of joining Switzerland and other concerned States.
Similar arguments for foresight and unity could be made for international debates about other new technologies of warfare. Recently, discussions about robotic weapon systems that are not autonomous but remain remote controlled have focussed on transparency in armed drone operations. With the rapid proliferation of military drones to over 90 countries, and non-State armed groups starting to employ improvised versions, the implications for IHL compliance and humanitarian consequences could evolve considerably. Could a move towards reliance on robotic weapon systems on land lead to new risks for civilian populations?
Elsewhere, international discussions on cyber warfare—notably through another UN GGE, which Australia chaired from 2012-13—have been considering the applicability of international law in cyberspace. Australia has stressed the importance of ‘elaboration of how international law applies to states’ behaviour in cyberspace especially in non-conflict situations.’
Nevertheless, there is also a need to consider the potential humanitarian consequences of the use of cyber weapons in armed conflict and constraints that may be needed in future on cyber weapons development, acquisition and use. Some ideas are also emerging from industry, for example Microsoft’s recent proposal for a ‘Digital Geneva Convention’ for peacetime, which might influence the debate in situations of armed conflict.
The risks from weapons targeting space systems are also of increasing concern. Although the recurring UN General Assembly Resolution on the prevention of an arms race in outer space has almost universal support, there are different views among major powers on the means of prevention. Given these realities, Australia has called for greater focus on voluntary transparency and confidence building measures.
From the ICRC’s perspective, the ever-increasing military attention to the contested domains of cyber and outer space, and the reliance of civilian infrastructure and services on these interconnected networks, bring with them a particular need to consider the potential humanitarian consequences.
There’s much work to do. Australia—with its government, think-tank, and academic expertise—is well placed to play a greater role.
Australian leadership on new technologies of warfare (marko, 2017-05-30 01:00:40)
Earlier this month, the campaign of French presidential election candidate Emmanuel Macron fell victim to targeted cyber intrusion efforts by the infamous Russian hacking collective that goes by a number of names including Pawn Storm, Strontium, Fancy Bear or APT28. Spear phishing email attacks against Macron’s En Marche! party were followed by the public release of 9 gigabytes of reportedly confidential communications less than 48 hours before ballot boxes opened. While Macron was still able to secure the presidency on 7 May, his campaign said that the efforts had ‘put the vital interests of democracy in jeopardy’.
The French experience is just the most recent development in what appears to be a tide change in international cyber relations. The 2016 US presidential race between Hillary Clinton and Donald Trump was a wake-up call that highlighted democracy’s vulnerability to manipulation in today’s digital world. The hacking of multiple state voter registration databases, the strategic dumping of stolen email communications and the prominent position of social media all played a role in undermining public confidence and shaping public opinion. A US intelligence community assessment controversially asserted that, ‘Russian President Vladimir Putin ordered an influence campaign in 2016 aimed at the US presidential election.’ Unsurprisingly, Putin has denied any involvement, but it seems the threat’s here to stay, with countries such as Germany and the UK now concerned for the digital security of their upcoming elections.
As this kind of cyber operation becomes an increasingly attractive tool of statecraft, it’s important to understand the distinct variables at play in modern election security. My new report, Securing democracy in the digital age, presents a conceptual framework through which to understand the challenge. By employing the US election experience as a case study, the report outlines the distinction between the cyber vulnerabilities of election infrastructure and the possibility that public opinion is vulnerable to manipulation.
The most direct way to influence a democratic process is to compromise the practical mechanisms that are used to assess the public will. Vulnerabilities inevitably exist in any digital system, and election infrastructure is no different. Malicious actors can target weak spots in voter registration databases and e-voting machines to influence both who can vote and how their vote is recorded. While this seems like the most obvious point to target, it’s challenging to rely on these points to sway anything other than an extremely close election, especially in countries like the US which have a particularly decentralised electoral system.
A more sophisticated technique is to influence how people decide their vote. Every vote cast is the product of the information ecosystem that individual has been exposed to in the preceding months. This environment can be manipulated in three ways: by strategic disclosure of compromising information, by disseminating “fake news” and by leveraging the echo chambers of social media.
Acquiring and distributing true but previously unavailable facts about a candidate can change the way people make their election choice. Sometimes referred to as ‘doxxing’, this approach involves ‘maliciously disclosing information in a calculated fashion to inflict setbacks in political momentum and unity’. The Wikileaks dump of 20,000 Democratic National Committee emails in June followed by 58,000 from Clinton’s campaign manager in October 2016, and the targeting of Macron’s campaign emails are the most prominent examples of that tactic in recent times.
But malicious actors don’t even have to go to the effort of stealing authentic compromising information: they can just create fake news. False information can be disseminated online to influence citizens’ decision-making and the democratisation of media means that this type of mass misinformation operation is easier to carry out than ever before. The proliferation of fake news was a defining theme of the 2016 US presidential election. Worryingly, in the final months before the election, trending fake news headlines received higher Facebook engagement rates than the top headlines from traditional media outlets, such as The New York Times and The Washington Post.
The introduction of new information into the public debate, whether real or fake, can also be more impactful than ever before thanks to artificial consensus on social media. Newsfeed algorithms are designed to show people what they want to read, based on their demonstrated preferences. The result is the creation of online silos, or ‘echo chambers’, which reduce the likelihood that an individual will be exposed to views contrary to their own. The volume of those arguments can also be automatically boosted by networks of bot accounts or manually boosted by armies of trolls. Those techniques can give a voter the impression that a particular view receives a greater level of popular support than it really does.
The issue of contemporary election security isn’t going away. Democracies need to consider the vulnerability of their electoral process and craft policy solutions for their specific context, and Australia is no exception. ICPC’s new report outlines a variety of policy questions that governments need to address related to the cybersecurity of election infrastructure, the integrity of the public debate and the development of normative responses. It will pay for Australia to be on the front foot on this issue. Proactive steps should be taken to ensure that our democracy remains secure in the digital age.
Securing democracy in the digital age (marko, 2017-05-29 02:30:03)
Speculation over whether the Hermit Kingdom is behind WannaCry has also continued this week. Cybersecurity firm Symantec’s Security Response team have released further evidence which they claim more closely ties WannaCry to the North Korean-linked Lazarus Group of hackers. Symantec notes that similarities in the tools used in last week’s attack link the ransomware to the tools used in other cyber incidents linked to North Korea, including the 2014 Sony hack and last year’s attack on Bangladesh’s central bank. However, the difference between previous incidents and WannaCry is the nature of the malware’s autonomous propagation through networks using the EternalBlue exploit, whereas previous Lazarus Group-linked malware required greater intervention by the hackers, limiting the extent of its spread.
Various North Korean People’s Army units have been identified as being involved in cyber operations, but Unit 180 in the Reconnaissance General Bureau has been most closely linked to WannaCry. Greg Austin from UNSW told a seminar in Canberra last week that over 6,000 North Koreans are involved in various aspects of cyber operations including disrupting the South’s military critical infrastructure and command and control systems. And over at the UN, the North Korean Sanctions Committee has warned members to be alert to North Korean hacking after one of its panel of experts was hacked. The warning ominously noted that the hackers had gained ‘very detailed insight’ into the work of the committee.
Closer to home, the Australian government has agreed to work with the Information Commissioner to develop a privacy code for Commonwealth agencies. Back in March, Commissioner Tim Pilgrim requested that the new code be developed, spurred by the fact that significant bungles including #censusfail and data breaches from the Health Department and Public Service Commission had the potential to significantly undermine public trust in the government’s ability to manage data appropriately. The code will be implemented in 2018.
When confronting the problems of cybersecurity, it’s often noted that, regardless of time and space, we’re all exposed in some way to the same active and innovative threat actors. Shared threats promote cooperation, and sharing information on cyber threats has long been acknowledged as an efficient way to reduce the effectiveness of cyber threat actors. For this reason, a key initiative of Australia’s Cyber Security Strategy is the establishment of a multilayered, public–private cyber information sharing network, focused on the Australian Cyber Security Centre (ACSC) and new cross-sectoral joint cyber security centres (JCSCs) in state capitals. Cyber information sharing is not new to Australia, but this renewed focus is an opportunity to create an effective national network to share information that assists all participants to improve their security, collectively enhancing Australia’s overall cybersecurity posture and capability.
However, establishing information sharing networks isn’t simple. They can be undermined by a lack of trust, inadequate funding, and poor engagement from contributors who don’t share a common understanding of the vision and objectives of the organisation. In addition, public–private information sharing is often held back by concerns that overclassification of information and slow sharing by government agencies reduces the value and effectiveness of information sharing. This was recently highlighted in the ACSC’s 2016 CyberSecurity Survey, which showed that respondents viewed information, intelligence sharing and collaboration as the least important factor in mitigating cyber risks. The survey’s poor results for perceptions of the value of information sharing indicate that the foundations of trusted information sharing networks in Australia remain weak.
As Australia embarks on a process to develop a deeper and wider national cyber information sharing network, careful consideration of the lessons learned by the US and other international partners is necessary to ensure early success and long-term sustainability. This is the focus of my paper, Cyber information sharing: lessons for Australia, which was released today. The paper builds on a forthcoming report by ASPI’s US partner the MITRE Corporation, Building a National Cyber Information-Sharing Ecosystem.
The US has been pursuing cyber information sharing since the late 1990s, when the federal government directed the creation of public–private partnerships for critical infrastructure protection. The now decades-long development of a variety of information sharing models in the US, and the greater complexity of its industrial and commercial sectors, provide a healthy catalogue of case studies and lessons for the Australian cybersecurity community as it pursues deeper information sharing mechanisms.
MITRE has examined three US cross-sectoral, regionally based information sharing and analysis organisations: the Advanced Cyber Security Center from Massachusetts, the Northeast Ohio CyberConsortium from Ohio, and the National Cyber Exchange from Colorado. From its assessment, MITRE has devised nine questions, dubbed the ‘Gnarly 9’, which must be addressed to build a successful cross-sectoral cyber information sharing organisation. The nine questions can be further distilled into three pillars of a successful information sharing organisation: adequate funding, trust between participants, and a collaboratively developed strategic plan.
Funding and a strategic plan are factors of the investment of time, money and people in the initial stages of establishment, but trust is an intangible quality that has to grow between participants. Growing trust will take time and experience of cooperation between individuals and organisations, although there are structural components that can support the growth of trusted relationships and enable effective information sharing. There are several possible models for information sharing ecosystems, but the current approach of the Australian community, building on the ACSC and JCSCs, is leading towards a ‘hub-and-spokes’ model. In this model, the nature and role of the hub is particularly important in enabling the growth of effective sharing and trusted relationships.
Building on the lessons learned from US information sharing organisations as discussed by MITRE, Cyber information sharing: lessons for Australia presents a possible model that meets the Cyber Security Strategy’s call for a multilayered public–private information sharing network. Based on existing sharing organisations and linkages, such as the ACSC and emerging JCSCs, this information could be provided to an independent clearing house as the hub of the national network, integrating multiple information feeds. This would make it easier to ensure that information is appropriately managed and ensure a level of anonymity for information providers, supporting the development of trust in the network necessary for participant buy-in and sustained information sharing. Further investment in automated, secure, standards-based information sharing will also be necessary to provide actionable information in real time.
A national cyber information sharing network will be an important mechanism to enable the achievement of stronger national cyber defences and resilient networks. The development of this network will be an evolutionary process, but Australia should take heed of the lessons learned by partners in the US and elsewhere.
Cyber information sharing: achieving the Holy Grail of cooperation (marko, 2017-05-03 20:00:11)