Understanding the cyber threat from China

Ed Parsons, Managing Director, UK and Michael Raff, Commercial Analyst
September, 2019

Part two of our cyberwar series provides insights from F-Secure’s research, threat intelligence and investigations on cyber statecraft, focusing on Sino-US relations.

To say we are witnessing a global power struggle for domination of information technology, with the United States and China at the forefront, is no exaggeration. Naturally, security professionals focus on associated cyber-security threats such as industrial espionage, but a wider appreciation of China’s strategic objectives suggests other security challenges lie ahead.

Since 2013, China has accelerated its efforts towards manufacturing independence, boosting indigenous production by pursuing expertise in key technologies and leveraging state power over Chinese enterprises. In 2015, Chinese Premier Li Keqiang launched Made in China 2025, a strategic plan to gain parity with the US in ten key industries, including biomedicine, robotics, space technology, cloud computing, and artificial intelligence. The US has since imposed tariffs on Chinese goods, accusing China of intellectual property theft and of forcing technology transfer from US companies to Chinese entities.

Cyber espionage – is China back to old tricks?

The Office of the US Trade Representative reports that China is once again penetrating US corporate networks to steal data, following a perceived lull during the latter years of the Obama administration [1], and there is a strong correlation between the companies targeted and China’s ten key industries. Notable tactics include using malware signed with certificates stolen from third-party software providers, abuse of the remote access afforded to Managed Service Providers (MSPs), and opportunistic account hijacking targeting users of cloud productivity suites.

A perceived increase in cyber espionage activity could also be interpreted as a hybrid response to the ongoing trade war. Unlike most Western countries, China makes no distinction between political, military, and economic espionage. From this perspective, state intervention on behalf of Chinese enterprise could be viewed as the equivalent of the US using tariffs to protect semiconductor companies. More banally, it may simply reflect the restructuring of China’s cyber apparatus into a single Strategic Support Force.

And yet cyber espionage is just one lever in a multi-dimensional power struggle. Journalist David Sanger notes China can obtain equivalent access to proprietary information from foreign firms through minor investment [2]. Meanwhile Chinese and US national interests are creating other security challenges. Reporting suggests China's government is keeping its security researchers from attending conferences [3]. If vulnerability research becomes nationalized, we could see more 0days. Recorded Future, a threat intelligence company, reports the Chinese Ministry of State Security has systematically backdated the publication date for many vulnerabilities which may have been exploited in the wild [4]. Equally, the US ban on Kaspersky has been heralded as “an opportunity to create a model [for tackling] nation-state threats that emanate through global business processes”, raising the prospect of further national security assessments effectively balkanizing information technology [5].

Protectionist approaches to secure the modern battlefield

The rollout of 5G networks and the proliferation of IoT devices will bring unprecedented levels of connectivity and new security challenges. After years of deep suspicion over Chinese involvement in telecommunications infrastructure, some nations have explored the move to 5G networks, which depend on new technology, as an opportunity to exclude Chinese enterprises [6]. But the reality is that most countries must choose from the major telecommunications providers that dominate the world market, two of which (ZTE, Huawei) are Chinese. Aspirations to build a ‘spy proof’ (read: nationalized) telecommunications supply chain may not be economically viable [7].

While the security risk posed by Chinese telecommunications infrastructure is hotly debated, protectionist approaches already look unfeasible. Research reveals the supply chains of IT suppliers to the US Federal Government are not only global but also overwhelmingly Chinese [8]. While supply chain risk currently receives a lot of attention (as recent updates to the NIST Cybersecurity Framework demonstrate), we predict organizations will begin to view their networks as untrusted, increasingly outsourced utilities, and focus security controls further up the technology stack. Approaches like zero trust networking will become not only more popular but also more relevant as many organizations migrate towards cloud infrastructure.

Dawn of quantum computing and the end of encryption

Further into the future, exponential developments in the field of quantum computing, led by competition between Silicon Valley and Chinese research institutes, have brought forward estimates for the emergence of general-purpose quantum computers. Whenever that date may be, it’s safe to assume government departments – notably defence and intelligence agencies – will be among the first to get access to this technology. The potential security implications are profound: public key cryptography relies on a number of algorithms theoretically threatened by quantum computing, undermining the confidentiality and integrity of digital communications worldwide. States that develop this capability may also be able to decrypt stolen data already in their possession. While the risk may seem distant, mitigation, by moving to quantum-resilient algorithms [9] or quantum key distribution, will take large organizations some time.

What should organizations do to defend themselves?

Organizations can take the following steps to secure themselves from cyber threats and future security challenges caused by China’s strategic objectives and international responses:

  • Enumerate and secure third-party access, including remote management by MSPs, using relevant government advisories [10].
  • Securely configure online services to protect against account hijacking: use multi-factor authentication [11].
  • Optimize threat and vulnerability management, including emergency patching, to minimize exposure to publicly disclosed vulnerabilities.
  • Review your response to national security assessments on foreign technologies. How quickly could your organization find and remove affected hardware or software, and accelerate procurement cycles to find and implement replacements?
  • Organizations that have lost encrypted data should consider the risk associated with its future disclosure (likely over a 10-year period).
  • Organizations holding sensitive data deemed valuable over a similar period should perform a risk assessment to determine their exposure [12].
