China’s government is on a digital giving spree. Over the past five years, the government has donated computers and equipment to governments in over 35 countries around the world. These gifts have been gratefully accepted by parliaments, political parties, government departments and even police agencies from Africa to the Pacific, from South East Asia to Eastern Europe and the Caribbean.
At the same time, Western nations are taking extraordinary measures to keep Chinese-made devices out of sensitive areas of their governments and militaries. Security agencies from Canada, Australia, the US and the United Kingdom have warned that Chinese-made devices could be used for spying by Chinese intelligence services.
So far, there is no evidence that China’s digital generosity towards smaller nations is being used for espionage. In the face of the state’s rising ambitions on the world stage and against the drumbeat of warnings about its cyber capabilities, however, the question is – are there some gifts it might be better to refuse?
Knowing whether China’s many digital gifts to governments around the world are being used for espionage purposes is complicated, because most of the countries receiving gifts do not have the cybersecurity capacity to find out – countries which need to be given computers as gifts are, almost by definition, unlikely to have advanced cybersecurity capabilities.
Take Tonga. The tiny island nation received computers, printers and other devices from the Chinese embassy for its Ministry of Information in 2014, a time when it effectively had no national cybersecurity capacity – no official cybersecurity unit, no policies, no strategy, nothing. It wasn’t until 2016 that Tonga established a national Computer Emergency Response Team, the first in the Pacific.
Despite this extremely slow start, Tonga is still ahead of some other recipients of China’s donated computers, like Malawi, whose Ministry of Trade and Industry was given $760,000 worth of equipment in 2018. China has been accused of exploiting the African nation, which ranks amongst the poorest countries in the world and does not have a national cybersecurity body. (China has denied all accusations.)
What is clear, however, is that China’s gifts follow its economic, political and geostrategic interests. In 2017, for instance, the Pakistani parliament received 330 pieces of equipment as a gift from the Chinese embassy, including laptops, computers, scanners, printers and projectors. At the handover ceremony, Chinese ambassador Sun Weidong reportedly “expressed the hope that the two sides continue making joint efforts to push for the construction of the China-Pakistan Economic Corridor so as to better benefit the people of the two countries.”
Risks in the supply chain
The risk to national security from cyber espionage by the Chinese government, and from prominent Chinese technology companies such as Huawei, ZTE and Lenovo, is considered serious enough that normally secretive Western intelligence agencies are breaking their silence to warn against it.
The UK’s National Cyber Security Centre has said that the use of equipment made by Chinese company ZTE poses “national security risks… [which] cannot be mitigated.” The US Department of Defence has banned the sale of phones manufactured by Chinese companies Huawei and ZTE on US military bases. A Pentagon spokesperson said the Chinese-made phones “may pose an unacceptable risk to the department’s personnel, information and mission.” Despite this, President Donald Trump has struck a deal to save ZTE and lift sanctions imposed on the firm.
The Australian Defence Department is also “phasing out” Huawei and ZTE phones. As far back as 2012, Australia stopped Huawei from entering a tender to construct its National Broadband Network, and is considering banning Huawei’s involvement in building 5G mobile networks in Australia. Three former directors of Canadian national security agencies have publicly warned their government that Huawei poses a risk, particularly in relation to the development of 5G technology. The Five Eyes intelligence agencies have reportedly had an unofficial blacklist against Lenovo devices for many years.
“If you think about how electronic components are manufactured on one side of the Pacific, assembled on the other side, packaged somewhere else and then shipped everywhere else, there are lots of points along the way to embed, alter, or add to a device,” says Brian Vosburgh of Interos, a company which specialises in supply chain risk management and recently produced a report for the US-China Economic and Security Review Commission on supply chain vulnerabilities in US federal ICT equipment from Chinese-made products.
This includes the kind of devices which people might not normally think could be used for espionage. “Seemingly innocuous equipment like a keyboard still connects to another device and contains hardware that can mask keylogging functionality that could transmit login credentials,” says Vosburgh.
“In [cyber]security, if you can touch it, you can own it,” says Adam Meyers, VP of intelligence at CrowdStrike, a cybersecurity company which monitors and protects against global cyber threats. “Software supply chain attacks have long been associated with nation-state espionage operations. In 2017, this technique really appeared to spread alarmingly.”
“The infection of software update processes was observed in criminally motivated and destructive campaigns, in addition to likely state-sponsored activity across the globe. It’s a real threat to national security for public organisations, but also in terms of the impact on the running of key economic sectors.”
According to Meyers, it’s hard to even detect if a supply chain attack is happening in the first place. “For years security researchers have warned about attacks against embedded systems,” he says. “For example, years ago it was demonstrated that malicious code could be embedded on chips in network cards and other devices that interact with the computer hardware underneath the operating system. These types of implants would be extremely difficult to detect.”
CrowdStrike has been tracking Chinese activities in cyberspace for a decade, and has watched them grow in scale and sophistication. “Threat intelligence has demonstrated Chinese involvement in many covert cyber data acquisitions, and given what is known about China’s economic, military, and political goals, it’s reasonable to assume that efforts to secure data on people, enterprises, governments, and intellectual property will continue indefinitely,” says Meyers.