On July 6, 2022, the heads of the U.S. Federal Bureau of Investigation (FBI) and the British MI5 law enforcement agencies issued an unprecedented joint statement warning about espionage and other economic threats from China. Addressing an audience that included chief executives of businesses and senior officials from universities, FBI Director Christopher Wray stated that the economic and national security threats posed by the Chinese Communist Party are “immense” and “breathtaking” while MI5 head Ken McCallum called them “game-changing.” Director Wray indicated that the Chinese government “poses an even more serious threat to Western businesses than even many sophisticated businesspeople realize,” and that China had interfered in politics, including recent elections. This statement was validated by the U.S. National Counterintelligence and Security Center in a separate statement that indicated that China has accelerated efforts to influence U.S. policy-making through overt and covert means, ranging from open lobbying to collecting personal information about state and local community leaders, and uses economic incentives to reward or punish officials. MI5 head McCallum further elaborated that MI5 had more than doubled its countermeasures against Chinese activity in the last three years and is expected to double it again soon.
Cybersecurity Threats
Director Wray told attendees that the Chinese government was “set on stealing your technology – whatever it is that makes your industry tick – and using it to undercut your business and dominate your market.” He further indicated that China is using a wide range of tools and that China had deployed cyber espionage to “cheat on a massive scale,” engaging in a level of hacking activity that rivaled every other major country combined. MI5 head McCallum added that the biggest risk from the Chinese Communist Party is to “the world-leading expertise, technology, research, and commercial advantage developed and held by people in this room, and others like you,” and highlighted that the risks posed by the Chinese government included covert theft, technology transfer, and exploiting research.
As further evidence of the immediate threat, MI5 head McCallum suggested that MI5 had thwarted a sophisticated threat against aerospace organizations and described sophisticated “recruiting” activities posed as job interviews designed to encourage technology experts to describe technical information about their work to Chinese intelligence officials. McCallum indicated that intelligence information about cybersecurity threats had been shared with 37 other countries.
While the joint statement did not directly address the impact that such cybersecurity attacks could have on critical infrastructure, many of the concerns apply equally to organizations involved in critical infrastructure, and such organizations should take the threats from the Chinese Communist Party and other similar nation-state threat actors equally seriously.
Importance of the Statement
The joint statement is the first-ever joint public appearance between the two directors and an unusual statement for two of the largest national law enforcement agencies in the Western world. The unprecedented statement underscores some of the main cybersecurity concerns that are often overlooked:
- Cybersecurity threats cross traditional international boundaries. Director Wray elaborated on the international scope of the threat posed by China and stated that the Chinese government posed the “biggest long-term threat to our economic and national security – and by ‘our,’ I mean both of our nations, along with our allies in Europe and elsewhere.”
- While businesses often focus their cybersecurity efforts on threats to personal information, the intellectual property held by many organizations may be even more valuable to nation-state threat actors seeking economic superiority.
- Defending against such threats may demand a coordinated, international response that includes the sharing of threat intelligence information between countries.
China’s Response
China denied that it engages in the activities that Director Wray and MI5 head McCallum claimed, and stated through a spokesperson at China’s embassy in Washington, D.C. that Beijing’s position is that it is a defender of cybersecurity, that its government would never condone such activities, and that it is itself the victim of cybersecurity attacks. The spokesperson criticized the statements by Director Wray and MI5 head McCallum as coming from “U.S. politicians who has been tarnishing China’s image and painting China as a threat with false accusations,” accused the U.S. of launching a mass online surveillance campaign, and said that the U.S. should “be a truly responsible actor in cyberspace.”
What Business Should Do
Attacks from China (and other nation-state threat actors) can come at any time. In fact, they are likely already happening – former FBI Director Robert Mueller once stated, “I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.” To defend against such attacks, businesses of all kinds should consider the following actions to protect their intellectual property and critical infrastructure activities:
- Review Patching Policies and Procedures. Nation-state actors quickly and easily exploit systems that have failed to patch known vulnerabilities.
- Address Insider Threats. Although Director Wray was careful to make clear that the threat comes from the Chinese government and the Chinese Communist Party, not from the Chinese people or Chinese immigrants, businesses should be alert to potential internal cybersecurity threats from all of their employees.
- Security Audits and Penetration Testing. Engage an independent security company to conduct penetration testing and a cybersecurity audit to verify the strength of the business’s cybersecurity defenses.
- Isolate Critical Assets on the Network. Consider moving the highest-value technology and other trade secrets to isolated computing systems that have no connection to the public internet. While this may not be practical for some organizations that are still working remotely, a “sneaker net” can still be one of the best security measures when it is practical for the business.
- Consider Risks to Business in China. Exercise caution when doing business in China. Director Wray also pointed to Chinese laws and regulations that pose risks to foreign companies operating in China and encouraged business leaders to evaluate the risk of commercial interactions with Chinese partners. “Maintaining a technological edge may do more to increase a company’s value than partnering with a Chinese company to sell into that huge Chinese market, only to find the Chinese government and your partner stealing and copying your innovation,” he said.
- Review Supply Chain for Technological Risks. Both the U.S. and British governments have launched efforts to limit or eliminate Chinese equipment from next-generation 5G telecommunications networks over concerns about potential malware and other malicious components. Businesses should review their supply chain for the potential introduction of malware – not just in physical parts, but also in software and other network components, such as firewalls, routers, wireless access points, laptops, telecommunications systems, anti-virus software, and similar network devices that may touch or have access to data. Businesses should buy such products and services only from reliable sources and avoid products that may come from organizations associated with nation-state threat entities in countries that may be aggressive toward the West’s economic interests, such as China, Russia, and North Korea. Businesses may wish to consult NIST SP 800-161 and NIST’s Software Supply Chain Security Guidance for guidance on reviewing and mitigating risks to their supply chain.
- Plan for Geopolitical Supply Chain Disruptions. In addition to supply chain risks posed by malware and other malicious code, businesses should consider the potential impact on their supply chain from geopolitical forces. Director Wray suggested that China was taking lessons from Russia’s invasion of Ukraine to insulate itself from the impact of economic sanctions that the West could impose on it, and highlighted that China could disrupt supply chains in an effort to hold Western organizations hostage. He noted that the potential disruption resulting from a Chinese invasion of Taiwan or other economic retaliation would be much greater than that seen this year as a result of Ukraine.
- Review Disaster Recovery Plans. While China’s focus is a little different from traditional ransomware, China may attempt to gain an economic advantage over major businesses by deploying tactics similar to those used in double-extortion ransomware, namely exfiltration of information and depriving the business of the availability of that information. On top of the actions described above, businesses should ensure that they have appropriate disaster recovery policies and procedures (including testing backup and restore capabilities) so that the business can recover its prior progress and maintain its business advantage.
- Review Other Cybersecurity Policies and Procedures. Conduct a table-top exercise targeting the misappropriation of intellectual property and the disabling of critical systems, and review and update other cybersecurity policies and procedures as necessary to further protect these important assets.
Conclusion
Perhaps the most encouraging statement in the warning was from Director Wray, who offered that “I know that this all sounds alarming. But while the threat is immense, that doesn’t mean the harm is inevitable.” Businesses should take the actions described above to review and update their cybersecurity practices.