20 May The Balance of Power in Cyberspace – What it Means for UK Business
As strategic rivals increasingly seek to use cyberspace as a form of tech warfare, BFPG is exploring what this means for UK plc and for UK national security. In this piece Senior Research Fellow Professor Victoria Baines provides a primer on some of the key threats cyber warfare may pose.
What has the tech trade war to do with the cybersecurity of your business? More than you might think.
Earlier this month, the Ministry of Defence (MoD) announced that it had been the victim of a cyber-attack, in which compromise of third-party software exposed the payroll data of hundreds of thousands of serving and former military personnel. Along with the MoD, SSCL lists the Metropolitan Police Service and the Construction Industry Training Board (CITB) among its clients. The latest attack on the Ministry of Defence is a salutary reminder of the prevalence and impact of compromise of IT supply chains. As I have written elsewhere, supply chain assurance is now a vital component of cybersecurity.
While the defence secretary refused in the Commons to name those responsible – perhaps because the investigation is in too early a stage to make a positive attribution – the suggestion that it was a state-led, or otherwise state-sponsored, attack by China has been widely reported in the media. This is a reasonable suspicion, as China has form for this kind of attack. In March of this year, the National Cyber Security Centre (NCSC) attributed the targeting of parliamentarians’ emails in 2021 to APT31, a China state-affiliated actor. Another, unnamed, China state-affiliated actor has been assessed by the NCSC as likely to have been responsible for compromising systems at the UK Electoral Commission in 2021 and 2022. In response, the NCSC has published guidance for high-risk individuals, political organisations, and organisations coordinating elections, under the banner Defending Democracy. In what is shaping up to be an election year, state-sponsored interference could have dramatic consequences, especially where this takes the form of voter manipulation through social media disinformation, or attempts at intimidation, observed during the 2020 US elections.
Keeping the cyber peace
Attributing a cyber-attack to state-affiliated actors is one thing. Enforcing against them is quite another. Almost thirty years ago, Internet pioneer John Perry Barlow issued his famous challenge to governments in A Declaration of the Independence of Cyberspace: “You have no sovereignty where we gather…Cyberspace does not lie within your borders. Do not think that you can build it, as though it were a public construction project. You cannot.” Divergent approaches to cyberspace governance have since emerged. Where the US and its allies argued for the applicability of existing international law, including the law of armed conflict (LOAC) and the Council of Europe Cybercrime Convention, Russia, China, and their allies have continued to press for a more comprehensive treaty on responsible behaviour in cyberspace. A third group, comprised of mostly US-based Big Tech companies, has sought to foster multistakeholder development of principles for responsible behaviour in cyberspace, among them the norms proposed by the Global Commission for Stability in Cyberspace.
Russia was the first to call for a non-binding international code of conduct under the auspices of the UN Disarmament Committee ‘to identify the rights and responsibilities of States in the information space, promote constructive and responsible behaviour on their part and enhance their cooperation in addressing common threats and challenges in the information space’. By 2019 — and with the support of China, the Central Asian Republics, and several other states — Russia was chief sponsor of a resolution “to establish an open-ended ad hoc intergovernmental committee of experts, representative of all regions, to elaborate a comprehensive international Convention on countering the use of information and communications technologies for criminal purposes”. Despite opposition by Australia, Canada, Israel, Japan, New Zealand, the United States, the United Kingdom, and the European Union’s twenty-seven member states, the resolution was adopted by vote on 18th November of that year.
Since then, many states have contributed to the Ad Hoc Committee for the elaboration of the Convention, which has been heralded as the first legally binding multilateral treaty in cyberspace. From the outset there has been considerable divergence in its suggested scope. Russia’s and China’s sponsorship of hard international law in cyberspace may come as something of a surprise, given the prominence of Russian state-affiliated groups in cybercrime and disinformation operations. Russia’s original draft text and China’s suggestions have throughout indicated a preoccupation with outlawing particular categories of online content, thus revealing domestic information control to be among their national security priorities. The European Union, Five Eyes nations and others have sought to narrow the focus to international cooperation on combatting cyber-dependent and cyber-enabled crime. Among notable others, India’s initial submission to the Ad Hoc Committee sought expansive provision not only for international cooperation, capacity building to improve countries’ cybersecurity, and confidence building measures, but also norms, rules, and principles for the responsible behaviour of states.
Apparent disagreement on the purpose of the Convention continues to hamper progress. In February of this year, after two years of negotiation, the concluding session of the Ad Hoc Committee closed with states still unable to agree whether the treaty should focus solely on cyber-dependent crime (hacking and the like) or on all crimes committed using ICT. This decision has been postponed to a reconvened concluding session, currently scheduled to begin on 29th July. Given diverging national opinions on what constitutes a crime committed using ICT, many human rights organisations are currently breathing a sigh of relief.
Even if a text is agreed, it is unlikely to deter state-affiliated groups from conducting cyber-attacks. States may well ratify the Convention but not adhere to it. Lack of clarity in the relationships between cybercriminals and governments means that they are eminently deniable and very often denied. Recommendations on due diligence by the Group of Governmental Experts on responsible use of Information and Communications Technologies to the effect that states “should not knowingly allow their territory to be used for internationally wrongful acts using ICTs” are nowhere explicit in the draft. Rather, the preamble of the current text states that States Parties to the Convention are “determined to deny safe havens to those who engage in the use of information and communications technologies for criminal purposes by prosecuting these crimes wherever they occur.” One might say that it is reflected in the spirit rather than the letter of the law.
Superpower déjà vu
Events outside of official negotiations point to what is really at stake. There is much that is reminiscent of Cold War imperatives, with the obvious difference that Russia has been relegated from superpower to miscreant. While Russia can boast some of the most disruptive profit-driven cybercriminal groups and disinformation operators, China is the only tech superpower to rival the US. For the world’s pre-eminent tech superpowers, the US and China, the dominance of one constitutes a threat to the other’s national security.
Domestic Chinese cybersecurity legislation requires network operators in the country to “cooperate with cybersecurity and informatization departments and relevant departments in conducting implementation of supervision and inspections in accordance with the law”. Following that logic, the FBI asserted in 2020 that “Beijing could likely use these authorities and policies to compel access to US commercial and sensitive personal data, including sensitive information stored or transmitted through Chinese systems”.
Legislation passed in 2021 seeks to apply extraterritorial jurisdiction on entities outside China that engage in “data handling activities that harm the national security, the public interest, or the lawful interests of citizens or organizations of the People’s Republic of China” and the adoption of counter-measures for “any country or region that adopts discriminatory prohibitions, limitations or other such measures toward the People’s Republic of China with respect to investment or trade related to data, data development and use, or technology”.
In the latest instalment in this techno-nationalist drama, Beijing ordered Apple to remove Meta-owned apps WhatsApp and Threads, along with Telegram and Signal, from its app store. Apple complied, effectively rendering these apps inaccessible to people in China. It is of note that with the exception of Threads, these apps deploy end-to-end encryption, which frustrates governments’ attempts to read their citizens’ communications. At the strategic level, the move can be interpreted as resistance of US dominance of global messaging services. At the operational/tactical level, it is a step towards greater oversight of and insight (literally) into citizens’ communications in the clear.
Almost concurrently, President Biden signed into law a bill which gives China-based tech company ByteDance nine months to sell TikTok or be blocked in the US. The requirement to divest revives the provisions of a Trump-era Executive Order, which cited TikTok’s data collection as threatening “to allow the Chinese Communist Party access to Americans’ personal and proprietary information — potentially allowing China to track the locations of Federal employees and contractors, build dossiers of personal information for blackmail, and conduct corporate espionage.” US law-makers remain consistent in their assessment that ByteDance’s ownership of TikTok is tantamount to allowing “the Chinese Communist Party to control one of the most popular apps in America” (Senator Marco Rubio).
Trump’s 2020 Executive Order also cited TikTok’s reported censorship of content that the CCP deems to be politically sensitive, and the potential for the app to be used for disinformation campaigns that would be to the CCP’s benefit. US preoccupations, then, concern various flavours of undue foreign influence and access to data that may pertain to national security. Arguably, Chinese and US fears about the other’s Big Tech are not a million miles apart. But where information control is an imperative for Beijing, the rhetoric of freedom – in this case of information and speech – is useful to Washington. In light of recent reports that searches on Chinese owned retail platform Temu are being censored for US customers, rejection of Chinese online content rules is an expression of US digital sovereignty as much as it is an idealistic stand for freedom of access to information. When we look to the burgeoning field of Artificial Intelligence and rapidly emerging quantum computing, China is also a dominant power. With OpenAI’s ChatGPT already restricted in China, these tensions are set to replay themselves for the foreseeable future.
What this means for UK Plc
All of this puts the UK in a curious position. According to government data, China is the UK’s third largest import market. Given the US government’s current stance, it’s not impossible that we will see further international pressure on the UK to disentangle itself from Chinese IT components on national security grounds. This is easier said than done – if you own an Apple Watch, the chances are that it will have been manufactured in China. Moreover, HMG has previously shown itself to be reluctant on this score: when pressed by the US to remove Huawei components from its mobile network infrastructure on the premise that Chinese ownership of hardware presented a risk of hostile infiltration, the UK government found an artful diplomatic compromise, commissioning its National Cyber Security Centre (NCSC) to conduct a review of the hardware’s cybersecurity. When Huawei was found wanting, HMG was able to commit to removal of Huawei components by 2027 based on their poor quality, rather than their capacity specifically for espionage.
For British businesses, the day-to-day of cybersecurity is likely to be more of the same. State-affiliated cyber-attacks will not magically decrease, even if agreement is reached in the UN on how to cooperate to combat them. Indeed, for at least one country they are an economic necessity, with North Korea reportedly deriving up to 50 per cent of its GDP from cybercrime. Russian affiliates will continue to launch operations aimed at extortion, disruption, and manipulation. China will still engage in infiltration and exfiltration, with a particular focus on R&D theft. What has changed is the extent to which businesses of all sizes face scrutiny for their strategic partnerships and procurement, even for individual line items. International relations and economic policy are just as important as technological innovation in the fight against cybercrime. Now more than ever, the cybersecurity of your business is a geopolitical issue.
