Sunday, January 24, 2021

China Beats the CIA Pt. III: "Tech Giants Are Giving China A Vital Edge in Espionage"

The third installment of a very serious piece, from Foreign Policy, December 23, 2020:

In 2017, as U.S. President Donald Trump began his trade war with China, another battle raged behind the scenes. The simmering, decadelong conflict over data between Chinese and U.S. intelligence agencies was heating up, driven both by the ambitions of an increasingly confident Beijing and by the conviction of key players in the new administration in Washington that China was presenting an economic, political, and national security challenge on a scale the United States had not faced for decades—if ever.

This series, based on interviews with over three dozen current and former U.S. intelligence and national security officials, tells the story of China’s assault on U.S. personal data over the last decade—and its consequences.

Part 1: China Used Stolen Data to Expose CIA Operatives in Africa and Europe
After China discovered extensive U.S. networks inside its own government, it struck back with a series of hacks that allowed it to expose CIA operatives in Africa and Europe—while upping domestic security at home to protect against further U.S. infiltration.

Part 2: Beijing Ransacked Data as U.S. Sources Went Dark in China
As Xi Jinping consolidated his power through purges at home, the loss of U.S. sources left the Obama administration struggling to grasp what was happening in China. Meanwhile, intelligence agencies carried out enormous thefts of U.S. data—while the United States strived to do the same in China.

Beijing was giving China hawks in the United States plenty of ammunition. That same year, hackers working for China’s People’s Liberation Army would mastermind a massive breach of Equifax, one of the United States’ largest credit reporting firms. The military-linked hackers absconded with a dizzying amount of personal data, including Social Security numbers, home addresses, birth dates, driver’s license numbers, and credit card information. Roughly 145 million Americans had their personal data exposed by the hack.

The Trump administration’s China policies were probably the most antagonistic of any U.S. presidency since the height of the Cold War in the 1960s. Still, even within the administration, key China advisors were divided. “In the first year [of the Trump era] at the National Security Council, we were arguing and debating the direction [of China policy],” recalled Robert Spalding, who served as the council’s senior director for strategic planning until early 2018. The environment shifted in 2018, Spalding said, after the advent of the administration’s National Security Strategy, its decision to escalate the trade war, and the departure of Susan Thornton, the State Department’s top Asia policy official, who Spalding says stymied attempts by the FBI and Department of Justice to take a more aggressive tack on China-related prosecutions. (Thornton declined to comment.)

But for some critics, the administration’s shifting rationales undermined its credibility on China and technology issues. A number of Trump administration officials emphasized the national security threats posed by Chinese tech giants, while others—most notably Trump himself—intimated that these companies’ access to U.S. goods and markets were bargaining chips in the ongoing trade war. ZTE, a major Chinese telecommunications firm, was almost driven out of business after the administration, citing national security, banned American suppliers from working with it—until Trump granted the company a reprieve, seemingly as part of trade-related negotiations with Chinese leader Xi Jinping. “President Xi of China, and I, are working together to give massive Chinese phone company, ZTE, a way to get back into business, fast. Too many jobs in China lost. Commerce Department has been instructed to get it done!” Trump tweeted in May 2018.

A full-court press by the administration on Huawei, the world’s largest telecom equipment firm, lost momentum after the president floated dropping an extradition request against a Huawei executive arrested in Canada for sanctions evasion in exchange for trade relief. Administration officials also shifted from hinting about the company’s current malicious activities on behalf of China’s spy services to emphasizing the threat it might pose in the future, once it had monopolized much of the world’s telecom infrastructure.

This was a fair worry. Chinese industry has always been, to some extent, subordinated or intertwined with the party-state, although the origins of these ties are often murky. The People’s Liberation Army was a dominant player in Chinese firms for decades, owning businesses from hospitals to condom factories; the Chinese Communist Party has itself repeatedly attempted to force military divestiture to fight corruption.

But the embrace between China’s intelligence services and Chinese businesses has gotten tighter, U.S. officials say. In 2017, under Xi’s intensifying authoritarianism, Beijing promulgated a new national intelligence law that compels Chinese businesses to work with Chinese intelligence and security agencies whenever they are requested to do so—a move that codified “what was pretty much what was going on for many years before, though corruption had tempered it” previously, a former senior CIA official said.

In the final years of the Obama administration, national security officials had directed U.S. spy agencies to step up their intelligence collection on the relationship between the Chinese state and China’s private industrial behemoths. By the advent of the Trump era, this effort had borne fruit, with the U.S. intelligence community piecing together voluminous evidence on coordination—including back-and-forth data transfers—between ostensibly private Chinese companies and that country’s intelligence services, according to current and former U.S. officials. There was evidence of close public-private cooperation occurring on “a daily basis,” according to a former Trump-era national security official. “Those commercial entities are the commercial wing of the party,” the source said. “They of course cooperate with intelligence services to achieve the party’s goals.”


Beijing’s access to, and ability to sift through, troves of pilfered and otherwise obtained data “gives [China] vast opportunities to target people in foreign governments, private industries, and other sectors around the world—in order to collect additional information they want, such as research, technology, trade secrets, or classified information,” said William Evanina, the United States’ top counterintelligence official. “Chinese technology companies play a key role in processing this bulk data and making it useful for China’s intelligence services,” he said.

In what amounts to intelligence tasking, China’s spy services order private Chinese companies with big-data analytics capabilities to “condition”—that is, work up or process—massive sets of information, including from hacks like the massive breach of the U.S. Office of Personnel Management (OPM), that have intelligence value, according to current and former officials. This data then promptly flows back to Chinese state entities, they say.

“Just imagine on any given day, if NSA and CIA are collecting information, say, on the [Chinese military], and we could bring back seven, eight, 10, 15 petabytes of data, give it to Google or Amazon or Microsoft, and say, ‘Hey, condition this on the weekend. We want all these analytics; get it back to us next week.’ That’s what they do. They have Alibaba and they have Baidu. We don’t have that,” a current senior intelligence official said.....



It's not just that China can task its corporations to collect data. The latest of the Chinese security laws claims universal jurisdiction; see "How to Respond To China's Claim That The New Hong Kong Security Law Applies To Actions Everywhere In The World".

If interested, see also "So You Want To Do Business In China Do You? 'China’s New Cybersecurity Program: NO Place to Hide'"
We mentioned the National Security Law (and the cybersecurity law and the NGO law) back in July;* anyone doing business in China WILL comply. Here's a deeper dive....

*"How the state runs business in China"

.... The author rather blithely skips over the National Security Law.
Here via China Law Translate:

There is not a lot of wiggle room in Article 7:

Article 7: All organizations and citizens shall support, assist, and cooperate with national intelligence efforts in accordance with law, and shall protect national intelligence work secrets they are aware of.
The State protects individuals and organizations that support, assist, and cooperate with national intelligence efforts.
All means all, including foreign companies operating in China.
Ditto Article 14:
Article 14: National intelligence work institutions lawfully carrying out intelligence efforts may request that relevant organs, organizations, and citizens provide necessary support, assistance, and cooperation.
And 16:
Article 16: When national intelligence work institutions staff lawfully perform their tasks in accordance with relevant national provisions, with approvals and upon the presentation of relevant identification, they may enter relevant restricted areas and venues; may learn from and question relevant institutions, organizations, and individuals; and may read or collect relevant files, materials or items.
And then there's The Cybersecurity Law and the Foreign NGO Law (2016) and the Counter-espionage Law (2014) and all worded vaguely enough that the laws can mean whatever the Party and the authorities want them to mean.

Making a bit of a straw man argumentum ad absurdum, the top Canadian spinmeister for one of the companies subject to the National Security Law said:

‘At Huawei, we’re not attaching laser beams to the heads of sharks’
—Alykhan Velshi, Vice President, Corporate Affairs, Huawei Technologies Canada, Markham, Ont.
Letter to the Editor, Maclean's Magazine, published July 23, 2019

Personally, I think laser-enhanced sharks would be kind of cool; it's the required handing over of data should the Chinese government request it that gives one pause.

The quibble on the importance of the National Security Law aside, my Mandarin-speaking friends say the Guardian article is a fair representation of Xi and how he is shaping China.

In addition, every Chinese citizen studying, working, or even just traveling abroad is subject to being ordered to spy for Beijing or risk losing all travel privileges and documents.

Previously from Foreign Policy:
January 16
The Unbelievable Failure Of The CIA And The Intelligence Community Regarding China
January 2
Data and Money and Death: "China Used Stolen Data to Expose CIA Operatives in Africa and Europe"