With the announcement that the UK government would be imposing sanctions on two individuals and one entity accused of targeting – without success – UK parliamentarians in cyber-attacks in 2021, the phrase “tip of the iceberg” comes to mind. But that would underestimate the iceberg.
James Cleverly, the home secretary, said the sanctions were a sign that “targeting our elected representatives and electoral processes will never go unchallenged”.
But some experts saw it as a sign that the UK had been pushed into a corner by a decision in Washington to indict seven individuals associated with the hacking outfit known as APT31, who are accused of engaging in a “prolific global hacking operation” that sent more than 10,000 malicious emails to politicians, officials, journalists and critics of China across several continents.
The sanctions “won’t make a blind bit of difference” to the UK’s cybersecurity, according to Alan Woodward, a professor of cybersecurity at the University of Surrey, who said they were “the equivalent of sending a stiffly worded letter”. The UK government “have got to say something because the Americans are saying something, but still don’t want to upset the Chinese”.
The government revealed the historical hacking attempts on the same day that it pointed the finger at a “Chinese state-affiliated entity” for compromising the Electoral Commission’s systems between 2021 and 2022. The Chinese embassy in London said the UK’s statement was “completely unfounded and constitutes malicious slander”. But the UK did not accuse any of the sanctioned entities of being involved in that breach. The government has “conflated two separate issues in a way that is quite confusing to the general public”, said Jamie MacColl, a research fellow in cybersecurity at the Royal United Services Institute thinktank.
Part of the reason that the UK’s response is seen by some as being weak and confusing is that Chinese hacking attempts are not isolated events. Rather, they constitute the ecosystem in which all western governments must navigate their relationships with Beijing. In a report published on 27 March, Google said China “continues to lead the way for government-backed exploitation”. APT31 alone has been linked to hacks in France, Finland and of Microsoft, while New Zealand said this week that another well-known Chinese hacking outfit, APT40, attacked its parliament in 2021 (the Chinese embassy in New Zealand denied the allegations).
A recent leak of data from the Chinese cybersecurity firm iSoon revealed the extent to which China’s hackers for hire compete for government contracts, sometimes hoovering up data from foreign agencies on spec with the hope of selling it to the highest bidder. In the case of APT31, the US Department of Justice alleges that the hacking operation was directly run by a provincial department of China’s ministry of state security.
But in general, said Mei Danowski, a China cybersecurity expert and author of the Natto Thoughts newsletter, nearly every cybersecurity firm in China would have some sort of contract with government clients. With a cybersecurity industry worth an estimated $13bn (£10.3bn), that is a lot of potential hackers.
That leaves western governments struggling to coordinate an effective response to hacks or hacking attempts. In many cases, the Chinese government has plausible deniability about responsibility, and it is not always clear what the impact of a data breach is. Audrye Wong, an assistant professor at the University of Southern California, said that while Russian-based hacks often “sow discord and chaos”, China was “more cautious” and “still very much cares about shaping perceptions of China and the Chinese Communist party”. Many western international security experts refer to the maxim that while Russia may be the storm, China is climate change.
Danowski says that since the US indicted hackers associated with a company called Chengdu 404 in 2020, its business operations in China have carried on as normal, suggesting that the “name and shame” tactic adopted by the US and the UK this week may be symbolic at best.
And while China says it has “no interest or need to meddle in the UK’s internal affairs”, some cybersecurity experts note that gathering information on foreign states is the bread and butter of every country’s intelligence operations – in other words, spies spy.
Reuters recently reported that Donald Trump, while president, had authorised a covert CIA operation on Chinese social media to turn Chinese public opinion against Beijing, in an operation that may still be active. If Chinese cyber-attacks lead to “the harassment of dissidents, I could see why sanctions would be justified”, said MacColl. “But from my perspective the activity that’s been named is predominantly political espionage.”