Reminder: “Frenemies” are not friends.

News that the Chinese APT 40 cyber-hacking unit penetrated parliamentary internet networks in 2021 has renewed concerns about the PRC’s malign intentions in Aotearoa. But is the hack that significant given the length of time that has passed since its discovery and the lack of sensitivity of the information that was accessed? I was asked to write about this for a corporate news outlet but since it is my work I have added some details and posted it here.

The hack is unsurprising given that NZ is a 5 Eyes partner and parliamentary services and the parliament counsel’s office handle sensitive information as a matter of course. NZ may be a trading partner of the PRC but is in essence a security adversary given its membership in 5 Eyes and its close military alignment with the US, Australia and other Western states that are (whether rightly or wrongly) hostile to PRC power-projection worldwide. Since the PRC is a main focus of 5 Eyes signals and technical intelligence collection, it would be remiss for APT 40 to ignore potential avenues of exploitation when it comes to obtaining political or security-related intelligence in NZ. That is part of their mission, and complements the well-known presence of numerous PRC human intelligence agents in this country.

It is therefore reassuring that the GCSB National Cyber Security Centre (NCSC) discovered the hack and found that no strategically important or sensitive information was breached. We shall have to trust them on that. However, that does not mean that this will be the last time APT 40 or some other PRC cyber-hacking unit will attempt to breach NZ government and private cyber defences. That is what they do, and because NZ has in the past been seen as the Achilles heel of the 5 Eyes network due to traditionally poor cyber security practices, they will likely do so again. This is an ongoing problem that the NCSC was created to address, but the offence versus defence dynamic inherent in (cyber) espionage and warfare is still in play and will continue to be so for the foreseeable future.

Some have suggested that NZ impose sanctions on the PRC in response to the parliamentary cyber intrusion. The US and UK have announced such measures due to similar PRC behaviour with regard to them (more on this below). However, for NZ that would be a mistake because sanctions at this point would be counter-productive. First, because it would be akin to poking a tiger and invite disproportionate retaliation over what is a relatively minor transgression in the broader scheme of things. Since NZ has yet to wean itself off of its self-made PRC trade dependency, it cannot afford to alienate it just yet, if ever, over an intrusion of this order.

Secondly, these types of breaches are usually handled quietly so that the offending party is not completely sure of how and why they were thwarted or countered. In other words, the GCSB does not want to show its hand when it comes to its counter-hacking capabilities. That the breach occurred in 2021 and only has been acknowledged now indicates that the GCSB feels that enough time has elapsed for operational security concerns to be ameliorated and a “fair warning” issued to the hackers that they are being identified, traced and countered. So there is no need to cause an inevitably damaging public spat with a much more powerful interlocutor. For all the coziness of the 5 Eyes members, no one will come to NZ’s economic rescue if the PRC decides to take punitive economic measures against NZ in the event that NZ tries to impose sanctions of some sort on its largest trade partner.

The timing of the GCSB announcement about the 2021 hack is also coincident with the US publishing the identities of APT 40 hackers targeting US infrastructure and Australia and the UK warning of their and other Chinese political interference efforts in strong terms, with particular focus in the UK and US on PRC hacker compromises to voting systems in election years in both. The timing of the announcements about PRC hacking efforts therefore seems to be a 5 Eyes-coordinated “shot across the bow” that gives warning to APT 40 and their counterparts that the times of easy access to critical data infrastructure, even if indirectly and even in NZ, are over.

But that may be all that it is and not, at least in NZ’s case, a reason for NZ to escalate the matter beyond what it already has said and done. Chinese diplomats have been summoned to MFAT for a “please explain” and scolded for APT 40’s misbehaviour. The PRC Foreign Ministry has rejected the accusations and warned about scurrilous attempts to besmirch the PRC’s good name. Perhaps it is time to let the dogs go back to sleep.

It remains to be seen if this type of State-backed cyber-probing ends because if nothing else the PRC hacking community is ingenious, well resourced and persistent. For them, this is part of the PRC’s ascent to having a multi-dimensional (voice and cyber encrypted communication intercept, physical and infrared (thermal) imagery acquisition, submarine fiberoptic cable “tapping” capabilities, etc.), broad spectrum, multi-domain (air, land, sea, space, cyber) warfare infrastructure on its way to achieving superpower status. As part of 5 Eyes, NZ is standing (albeit in a small way) in the way of that goal. It was and is bound to be an ongoing target of Chinese espionage efforts, including in the cyber domain.

Ultimately the revelations about APT 40’s operations in NZ are a reminder against cyber complacency at home and at work, be it in the public or private sectors. This is very true when dealing with so-called “frenemies,” that is, States with which NZ has cordial, even friendly relations on the public surface but with which underlying value systems and security relations are incompatible, strained or even hostile. So long as NZ is a member of the 5 Eyes network and the PRC is an adversary and target of that network even if it is NZ’s largest trade partner, APT 40 and other PRC intelligence units will be hard at work seeking to discover and exploit any potential avenues of opportunity in NZ cyber-space as well as in other domains. It may be that in the past “loose lips sunk ships,” but in the contemporary era all keystrokes, phone calls, encrypted messages, Tik Toks and Instas are also grist for the intelligence mill—and exploitable as such.

An earlier version of this essay appeared on March 27, 2024 in the NZ Dominion Post (the-post.co.nz, p.19) and affiliated media outlets.

3 thoughts on “Reminder: “Frenemies” are not friends.”

  1. “For all the coziness of the 5 Eyes members, no one will come to NZ’s economic rescue if the PRC decides to take punitive economic measures against NZ in the event that NZ tries to impose sanctions of some sort on its largest trade partner.”

    In fooking deed! We’d better prepare ourselves for the possibility though that we could get stomped on. I hope NZ’s coalition of its so-called ‘left’ are thinking about it. Its coalition of the so-called ‘right’ don’t have a couple of ideas to rub together.
    On the bright side, we could be left with a load of dairy and a heap of pine logs that have nowhere else to go.
    Cudda Shudda Wudda

  2. Have you wondered about the possibility that another pressing reason for revealing this 2021 incursion just now, this very week, is to create a diversionary smokescreen over the Inspector General’s report released not too many days prior? The placement of multiple ‘capacities’ in our capital city’s nerve centre could really be of much greater significance with regard to our human rights and national sovereignty. The whole mess surrounding it, that the agency didn’t even get around to informing the Minister, nor even the new DG…. and the whole embarrassment of the matter. Even our own agency staff at times didn’t know what was being done with the ‘capacity’ through remote means…. It really makes us look like a blind colonial donkey being pulled along the farm track by a long rope…. Look, the IGI didn’t even tell us who it was that placed the ‘capacity’ within our agency’s premises. He used the convenient euphemism, ‘an overseas partner.’ But can we really consider that someone who treats us like that is a ‘partner’? An abusive partner perhaps? Yes, ok, you may have your own surmising on who or what agency it was, but there could be other possibilities. But really, why was the identity of that ‘overseas partner’ hidden from us? What political reasons could be behind that reluctance to be fully open with us? What price (to our human rights, privacy and national sovereignty) has been paid on our behalf to maintain that level of ‘name suppression’?

  3. William,

    Yes, I assumed that this latest announcement was an attempt at balancing out the news about the foreign partner “capability.” I should have noted that in the post but it slipped my mind at the time of writing. There are dodgy aspects to both stories, as you and others have noted, not the least of which is that if the APT 40 probes were essentially inconsequential, why even mention them unless it was to also join the other 5 Eyes partners in undertaking a PR campaign against PRC interference? Something is up but it may not be just the interference per se.
