Cyber-hacking comes to Aotearoa.*

The Government Communications Security Bureau (GCSB) has announced that Chinese hackers were responsible for cyber intrusions against New Zealand managed service providers (MSPs), the firms that run phone, email, internet and data storage services on behalf of individual, public agency and corporate customers. This is surprising only because it confirms what private security analysts and partner intelligence services have been claiming for some time: that the Chinese are engaged in a global campaign of cyber theft of commercial secrets and intellectual property. They do so as part of a strategy to become the world's dominant information and telecommunications player within 50 years, and they do so by using ostensibly private firms as cover for hacking activities directed by the Chinese Ministry of State Security (MSS).

The GCSB announcement coincided with the indictment by the US Justice Department of two Chinese nationals who have been identified as belonging to the Advanced Persistent Threat 10 (APT10) group of MSS hackers operating under the cover of a Chinese-registered firm, Tianjin Huaying Haitai Science and Technology Development Company Ltd. (Huaying Haitai). Huaying Haitai claims to provide network security construction and product development services but has only two registered shareholders, one manager and no web presence (the domain name huayinghaitai.com is registered to the firm but cannot be found on-line, which is particularly odd for an internet security provider). The US has publicly identified Huaying Haitai as the corporate front for APT10, and the GCSB has confirmed that APT10 was responsible for the New Zealand-targeted cyber intrusions it has detected since early 2017.

The UK simultaneously announced that Chinese hackers had conducted a decade-long campaign of cyber-theft against British commercial entities, while the US identified 75 US-based targets as well as others in 12 other countries (excluding New Zealand). The GCSB announcement is therefore part of a coordinated effort by Western governments to identify Chinese-based cyber-theft campaigns, and follows on similar Australian revelations announced during the 2018 APEC summit a month ago.

The APT10 cyber-hacking campaign violates the terms of a 2016 APEC agreement signed by China (and New Zealand) committing member states to not use cyber hacking in order to engage in commercial espionage or intellectual property theft. It violates similar pacts signed with the US and UK in 2015. This means that China is deliberately violating international agreements for commercial gain. It also makes all Chinese-based telecommunications firms suspect, both in terms of the alleged digital backdoors built into their products that could be used by Chinese intelligence and in terms of their duplicitous corporate behaviour when it comes to proprietary information. In effect, Chinese telecommunications firms are seen by Western countries as bad corporate actors as well as intelligence fronts. This has led to firms such as ZTE and Huawei being excluded from critical infrastructure projects and 5G network upgrades in a number of countries, including, most recently, New Zealand.

The GCSB announcement refers to Chinese hacking in pursuit of cyber theft of sensitive commercial and intellectual property. It does not mention specific targets or refer to cyber-espionage per se. Yet the two overlap because of the nature of the targets and the means by which they are attacked. APT10 hacking attacks are aimed at managed service providers (MSPs) who store and manage data for individuals, public agencies and firms. These include large multinational email, internet and phone service providers as well as smaller cloud-based data storage firms.

If APT10 and other hackers can penetrate the security defences of MSPs, they can potentially bulk collect, then data mine, whatever is digitally stored in the targeted archives. Because an MSP holds administrative access to the networks it manages on behalf of its clients, a single MSP compromise can be leveraged into access to many of that provider's customers at once. Although the primary interest is commercial in nature, the overlapping nature of data networks, especially in a small country like New Zealand, potentially gives APT10 and similar hacking groups access to non-commercial political, diplomatic and military networks.

For example, a home computer or private phone that has been compromised by a cyber hack on an internet service provider (ISP) can become, via the exchange of information between personal and work devices, an unwitting entry point to work networks in the private and public sectors that are not connected to the individual's ISP. This raises the possibility of incidental or secondary data collection by hackers, which in the case of state-organised outfits like APT10 may be of as much utility as the commercial data being targeted in the first instance.

The dilemma posed by the GCSB's announcement is two-fold. First, will the government follow the GCSB's lead and denounce the behaviour, or will it downplay the severity of the violation of international norms and the intrusion on sovereignty that the APT10 hacking campaign represents? If it denounces the behaviour, it sets up a possible diplomatic confrontation with the PRC. If it does not, it exposes a rift between the GCSB and the government when it comes to Chinese misbehaviour.

Neither scenario is welcome but one thing is certain: no response will stop Chinese cyber hacking because it is part of a long-term strategy aimed at achieving global information and telecommunications dominance within fifty years. But one response will certainly encourage it.

  • An earlier version of this essay appears on the Radio New Zealand website, December 21, 2018 (https://www.radionz.co.nz/news/on-the-inside/378835/cyber-hacking-comes-to-aotearoa).

Cyberwar comes to New Zealand.

News that Chinese hackers obtained personal details of 4 million US federal employees dating to 1985, following on the heels of similar attacks on the customer records of private insurance companies and retirement funds as well as the internal email networks of the US State Department and White House, demonstrates that a guerrilla cyber-war is underway. Although it will not replace traditional warfare any time soon, this is the new face of war for several reasons.

First, it does not involve physical conflict using kinetic weapons, which removes direct bloodletting from the equation. Second, it can target critical infrastructure (power grids, water supplies) as well as the command, control, communications, computing and intelligence (C4I) capabilities of adversaries. Third, it can be masked so that perpetrators can claim a measure of plausible deniability or at least intellectual distance from the action. Fourth, it can be used for tactical and strategic purposes and the pursuit of short or long-term objectives.

Much like military drones, cyberwar is here to stay.

The war is not one sided: Russian hackers have penetrated Pentagon email networks and the 5 Eyes signals intelligence alliance has dedicated hacking cells working 24/7 on targets of opportunity. Many other nations also indulge in the practice as far as their technological capabilities allow them. To these can be added a host of non-state actors—Wikileaks, Anonymous, ISIS, among others—who have also developed the capability to engage in electronic espionage, sabotage, data capture and theft.

With the most recent revelations about the hacks on the US Office of Personnel Management (OPM) archival records (which include personal details of active and retired federal employees as well as the identities of those who have had or hold security clearances, perhaps including myself given my prior employment by the Department of Defense), an evolution in cyber warfare is now evident.

Previously, most state-sanctioned cyber attacks were so-called "front door" attacks on government or corporate mainframes, servers and networks. The interest was in surreptitiously obtaining sensitive data or installing surveillance tools in order to engage in ongoing monitoring of targeted entities. "Back door" probes and attacks, those that go after the personal data and devices of individuals rather than the institutions themselves, were the province of non-state actors, especially criminal organisations, seeking to obtain private information of individuals and groups for fraudulent use. However, the recent attacks have been of the "back door" variety yet purportedly state sanctioned, and the Snowden leaks have revealed that 5 Eyes targets the personal communications of government officials, diplomats, military officials and corporate managers as a matter of course.

The move to state-sponsored “back door” hacks is ominous. Accessing data about current and retired government employees can be used to blackmail those suffering personal liabilities (debt, infidelity) in order to obtain sensitive information about government processes, procedures, protocols and policy. It can target active and former intelligence and military officials and others with access to classified information. It can target former public officials that have moved to the private sector, particularly in fields of strategic or commercial importance. Likewise, obtaining sensitive personal data of employees working in private firms opens the door to similar exploitation for illicit commercial gain.

Advances in consumer telecommunications have made cyber hacking easier. Smart phones and their applications are considered to be the most vulnerable to hacking. Because many people store an enormous amount of personal data on these devices, and because they often mix work and personal business on them, they represent an enticing entry point when targeted. Yet even knowing this, millions of consumers continue to pack their lives into electronic devices, treating them more as secure bank vaults than as windows on their deepest secrets. Not surprisingly, both state and non-state actors have embarked on concerted efforts to penetrate mobile networks and hand-held devices. Encryption is a strong defence against interception of data in transit or at rest, but it does nothing for a device that has already been compromised, since the attacker simply reads the data after the device decrypts it for use; that is the route technologically sophisticated hackers, including those in the employ of a number of states, routinely take around it.

The bottom line is this: the smaller the telecommunications market, the easier it is for cyber hackers to successfully place "back door" implants into the network and the targets within it, especially if government and corporate resources are directed towards defending against "front door" attacks. On the bright side, it is easier to defend against attacks in a smaller market if governments, firms, service providers and consumers work to provide a common defence against both "front door" and "back door" hacking.

The implications for New Zealand are significant.

In this new battleground physical distance cannot insulate New Zealand from foreign attack because cyber-war knows no territorial boundaries. New Zealand provides an inviting target because not only is it an integral and active member of Western espionage networks, it also has proprietary technologies and intellectual property in strategic sectors of its trade-dependent economy (including niche defence-related firms) that are of interest to others. Because New Zealand's corporate, academic and public service elites are relatively small and the overlap between them quite extensive, hacks on their personal data are a valuable tool for those who wish to use them for untoward purposes.

New Zealand public agencies and private firms have been relatively slow to react to the threat of cyber warfare. The data they hold on their employees, managers, policy elites and general population is an inviting “back door” for determined hackers seeking to exploit vulnerabilities in New Zealand’s cyber networks. Since many Kiwis are lax about separating their work and private electronic correspondence and records, the potential to access sensitive personal information is high.

New Zealand has been the subject of numerous "front door" cyber attacks and probes on public and private agencies, including an attack by Chinese-based hackers on the NIWA supercomputer carried out in concert with a similar attack by the same source on the supercomputer run by the US National Oceanic and Atmospheric Administration (NIWA's US counterpart). New Zealanders have been the targets of numerous "back door" intrusions such as phishing and other scams perpetrated by fraudsters and conmen. Yet successive governments have been slow to recognise the new threat advancing towards them in the cyber-sphere, only recently creating dedicated cyber security cells within the intelligence community and just last year amending the GCSB Act to address vulnerabilities in domestic internet security. But it still may not be enough.

Until New Zealand resolves the problem of institutional lag (that is, the time gap between the emergence of a technologically-driven threat and an institutional response on the part of those agencies responsible for defending against it), there is reason to be concerned for the security of private data stored in the country. After all, in the age of cyberwar there is no such thing as a benign strategic environment.