Reminder: “Frenemies” are not friends.

News that the Chinese APT 40 cyber-hacking unit penetrated parliamentary internet networks in 2021 has renewed concerns about the PRC’s malign intentions in Aotearoa. But is the hack that significant given the length of time that has passed since its discovery and the lack of sensitivity of the information that was accessed? I was asked to write about this for a corporate news outlet, but since it is my work I have added some details and posted it here.

The hack is unsurprising given that NZ is a 5 Eyes partner and parliamentary services and the parliament counsel’s office handle sensitive information as a matter of course. NZ may be a trading partner of the PRC but is in essence a security adversary given its membership in 5 Eyes and its close military alignment with the US, Australia and other Western states that are (whether rightly or wrongly) hostile to PRC power-projection worldwide. Since the PRC is a main focus of 5 Eyes signals and technical intelligence collection, it would be remiss for APT 40 to ignore potential avenues of exploitation when it comes to obtaining political or security-related intelligence in NZ. That is part of their mission, and complements the well-known presence of numerous PRC human intelligence agents in this country.

It is therefore reassuring that the GCSB National Cyber Security Centre (NCSC) discovered the hack and found that no strategically important or sensitive information was breached. We shall have to trust them on that. However, that does not mean that this will be the last time APT 40 or some other PRC cyber-hacking unit will attempt to breach NZ government and private cyber defences. That is what they do, and because NZ has in the past been seen as the Achilles heel of the 5 Eyes network due to traditionally poor cyber security practices, they will likely do so again. This is an ongoing problem that the NCSC was created to address, but the offence versus defence dynamic inherent in (cyber) espionage and warfare is still in play and will continue to be so for the foreseeable future.

Some have suggested that NZ impose sanctions on the PRC in response to the parliamentary cyber intrusion. The US and UK have announced such measures due to similar PRC behaviour with regard to them (more on this below). However, for NZ that would be a mistake because sanctions at this point would be counter-productive. First, it would be akin to poking a tiger and would invite disproportionate retaliation over what is a relatively minor transgression in the broader scheme of things. Since NZ has yet to wean itself off its self-made PRC trade dependency, it cannot afford to alienate the PRC just yet, if ever, over an intrusion of this order.

Secondly, these types of breaches are usually handled quietly so that the offending party is not completely sure of how and why they were thwarted or countered. In other words, the GCSB does not want to show its hand when it comes to its counter-hacking capabilities. That the breach occurred in 2021 and has only been acknowledged now indicates that the GCSB feels that enough time has elapsed for operational security concerns to be ameliorated and a “fair warning” issued to the hackers that they are being identified, traced and countered. So there is no need to cause an inevitably damaging public spat with a much more powerful interlocutor. For all the coziness of the 5 Eyes members, no one will come to NZ’s economic rescue if the PRC decides to take punitive economic measures against NZ in the event that NZ tries to impose sanctions of some sort on its largest trade partner.

The timing of the GCSB announcement about the 2021 hack is also coincident with the US publishing the identities of APT 40 hackers targeting US infrastructure, and with Australia and the UK warning in strong terms of their and other Chinese political interference efforts, with particular focus in the UK and US on PRC hacker compromises to voting systems in election years in both. The timing of the announcements about PRC hacking efforts therefore seems to be a 5 Eyes-coordinated “shot across the bow” that gives warning to APT 40 and their counterparts that the times of easy access to critical data infrastructure, even if indirectly and even in NZ, are over.

But that may be all that it is and not, at least in NZ’s case, a reason for NZ to escalate the matter beyond what it already has said and done. Chinese diplomats have been summoned to MFAT for a “please explain” and scolded for APT 40’s misbehaviour. The PRC Foreign Ministry has rejected the accusations and warned about scurrilous attempts to besmirch the PRC’s good name. Perhaps it is time to let the dogs go back to sleep.

It remains to be seen if this type of State-backed cyber-probing ends, because if nothing else the PRC hacking community is ingenious, well resourced and persistent. For them, this is part of the PRC’s ascent to having a multi-dimensional (voice and cyber encrypted communication intercept, physical and infrared (thermal) imagery acquisition, submarine fiberoptic cable “tapping” capabilities, etc.), broad spectrum, multi-domain (air, land, sea, space, cyber) warfare infrastructure on its way to achieving superpower status. As part of 5 Eyes, NZ is standing (albeit in a small way) in the way of that goal. It was and is bound to be an ongoing target of Chinese espionage efforts, including in the cyber domain.

Ultimately the revelations about APT 40’s operations in NZ are a reminder against cyber complacency at home and at work, be it in the public or private sectors. This is very true when dealing with so-called “frenemies,” that is, States with which NZ has cordial, even friendly relations on the public surface but with which underlying value systems and security relations are incompatible, strained or even hostile. So long as NZ is a member of the 5 Eyes network and the PRC is an adversary and target of that network even if it is NZ’s largest trade partner, APT 40 and other PRC intelligence units will be hard at work seeking to discover and exploit any potential avenues of opportunity in NZ cyber-space as well as in other domains. It may be that in the past “loose lips sunk ships,” but in the contemporary era all keystrokes, phone calls, encrypted messages, Tik Toks and Instas are also grist for the intelligence mill—and exploitable as such.

An earlier version of this essay appeared on March 27, 2024 in the NZ Dominion Post (the-post.co.nz, p.19) and affiliated media outlets.