On 24 September 2015, President Barack Obama and his Chinese counterpart Xi Jinping signed a landmark agreement on cyber espionage. Under the terms of the deal, the US and China would be allowed to continue spying on one another, but they would be forbidden from passing on any commercial secrets they uncovered to the private sector.
The deal was heralded as a major victory for American businesses, whose executives had long complained that China was routinely stealing intellectual property that had cost them billions of dollars to produce. And for some time, the agreement did have a substantial impact on rates of IP theft, which fell as the number of Chinese patents rose. But two years after Obama left office, US intelligence officials warned that the accord with China had begun to weaken.
In January, five years after the bilateral agreement was signed, security experts uncovered evidence that hackers working on Beijing’s behalf were targeting employees of NGOs and think tanks. The hackers were exploiting vulnerabilities in Microsoft’s Exchange email servers to spy on the individuals and extract sensitive data. While Beijing has denied involvement, a former White House chief information officer has described the attack as a typical example of Chinese “industrial espionage”.
The abuse of the vulnerability, which was at first highly targeted but has now ensnared tens of thousands of organisations, comes just weeks after the disclosure of a widespread attack on dozens of US government organisations and businesses using software produced by the Texan IT firm SolarWinds.
The two attacks have sparked calls for retribution. The New York Times reported earlier this month that the White House was planning to hit back at Russia with a series of cyber attacks that would be evident to the Kremlin but not the Russian public. Now the Biden administration is facing pressure to launch retaliatory attacks on China too.
Ciaran Martin, the founding CEO of the UK’s National Cyber Security Centre, cautions against such interventions. Martin, who stepped down as the UK’s most senior cyber security official last September and now runs a venture capital firm for security start-ups alongside his professorship at Oxford, notes the Moscow-linked attack is little different to the kind of digital espionage carried out by the US National Security Agency, or NCSC’s parent agency GCHQ.
“If SolarWinds is seen as beyond the pale, then there are serious implications for the Five Eyes,” Martin tells the New Statesman, referring to the intelligence sharing alliance between the UK, US, Canada, Australia and New Zealand. “There does not appear to be the appetite for that kind of restraint in the Five Eyes and there are good reasons not to. Spying can reduce the risk of miscalculation and harm.”
However, Martin is more concerned about the alleged China attack. According to Brian Krebs, the security journalist who broke the story, hackers working within an “unusually aggressive Chinese cyber espionage unit” compromised at least 30,000 organisations. In order to maintain access to the networks, the hackers deployed backdoors that are now vulnerable to further hacking by cyber criminal groups who may wish to hold organisations to ransom. Martin described the campaign as “reckless”, but again rejected calls for retaliatory cyber action, preferring to name and shame the perpetrators – a strategy he says has more of an effect on Beijing than Moscow.
His comments come as the UK prepares to significantly expand its capacity for offensive cyber attacks. As part of the integrated foreign and defence review, the government is committing to a new “full spectrum approach to the UK’s cyber capability”. This includes bolstering the cyber defences of critical infrastructure and also placing a greater emphasis on the capacity to carry out attacks through the National Cyber Force, which was announced last year.
Downing Street said on 14 March that: “In recent years our adversaries have invested in their own capabilities and are constantly finding new ways to exploit our weaknesses and gain advantage in cyberspace. To cement our competitive edge and keep ahead of our enemies a full spectrum approach is therefore needed.” Boris Johnson added: “We need to build up our cyber capability so we can grasp the opportunities it presents while ensuring those who seek to use its powers to attack us and our way of life are thwarted at every turn.”
Martin is wary of overstating the role that offensive cyber can play in a country’s defences. “It’s most useful for things like countering terrorism, countering serious organised crime and cyber crime, and supporting military organisations,” he says, referring to a 2016-17 attack on Isis. “Recent history shows it’s actually much less effective at deterring state-sponsored cyber attacks against us. While it’s correct that it’s a major part of our national security capabilities, it’s not actually a major part of our cyber security capabilities.” In a speech at King’s College London in November entitled “Cyber weapons are called viruses for a reason”, Martin warned that “we militarise the internet at our peril”.
The integrated defence review positions the UK at the centre of efforts to uphold democratic values internationally. And there have been calls from the tech industry to codify the UK and US’s approach to cyber security in standards agreed between countries. But Martin is downbeat about the chances of such a system being realised.
“What’s our big bugbear with China? It’s commercial espionage,” he says. “It’s not lost on the rest of the world that the United Kingdom stopped commercial espionage all the way back in the mid-1990s and made it unlawful all the way back in 2016. For us to suddenly say – and of course we’re seen as a privileged country economically – it is an inviolable moral truth that companies should not undertake digital espionage for commercial reasons, most of the world does not find that credible.”
Martin warns that “the West is going to have a tough time and needs to undertake some self-examination about its own appetite for aggressive digital activity before a set of globally acceptable norms are possible”.