China's influence grows through Digital Silk Road Initiative.
Dave Bittner: Hello everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Charity Wright: China has been very busy with cyberespionage campaigns over the past decade, but especially over the last few years, and I started doing some research on some of their Digital Silk Road projects.
Dave Bittner: That's Charity Wright. She's a cyber threat intelligence expert with Recorded Futures Insikt Group. The research we're discussing today is titled, "China's Digital Colonialism: Espionage and Repression along the Digital Silk Road."
Charity Wright: The Digital Silk Road is part of the more widely known Belt and Road Initiative. It's basically a private-sector agenda that aims to extend China's digital presence abroad and enhancing its commercial and political influence. So as I started researching some of these Digital Silk Road projects, I found some interesting findings around how they were using these projects to influence regimes in certain regions of the world, like Africa, Latin America, and South Asia. So that's what prompted me to do a little more digging and find out exactly the scope of these projects, what they're being used for, and what type of influence China is gaining in those regions.
Dave Bittner: Well, let's go through it together. I mean, can you take us through, I guess, you know, region-by-region, the ones that really caught your eye – what you discovered and what you make of it?
Charity Wright: I presented about – I think it was seven or eight different case studies in this report. And there are several from Africa. The African region in particular has been working closely with the Chinese government through the Digital Silk Road projects to set up data centers, fiber optic cable, 5G technology, all kinds of telecommunication. And additionally, they're setting up smart cities and what they're calling "safe cities," which involve a lot of online surveillance technology. So there are several different aspects that we address in this report.
Charity Wright: Some of it has to do with China's influence and access to data in these regions by setting up this type of infrastructure, both for espionage campaigns and for – I mean, it's basically unfettered access in institutions like the African Union. China donated a very large building to the AU. They set up their Internet infrastructure. And then it turned out that China was basically siphoning tons of data from this organization and conducting espionage on, you know, the political and diplomatic meetings that were happening through the AU. That's just one example, and there are several others.
Charity Wright: But then we also discovered that there was an aspect of human rights that we wanted to look at. China has been exporting digital surveillance technology. Now, what we're most concerned about is that this poses a critical privacy risk to citizens and businesses in these regions. We know that China is using surveillance technology in their own country to surveil their own citizens, to also monitor minority groups, and to quell pro-democracy movements, but they're also exporting this technology to illiberal regimes and authoritarian regimes to use in that same way.
Dave Bittner: Are these regimes going into these arrangements with China with their eyes open? In other words, do they likely know that in exchange for help building out this infrastructure, part of that deal is going to be that that China gets a view into what they're doing?
Charity Wright: Yes. These authoritarian regimes that are working with the Chinese Communist Party and with Chinese technology companies, I think they are very aware. Several of them have actually been hosted to go to China and observe how these surveillance technologies are used, how to best utilize them to monitor certain populations of people, to monitor individuals, and to also censor Internet communications. So, they go over there, they see the example, they see what is possible, and then they can sign up and enroll in whatever particular technology they want to implement in their own countries. And in addition to that, the Chinese government has often sent diplomats and technology personnel to train these regimes in how to use the technology as well.
Dave Bittner: And what do we suppose is in this for the Chinese? What do they want to access? Is it resources? Is it influence? What do you suspect is going on here?
Charity Wright: Absolutely. I think there are two main components that they benefit from. One is, what we're most concerned about, it basically – the technology creates a backbone for the flow of data to and from these developing regions. So oftentimes in the contract, China will stipulate that in trade for this technology – which, by the way, often comes with heavy state support from China and very, very large financial loans to get these regimes going. One of the stipulations is often that they will have access to the data in those servers and the data that's collected through the surveillance technology.
Dave Bittner: I can't help wondering if – is the opportunity, for example, in Africa, for China, is that partly because other parts of the world have neglected that area? That it's been, you know, an open area where there's been a lack of interest from other nations around the world?
Charity Wright: You are right on. Yes. So, there have been, you know, global technology companies and Western governments that have started projects but not completed them in those regions. And oftentimes there's just not enough financial gain for some of these governments and they've decided to not be as involved. And China saw the opportunity to fill that gap. So, while on one hand they are creating connectivity for these countries and providing 5G technology and Internet and cellphone technology to these countries, on the other hand, there is a risk involved, a digital risk, a security risk. Unfortunately, many of these corporations, companies and governments on the receiving end are not as security aware and they're as not as fluent in cybersecurity because they have – you know, they're still developing, and so oftentimes they don't understand the greater risk, the long-term risk in handing over proprietary data.
Dave Bittner: And what about other parts of the world beyond Africa? What were some of the other areas you looked into?
Charity Wright: We also had several case studies in Latin America and also in South Asia. One particular case study in South Asia was Papua New Guinea, I think is how you pronounce it. They had a contract for underwater data cables and providing extensive digital infrastructure on their island, and it turned out that an audit of their digital security discovered that their technology was inherently security vulnerable. And there were vulnerabilities not only in the hardware and the firmware, but every level of the technology that was supplied by Chinese companies were security vulnerable to a point where it would have had to have been purposefully created that way. And so the government of Australia stepped in, they did an extensive audit of the security issues, they wrote up a very long report about it, and were able to help get them out of that situation and pull them out of that contract.
Dave Bittner: I mean, is there backlash – as word gets out about these things, are are companies stepping away from China – I'm sorry, are nations stepping away from China? Is their reputation falling on the global stage when it comes to these sorts of things?
Charity Wright: It seems to me that there are many Western nations that are trying to counter this type of influence and create awareness around it. Recently, the G7 had a meeting and addressed some of these issues with China, and they're creating a plan to kind of counter China's influence by developing more infrastructure projects from Western nations that value security and are accountable to the global community. So there is some awareness, but I think that what we've discovered is that many of these nations, many of the governments, and many companies within those regions are willing to take the, let's say, digital welfare from China because it comes at such a low cost and is so affordable for them. So I think their number one priority is, we need to be connected to the rest of the world to then grow our own economies and businesses, and then we'll deal with security later. And what we're trying to do is raise awareness around the risks and the threats that come with this type of Chinese technology and the influence.
Dave Bittner: Is this the sort of thing that is beyond international norms? You know, have we not yet established what the rules of the road are when it comes to this sort of assistance in the cyber realm?
Charity Wright: That is a really good question. Now, we have some established norms, baseline security policies, that extend globally and most organizations recognize. But China is really trying to reshape how the Internet works. They're developing some new technology that they're proposing to really transform the way the Internet works, and they want to be the ones to lay that foundation. So, led by Huawei, a Chinese technology company, they are proposing a new standard of security and technology, which really involves more governance of the Internet. And they want it to be divided by nations. So they're proposing to nationalize the Internet and have much more surveillance and much more oversight in how citizens use the Internet, much like how they do in their own country with the Great Firewall and with, you know, extensive censorship technology.
Dave Bittner: What do you suppose the take-homes are here? Is this a cautionary tale? Are there are there particular lessons for companies from the Western world who are doing business internationally?
Charity Wright: I think it's applicable to both global organizations and governments in these regions, especially any organizations that may be considering contracts with Chinese digital technology companies. We're very concerned about not only the cybersecurity risks involved, but also the human rights risks. This report really looks into how surveillance technology, facial recognition technology is being used on populations and being used to target groups of people. And so there really are some very serious implications for how this technology is being used. And I think it's important for governments to understand what they're handing over, what kind of data they're handing over on their populations, as well as businesses doing business or hosting data in those countries. They need to be very aware of these risks.
Charity Wright: You know, looking towards the future, we did point out that we expect the Chinese Communist Party to increase their influence operations and espionage operations globally, especially as the Winter Olympics in Beijing nears. And we expect that they'll focus on modeling the benefits of a surveillance state, especially when it comes to how they've crushed pro-democracy movements. And we expect them to be managing the messaging around its minority human rights violations, especially, you know, what we've seen in Xinjiang, Hong Kong, and Tibet. So looking towards the future, we do expect that type of behavior from the CCP, but we're hoping that Western nations and developing regions of the world can counter the cyber risks through awareness and preparation.
Dave Bittner: Our thanks to Charity Wright from Recorded Future for joining us. The research is titled, "China's Digital Colonialism: Espionage and Repression Along the Digital Silk Road." We'll have a link in the show notes.
Dave Bittner: The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.