Stifling Beijing in cyberspace is now British intelligence’s number-one mission

Regular attendees of CYBERUK, the annual conference hosted by British intelligence unit the National Cyber Security Centre (NCSC), will know that in addition to the expected conference panels, there is usually an interwoven theme to proceedings.

Last year the tech-security operatives’ event revolved around “securing an open and resilient digital future”, and the underlying message of this year’s strapline wasn’t much different: “Future Tech, Future Threat, Future Ready.”

There certainly was a future feel to this year’s event. Various discussions around the future of security technology attracted some of the biggest names in the field to the stage at Birmingham’s ICC – those focused on AI and post-quantum cryptography particularly caught the eye. But it was the future threat presented by, and potential future conflict with, China that prevailed as the event’s true theme, seemingly seeping into nearly every discussion over the two-day all-things-cyber bash.

Many will read this and think “that makes sense” given the recent increase in anti-China communications emerging from allied governments about the Middle Kingdom, and especially its Volt Typhoon band of state-sponsored cyberspies.

For the past two years, however, the event has felt decidedly Russia-y, despite not explicitly being themed around it. In 2022, it was all about the Ukraine war, naturally. Russia was again a watchword last year but with more of a focus on the threat Putin’s country, and those who support it, poses to allied critical national infrastructure (CNI).

Of course, Russia is still Russia and it got its moment on day one. GCHQ director Anne Keast-Butler’s (AKB) opening speech hinted at the types of curiosities UK intelligence has spotted in Putinland over the past 12 months, including closer ties to the criminal underworld. Others at the event suggested the Kremlin may be hiding behind these proxies for plausible deniability of attacks.

“We are increasingly concerned about growing links between the Russian intelligence services and proxy groups and sabotage operations,” she said.

“Before, Russia simply created the right environments for these groups to operate, but now they are nurturing and inspiring these non-state cyber operations… and in some cases seemingly co-ordinating physical attacks against the West.

“The Russia threat is acute and globally pervasive. It requires constant vigilance and collaboration to defeat it.”

That said, Putin was barely spotlit this year. That’s not to say Russia is in the background – far from it – but more of a focus is being placed on China and the “epoch-defining challenge” (NCSC loves this wording) it presents.

This year’s CYBERUK flock of delegates would have been pushed to attend more than a single session that didn’t have a China flavor. While Beijing’s ambition for tech dominance is well-documented, the People’s Republic of China (PRC) is very clearly occupying the headspace of national security officials more than ever. 

AKB went so far as to say more resources are being spent on tackling China than any other single mission at GCHQ, if you needed any more of a sense of just how seriously it’s being taken.

It’s a major U-turn on the agency’s attitudes toward cybersecurity from as recently as 2021, when former NCSC CEO Lindy Cameron said ransomware was the foremost threat to the UK.

The people of China have contributed so much to the UK, AKB acknowledged, alongside its signing of the declaration on AI at Bletchley Park in November, but make no mistake: “China poses a genuine and increasing cyber risk to the UK.”

“China has built an advanced set of cyber capabilities and is taking advantage of a growing commercial ecosystem of hacking outfits and data brokers at its disposal,” said Butler.

“The PRC is looking to shape global technology standards in its own favor, seeking to assert its dominance within the next 10 to 15 years.

“Which is why the UK’s intelligence community is working alongside our allies in the Five Eyes and beyond, and also in partnership with our industry and academic colleagues to deter and combat cyber threats from nation-states and hostile actors.”

In the UK, APT31 is probably the best-known group of troublemakers-in-chief, having recently been outed for two major attacks on democracy, including the theft of Electoral Register data.

Volt Typhoon will be the group more familiar to those in the US, especially after it was pinned to various attacks on CNI networks. The activity here is concerning not just given the sensitivity of the target, but how it illustrates a worrying evolution in tradecraft.

Xi’s cyberspies ten years ago may have just been stealing intellectual property from universities, for example, but the attacks on CNI from multiple groups, not just Volt Typhoon, showed evidence of China trying to set itself up for destructive attacks in the future.

Couple this with China’s 2021 data security law that requires all security vulnerabilities to be handed to Beijing before being disclosed, if at all, and the Middle Kingdom’s intentions become much clearer.

Russia is seen as the threat today… China is the threat of tomorrow. That’s the main takeaway.

The resilience opportunity

Followers of NCSC and Five Eyes government cyber messaging will be familiar with their narrative that hammers home the point of needing to build a cyber-resilient nation.

Consider again that 10-15-year timeframe AKB outlined regarding China’s bid for tech dominance. While that appears to be a large enough lead to make some kind of intervention, the reason why “resilience” is being thrust down our throats is that in reality, if allied nations want to quell the threat of China, that window isn’t as generous as it might sound.

Industry calls for vendors to take greater responsibility for the security of their products were being made many years ago, but as NCSC CTO Ollie Whitehouse said, the tech market is broken and he doesn’t see material change happening for at least ten years.

The market is just one piece of the puzzle to solve within that limited time. The industry also needs to work more collaboratively to out-innovate China, which has scores of intelligence workers dedicated to learning Western cyber tradecraft, and consuming every blog post, article, and speech that offers a glimpse at how we might be countering their work, purely to devise an effective block.

Whitehouse mentioned the need to incentivize boardrooms as well as vendors to assume liability for their security. When every organization is connected to something critical or otherwise sensitive in one way or another, the supply chain needs to be resilient so cyberspies can’t shut down a city after breaching a small software vendor.

There’s a limited window of opportunity to act to ensure the threat China presents doesn’t escalate beyond control. That’s clearly the thinking among intelligence agencies.

China doesn’t just want to keep pace with the West, but achieve supremacy in cyberspace and out-innovate it to the extent Western nations can’t defend against it.

“As the head of a world-leading tech organization and as a mathematician, it’s clear that technology and security are more tightly coupled than ever before,” Butler said.

“Collaboration across academia, the private and public sectors is crucial for developing cutting-edge science and technology solutions for national security. 

“To quote the Foreign Secretary, who spoke at the NCSC’s headquarters in London last week: we need to forge partnerships to out-cooperate and out-innovate our adversaries.” ®

Connor Jones