Extracts from a speech at the launch of the IISS Japan Chair — Tokyo, 5 June 2019
At a time of strained relations between our mutual ally, the United States, and China — much of it centred on technology competition and cyber threats — I wanted to reflect for a few moments on two great challenges for Japan, the UK and other democratic countries which arise from new global trends in technology.
Every democratic country is grappling with the same questions. How can we reduce the impact of cyber attacks on our citizens and our economies in the future? And, more broadly, how do we establish trust in the global technology supply chain? In particular, how should we interact with China as an emerging technology super-power?
No-one now doubts the severity of the global cyber threat. Most businesses and many individuals in this country will have experienced attacks. The overwhelming bulk of malicious cyber activity is, of course, criminal in origin — we see organised crime groups devoting the kind of resources and creativity that they typically dedicated to narcotics in the last century. The risks are low and the potential profits are huge. Global losses from cyber crime and cyber fraud over the next 5 years are expected to exceed $8 trillion.
And of course, in addition to criminal groups, there is also an assortment of individuals and groups, from ‘hacktivists’ pursuing a political agenda online, to bored teenagers, from company ‘insiders’ unhappy with their bosses or bribed by criminals, to the new generation of terrorists who aspire to catastrophic cyber attacks but do not yet have the capability. All of these can cause significant damage and, as we discovered in the UK at the 2012 Olympics, such global events become a magnet for every kind of malicious attacker.
But at the high end of this cyber threat landscape are nation states. They have the most sophisticated cyber capabilities and, critically, the power to reach into industry and to use or misuse their power over the supply chain.
Looking back at the past three decades of malicious cyber activity, which has grown exponentially in volume and sophistication, nation state behaviour in cyberspace has been remarkably predictable. Actions by states in the cyber domain tend to mirror their actions in the physical world.
For example, North Korea’s policy priorities of acquiring foreign currency and attacking its neighbours — and any opponents or critics of its regime — are reflected in its cyber activity: Pyongyang attacked Sony Pictures in 2014 in retaliation for an unflattering documentary; it became the first nation state to rob a bank by cyber means in 2016, stealing over $80m from the Bank of Bangladesh; and it has not stopped since then, routinely attacking banks, bitcoin exchanges and perceived enemies in South Korea and across the region, and also in the UK and the US.
What makes North Korea significant is that its cyber operations are delivered primarily from outside the boundaries of the state. By reaching out to cyber criminal groups and using North Korean networks overseas, the DPRK is able to amplify its power. Indeed, the greatest development in cyber threats in recent years has been the emergence of a sophisticated ‘commodity market’ in hacking — where cyber tools and managed hacking services can be bought. More alarmingly, some nation states have begun to weaponise this cyber crime wave, using criminal groups as proxies and empowering them with nation-state grade tools. We saw this in the global ransomware attacks of 2017.
The larger and more sophisticated cyber nations also pursue traditional objectives through cyber means. If Russia, for example, is prepared to annex part of Ukraine, why would it not use cyber power to switch off domestic electricity supplies in order to exert political pressure, as it did in the winter of 2015? In the same way, Russia’s attempts to influence elections in the US and across Europe reflect the regime’s consistent goals of undermining trust in democracy. Russia’s reckless use of destructive cyber power and fake information reflects the values of the Russian administration, its approach to international law and to civilian collateral damage. And Russia has paid a price for this in damage to its reputation.
China too has illustrated its priorities in cyber space. Although it is often forgotten in the West, the overwhelming bulk of China’s spending, creativity and innovation in cyber is directed at surveillance of its own people. Some of the programmes devised to exert social control are deeply disturbing to anyone living in a democracy. The 30th Anniversary of Tiananmen Square reminds us of this. But the key point, as IISS’ recent assessment illustrates, is that both the Communist Party and the PLA see cyberspace primarily as an ideological battleground in which China’s domestic insecurity could be exposed or manipulated.
China’s external cyber activities have involved espionage against perceived enemies — notably in Taiwan — but, more importantly, the theft of intellectual property on an industrial scale. We now understand much more about the complex ecosystem of state-linked groups and state agencies through which this IP theft is conducted. Over the past twenty years this activity has dramatically shortened R&D cycles in China. Again, this has been about domestic economic growth.
For many years, this approach to technology transfer was effectively tolerated in the West. I am not sure why. I have had the experience myself in government, and more recently in the private sector, of going to companies to tell them that their IP has been stolen by a China-based entity. Those companies either felt helpless to do anything about it, or regarded the theft as a cost of doing business.
That is now changing. At a geopolitical level, years of IP theft have had a corrosive effect on US trust in China. It is now having a direct impact on the trade talks. I am struck by the fact that even those sections of the US business community that are equivocal about the Administration’s approach to China, do not doubt that the playing field on technology has been skewed and now needs correcting. There is a sense that China is now reaping the results of its disregard for intellectual property law and the breach of its bilateral commitments on cyber espionage.
China’s critics are not exaggerating the cyber threat. We have seen a number of very sophisticated operations by Chinese state-linked actors, notably the so-called ‘Cloud Hopper’ attacks which, for some ten years, have infected global IT service providers in the US and many other countries. They have given Chinese agencies unprecedented access to the networks and data of the thousands of customers in dozens of countries using those providers.
This is no longer a secondary issue. It is not a coincidence that one of the key sticking points in the US-China trade talks has been technology transfer.
But beyond the issue of IP theft is a much broader geo-political challenge.
What makes China different is that none of the other cyber powers I have mentioned — whether Russia, North Korea, Iran or others — will become a technology superpower in this century. Even at the height of the Cold War, no-one hankered after Soviet consumer technology. [The Soviet Union was in fact advanced in some military and space areas but its application of technology, its manufacturing competence and its R&D quality were notoriously poor].
China, on the other hand, not only manufactures much of the world’s IT hardware and infrastructure, but has clear and credible ambitions to become a world-leader in some technologies, notably in Artificial Intelligence. President Xi Jinping has set out a plan for achieving this goal which is well funded and convincing. China is already a world leader in some other areas, for example telecommunications, and especially 5G radio equipment, as the recent controversy about Huawei has demonstrated.
More significantly, China is also rushing to reduce its dependence on the US technology which underpins much of its own industry — especially on advanced semi-conductors/chips. In 2016, China spent more on importing foreign chips than it did on importing oil. Most Chinese technology was heavily dependent on the US but that is changing fast: China is racing towards ‘silicon independence’, spurred on by the trade and political stand-off. It may not reach this point easily, and may miss its own ambition of reaching it by 2025, but few doubt that it will get there.
This presents a new kind of challenge to the democratic world. Is it really practical or desirable to cut ourselves off from world-leading Chinese technology simply because it is Chinese? Is there a better way of co-existing with a technology superpower which does not share our values?
Part of the answer is to be clear-sighted about the risks. We should be honest about the fact that the Chinese political and economic model allows the state to reach into any part of the Chinese private sector and exert its will. The recent Chinese Cyber Law makes this explicit, but in reality we have always known this. Nothing in China is ultimately beyond the rule of the Communist Party; it never has been.
Nor should we be naïve about China’s geopolitical ambitions, both here in Asia-Pacific and, through the Belt and Road Initiative, in Europe. And of course the BRI has a digital footprint as China invests in telecommunications and other infrastructure along the way. President Xi could not have been clearer about China’s determination to be a global power.
Knowing all this, the West is faced with a policy choice: cut ourselves off and build a digital wall, trying to isolate China and slow her progress; or put down clear lines on technology transfer and police them — and establish mechanisms for trust and verification in technology.
This is not much of a choice: a quick look inside the handset of your smart phone, which was probably made in China by a Chinese company under Chinese law, whatever the brand name, will reveal how intertwined and interdependent West and East are in everything from rare metals and components, to software and applications. Separating China from the rest of the world is unlikely to be successful in the long term and will not benefit either side.
Finally, this dilemma of course goes well beyond the risks presented by China. Because the reality is that neither governments nor companies fully understand the IT infrastructure and the supply chains on which they depend. They are complex and hard to map, and even harder to secure. And it is worth remembering that, viewed from Beijing, the internet itself and the US companies which dominate it are already part of a giant Western conspiracy.
It is therefore in the interests of all to establish ways of reaching assurance about the security of products and services, and of verifying this. The challenge of course is one of scale and complexity in modern technology, and the fact that this is more the domain of the private sector than of governments.
It has been the ambition of the West for fifty years to encourage China to take part in the international rules-based system. Rather than give up on that, we should extend it to technology and use interdependence as leverage. We should continue to call out and punish bad behaviour in cyberspace and show that abuse of the supply chain and theft of IP has consequences. To some extent, the current trade talks are doing exactly that.
For China too, there is a strong self-interest in changing its behaviour in cyberspace: it will not ultimately benefit from technological isolation and of course it also suffers from cyber attacks itself and is beginning to see the importance of IP protection as its own industries advance. Nor would it be sensible to assume that US and Western innovation in technology is in decline — a quick look at research in the US, Japan and the UK confirms that creativity and innovation are still vibrant.
Needless to say, finding internationally agreed mechanisms to ensure and verify security in technology supply chains — to manage the national security risk to all our satisfaction — will take time and the current international atmosphere does not look promising. But the benefits of legitimate exchange in technology and interdependence through a global internet are clear: human progress over the past 30 years, in health, business, education and communications illustrates this. These and future benefits outweigh the calls to break up the internet.
In the meantime, governments and private sector will need to continue to harden our cyber defences by getting the basics of cyber security right and changing behaviours at the individual, company and Government level. Cooperation between like-minded countries on cyber security — for example between Japan and the UK — has been impressive; but it needs to go further and faster because the threats are developing faster than ever.
We will also need to put right some of the inherent insecurities of the internet, which we now see was not built with security as a priority. And we will need to regulate to make sure that basic security standards are built into the next generation of technology, notably through the internet of things.
Japan, as a great technology power, has much to contribute both on regional and international cyber security, and in addressing the underlying problems of trust in the supply chain. I hope the task of restoring trust in the technologies of the future is one in which Japan will have a central role. And I hope that one of the things the IISS Japan Chair will be able to take forward is this critical intersection of geopolitics and technology.