CyberWire Daily - China's influence grows through Digital Silk Road Initiative. [Research Saturday]
Episode Date: July 31, 2021Guest Charity Wright, Cyber Threat Intelligence Expert in Recorded Future's Insikt Group, joins Dave to discuss her research "China’s Digital Colonialism: Espionage and Repression Along the Digital ...Silk Road". Through the Digital Silk Road Initiative (DSR), announced in 2015, the People’s Republic of China (PRC) is building an expansive global data infrastructure and exporting surveillance technologies to dictators and illiberal regimes throughout the developing world, in some cases trading technology for access to sensitive user data and facial recognition intelligence. Domestically, China uses this type of technology to assert authority over its citizens, censor the media, quell protests, and systematically oppress religious minorities. Now, over 80 countries are enabled to do the same with Chinese surveillance technology. The research can be found here: China’s Digital Colonialism: Espionage and Repression Along the Digital Silk Road Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyber Wire Network, powered by N2K. of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me.
I have to say, Delete.me is a game changer. Within days of signing up, they started removing my
personal information from hundreds of data brokers. I finally have peace of mind knowing
my data privacy is protected. Delete.me's team does all the work for you with detailed reports
so you know exactly what's been done. Take control of your data and keep your private life Thank you. Hello everyone and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner and this is our weekly conversation with researchers and analysts
tracking down threats and vulnerabilities,
solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
China has been very busy with cyber espionage campaigns over the past decade,
but especially over the last few years.
And I started doing some research on some of their digital Silk Road projects.
That's Charity Wright.
She's a cyber threat intelligence expert with Recorded Future's Insict Group.
The research we're discussing today is titled China's Digital Colonialism,
Espionage and Repression along the digital Silk Road. on firewalls and VPNs, yet breaches continue to rise by an 18% year-over-year increase
in ransomware attacks
and a $75 million record payout in 2024.
These traditional security tools
expand your attack surface
with public-facing IPs
that are exploited by bad actors
more easily than ever with AI tools.
It's time to rethink your security.
Zscaler Zero Trust Plus AI stops attackers
by hiding your attack surface,
making apps and IPs invisible,
eliminating lateral movement,
connecting users only to specific apps,
not the entire network,
continuously verifying every request
based on identity and context,
simplifying security management with AI-powered
automation, and detecting threats using AI to analyze over 500 billion daily transactions.
Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com slash security.
The Digital Silk Road is part of the, enhancing its commercial and political influence. So as I started researching some of these digital Silk
Road projects, I found some interesting findings around how they were using these projects to
influence regimes in certain regions of the world like Africa,
Latin America, and South Asia. So that's what prompted me to do a little more digging and find
out exactly the scope of these projects, what they're being used for, and what type of influence
China is gaining in those regions. Well, let's go through it together. I mean, can you take us
through, I guess, you know, region by region, the ones that really caught your eye, what you
discovered and what you make of it? I presented about, I think it was seven or eight different
case studies in this report. And there are several from Africa. The African region in particular has been working closely with the Chinese government through the Digital Silk Road projects to set up data centers, fiber optic cable, 5G technology, all kinds of telecommunication.
communication. And additionally, they're setting up smart cities and what they're calling safe cities, which involve a lot of online surveillance technology. So there are several different aspects
that we address in this report. Some of it has to do with China's influence and access to data in these regions by setting up this type of infrastructure,
both for espionage campaigns and for, I mean, it's basically unfettered access in institutions like
the African Union. China donated a very large building to the AU. They set up their internet infrastructure, and then it turned out
that China was basically siphoning tons of data from this organization and conducting espionage
on the political and diplomatic meetings that were happening through the AU. That's just one example,
and there are several others. But then we also discovered that there was an aspect of human
rights that we wanted to look at. China has been exporting digital surveillance technology.
digital surveillance technology. Now, what we're most concerned about is that this poses a critical privacy risk to citizens and businesses in these regions. We know that China is using surveillance
technology in their own country to surveil their own citizens, to also monitor minority groups, and to quell pro-democracy movements.
But they're also exporting this technology to illiberal regimes and authoritarian regimes to use in that same way.
use in that same way. Are these regimes going into these arrangements with China with their eyes open? In other words, do they likely know that in exchange for help building out this infrastructure,
part of that deal is going to be that China gets a view into what they're doing?
Yes. These authoritarian regimes that are working with the Chinese Communist Party
and with Chinese technology companies, I think they are very aware.
Several of them have actually been hosted to go to China
and observe how these surveillance technologies are used,
how to best utilize them to monitor certain
populations of people, to monitor individuals, and to also censor internet communications.
So they go over there, they see the example, they see what is possible, and then they can sign up
and enroll in whatever particular technology they want to implement in their own countries.
And in addition to that, the Chinese government has often sent diplomats and technology personnel to train these regimes in how to use the technology as well.
And what do we suppose is in this for the Chinese?
Is this, what do they want to access? Is it resources? Is it influence? What do you suspect
is going on here? Absolutely. I think there are two main components that they benefit from.
One is what we're most concerned about. It basically, the technology creates a backbone for the state support from China and very, very large financial loans to get these regimes going.
One of the stipulations is often that they will have access to the data in those servers and the data that's collected through the surveillance technology.
technology. I can't help wondering if, is that opportunity, is the opportunity, for example,
in Africa for China, is that partly because other parts of the world have neglected that area,
that it's been, you know, an open area where there's been a lack of interest from other nations around the world. You are right on, yes.
So there have been global technology companies and Western governments
that have started projects but not completed them in those regions.
And oftentimes there's just not enough financial gain for some of these governments
and they've decided to not be as involved. And China
saw the opportunity to fill that gap. So while on one hand, they are creating connectivity for
these countries and providing 5G technology and internet and cell phone technology to these
countries, on the other hand, there is a risk involved,
a digital risk, a security risk. Unfortunately, many of these corporations, companies, and
governments on the receiving end are not as security aware and they're as not, you know, as fluent in cybersecurity because they have, you know,
they're still developing. And so oftentimes they don't understand the greater risk, the long-term
risk in handing over proprietary data. And what about other parts of the world beyond Africa?
What were some of the other areas you looked into? We also had several case studies in Latin America and also in South Asia. One particular case study
in South Asia was Papua New Guinea, I think is how you pronounce it um they had a contract for underwater data cables and providing extensive
digital infrastructure on on their island and it turned out that an audit of their digital security
discovered that they were their technology was inherently security vulnerable. And there were
vulnerabilities not only in the hardware and the firmware, but every level of the technology that
was supplied by Chinese companies were security vulnerable to a point where it would have had to have been purposefully created that way. And so
the government of Australia stepped in. They did an extensive audit of the security issues.
They wrote up a very long report about it and were able to help get them out of that situation
and pull them out of that contract. I mean, is there backlash as word gets out about these things?
Are companies stepping away from China? I'm sorry, nations stepping away from China?
Is their reputation falling on the global stage when it comes to these sorts of things?
It seems to me that there are many Western nations that are trying to counter this type of influence and create awareness around it.
influenced by developing more infrastructure projects from Western nations that value security and are accountable to the global community. So there is some awareness, but I think that
what we've discovered is that many of these nations, many of the governments, and many
companies within those regions are willing to take the, let's say, digital welfare
from China because it comes at such a low cost and it's so affordable for them. So I think their
number one priority is we need to be connected to the rest of the world to then grow our own
economies and businesses, and then we'll deal with security later. And what we're
trying to do is raise awareness around the risks and the threats that come with this type of
Chinese technology and the influence. Is this the sort of thing that is beyond international norms? Have we not yet established what the rules of the road are when it comes to
this sort of assistance in the cyber realm? That is a really good question. Now,
we have some established norms, baseline security policies that extend globally and most organizations recognize.
But China's really trying to reshape how the internet works. They're developing some new
technology that they're proposing to really transform the way the internet works. And they
want to be the ones to lay that foundation. So led by Huawei, a Chinese technology
company, they are proposing a new standard of security and technology, which really involves
more governance of the internet and they want it to be divided by nations. So they're proposing to nationalize the internet and have much more
surveillance and much more oversight in how citizens use the internet, much like how they do
in their own country with the Great Firewall and with extensive censorship technology. What do you suppose the take-homes are here? Is this a
cautionary tale or are there particular lessons for companies from the Western world who are
doing business internationally? I think it's applicable to both global organizations and
governments in these regions, especially any organizations that may be considering
contracts with Chinese digital technology companies. We're very concerned about not only
the cybersecurity risks involved, but also the human rights risks. This report really looks into
how surveillance technology, facial recognition technology is being used on populations and
being used to target groups of people. And so there really are some very serious implications
for how this technology is being used. And I think it's important for governments to understand
what they're handing over, what kind of data they're handing over on their populations, as well as businesses doing business or hosting data in those countries. They need to be very
aware of these risks. You know, looking towards the future, we did point out that we expect the
Chinese Communist Party to increase their influence operations and espionage operations globally,
especially as the Winter Olympics in Beijing nears. And we expect that they'll focus on
modeling the benefits of a surveillance state, especially when it comes to how they've crushed pro-democracy movements. And we expect them to be managing
the messaging around its minority human rights violations, especially what we've seen in Xinjiang,
Hong Kong, and Tibet. So looking towards the future, we do expect that type of behavior from
the CCP. But we're hoping that Western nations and developing regions of the world can counter
the cyber risks through awareness and preparation.
Our thanks to Charity Wright from Recorded Future for joining us.
The research is titled China's Digital Colonialism, Espionage and Repression Along the Digital Silk Road.
We'll have a link in the show notes.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios
of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is
Elliot Peltzman, Puru Prakash, Justin Sabe, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard,
Peter Kilpie, and I'm Dave Bittner.
Thanks for listening.