state sponsored cyber attacks · 2019-10-18 · state of play regarding statesponsored cyber...

State sponsored cyber attacks


Post on 30-Mar-2020


Introduction

There is a growing realisation that our digital society can be exploited and abused in ways that are inimical to our values. There is also an increased awareness that we are looking at highly sophisticated state-sponsored attacks that aim primarily for economic advantage. The attackers are growing in skills, scale and determination.

There is no lack of reports or documents. This collection of facts is gathered from open sources in order to give the reader an overview of the current state of play regarding state-sponsored cyber espionage. The collection focuses on Chinese economic espionage; hence it does not claim to give a full picture of state-sponsored cyber activities, nor does it draw other conclusions than the sources cited have done.

It is clear that China runs an elaborate system to scout our technologies, acquire them by all conceivable means and convert them into competitive products – or military advantages. An industry such as the Swedish defense industry, which spends 16% of its revenue on R&D, is a prime target for them and other adversaries.

Awareness is vital, as it is only with an increased alertness to the threats and the actors that we can have an informed discussion and work together to secure the safety of our digital society.

Robert Limmergård
Secretary General

Content

Background
• Perceptions
• Development
• Effects

China’s rationale
• Economic development is an issue of national security
• Not distinguishing between public and private targets
• Six examples

A more vulnerable situation
• 5G, Internet of Things and Industry 4.0

The legal situation
• New Chinese domestic legislation but no international regulation

The legal role models of enhanced trust

Perceptions

PEW RESEARCH CENTER [1, 2]

Citizens’ perception of cyber attacks from other countries – global figures

Cyberattacks from other countries #3 global top risk

Perception fairly similar across regions

ZURICH INSURANCE COMPANY [3]

Small enterprises’ perception of cyber attacks

How would cyber-criminals, if at all, affect your business?

[Figure: Potential effect on business of small and medium enterprises (SMEs) due to cybercrime in 2016. Global survey report, November 2016. Bar chart, horizontal axis 0 to 40, comparing 2016 (2600) with 2015 (n=3000). Response categories: Damage reputation; Steal intellectual property; Steal customer data; Steal employee data; Theft of money/savings; Use your identity maliciously; Disrupt business (e.g. introduce a virus, takedown website, etc.); Cause third party lawsuits; Other; I think our company is too insignificant for cyber criminals; None of our business data are digitally stored; We have fully functioning updated protection in place; I haven't thought about this and have no opinion today; Don’t know.]

• “Steal customer data” (26.5%) and “Damage reputation” (19.7%) are the most common concerns in regard to cybercrime.

• A decreasing percentage of SMEs feel safe when thinking about cybercrime, with theft of customer data being the most concerning effect.

• Beside the theft of customer data, business disruption is a major effect of cybercrime, especially in Europe and in the US.

• Europe: Significantly fewer SMEs feel safe when thinking about cybercrime and incrementally more perceive reputation damage as a possible key effect.

TREND MICRO [4]

Multinationals’ perception of cyber attacks

Cyber Espionage Tops the List as Most Serious Threat Concern to Global Businesses in 2017

• The research surveyed 2,402 enterprise IT decision makers across Europe and the U.S.

• 20 % of global organizations rank cyber espionage as the most serious threat to their business, with a quarter (26 %) struggling to keep up with the rapidly evolving threat landscape. In addition, one in five (20 %) U.S. organizations have suffered a cyber espionage-related attack in the last year.

• Businesses in Italy (36 %), France (24 %), Germany (20 %) and Netherlands (17 %) topped the list for regions who fear cyber espionage the most.

• As more of our critical data is being moved online, nation states are now targeting businesses to obtain this data and businesses are struggling to keep up, which could also be placing critical infrastructure at risk.


Development

VERIZON [5]

25% of all cyber-attacks are espionage

[Figure: Share of breaches by motive, ‘10 to ‘16. Vertical axis: Breaches, 0% to 100%. Series: Financial; Espionage; FIG; Everything else. Caption: In 2016, financial and espionage were still the top two motives, combining to account for 93% of breaches.]

FIG = Fun, Ideology, Grudge

In 2016, 25% of all cyber-attacks across all sectors were motivated by espionage.

Sectors targeted by financially motivated attacks: Accommodation, Food, Financial, Insurance, Healthcare and Information and Retail.

Sectors targeted by espionage motivated attacks: Manufacturing, Public Administration and Educational services.

VERIZON [6]

94% of all cyber-attacks are espionage in the manufacturing sectors

[Figure: Frequency of incident classification patterns within Manufacturing industry breaches (n=124). Patterns listed: Cyber-espionage; Privilege misuse; Everything else; Miscellaneous errors; Physical theft and loss; Web app attacks; Payment card skimmers; Denial of service; Crimeware; Point of sale. Breach counts shown: 108, 8, 4, 2, 2, 1.]

[Figure: Varieties of data breached within the manufacturing industry (n=122). Varieties listed: Secrets; Personal; Internal; Credentials; Source code; Payment; Other; Copyrighted. Breach counts shown: 111, 5, 2, 1, 5, 1, 1, 1.]

The manufacturing sector includes all mechanical, physical, or chemical transformations of materials, substances, or components into new products.

When you make a product, there is always someone else who wants to make it better, or at least cheaper. A great way to make something cheaper is to let someone else pay for all of the R&D and then simply steal their intellectual property.

With that in mind, it will probably be of no surprise that cyber-espionage is by far the most predominant pattern associated with breaches.

BAE SYSTEMS [7]

Cyber-spies are highly active

90%

Ten years ago security researchers at the top vendors would have spent 90% of their time looking at criminal campaigns – big botnets, worms, emerging banking Trojans. Today the same researchers spend the same effort looking into targeted attacks, many of which are nation-state backed and aimed at either stealing secrets or at sabotage.

AIVD [8]

Telecom networks potential espionage targets and tools

General Intelligence and Security Service of the Netherlands (AIVD) and the Directorate General for Safety and Security (DGV) at the Ministry of BZK – joint analysis of the risks from economic espionage

“Damage to interests in the telecom sector has an almost immediate adverse effect on national safety and security. Communication, including data communications, is vitally important to enable Dutch society to function unimpeded. The telecom networks are being targeted by foreign intelligence services (espionage).

This makes telecom both a core interest and a vulnerability. The vulnerabilities in the telecommunication sector have direct repercussions on all other sectors.”

Analysis of vulnerability to espionage

• Categories of core interest
  • Datasets and blueprints such as patents
  • Position and strategies such as negotiating strategies
  • Scientific innovations such as nano technology

• Soft and hard vulnerabilities
  • Hack, tap and monitor people
  • Interconnectivity, storage, linked storage, outsourced management, data processing, data warehousing

US HOUSE OF REPRESENTATIVES PERMANENT SELECT COMMITTEE ON INTELLIGENCE [9]

Chinese state-sponsored cyber operations – reactions in Washington

• In August 2017, President Trump launched an investigation into Chinese acts, policies, and practices related to technology transfer, intellectual property, and innovation.

• The U.S. Trade Representative (USTR) led the investigation under Section 301 of the Trade Act of 1974 that concluded that China, for over 10 years, has conducted and still supports cyber intrusions into U.S. companies to access their sensitive commercial information.

• The report acknowledged that China’s cyber activities represent a grave threat to U.S. competitiveness and the U.S. economy and that China’s government-directed cyber capabilities exist alongside an institutional framework that provides state-invested enterprises and national champions with privileged access to various forms of Chinese government support and information.

• The U.S. Intelligence Community judges that Chinese state-sponsored cyber operators continue to support Beijing’s strategic development goals, including its S&T advancement, military modernization, and economic development.


Effects

INTEL SECURITY, MCAFEE [10]

Estimated global cost of cyber crime and espionage

Total global cost of cyber crime and espionage: >600 BUSD, ~1% of GDP

Three attack categories
• Confidentiality
• Integrity
• Availability

Confidentiality means protecting and keeping your business secrets intact. Economic espionage and criminal data theft are threats to confidentiality.

DELOITTE [11]

90% of cyber attacks impact a company’s intangibles

• The direct costs commonly associated with data breaches are far less significant than the “hidden” costs. In Deloitte’s scenarios, these account for less than 5 % of the total business impact.

• The time horizon over which impact is felt is far more protracted than is often anticipated. In Deloitte’s scenarios, costs incurred during the initial triage stage of incident response account for less than 10 % of the rippling impacts extending over a five-year period.

• Over 90 % of cyberattack impact is likely to accrue in categories that are intangible. Given that these are less studied and more difficult to quantify, organizations can be caught especially unprepared for these “costs” in areas such as operational disruption, impact to brand and loss of intellectual property.

China’s rationale

IISS [12], CHINA'S CYBER POWER (ADELPHI BOOK 456)

In Chinese politics, economic development is an issue of national security

“Failure to achieve economic goals might give rise to widespread social unrest, creating an existential threat to the regime”

tween Xi and US President Barack Obama, held during 7–8 June 2013, the issue of cyber security was put at the top of the bilateral agenda – albeit without Xi giving any ground by acknowledging China’s culpability.69 One month later, there was the first meeting of the new cyber-security working group within the framework of the annual US–China Strategic and Economic Dialogue.70 Xinhua, China’s official news agency, described the discussion as having gone well,71 but there was little evidence that the sides had made much progress. By that point rogue National Security Agency contractor Edward Snowden had begun to make revelations about the extent of cyber espionage carried out by the US and its Five Eyes allies (Australia, Canada, New Zealand and the United Kingdom). Snowden’s disclosures reinforced Chinese perceptions that the US was using its privileged position within the cyber domain to perpetuate American hegemony, and that Washington’s accusations against Beijing reflected double standards.72

In making its case against China’s state-sponsored cyber industrial espionage, the US government sought to distinguish between conventional state-on-state spying for the purposes of national security – an activity that is not proscribed by international law – and the theft of intellectual property. The US argued that China had breached its treaty commitments as a member of the World Trade Organisation, specifically in connection with the Trade-Related Aspects of Intellectual Property Rights (TRIPS), which oblige governments to protect intellectual property.73 This interpretation of TRIPS was contentious in that, as Chinese experts on international law quickly pointed out, it was never conceived of as having an extraterritorial dimension.74 Moreover, Chinese security officials privately made clear that, for China, economic development was an issue of national security, since the CCP’s failure to achieve its economic goals might give rise to widespread social unrest, creating an existential threat to the regime.75 In effect, these officials were saying that cyber industrial espionage was a quasi-legitimate way to

RAND CORPORATION [13]

China’s cyber security policies – not distinguishing between public and private targets

“No other country has been the target of EMCE complaints to the extent that China has, however. Furthermore, the United States has not specifically complained about other countries’ EMCE (1) to the degree that it has cited China for such behavior. China, for its part, may view EMCE as a particularly attractive and legitimate form of espionage because of the closely intertwined nature of the Chinese state and economy. Thus, distinguishing espionage on public targets (legitimate) from espionage on private targets (illegitimate) accords more closely with the U.S. political-economic system than it does with China’s.” p. 60

1) EMCE, Economically Motivated Cyber Espionage

Amy Chang: “China’s network security policies are motivated . . . by the Chinese Communist Party’s goal of maintaining its own governing power . . . [by ensuring] domestic stability, territorial integrity, modernization, and economic growth, while simultaneously preparing for the possibility of militarized cyber conflict in the future” p. 4

IDEFENSE (ACCENTURE SECURITY) [14]

China’s cyber-espionage activities aimed at technology transfer to regain historic levels

After observing a downturn of activity in China, iDefense expects China’s cyber-espionage activities aimed at technology transfer to regain historic levels.

China’s 13th Five-Year Plan (FYP), which is now underway, may prompt the targeting of companies active in the areas of cyber-security, cloud computing and big data, new energy automobiles, high-performance computing, biomedical materials, repair and replacement of tissues and organs, deep sea key technology and equipment, and smart grid technology and equipment.

Historically, Chinese cyber-espionage operations have heavily targeted foreign technologies that overlap with FYP goals. Newly created after a military-wide restructuring, the Strategic Support Force of the People’s Liberation Army (PLA) is also tasked with supporting innovation and military development, including support through cyber-espionage means, and many FYP projects will likely reinforce this mission.

IZA INSTITUTE OF LABOR ECONOMICS [15]

State sponsored espionage – a short cut to GDP growth

Total Factor Productivity gap between West and East Germany at the end of the Cold War would have been 6.3 percentage points larger had the East not engaged in industrial espionage

This paper investigates the economic returns to industrial espionage by linking information from East Germany’s foreign intelligence service to sector-specific gaps in total factor productivity (TFP) between West and East Germany. It demonstrates that the economic returns to industrial espionage are primarily driven by relatively few high quality pieces of information and particularly strong in sectors that were closer to the West German technological frontier.

This paper presents the first systematic evaluation of the economic returns to state-sponsored industrial espionage. The Stasi archives and their rich information on industrial espionage. Findings show that the returns to industrial espionage were substantial, enabling East Germany’s economy, at least to some extent, to keep up with productivity growth in the West.

Arguably, few contemporary intelligence agencies have been able to make industrial espionage as effective a tool as the Stasi did during the Cold War. While, since then, the relative benefits of industrial espionage may have declined due to more integrated international markets and easier access to new ideas through legitimate channels, its costs have likely fallen even more in the wake of the digital revolution and the emergence of cyber-espionage as a new and comparatively cheap method of illicit technology transfer. Most developed countries nowadays therefore view industrial espionage as a severe and growing threat to their economies, making the topic as relevant today as it was at the height of the Cold War.

The processes through which newly acquired information is translated into productivity growth today may not differ much from the processes in place in East Germany at the time of the Cold War, especially in countries characterized by strong centralized governments such as China and Russia.


Six examples

MANDIANT [16]

The Mandiant report exposes systematic Chinese state sponsored economic espionage

Example 1:

[Figure 12 (Mandiant APT1, p. 23, www.mandiant.com): Timeline of APT1 compromises by industry sector, 2006 to 2012. Timeframe of APT1’s cyber espionage operations against organizations by industry. The dots within each bar represent the earliest known date on which APT1 compromised a new organization within the industry. Industries shown: Aerospace; Chemicals; Construction and Manufacturing; Education; Energy; Engineering Services; Financial Services; Food and Agriculture; Healthcare; High-Tech Electronics; Information Technology; International Organizations; Legal Services; Media, Advertising and Entertainment; Metals and Mining; Navigation; Public Administration; Satellites and Telecommunications; Scientific Research and Consulting; Transportation.]

Our research and observations indicate that the Communist Party of China (CPC) is tasking the Chinese People’s Liberation Army (PLA) to commit systematic cyber espionage and data theft against organizations around the world.

APT1 (1) is believed to be the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, which is most commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398 (613989).

APT1 has systematically stolen hundreds of terabytes of data from at least 141 organizations, and has demonstrated the capability and intent to steal from dozens of organizations simultaneously.

APT1 focuses on compromising organizations across a broad range of industries in English-speaking countries. The industries APT1 targets match industries that China has identified as strategic to their growth.

1) APT1 is one out of twenty specific Chinese Advanced Persistent Threat groups studied

PWC UK & BAE SYSTEMS [17]

Operation Cloud Hopper – actor APT10 – highly likely to be a China-based threat actor

Example 2:

Who are the industrial targets?

PwC UK and BAE Systems assess it is highly likely that APT10 is a China-based threat actor with a focus on espionage and wide ranging information collection.

As a result of our analysis of APT10’s activities, we believe that it almost certainly benefits from significant staffing and logistical resources, which have increased over the last three years, with a significant step-change in 2016.

Espionage attacks associated with China-based threat actors, as noted above, have traditionally targeted organizations that are of strategic value to Chinese businesses and where intellectual property obtained from such attacks could facilitate domestic growth or advancement.

Operation Cloud Hopper (report page 15)

APT10 alignment with previous China-based hacking

Espionage attacks associated with China-based threat actors, as noted above, have traditionally targeted organisations that are of strategic value to Chinese businesses and where intellectual property obtained from such attacks could facilitate domestic growth or advancement.

There has been significant open source reporting which has documented the alignment between apparent information collection efforts of China-based threat actors and the strategic emerging industries documented in China’s Five Year Plan (FYP).10 The 13th FYP was released in March 2016 and the sectors and organisations known to be targeted by APT10 are broadly in line with the strategic aims documented in this plan. These aims outlined in the FYP will largely dictate the growth of businesses in China and are, therefore, likely to also form part of Chinese companies’ business strategies.

The latest FYP describes five principles which underpin China’s goal of doubling its 2010 GDP by 2020. At the forefront of these principles is innovation, largely focused around technological innovation, with China expected to invest 2.5% of GDP in research and development to attain technological advances, which are anticipated to contribute 60% towards economic growth objectives.11 The areas of innovation expected to receive extensive investment include, next-generation communications, new energy, new materials, aerospace, biological medicine and smart manufacturing.

In addition to the FYP principle of innovation, China is also promoting ten key industries in which it wants to improve innovation in manufacturing as part of the ‘Made in China 2025’ initiative.12

Observed APT10 targeting is in line with many of the historic compromises we have outlined previously as originating from China. This targeting spans industries that align with China’s 13th FYP which would provide valuable information to advance the domestic innovation goals held within China. Given the broad spectrum of priority industries, the compromise of MSPs represents an efficient method of information collection. This strategy also provides additional obfuscation for the actor as any data exfiltrated is taken back through the initial compromised company’s systems, creating a much more difficult trail to follow.

‘Made in China 2025’ industries
• Agricultural machinery
• Next generation information technology
• Numeric control tools and robotics
• Aerospace equipment
• Ocean engineering equipment and high-tech ships
• Railway equipment
• Energy saving and new energy vehicles
• Power equipment
• New materials
• Medicine and medical devices

Figure 13: Industries of interest outlined by ‘Made in China 2025’ initiative

10 https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
11 https://www.pwccn.com/en/migration/pdf/govt-work-review-mar2016.pdf
12 http://www.pwccn.com/en/migration/pdf/prosperity-masses-2020.pdf

INSIKT GROUP [18]

MSS, Boyusec and Huawei links established

Example 3:

AUSTRALIAN STRATEGIC POLICY INSTITUTE (ASPI) [19]

Australia under attack, 2007-2011

Example 4:

The high-profile case of Chinese economic intelligence gathering has been widely reported in Australian media. The attempted merging of BHP Billiton and Rio Tinto, which would have created the largest iron ore exporter in the world, led to consternation in the Chinese mining industries.

The Chinese were anxious that the merger would create a monopoly that would be able to exert greater control over the pricing of minerals largely exported to China. Subsequently, both BHP’s and Rio Tinto’s computer networks were penetrated by hackers from China, who were gathering information on the merger and on the advisory companies assisting the deal.

Not long afterwards, the Chinese state-backed company, Chinalco, became active as a blocking bidder for Rio Tinto. This led to the collapse of the merger and the loss to shareholders of potentially millions of dollars as a result.

Enter the Cyber Dragon: Understanding Chinese intelligence agencies’ cyber capabilities (report page 7)

the advisory companies assisting the deal. Not long afterwards, the Chinese state-backed company, Chinalco, became active as a blocking bidder for Rio Tinto. This led to the collapse of the merger and the loss to shareholders of potentially millions of dollars as a result.23

The gathering of terabytes of economic, political, technological and military information by the Chinese doesn’t always necessarily lead to its successful exploitation. For a start, because China doesn’t have a core mechanism to pull intelligence together into a common government position, much of the information will be shelved or not reach those who could exploit it most powerfully.

Another danger arises from the autonomy that the agencies work with. The central leadership lacks control over who perpetrates attacks, and where and how attacks are made, which could lead to incidents spiralling out of control before the leadership can put a halt to them. However, a cynic would say that the plausible deniability and ‘invisibility cloak’ that this offers the central leadership is a fortunate coincidence.

It’s also true that stealing information isn’t the same as being able to use it. For example, during the Cold War, the Soviets ended up many generations behind the US in computing technology because they couldn’t develop equipment that they had copied from stolen US blueprints quickly enough. In the Chinese case, the success of their operations will depend on their ability to convert their skills at cloning other’s technology into comprehensive research and development and a true innovation culture. The shift from imitation to innovation will be the true challenge for China, and it’s not clear that the shift has started yet.

Table 2: Australian cyberattacks reported in the media

Date | Target | Industry | Type of attack

Attributed to: China
September 2007 | Defence Department + other agencies | Government | No details
2007/2008 | BHP Billiton - Rio Takeover | Mining | No details
July 2009 | Rio Tinto - Stern Hu | Mining | No details
July 2009 | Melbourne International Film Festival | Arts | Vandalism
April 2010 | Fortescue Metals Group | Mining | No details
April 2010 | The Australian Associated Press (AAP) | Media | Distributed denial of service (DDoS)
April 2010 | ‘A financial institution in Australia’. (Knock-on effects to Optus & News Ltd.) | Financial/Media/Telecommunication | DDoS
May 2011 | Woodside Petroleum | Oil and gas | No details - ongoing
March 2013 | Reserve Bank of Australia | Central Bank | Malware

Attributed to: Chinese Government/intelligence
April 2010 | News Limited | Media | DDoS
September 2010 | BHP - Via Blake, Cassels & Graydon LLP + others | Mining/Law firms | Malware
March 2011 | Ministerial computers (APH) + Parliament house network | Government | Malware

THE GUARDIAN [20]

Dispute along cold war lines led to collapse of UN cyber warfare talks

Example 5:

Thirteen years of negotiations at the United Nations aimed at restricting cyberwarfare collapsed in June (2017), it has emerged, due to an acrimonious dispute that pitted Russia, China and Cuba against western countries.

Negotiations aimed at forging an international legal framework governing cybersecurity began in 2004 including experts from 25 countries.

At previous sessions, officials accepted that the principles of international law should apply to cyberspace, including the UN charter itself. Article 51 of the charter states that nothing shall “impair the right of individual or collective self-defense” in the face of an armed attack.

But in June, diplomats at the UN abandoned any hope of making further progress, amid a row centered on the right to self-defense in the face of cyber-attacks.

Countries that oppose Article 51 “believe their states are free to act in or through cyberspace to achieve their political ends with no limits or constraints on their actions”

Mike Schmitt, professor of international law at Exeter University and a former US air force lawyer, has been monitoring the UN GGE discussions. He said he feared a calculated decision has been made by Moscow and Beijing that the west has more to lose if there is no guaranteed right to retaliate against cyber-attacks.

SOUTH CHINA MORNING POST [21]

China aiming for supremacy – building world’s biggest quantum research facility

Example 6:

China is building the world’s largest quantum research facility to develop a quantum computer and other “revolutionary” forms of technology that can be used by the military for code-breaking.

Pan Jianwei, China’s lead quantum scientist who was playing a key role in the project, told local officials at a briefing in May that technology developed in the facility would be of immediate use to the armed forces, according to Anhui Business Daily newspaper.

Another key mission of the laboratory is to build the nation’s first quantum computer that could break an encrypted message in seconds.

“Our plan is that by 2020, or maybe as soon as next year, to achieve ‘quantum supremacy’ with calculation power one million times to all existing computers around the world combined,” Pan was quoted as saying by Anhui Business Daily, which is run by the provincial government.

Construction work is expected to finish in 2½ years with a budget of 76 billion yuan (HK$91.6 billion).

The situation will become more vulnerable

[Figure: “5G will enhance existing and expand to new use cases”. Panels: Massive Internet of Things (efficient, low cost communications with deep coverage); Enhanced Mobile Broadband (faster, more uniform user experiences); Mission-Critical Control (ultra-low latency and high reliability). Use cases shown: smart homes/buildings/cities; autonomous vehicles, object tracking; remote control & process automation, e.g. aviation, robotics; critical infrastructure protection & control, e.g. Smart Grid; extreme mobile broadband, e.g. UHD virtual reality; demanding indoor/outdoor conditions, e.g. venues; new form factors, e.g. wearables and sensors.]

QUALCOMM, IHS ECONOMICS & IHS TECHNOLOGY [22]

New industrial applications in 5G increase the risk of economic espionage

5G will enhance existing and expand to new use cases and thus add to the risks of espionage

• Smart homes/buildings/cities
• Autonomous vehicles, object tracking
• Critical infrastructure protection & control, e.g. Smart Grid
• Remote control & process automation, e.g. aviation, robotics
• Massive Internet of Things; efficient, low cost communication with deep coverage

The legal situation

All relevant national departments shall, depending on their own functions and responsibilities, work closely with the agencies for State intelligence work.

Article 6
All state organs, armed forces, political parties, social organizations, enterprises, public institutions and citizens shall provide support and assistance to and cooperate with the State intelligence work, and keep secret the State intelligence work that they know.

Article 7
The State intelligence work shall be conducted according to the law, ensuring respect for and assurance of human rights and efforts to safeguard the legitimate rights and interests of citizens and organizations.

Article 8
The State protects individuals and organizations that provide support and assistance to the State intelligence work, and rewards those who have made great contributions.

Chapter II: Functions and powers of agencies for State intelligence work

Article 9
Agencies for State intelligence work may make use of necessary methods, approaches and channels according to the law to carry out intelligence work within and outside of China, depending on their operational needs.

Article 10
Agencies for State intelligence work shall legally collect and process the relevant information about activities jeopardizing the national security and interests of the People’s Republic of China that are conducted by any overseas agency, organization or individual itself, or by any other party under the instruction or assistance of such overseas agency, organization or individual, or by any domestic agency, organization or individual in collusion with an overseas agency, organization or individual.

Article 11
Any overseas agency, organization or individual that conducts any activity within the territory of China to harm the national security and interests of the People’s Republic of China must be subject to legal liability. Agencies for State intelligence work shall provide intelligence information as a reference or basis to prevent, curb and punish such activity.

Article 12
Agencies for State intelligence work may build up bonds of cooperation with relevant individuals and organizations, and entrust them to perform relevant work.

Article 13
Relevant departments of the people’s governments at all levels, enterprises, public institutions or other organizations and citizens shall give necessary assistance to the agencies for State intelligence work for their operations and keep them secret.

Article 14
Agencies for State intelligence work may, in light of their operational needs, adopt technical measures for investigation purpose after they have gone through strict approval procedures in accordance with relevant provisions of the State.

MANNHEIMER SWARTLING [23]

New Chinese foreign intelligence legislation

Required assistance to facilitate state–sponsored espionage – new in 2017

In addition to the power delegated to the intelligence agencies, the law mandates that all Chinese citizens and organizations in China (including governmental authorities, armed forces, political parties, social organisations, state-owned enterprises, private companies, and public institutions) shall cooperate with the Competent Authorities (intelligence agencies) when they are performing their duties by providing assistance.

Outside China, Chinese companies, whether state-owned or private – from national champions to acquired ex-foreign companies – may face similar challenges from insider threats from Chinese nationals forced to facilitate state intelligence activities.

economic espionage

to Cyber Operations (the “Manual”)4, is a useful tool for assessing a state’s responsibility vis-a-vis other states or private companies in other countries.

The Manual defines cyber espionage as an act undertaken clandestinely or under false pretences that uses cyber capabilities to gather, or attempt to gather, information. This definition includes capabilities to monitor, capture or exfiltrate electronically transmitted or stored communication, data, or other information.

If the economic espionage is carried out by the state against its own nationals (legal or natural persons) such actions could trigger the domestic laws of that state, which will govern the relationship between the state and its subjects. When the violation of intellectual property rights or theft of trade secrets is done by a company against another, this is also usually handled under domestic laws. However, when a state is spying and stealing trade secrets of a company in another state, the actions transcend domestic law and pass into the realm of international law.

4 The Tallinn Manual was commissioned by NATO’s Co-Operative Cyber Defence Centre of Excellence to apply existing international law to cyber-related issues, providing an expert-led policymaking reference tool on cyber security.

Lawful and unlawful espionage under international law

The Manual analyses various types of cyber operations by a state, and provides guidance under international law as to when acts should be considered lawful or unlawful. Only if deemed unlawful, would the action trigger state responsibility under international law.5

The principles of sovereignty and non-intervention in cyberspace

The principle of state sovereignty, which is a fundamental legal principle under international law, establishes that a state rules over its own territory, both internally by regulating and protecting its territory and subjects (e.g. natural and legal persons), and externally, i.e. that other states must respect its territorial boundaries. States may thus not engage in unlawful breaches of the principle of sovereignty or intervention (as defined below) against another state. If it does, the former may take countermeasures. These principles apply equally in cyberspace.6

5 State responsibility under international law is not regulated through any convention or treaty. The International Law Commission’s Articles of State Responsibility have been commended by the UN General Assembly, but have not entered into force. Nonetheless, these provisions are frequently cited in courts and tribunals, see page 79 of the Manual.

6 See pages 11–17 of the Manual.

FIGURE 1: ILLUSTRATION OF ECONOMIC ESPIONAGE

[Diagram labels: Government A, Government B, Company A, International Law, Economic Espionage, Domestic Law]

program was to deter China from conducting economic espionage.37

The EU has also considered using economic sanctions as a tool to combat cyber security threats and attacks. In June 2017, the EU Council released its conclusions on the adoption of a Cyber Diplomatic Toolbox, stating that the EU would consider using economic sanctions (restrictive measures) in response to malicious cyber activities.38 This was further reiterated in the Council Conclusions of 20 November 2017.39 To date, the EU has not yet started using economic sanctions in respect of economic espionage.

Bilateral political commitments against economic espionage

Economic espionage may, for the time being, be considered unregulated in the international law context or under international treaties, and some states have instead engaged in informal political or diplomatic commitments.

In September 2015, the United States and China made mutual political commitments, pledging not to “conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information for commercial advantage”.40 This commitment was made shortly after President Obama had issued the cyber-related sanctions program, which may have worked as an incentive for China to agree to U.S. demands.41 Whilst commentators have observed a marked decline in detected Chinese cyber-attacks on U.S. companies, there is disagreement as to the role of the agreement in prompting such a decline.42

37 https://www.washingtonpost.com/world/national-security/us-to-establish-sanctions-program-to-combat-cyberattacks-cyberspying/2015/03/31/7f563474-d7dc-11e4-ba28-f2a685dc7f89_story.html?utm_term=.5f2e108f6ec4.

38 Available at: http://data.consilium.europa.eu/doc/document/ST-9916-2017-INIT/en/pdf.

39 Available at: http://www.consilium.europa.eu/media/31666/st14435en17.pdf.

40 As quoted in Ellen Nakashima and Steven Mufson, “U.S., China vow not to engage in economic cyberespionage”, The Washington Post, 25 September 2015, https://www.washingtonpost.com/national/us-china-vow-not-to-engage-in-economic-cyberespionage/2015/09/25/90e74b6a-63b9-11e5-8e9e-dce8a2a2a679_story.html?utm_term=.026818f5ca97.

41 https://www.washingtonpost.com/world/national-security/administration-developing-sanctions-against-china-over-cyberespionage/2015/08/30/9b2910aa-480b-11e5-8ab4-c73967a143d3_story.html?utm_term=.b2974bac12d3.

42 See, for example, Mara Hvistendahl, “The Decline in Chinese Cyberattacks: The Story Behind the Numbers”, MIT Technology Review, 25 October 2016, https://www.technologyreview.com/s/602705/the-decline-in-chinese-cyber-attacks-the-story-behind-the-numbers/.

Other countries, including most of the United States’ partners in the so-called Five Eyes intelligence alliance, have followed suit. Great Britain, Russia, Brazil and Australia43 have reportedly all negotiated similar deals with China.44 In June 2017, Canada also required China to take on similar commitments in the course of free trade negotiations.45 Similar multilateral commitments have also been made in the G-20 in November 2015.46

These political commitments surely carry a strong political message, but are not necessarily legally binding bilateral deals or treaties. The enforceability of the commitments is also questionable. There appear to be no foreseen consequences for breaching these commitments, other than political damage. The option of a bilateral commitment appears relatively weak unless coupled with another instrument, such as the threat of economic sanctions (as shown by the U.S. case).

Summary

The following table summarises the options reviewed above for challenging economic espionage.

CHALLENGING ECONOMIC ESPIONAGE

Option | Summary of findings
International (customary) law challenge by state | Espionage is per se not unlawful. Other principles, such as sovereignty, would have to be violated
Domestic court challenge by affected company | Attribution and evidence, claiming non-state immunity
Bilateral Investment Treaty, by affected company | Company would have to have an investment in the state, and show a link to the failed investment
WTO (TRIPS) challenge | Uncertain application, due to wording of provisions and geographical limitation of WTO commitments
Economic sanctions | Possible as a unilateral measure, however requires a form of national security test
Bilateral commitments | Lack of enforcement of commitments

43 Jamie Smyth, “Australia and China in pact against cyber theft”, Financial Times, 24 April 2017, https://www.ft.com/content/9df81164-28b5-11e7-9ec8-168383da43b7.

44 Adam Segal, “The U.S.-China Espionage Deal One Year Later”, Council on Foreign Relations, 28 September 2016, https://www.cfr.org/blog/us-china-cyber-espionage-deal-one-year-later.

45 Robert Fife and Steven Chase, “Canada and China strike corporate hacking deal”, The Globe and Mail, 25 June 2017, https://www.theglobeandmail.com/news/politics/china-agrees-to-stop-conducting-state-sponsored-cyberattacks-targeting-canadian-private-sector/article35459914/.

46 https://www.washingtonpost.com/world/national-security/worlds-richest-nations-agree-hacking-for-commercial-benefit-is-off-limits/2015/11/16/40bd0800-8ca9-11e5-acff-673ae92ddd2b_story.html?utm_term=.efe66043294.

MANNHEIMER SWARTLING [27]

“The current state of play leaves economic espionage relatively unregulated, which may explain why governments resort to other measures of unilateral nature instead, such as economic sanctions, or negotiating political commitments from states accused of engaging in economic espionage.”

Illustration of International and domestic law

Challenging economic espionage

State sponsored economic espionage is not regulated by international law

The legal role models of enhanced trust in cyber security

Table 1: Model Legislation

Legal basis in the national legal order
Legal justification | New legislation or amendments should rest on a fundamental legal interest such as national security or protection of privacy.
Legal hierarchy | A regime should rest on national legislation that has a certain significance in the national legal hierarchy (primacy) to avoid conflict of laws.
Autonomous assessments | Legislation should serve to detach the assessment from political influences, to ensure objective and autonomous technical security assessment.

Scope and Assessments
Scope: What should be covered by the law | Clear framework, which includes in its scope at least three types of supply situations: equipment, services and outsourcing for public ICT procurement. Cover both public and private operators.
Mandatory Assessments | Specific sectors or activities shall be subject to mandatory security assessments, specifically procurement in critical sectors including public ICT.

Authority and effects of assessments
Authority: Who should assess | One designated and centralized authority, which should have powers to collect or request relevant information. Assessment should be autonomous. Political considerations through consultation mechanism.
Effects of the assessment | A binding and enforceable regime is recommended. The authority should have mandate to take definitive e.g. through an authorisation, approval or declaration process. Non-compliance should be sanctioned.

FRENCH AND AUSTRALIAN LAW [24]

The role models of enhanced ICT vendor trust

In order to ensure economic and societal benefits from 5G, IoT and Industry 4.0, countries can adopt in their domestic legislation essential mechanisms to screen for ICT vendors’ independence.

By comparing how the French and Australian regimes are constructed to limit espionage threat from ICT infrastructure, a number of generic legal features should be considered by legislators in other countries wishing to codify, implement, or modify similar legislation.

The Model in table 1 incorporates the identified strengths, as well as proposed remedies to the identified weaknesses of the respective French and Australian approaches.

Sources:

1 Globally, People Point to ISIS and Climate Change as Leading Security Threats. Pew Research Center, 2017. http://www.pewglobal.org/2017/08/01/globally-people-point-to-isis-and-climate-change-as-leading-security-threats/

2 Globally, People Point to ISIS and Climate Change as Leading Security Threats. Pew Research Center, 2017. http://www.pewglobal.org/2017/08/01/globally-people-point-to-isis-and-climate-change-as-leading-security-threats/

3 Potential effect on business of small and medium enterprises (SMEs) due to cybercrime in 2016. Zurich Insurance Company, 2016. https://www.zurich.com/_/media/dbe/corporate/docs/whitepapers/global-survey-report.pdf?la=en&hash=482BDDF8D12B4CB94B3020207942D06AA5E3A9C2

4 Trend Micro, 2017. http://www.trendmicro.se/

5 Data Breach Investigations Report 10th Edition, Verizon, 2017. http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/

6 Data Breach Investigations Report 10th Edition, Verizon, 2017. http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/

7 Cyber Threat Bulletin, Number #21, BAE Systems, 2017. http://info.ai.baesystems.com/rs/308-OXI-896/images/Cyber_Threat_Bulletin_21 2017.pdf?mkt_tok=eyJpIjoiWXpJeE5UUmhZMk5rWVRSayIsInQiOiJ5eHFqeXNDcDh-VUFVzS2JSVXBWeEJuYmJ3NHE5XC9YdEJucHFrN1JTRnRTWU4xaWZMYTZt-eDZnTGo5amlzSnNnUmVVS3hxWUlVOVlsNWNWajNBaFkzcEwzSlViNTVCZ1FvTU5kYm-lrSjlJK2VcL0tMWGlvZXpIclpDaDNRVHowbmxYIn0=

8 Analysis of vulnerability to espionage, General Intelligence and Security Service of the Netherlands (AIVD), Directorate General for Safety and Security (DGV) Ministry of BZK (access Federation of American Scientists). https://fas.org/irp/world/netherlands/aivd-vuln.pdf

9 Findings of the investigation into China’s acts, policies, and practices related to Technology Transfer, Intellectual Property, and Innovation under section 301 of the Trade Act of 1974. https://ustr.gov/sites/default/files/Section%20301%20FINAL.PDF

10 Estimating the Global Cost of Cybercrime, 2017. https://csis-prod.s3.amazonaws.com/s3fs-public/publication/economic-impact-cybercrime.pdf

11 Business impacts of cyber attacks. Forensic Foresight: July 2016. Deloitte, 2016. https://www2.deloitte.com/au/en/pages/media-releases/articles/business-impacts-cyber-attacks.html?id=au:2sm:3li:4dcom_share:5awa:6dcom:media_releases#

12 China’s Cyber Power. IISS, 2016. https://www.iiss.org/en/publications/adelphi/by%20year/2016-d199/china--39-s-cyber-power-f1db

13 Getting to Yes with China in Cyberspace, RAND Corporation, 2016. http://www.rand.org/content/dam/rand/pubs/research_reports/RR1300/RR1335/RAND_RR1335.pdf

14 Cyber Threatscape Report, iDefense (Accenture Security), 2017. https://www.accenture.com/t20170721T220639Z__w__/us-en/_acnmedia/PDF-57/Accenture-2017-cyber-year-threatscape-report.pdf

15 Industrial Espionage and Productivity. IZA Institute of Labor Economics, 2017. http://ftp.iza.org/dp10816.pdf

16 APT1. Exposing One of China’s Cyber Espionage Units. Mandiant, 2013. https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf

17 Operation Cloud Hopper, PwC UK & BAE Systems, 2017. https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html

18 Recorded Future Research Concludes Chinese Ministry of State Security Behind APT3. Recorded Future (Insikt Group). https://www.recordedfuture.com/chinese-mss-behind-apt3/

19 Enter the Cyber Dragon - Understanding Chinese intelligence agencies’ cyber capabilities, Australian Strategic Policy Institute (ASPI), 2013. https://www.files.ethz.ch/isn/165376/10_42_31_AM_SR50_chinese_cyber.pdf

20 Bowcott, Owen. 2017. Dispute along cold war lines led to collapse of UN cyberwarfare talks. The Guardian. 23 August. https://www.theguardian.com/world/2017/aug/23/un-cyberwarfare-negotiations-collapsed-in-june-it-emerges

21 Chen, Stephen. 2017. China building world’s biggest quantum research facility. South China Morning Post. 11 September. http://www.scmp.com/news/china/society/article/2110563/china-building-worlds-biggest-quantum-research-facility

22 Designing the 5G Unified Air Interface. Qualcomm, 2015. https://www.slideshare.net/qualcommwirelessevolution/designing-the-5g-unified-air-interface

The 5G economy: How 5G technology will contribute to the global economy. IHS Economics & IHS Technology, 2017. https://www.qualcomm.com/documents/ihs-5g-economic-impact-study

23 National Intelligence Law, Mannheimer Swartling. 2017. http://www.mannheimerswartling.se/globalassets/publikationer/national-intelligence-law.pdf

24 French Penal Code, Article 226-4 of the Code Pénal and article 4 of the decree no. 2009-834 of 7 July 2009. https://www.legifrance.gouv.fr/Traductions/en-English/Legifrance-translations

The Australian Security Intelligence Act 1979. https://www.legislation.gov.au/Details/C2016C01133
