Imagine that yesterday, there was a press conference in Beijing during which a senior Chinese government spokesperson claimed that the UK had been responsible for a ‘malicious’ and ‘hostile’ campaign of attacks targeting China’s political system. That would sound very serious, right? But then, the spokesperson clarifies that this series of malicious attacks was simply a case of UK intelligence personnel conducting online reconnaissance to determine whether the email accounts of senior Communist Party politicians were vulnerable to compromise, and ultimately failing to compromise any accounts. Hmm, I suspect most people would roll their eyes and think this was an ill-judged press conference, a bad case of exaggeration and over-reaction.
A failed effort to spy on fairly obvious political targets should not be described as a hostile, malicious campaign of interference in anyone’s system of government. Spying on political targets is not an attack on an adversary’s system of government. Even successful espionage against such political targets would constitute normal business between states like the UK and China. That is to say, the correct response when you uncover it is to remediate the incident and ensure that you are a harder target next time. Rhetorical exaggeration, sanctions even, would seem unwise if directed at activities very similar to those you might be doing yourself. The UK would not want its own spying efforts to be described as a hostile or malicious act. (I would just add here, given recent Reuters reporting that claims that the Trump administration conducted covert influence operations in China in 2019 and 2020, that this kind of activity would feel more like ‘interference’ than would the simple act of espionage accumulating information to provide insight.)
Now, no such press conference occurred yesterday in Beijing, but we did get a British parliamentary statement and a US Department of Justice statement both calling out ‘malicious’ activities by a Chinese government-associated threat actor, APT 31. Though there were differences between the UK and US statements, they both essentially called out the same long-running campaign(s) of Chinese cyber espionage against a range of targets.
I am sceptical about the UK announcement’s decision to describe apparently failed Chinese espionage targeting of UK legislators in 2021 as ‘hostile’ or ‘malicious’ interference with British democracy. This just looks like fairly standard political espionage to me, the kind that a lot of states reasonably believe they have a right to conduct, to ensure that they have insight into the internal deliberations of other significant actors. It doesn’t seem like the kind of activity to justify over-reaction. The prudent, pragmatic response would be one that focuses more on remediation and building up cyber security and resilience. In truth, these elements were part of the British statement, so the overall framing of the incident could have been constructed along these more pragmatic lines, rather than the more rhetorically fierce framing chosen by the government. This framing reflects the influence of geopolitical context more than it does a proportionate response to the fact that other states are interested in spying on UK political targets.
Part of the reason for the UK decision to elevate the rhetoric was that this wasn’t an isolated incident. In addition to political espionage-as-usual, there was evidence that an unnamed (possibly different) Chinese threat actor had compromised the UK Electoral Commission in 2021, stealing the personal data of around 40 million British voters. A cyber operation compromising electoral infrastructure could be interpreted in one (or a combination) of three ways: (1) as preparation to conduct a disruptive or destructive attack; (2) as an effort to undermine public trust in electoral infrastructure (along the lines of ‘if it’s so easily violated, who knows what might have been done to undermine the integrity of our elections?’); and (3) simply to acquire a bulk data set relating to British voters, which can be fused with other data sets to generate a powerful tool for improving future UK-orientated operations.
The UK statement contained no information suggesting there was any UK intelligence community assessment indicating the likelihood of the first motive, i.e. preparation to conduct a disruptive or destructive attack on the UK’s electoral infrastructure. The implication of the British statement is that such actions inherently produce the second effect (undermining public trust in electoral infrastructure), but again, there was no associated, declassified assessment indicating that this was the intended outcome of the operation. Moreover, the government minister delivering the statement (Deputy Prime Minister Oliver Dowden) was emphatic in explaining that no such compromise had occurred: everyone could still trust the UK’s electoral infrastructure. (You might reasonably wonder, therefore, if the chosen pyrotechnic framing of the incident - an attack on UK democracy - by the government was helping or hindering the delivery of that message.) The third motive, whilst possible (essentially the Commission as a rich pot of data, a target of opportunity), seems curious (there are surely other, less politically sensitive ways of accumulating similarly large data sets), unless, that is, there is also an element of motive 2, i.e. an intention to generally exert a nuisance effect on public trust in the UK’s electoral infrastructure.
Where does this leave us? The UK government appeared to hype Monday’s statement in revelations trailed to the press over the weekend. This generated a certain expectation that Monday’s statement would reveal more than the bare facts it outlined. There was no additional insight into the threat actors and no de-classified intelligence assessment about interpreting the intentions behind the wider campaign. The main opposition party asked about such an assessment and the government response (that ‘it is a matter for the Chinese to be able [to] justify their motivations’) was an embarrassingly weak ad lib – not necessarily the fault of Dowden, the government minister, who shouldn’t have been sent into the chamber without a better answer to that obvious and important question.
This was a missed opportunity for the government to develop cross-party support for its approach. Watching the parliamentary questions following the statement, you couldn’t help but notice that the general feeling was that the statement had been an anti-climax. Simply describing failed Chinese attempts three years ago to spy on a handful of political targets in the UK is a poor starting point for building that consensus. It might have been better to focus on developing a case based on the National Cyber Security Centre’s supporting statement, that the Electoral Commission data might have enabled ‘transnational repression of perceived dissidents and critics in the UK’. But again, this would be a starting point, and more would need to be done to ground the case. There was a sense that Monday’s statement - even though it dealt with historic (2021) cases - felt a bit rushed, as though the government needed more time to really land its argument and identify appropriate responses.
The government announced targeted measures against two Chinese cyber operatives and the wider threat actor. This was a relatively restrained approach given the rhetoric – it did not, for example, sanction the wider list of operators pursued by the US government, nor anyone involved in the political decision-making chain of command approving such operations. The UK is merely targeting some of the cyber foot-soldiers implementing part of China’s espionage campaign. It was clear from the parliamentary questions yesterday that there is a significant body of opinion amongst legislators - and not just in the ruling Conservative party - that would be in favour of stronger measures.
I am unpersuaded that the cases outlined yesterday would merit a stronger public response - except, in the case of the Electoral Commission hack, for me the more severe of the two cases, the government might have considered targeted measures against named individuals involved in the decision-making, as well as the operational aspects of the case. But, from the supporting statement from the National Cyber Security Centre, it looks like only the operational actors associated with the failed targeting of parliamentarians have been subjected to UK measures. It isn’t clear that the unnamed Chinese threat actor responsible for the Electoral Commission operation has been affected at all by the measures announced on Monday.
There was also a moment in the parliamentary proceedings when the government minister responded to a question about deterrence by implying – apparently in an ad lib remark, but possibly suggesting something more – that he would not comment on the operations of the National Cyber Force (he actually called it the cyber defence force, but I’m pretty sure he meant the NCF). Whatever might or might not be happening in this space, as ever, it’s always difficult to assess the totality of the UK’s response because some of it might be covert.
The bigger picture context is clearly the deterioration in relations between China and the West, with the UK and other countries increasingly perceiving China as a strategic threat. As legislators noted yesterday, this is a big change over the last decade – noting the more positive China policies pursued by David Cameron (the current foreign secretary) when he was prime minister (2010-16). The UK government’s position is that it has needed to change its policy as China has changed its own. There is merit to this argument, but the parliamentary theatre of yesterday doesn’t really improve our understanding of the nuances of the relationship. It was a missed opportunity for the UK government to provide clarity about the bigger picture, to carefully explain its assessment of China’s cyber campaign(s), and to build consensus for a cross-party approach. Instead, we saw what felt like an overhyped and underprepared statement.