U.S. and British Law Enforcement Agencies Issue Unprecedented Warning About Chinese Espionage Efforts

11 July 2022 Innovative Technology Insights Blog
Author(s): Steven M. Millendorf

On July 6, 2022, the heads of the U.S. Federal Bureau of Investigation (FBI) and the British MI5 law enforcement agencies issued an unprecedented joint statement warning about espionage and other economic threats from China. Addressing an audience that included chief executives of businesses and senior officials from universities, FBI Director Christopher Wray stated that the economic and national security threats posed by the Chinese Communist Party are “immense” and “breathtaking” while MI5 head Ken McCallum called them “game-changing.” Director Wray indicated that the Chinese government “poses an even more serious threat to Western businesses than even many sophisticated businesspeople realize,” and that China had interfered in politics, including recent elections. This statement was validated by the U.S. National Counterintelligence and Security Center in a separate statement that indicated that China has accelerated efforts to influence U.S. policy making through overt and covert means, ranging from open lobbying to collecting personal information about state and local community leaders, and uses economic incentives to reward or punish officials. MI5 head McCallum further elaborated that MI5 had more than doubled its countermeasures against Chinese activity in the last three years and is expected to double them again soon.

Cybersecurity Threats

Director Wray told attendees that the Chinese government was “set on stealing your technology – whatever it is that makes your industry tick – and using it to undercut your business and dominate your market.” He further indicated that China is using a wide range of tools, and that China had deployed cyber espionage to “cheat on a massive scale,” engaging in a level of hacking activity that rivaled every other major country combined. MI5 head McCallum added that the biggest risk from the Chinese Communist Party is to “the world-leading expertise, technology, research, and commercial advantage developed and held by people in this room, and others like you,” and highlighted that the risks posed by the Chinese government included covert theft, technology transfer, and exploiting research.

As further evidence of the immediate threat, MI5 head McCallum suggested that MI5 had thwarted a sophisticated threat against aerospace organizations and described sophisticated “recruiting” activities posing as job interviews designed to encourage technology experts to describe technical information about their work to Chinese intelligence officials. McCallum indicated that intelligence information about cybersecurity threats had been shared with 37 other countries.

While the joint statement did not directly address the impact that such cybersecurity attacks could have on critical infrastructure, many of the concerns apply equally to organizations involved in critical infrastructure, and such organizations should take the threats from the Chinese Communist Party and other similar nation state threat actors equally seriously.

Importance of the Statement

The joint statement is the first ever joint public appearance between the two directors, and an unusual statement for two of the largest national law enforcement agencies in the Western world. The unprecedented statement underscores some of the main cybersecurity concerns that are often overlooked:

  • Cybersecurity threats cross traditional international boundaries. Director Wray elaborated on the international scope of the threat posed by China and stated that the Chinese government posed the “biggest long-term threat to our economic and national security – and by ‘our,’ I mean both of our nations, along with our allies in Europe and elsewhere.”
  • While businesses often focus their cybersecurity efforts on the threats to personal information, the intellectual property held by many organizations may be even more valuable to many nation state threat actors in an effort to achieve economic superiority.
  • Defending against such threats may demand a coordinated, international response that includes the sharing of threat intelligence information between countries.

China’s Response

China denied that it engages in the activities that Director Wray and MI5 head McCallum claimed, and stated through a spokesperson in China’s embassy in Washington, D.C. that Beijing’s position is that it is a defender of cybersecurity, its government would never condone such activities, and that it is the victim of cybersecurity attacks. The spokesperson criticized the statements by Director Wray and MI5 head McCallum as “U.S. politicians who has been tarnishing China’s image and painting China as a threat with false accusations,” accused the U.S. of launching a mass online surveillance campaign, and said that the U.S. should “be a truly responsible actor in cyberspace.”

What Business Should Do

Attacks from China (and other nation state threat actors) can come at any time. In fact, they are likely already happening – former FBI Director Robert Mueller once stated, “I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.” To defend against such attacks, businesses of all kinds should consider the following actions to protect their intellectual property and critical infrastructure activities:

  • Review Patching Policies and Procedures. Nation state actors quickly and easily exploit systems that have failed to patch known vulnerabilities.
  • Address Insider Threats. Although Director Wray was careful to be clear that the threat was from the Chinese government and the Chinese Communist Party and not the Chinese people or Chinese immigrants, businesses should be on alert for the potential of internal threats to cybersecurity from all of their employees.
  • Security Audits and Penetration Testing. Engage an independent security company to conduct penetration testing and a cybersecurity audit to verify the strength of the business’ cybersecurity defenses.
  • Isolate Critical Assets on the Network. Consider moving the highest value technology and other trade secrets to isolated computing systems that do not have physical access to the public internet. While this may not be practical for some organizations that are still working remotely, “sneaker net” can still be one of the best security measures when practical for the business.
  • Consider Risks to Business in China. Exercise caution when doing business in China. Director Wray also pointed to Chinese laws and regulations that pose risks to foreign companies operating in China, and encouraged business leaders to evaluate the risk of commercial interactions with Chinese partners. “Maintaining a technological edge may do more to increase a company’s value than partnering with a Chinese company to sell into that huge Chinese market, only to find the Chinese government and your partner stealing and copying your innovation,” he said.
  • Review Supply Chain for Technological Risks. Both the U.S. and British governments have launched efforts to limit or eliminate Chinese equipment from next-generation 5G telecommunications networks because of concerns about potential malware and other malicious components. Businesses should review their supply chain for the potential for the introduction of malware – not just for physical parts, but also for software and other network components, such as firewalls, routers, wireless access points, laptops, telecommunications systems, anti-virus software, and other similar network devices that may touch or have access to data. Businesses should only buy such products and services from reliable sources and avoid products that may come from organizations that may be associated with nation state threat entities in countries that may be aggressive towards the West’s economic interests, such as China, Russia, and North Korea. Businesses may wish to consider NIST SP 800-161 and NIST’s Software Supply Chain Security Guidance for guidance on reviewing and mitigating risks to their supply chain.
  • Plan for Geopolitical Supply Chain Disruptions. In addition to supply chain risks posed by malware and other malicious code, businesses should consider the potential impact of geopolitical forces on their supply chain. Director Wray suggested that China was taking lessons from Russia’s invasion of Ukraine to insulate itself from the impact of economic sanctions that could be imposed on it by the West, and highlighted that China could disrupt supply chains in an effort to hold Western organizations hostage, and that the potential disruption that could result from a Chinese invasion of Taiwan or other economic retaliation would be much greater than those seen this year as a result of Ukraine.
  • Review Disaster Recovery Plans. While the focus from China is a little different than traditional ransomware, China may attempt to get an economic advantage over major businesses by deploying tactics similar to those used in double-extortion ransomware, namely exfiltration of information and depriving the business of availability of the information. On top of the actions described above, businesses should ensure that they have appropriate disaster recovery policies and procedures (including testing backup and restore capabilities) to ensure that the business can recover prior progress and maintain its business advantage.
  • Review Other Cybersecurity Policies and Procedures. Conduct a table-top exercise targeting the misappropriation of intellectual property and disabling of critical systems, and review and update other cybersecurity policies and procedures as necessary to further protect this important asset.

Conclusion

Perhaps the most encouraging statement in the warning was from Director Wray, who offered that “I know that this all sounds alarming. But while the threat is immense, that doesn’t mean the harm is inevitable.” Businesses should take the actions described above to review and update their cybersecurity practices. For more information and assistance regarding your business’ cybersecurity posture, please contact the author or any other Partner or Senior Counsel member of Foley’s Cybersecurity and Privacy practice.
