China, for its part, denies everything and occasionally makes counter-accusations of its own. Indeed, following the recent sanctioning and protest of a Chinese attempt to purloin the data of approximately 40 million United Kingdom voters, China responded with protests that such allegations were nothing more than “malicious slander.”
Why should CISOs care about expat Chinese nationals?
Those whom China has determined to be of interest live where we live, work in the cubicle down the hall, and are a part of our societies. Individuals targeted by China may be active in dissent, or they may have family members who are active dissenters. None raises a hand and asks to be targeted, yet so many are bribed, recruited, or coerced into stealing important data or secrets useful to Chinese intelligence services.
And while there is ample evidence that China is targeting those of Chinese ethnicity, one would be foolish to assume that ethnicity is the sole targeting parameter. The parameter that matters is “access”: does the individual have access to that which is desired (information, technology, or another individual)?
It would be equally foolish to take a xenophobic perspective and treat anyone of a given ethnicity, such as Chinese, as a significant risk. To reiterate, those who are being targeted by China are being targeted for their access to information of interest to China, be it intellectual property, insider capabilities, or proximity to those whom the government may wish to silence.
It is appropriate to have conversations with all employees about the threat posed by Chinese intelligence services. To help protect sensitive corporate information, it is vital to be aware of how infiltrators, willing or coerced, spot, assess, engage, recruit, and handle clandestine sources, and how these organizations use surrogates to make the initial outreach to a potential source.
Public-private partnerships can help protect against nation-state attacks
While government noise and sanctions make great press, what is really needed is more public-private partnerships that provide actionable information which non-governmental CISOs can use to protect their infrastructure, intellectual property, and personnel.
The Cybersecurity and Infrastructure Security Agency (CISA) is well on its way to doing just that with its advisories and warnings, complete with “what you need to do” sections. The unfortunate side is that large enterprises are generally the ones with the wherewithal to take the recommended action, while the tools and infrastructure of small and medium businesses may not be sufficient.
Nevertheless, knowledge is power, and CISOs will be well served to pick up what CISA is laying down when it comes to threat warnings. Similarly, the power to educate your workforce, the human target, is within arm’s reach of every CISO.