In today’s globalised business world, what happens in Shenzhen or Singapore may be just as important as trends closer to home. To that end, I recently offered IDG Connect the following round-up of the past year in APAC, and a few notes on what we can expect from the months ahead. As Apple’s dire performance in China has shown, Asia increasingly matters to Western tech firms, their customers, shareholders and partners:
Asia’s technology market had more global exposure in 2018 than in many recent years. There’s just one problem: most of it was negative. President Trump has begun a de facto trade war with China which has now morphed into a full-fledged stand-off on several fronts, with cyber-espionage and perceived unfair Chinese trading practices at the heart of US grievances. As we head into 2019 expect tensions to increase, with other south-east Asian nations potentially benefitting as US firms pull their supply chain operations from the Middle Kingdom.
It could be an extremely nervy time for Silicon Valley CEOs.
The trade war continues
The tit-for-tat trade war started in 2018 might have so far steered largely clear of tech goods, although some firms have begun to warn of an impact on profits. But the industry has certainly been at the heart of the stand-off between the world’s superpowers. In January a deal between Huawei and AT&T to sell the former’s smartphones in the US collapsed after pressure from lawmakers worried about unspecified security concerns. Then came a seven-year ban on US firms selling to ZTE — the result of the Chinese telco breaking sanctions by selling to Iran, and then lying to cover its tracks. Although part of the ban was subsequently lifted temporarily, it highlighted to many in the Chinese government what president Xi Jinping had been saying for some time: the country needs to become self-sufficient in technology. It was reinforced when Huawei became the subject of a similar investigation.
This is about America, and Trump in particular, fighting back against what it sees as years of unfair trading practices by China. The argument goes that the Asian giant has been engaged in cyber-espionage on an epic scale to catch up technologically with the West, and unfairly forces IP transfers on foreign firms as the price for access to its huge domestic market. Thus, the coming year will see a ratcheting up of tensions. China on the one side will look to increase its espionage in areas like mobile phone processors to accelerate plans to become self-sufficient. And the US will continue to find ways to crack down on Chinese firms looking to access its market — probably citing national security concerns. There are even reports that the US has considered a total ban on Chinese students coming to the country over espionage concerns.
“Technology CEOs the world over with supply chain dependencies in China — so probably all of them — should be increasingly nervous and focused on their firms’ efforts to have viable contingency plans for a US-China technology cold war,” wrote China-watcher Bill Bishop in his Sinocism newsletter. That could spell good news for other ASEAN nations like Vietnam, where Samsung has made a major investment in facilities — although few countries in the region boast the infrastructure links and volume of skilled workers China does.
Cybersecurity takes centre stage
As mentioned, cybersecurity and online threats are at the heart of the Sino-US stand-off. The stakes got even higher after a blockbuster report from Bloomberg Businessweek which claimed Chinese intelligence officers had implanted spy chips on motherboards heading for a US server maker. Although the claims have been denied by Apple, Amazon and the server maker in question, Supermicro, they will confirm what many have feared about supply chain risk for a long time and accelerate efforts in 2019 to move facilities out of China. Further fanning the flames is a US indictment alleging Chinese spies worked with insiders including the head of IT security at a French aerospace company’s China plant to steal IP.
In a move likely to enrage China, the US also recently arrested and charged a Ministry of State Security (MSS) operative with conspiracy to steal aviation trade secrets. A major backlash is likely to come from Beijing. But more could also come from Washington after a combative congressional report from the US-China Economic and Security Review Commission called for a clampdown on supply chain risk and warned of China’s efforts to dominate 5G infrastructure and IoT production.
Aside from state-sponsored attackers, there’s a growing threat from Chinese cyber-criminals, according to one security vendor. Western firms suffer millions of attacks per year from financially motivated Chinese hackers, according to IntSights. Expect that to increase in the future as the state encourages criminals to focus their efforts outside the country, or even to team up with hacking groups at arm’s length. Also expect the country’s Cybersecurity Law to have a growing impact on how Western firms do business there. Ostensibly meant to vet such firms for interference by the NSA and CIA, the law could also serve as a pretext for Chinese officials to access sensitive IP and source code belonging to Western firms operating in China.
For other countries in the region, improving cybersecurity is vital to their efforts to attract more foreign IT investment and nurture start-up friendly environments. Although there are pockets of good practice, APAC is thought to be among the least mature regions worldwide. AT Kearney has called on ASEAN nations to increase cybersecurity spending to around $170 billion, warning that they are in danger of losing $750 billion in market capitalisation otherwise.
The threat from Chinese spies and local hackers is compounded by the growing danger posed by North Korea. Its state-sponsored hackers are acting with increasing impunity. FireEye recently identified a new group, APT38, which was responsible for the attacks on Bangladesh Bank and other financially motivated raids. Expect more attacks aimed at raising funds for the regime, as well as destructive campaigns and politically motivated information theft.
Taking a lead
On a more positive note, APAC is increasingly seen as a leader in emerging digital technologies: led by the two regional giants of India and China but also mature nations like Singapore, Taiwan, Hong Kong and South Korea. Microsoft believes that digital transformation will inject over $1 trillion to APAC GDP by 2021, with artificial intelligence (AI) a key catalyst for growth.
AI continues to be major focus for the region. Singapore is a leader in AI thanks to heavy government investment in schemes such as AI Singapore (AISG) and its AI Speech Lab, while government-owned investment company SGInnovate has recently unveiled its Deep Tech Nexus strategy. India is also is also poised to become “one of the most active centres of expertise in AI” according to experts, thanks to government backing.
Asia is leading the way on smart city projects. Investment in initiatives was set to reach $28.3 billion in 2018 in APAC (ex Japan), and is forecast to reach $45.3 billion in 2021 — partly out of necessity. The region’s cities are forecast to add another one billion citizens by 2040, which will require up to 65% of the UN’s Sustainable Development Goal targets to be met.
India’s Modi government has led the way with an ambitious plan to transform 100 cities, although 2019 will be a crucial year, given that recent reports claim 72% of these projects are still only at the planning stage. Many more examples are springing up all over the ASEAN region, however, from flood awareness programmes in Danang to a free public Wi-Fi and CCTV camera network in Phuket. IDC celebrates some of the best examples each year, showing the breadth of innovation in the region.
However, governments will need to do better in 2019 to tackle major barriers to digital transformation identified by the UN. These include excessively top-down approaches; security, privacy, and accountability problems; and digital exclusion. It claimed just 43% of APAC residents were internet users in 2016. There’s plenty of work for governments and the private sector to do next year.
Donald Trump made some questionable remarks this week that have rightly caused an almighty backlash. But one thing he did that may have more support, is sign an executive memorandum which will most likely lead to a lengthy investigation into alleged widespread Chinese theft of US IP. This is a big deal in Silicon Valley and something that has irked US business in general for years.
The question is, will this latest strategy actually result in any concrete changes on the Chinese side? As you can see from this new IDG Connect piece, I’m not convinced.
Years of theft
There are few things Democrats and Republicans agree on, but one is that China has had things far too long its own way when it comes to trade. The US trade deficit between the countries grew to $310 billion last year, helped by the growing dominance of Chinese businesses. Many of these have been able to accelerate their growth and maturation thanks to IP either stolen by hackers from US counterparts or take via forced joint ventures and tech transfers. Many of them are selling back into the US or their huge domestic market, undercutting American rivals.
Chinese firms don’t have the same restrictions around forced JVs and tech transfers to enter the US market. In fact, the likes of Baidu even have Silicon Valley R&D centres where they’re able to recruit some of the brightest locals, while government-backed VC firms have been funding start-ups to continue the seemingly relentless one-way IP transfer.
There are, of course, more nuances to the dynamic, but you get the point.
So, will this investigation get us anywhere? After all, it will empower the President to take unilateral action including sanctions and trade embargoes. Well, on the one hand, little gain can be made from stopping Chinese IP hackers, as they have stopped outright theft ever since a landmark Obama-Xi deal in 2015, according to FireEye Chief Intelligence Strategist, Christopher Porter.
“If anything, discontinuing straightforward theft of intellectual property for strictly commercial purposes has freed up Chinese actors to focus more on these other targets than ever before, so the risk to companies before and after the Xi Agreement depends heavily on what industry that company is in and what sort of customer data they collect,” he told me via email.
That’s not to say the Chinese aren’t still active in cyberspace, but it’s less around IP theft, which is the focus of this investigation, Porter added.
“We have seen an increase in cyber threat activity that could be Chinese groups collecting competitive business intelligence on US firms selling their products and services globally—several companies that were targets of proposed M&A activity from would-be Chinese parent companies were also victims of Chinese cyber threat activity within the previous year, suggesting that they may have been targeted as part of the M&A process to give the Chinese company a leg-up in negotiations,” he explained.
Which leaves us with JVs and tech transfers, which have provided Chinese companies with vital “know-how” and “know-why” over the years. To my mind, if there’s any area where the US can and should focus its diplomatic and negotiating efforts, it’s here. However, as reports in the past have highlighted, it took China years to construct a gargantuan, highly sophisticated tech transfer apparatus, and it won’t be looking to bin that anytime soon, especially with the Party’s ambitious Made in China 2025 strategy now in full swing.
Neither side will want to become embroiled in a trade war. The US has too many companies which count China as a major market – it’s Apple’s largest outside the US, for example – and Chinese firms are doing very well selling into the US, as that huge trade deficit highlights.
In the end, my suspicion is that this is just another bit of Trump tough talk which will actually produce very little.
“This long-awaited intervention should also probably be viewed in the larger picture of the way the Trump administration operates: in terms of ‘carrot and stick diplomacy’,” Trend Micro European Cyber Security Strategist, Simon Edwards, told me.
“It is also well documented that the US administration is trying to use trade deals to get action on the situation in North Korea; and perhaps this is more of a stick to be used with the accompanying ‘carrot’ of a greater trade deals?”
Time will tell, but it’s unlikely that US tech companies operating in China, and their global customers, will be any better off after this latest test.
The South China Sea is an increasingly dangerous place to be in cyberspace. And as China is involved in territorial disputes over the area that bears its name with virtually all of its neighbours, there are no shortages of targets for its army of state-sponsored operatives.
F-Secure is the latest security vendor to confirm what most of us know already – that Chinese hackers, most likely working for the state, have been systematically stealing data from organisations with interests in the region for years now. It’s new report, NanHaiShu: RATing the South China Sea, details a new piece of information-stealing malware used in campaigns targeting government and private sector firms. Why? They were all involved, directly or indirectly, in a recent UN tribunal over ownership of a group of rocks in the South China Sea. Victims included the Department of Justice of the Philippines, the organisers of the Asia-Pacific Economic Cooperation (APEC) Summit and a major international law firm involved in the tribunal
F-Secure cyber security adviser, Erka Koivunen, told me he suspects a nation state was behind the attacks, although definitive attribution is always hard.
“Admittedly the malware itself may not be the most sophisticated piece of code there is. That doesn’t however mean that the operation wasn’t sophisticated,” he said via email. “The lack of zero-days and bleeding edge alien technology may admittedly seem a bit boring, but in fact is a sign of cold calculation and professionalism on the level of execution.”
This report is the latest of a long line of similar intelligence highlighting extensive cyber espionage in the region related to Beijing’s interests in the South China Sea and the rocks, reefs and islands that dot the landscape. Late last year a ThreatConnect report revealed an alleged PLA cyber espionage campaign dating back five years and targeting the Philippines, Singapore, Thailand, Vietnam and many others in the region. US interests have also been attacked.
William Glass, threat intelligence analyst at FireEye, believes this is just the beginning, as China begins to flex its muscles in the region.
“More recently, we have seen the list of targets expand to energy companies, legal firms, and even GitHub, targeted by China’s Great Cannon in March 2015,” he told me. “Beyond simply stealing information, Beijing has found there are benefits to using cyberspace to propagandise and attempt to influence behaviour.”
He claimed that the army’s new Strategic Support Force may see disputes in the area as the perfect opportunity to test its significant capabilities, which could range from range from “typical cyber espionage to learn of plans and intentions of commercial companies to efforts designed to influence companies’ decisions to invest or operate in the South China Sea.”
“Recently, the Chinese media has singled out Australia and Japan for particularly harsh criticism following the tribunal ruling,” Glass explained.
“It’s possible that China-based groups—with or without official government backing—will target Australian and Japanese commercial interests in retaliation for perceived interference or in an attempt to force Canberra and Tokyo to more carefully consider any follow-on action.”
For starters, firms working in the energy, logistics and shipping, and political and legal advocacy sectors in the region would do well to redouble their cyber security efforts. But the truth is that any organisation that deals with China or works in an industry where Chinese companies have interests – which is virtually every organisation – should consider the threat of state-sponsored attacks from the East. Yes, it’s more likely they’ll encounter ransomware than an info-stealing RAT guided by the PLA. But the threat is there, and as UK organisations increasingly look to the Middle Kingdom in this post-Brexit world, it’s one they should all take seriously.
I’ve just been putting together a piece for IDG Connect on tech predictions for China and Hong Kong in 2015. It’s always difficult to fit in all the comment I manage to get on these pieces, so here’s a bit more on the cyber security side of things, from FireEye threat intelligence manager Jen Weedon.
The long and the short of it is “expect more of the same” from China. The US strategy of naming and shaming PLA operatives ain’t really doing much at all.
“In the next six to twelve months, targeted data theft by China-based actors is likely to remain consistent with patterns we have observed in the past,” Weedon told me by email.
“We expect Chinese threat groups to conduct espionage campaigns that are in line with the Chinese central government’s political and development goals.”
So what exactly will these goals be in 2015? Well, according to Weedon we can expect data theft to focus on climate change and the tech sector.
“China’s ongoing pollution challenges provide strong incentive for threat actors to steal data related to technologies that can help China stem the environmental impact of its heavy reliance on coal,” she said. “We also expect cyber espionage activity against governments and policy influencers in the run-up to the 2015 UN Climate Summit as China seeks intelligence to enhance its negotiating position on global climate policy issues.”
As for the tech sector, China is stepping up its efforts to develop homegrown computing and semiconductor policies – ostensibly for reasons of national security, ie to close down the risk of NSA backdoors in US kit.
“As the country pursues these goals, we anticipate Chinese actors will leverage data theft to supplement knowledge acquired through legitimate channels such as joint ventures with experience foreign partners,” Weedon told me.
“We regularly observe China-based threat actors target firms engaged in joint ventures with Chinese enterprises.”
Territorial disputes in the South and East China Seas will also continue to drive cyber espionage activity, she said.
As for beyond that, we’ll just have to wait until after the National Development and Reform Commission (NDRC) outlines development priorities for the 13th Five Year Plan.
“As the central government solidifies its goals for the 2016 to 2020 timeframe, we expect further clues to emerge about which topics are likely to enter threat groups’ cross hairs in 2015 and beyond,” said Weedon.
It’s very much a question, therefore, not of whether China will continue its blatant state-backed cyber espionage campaigns, but where it will focus its considerable resources.
I seem to have chosen the wrong time to come back from Hong Kong. Just a fortnight after landing back in Blighty, the US raised the stakes between the two superpowers, and mortally offended China’s honour, by indicting five PLA soldiers on charges of hacking US firms for economic gain.
I’ve written enough about it here and here already, so I won’t go into the pros and cons of this high risk strategy again. Safe to say that Beijing already appears to be retaliating in the most effective way possible; by making things decidedly difficult for US tech firms in the Middle Kingdom. Already reports have emerged that Cisco and IBM could be in trouble.
Is a new Cold War about to begin?
Well, if it does, one company it might be worth keeping an eye on is threat intelligence firm Cyber Squared. The firm’s ThreatConnect Intelligence Research Team has an interesting and very thorough analysis of new APT-style cyber attack campaigns in the disputed South China Sea (SCS) region, as I wrote about here.
“What’s that got to do with us?” you might ask. Well, potentially quite a lot, according to Cyber Squared chief intelligence officer, Rich Barger.
“There is a risk of increased data loss for Western firms that routinely work with Vietnamese, Filipino, and other SCS region companies,” he told me. “Unit 61398/APT1 operates on the whim of the PRC, and cyber espionage has been adopted as the preeminent ‘low risk – high payoff’ medium for strategic intelligence collection.
“We typically see companies that are infrastructure related being targeted. Industries such as energy, oil & gas, mining, and transportation may find themselves directly or indirectly impacted.”
The message is loud and clear; if you have any military, economic or geopolitical stake in the SCS region, be aware that Chinese cyber operatives are increasing their activity.
“China has had a long standing national and regional interest within the South China Seas region,” explained Barger.
“It offers them a strategic economic advantage in terms of regional and global energy development and trade. From a military perspective, a strong Chinese presence within the SCS also counters the US pivot to South East Asia where China’s military modernisation, especially its navy, and regional assertiveness have come to an intersection.”
Barger argued that the various disparate groups at risk in the SCS need to start sharing information on attacks and “observing both the technical picture and the geo-political context”.
“It is important for those within these targeted industries to actively invest in threat intelligence processes as a standard business practice that supports internal information security operations,” he concluded.
“It is equally important that technical leaders effectively interpret and articulate regional threats and the context surrounding them to corporate business leaders.”
Verizon’s annual Data Breach Investigations Report is out and several headlines have pointed to it highlighting China once again as the biggest source of global cyber espionage threats, however we need to be careful drawing such conclusions.
The report revealed that when it comes to cyber espionage, the majority (87%) is state affiliated rather than committed by organised crime (11%) and is targeted at victim organisations outside of the country of origin.
When it comes to “victim countries”, the US (54%) accounts for by far the majority, followed by South Korea (6%) and Japan (3%), although this is more of a reflection of the intelligence sources that inform the report than anything else.
More interestingly, it pegged “external actors” operating from Eastern Asia – mainly China and North Korea – as the most prolific worldwide, accounting for 49%.
Eastern Europe was next (21%), followed by Western Asia (4%), while North America and Europe were way down with just 1% each.
So what does this tell us? Well, those looking to prove that China is once again the arch bogeyman when it comes to global state-sponsored attacks should think twice, according to Verizon.
Report co-author and senior analyst, Kevin Thompson, told me that the results reflect the fact that large numbers of North American companies participate in the study and relatively few hail from East Asia – with none from China and Japan.
“We have been trying to recruit a partner organisation from China, Japan, or South Korea to increase our visibility into that part of the world,” he added. “Since many of our partners that investigate cyber espionage are based in North America they tend to only see attacks that are aimed at North American companies.”
Also, out of 511 total cyber espionage incidents recorded, more than half (281) were removed because no country could be attributed as the source of an attack.
“East Asia is the most commonly seen espionage actor when our partners are able to identify the country at all, which is not even half of the time,” Thompson explained.
“There tends to be more research around East Asian espionage than other countries, especially among North American partner organisations. Since there is more research in that area, it is easier for a partner to identify espionage from those regions while espionage from North America or Europe might be labelled ‘Unknown’ and would not be included in figure 59 of the report.”
If the NSA revelations have taught us anything it’s that the 1% figure for North America-based attacks is likely to be way smaller than in reality.
Verizon also claimed in the report that “the percentage of incidents attributed to East Asia is much less predominant in this year’s dataset”.
The real growth in activity is actually coming from Eastern European attackers, it said, adding the following:
At a high level, there doesn’t seem to be much difference in the industries targeted by East Asian and Eastern European groups. Chinese actors appeared to target a greater breadth of industries, but that’s because there were more campaigns attributed to them.
Malicious email attachment (78%) and web drive-by (20%) are still the most popular method of gaining access to a victim’s environment.
As for advice on how to lower the risk of a compromise, Verizon reiterated the basics.
These include: patch all systems and software so they’re fully up-to-date; use and keep an updated anti-malware solution; maintain user training and awareness programs; segment your network; log system, network, and application activity; monitor outbound traffic for data exfiltration; and use 2FA to stop lateral movement inside the network.
Earlier this week David Cameron signed a deal designed to elevate the Indo-British relationship to an “unprecedented level of co-operation” on cyber security issues. It came as part of the PM’s three day trade mission to India and is certainly to be welcomed, but the agreement also implies some rather worrying things about the cyber readiness of the country’s big outsourcing firms.
The deal will essentially mean two things. Firstly, UK technical know-how and expertise in the cyber security sphere will be shared with Indian outsourcers, essentially to help protect the vast amounts of data from UK consumers and businesses which are now held on servers in the country.
Secondly, the agreement will see the two countries share relevant threat intelligence in order to thwart attacks on their systems, whether they’re coming from the UK, India or elsewhere.
Now, as mentioned, any kind of international co-operation on cyber threat protection is a step in the right direction, and Cameron certainly can’t be faulted for his assertion that “other countries securing their data is effectively helping us secure our data”.
My surprise is that big name outsourcers like Wipro, HCL, Mahindra and Infosys – firms which have built their business presumably on the quality (and security) of their BPO offerings – need an extra hand.
Any CIO worth his salt would surely relegate to the scrap heap a potential outsourcing provider who could not satisfy his or her list of pre-determined security requirements.
Sure, the smaller outsourcers will benefit most from this deal, but the big boys too?
Well, yes, according to Forrester’s New Delhi-based analyst Katyayan Gupta.
“Even larger Indian firms like Infosys, TCS, etc. will also benefit because now they will have an additional layer of security against cyber criminals,” he told me.
“This is not to say that these firms do not have good security right now. But the question really is – is it enough to keep all attackers out? Probably not.”
Now I know in this age of APTs and highly targeted attacks no firm can claim to be impervious, but it’s slightly worrying when those with huge resources – in an industry where reputational damage following a data breaches could hit hard – are apparently getting expertise flown in from the UK that they haven’t obtained anyway.
Also, as Gupta argued, the deal will still do nothing to stop perhaps the biggest threat to UK data residing on these firms’ servers: corrupt insiders.
It may be time to revisit those SLAs.