Ian Williams

Why is the UK not blaming China for the MoD hack?

The personal details of members of the UK’s armed forces appear to have been the latest target of China’s prolific cyber spies, with the Ministry of Defence’s payroll system containing the names, bank details and some addresses of up to 272,000 people on its books targeted by hackers. The government though is directing its fury at the hapless MoD contractor whose systems were breached, rather than the suspected perpetrators in Beijing.

Defence secretary Grant Shapps said the attack was carried out in recent days and was ‘the suspected work of a malign actor’. He would not name the actor, though in multiple background briefings China was identified as prime suspect – a ‘fabricated and malicious slander’, according to the Chinese embassy in London. Speaking in the House of Commons Tuesday, Shapps said, ‘We think the private contractor has many questions to answer,’ pledging ‘the strongest action’ in the case of negligence.

Unlike the hacker, the contractor was later named as SSCL, which manages the MoD’s military personnel payroll. The government said an initial investigation found that although the system had been breached, there was no evidence that data had been copied or removed from it and that the hacked system was not part of the MoD’s central network – though that may well have been the ultimate target.

In addition to the armed forces, SSCL manages the payroll of more than half a million civil servants. It was set up as part of a government effort to cut costs and claims to have saved the taxpayer more than £400 million. It provides business services to 22 government departments and agencies, processes more than £363 billion in payments every year, and has processed more than 1.2 million government recruitment applications, according to the company’s website. A potentially rich fishing ground for Chinese hackers, in other words – especially if income from those lucrative contracts was not invested in robust cyber defences.

Hacking the systems of third-party suppliers – a supply chain attack as it is known by cyber security experts – has become a modus operandi of Beijing’s cyber spies. As the main targets, in this case the Ministry of Defence, have hardened their systems, so hackers have looked for sideways routes into their computers, with suppliers frequently laxer in their cyber security systems and practices.

Obtaining personnel data on UK soldiers, seafarers and air force pilots could help China target individuals for recruitment or coercion as well as building a broader map of British defence capabilities. The incident has worrying echoes of a 2015 hack of more than 22 million records held by the Office of Personnel Management in the United States, which included applications for security clearances. That attack was also blamed on Beijing. China is a prolific hacker of personnel databases – which is often characterised as a ‘vacuum-cleaner’ or ‘thousand grains of sand’ approach to espionage. This is misleading as it implies a scattergun approach, whereas in reality it is carefully targeted. More worrying still, China is developing the capability through artificial intelligence (or at least machine learning) to better analyse, cross-reference and look for patterns in these stolen databases.

The latest hack comes just weeks after it was revealed that Chinese hackers had accessed the personal information of 40 million voters held by Britain’s Electoral Commission and attempted to target the email accounts of MPs critical of China. In that case, the government did blame Chinese state actors, though it did so in coordination with America. The action taken – sanctioning two Chinese officials and a government-linked company – was heavily criticised by MPs as underwhelming and failing to hold China to account for an attack on Britain’s democracy. The hack could help fuel Beijing’s growing disinformation machine ahead of the general election expected later this year.

Britain’s cautious approach is in stark contrast to America’s, but also increasingly to Europe’s. There has been a sharp increase in Chinese espionage (or at least its detection) in Europe. In Germany, police have detained three German citizens on suspicion of arranging to transfer information about sensitive technology to China. A close adviser to a leading member of Germany’s far-right Alternative für Deutschland party (AfD) has also been arrested on suspicion of spying for China. The German interior minister, Nancy Faeser, has said that if proven the case is nothing less than ‘an attack on European democracy from within’.

Shapps’s reluctance to utter the word ‘China’ in the case of the MoD hack – at least publicly – may well reflect caution in attributing blame without greater certainty. The hack was recent, and attribution is difficult in the smoke-and-mirrors world of cyberspace. It could well be that the security services want more time to carry out digital forensics. In this dark world investigators talk about the balance of probabilities rather than beyond reasonable doubt. That is understandable. It is less understandable if the caution is political rather than technical and is caught up in the intractable wrangling over the UK’s China policy. In this respect, the response to the Electoral Commission hack is not encouraging. Prime Minister Rishi Sunak insists Britain’s approach to China is ‘robust’ but has appeared reluctant to formally designate China a threat under new national security laws. This would require greater scrutiny of Chinese-controlled entities and those acting for them. Based on Beijing’s behaviour this designation would seem self-evident and long overdue, but there is push-back from ministers, including business secretary Kemi Badenoch, who are concerned about the ‘business and trade implications’. This argument has long been at the root of Britain’s incoherent China policy and hardly seems a credible deterrent to China’s increasingly brazen army of hackers.
