Western governments have been caught off guard and have still failed to implement basic risk management. Yet this is not the story of Covid-19, but of cyber-espionage of personally identifiable information (PII).
The theft of foreigners’ PII by state intelligence services for national security reasons is an extension of traditional spy-craft distinct to cyber-criminal identity theft, intellectual property theft, or government surveillance, although it has received less public or academic attention.
That is starting to change. This month, the UK, U.S., European Union, NATO, Australia, Canada, New Zealand, and Japan issued a joint statement pointing to the March 2021 Microsoft Servers (MS) hack, which they said was “highly likely to enable large-scale espionage, including acquiring PII.” The implications of this statement – the largest ever cyber-intrusion against the Five Eyes intelligence partnership and other Western allies, resulting in the theft of personal information about millions of individuals from 250,000 Microsoft servers worldwide – were lost in media coverage, which focused on the (unsurprising) attribution of the threat-group Hafnium as a Chinese state-backed actor.
Data-mining such huge volumes of PII enables a “mosaic” approach to intelligence-gathering – analysts aggregate discrete pieces of sensitive data, using artificial intelligence (AI), into detailed databases on rival populations, enabling the surveillance of critics, the recruitment of agents, and the micro-targeting of voters.
PII cyber-espionage comprises a genuine national security threat, with at least four potential uses – as demonstrated with the following illustrative, yet realistic, examples from the MS hack:
- To acquire secret information and target dissidents or persons of interest, like European Bank officials, via blackmail, bribery or deception;
- To data-mine at scale, identify linkages and predict behavior “upstream”, for example leveraging NHSrecords to build a detailed database of the UK population;
- To facilitate traditional intelligence activities more cost-effectively, such as recruiting infectious disease specialists as spies online; and
- To manipulate personal data, engage in digital deception, and influence public opinion, by targeting democratic institutions like the Norwegian parliament.
Despite the evidence of foreign intelligence services exploiting PII, the Five Eyes states have failed to understand or sufficiently defend the value of their citizens’ sensitive information. Government statements narrowly focused on China’s IP theft, since Hafnium used zero-day exploits (previously unknown software vulnerabilities, typically discovered by hackers) to target law firms, defense contractors, and policy think tanks. However, emphasis on economic espionage misconceives the long game that China is playing, leveraging human intelligence to manipulate targets’ future decisions.
It is important to see MS as part of broader patterns of Chinese PII cyber-espionage, including hacks of the Office of Personnel Management in 2014, Cloud Hopper in 2016, the Australian National University in 2018, and the Zhenhua Data hack in 2020. As FBI Director Christopher Wray said last year: “It is more likely than not that China has stolen your personal data.” The fact this data has not leaked to the cybercriminal market begs the question of why China would penetrate these networks if it did not see some long-term intelligence value.
The lack of public discussion of this cyber-threat is particularly unsettling because open liberal-democratic societies, like the UK and U.S., are especially vulnerable to the maximalist collection of citizens’ sensitive data. The collection and monetization of our online presence have been enormously useful for individuals and created huge wealth for tech entrepreneurs for the last three decades. Egregiously, Hafnium first exploited Microsoft security flaws on January 6, the day much of the world was fixed on television coverage of the Capitol Riots in Washington DC.
Geopolitics matter in cyberspace. Each state’s approach to intelligence-gathering, of which cyber-espionage constitutes a legitimate technique, is grounded in national strategic culture and contemporary regional politics. Whilst Five Eyes perceive cyber as a fifth domain, China embeds it within information operations. Scraping and analyzing data from an “astronomical” number of victims supports China’s twin objectives as an authoritarian rising power: to catch up with the West and expand domestic social control. PII cyber espionage is thus a great equalizer.
Traditionally a reference to education and death, the great equalizer concept intimates the potential of information to subvert established hierarchies and the concomitant risks of taking Western hegemony for granted. Underlying the MS story is the fact that the Five Eyes have not coped with rapid technological or geopolitical changes and have thereby exposed our sensitive personal data to rivals.
For individuals, basic cyber-hygiene is critical. Secure passwords and data encryption are digital equivalents of washing hands and wearing masks. Since greater public awareness is paramount, the limited coverage that MS received is an ominous sign. Just as earlier contact tracing could have minimized the covid pandemic, a greater understanding of PII’s potential as a threat vector may counter its equalizing effects before it is too late.