While the government attempts to microwave its cold war with Russia, a more menacing adversary may have already breached the national firewalls. I speak, of course, of the other emerging power in the new tri-polar world: China.
In many ways, the new Chinese imperialism is very similar to the nineteenth century British version. China is seeking – by fair means or foul – to become the world’s leading technological power. At the same time, it has used its recent economic growth to accumulate sufficient gold reserves to underpin a new “petro-Yuan” that (if necessary) can operate independently of the US Dollar. These two developments have allowed China – like nineteenth century Britain – to make loans to developing states to enable those states to purchase the Chinese technology required to develop their economies.
So it is that China has been buying up large swathes of the critical infrastructure around the world. In sub-Saharan Africa, for example, China has been building railways and ports designed to redirect cash crops away from Europe toward China. The same is being done in the Middle East with oil; China is now the biggest importer of Saudi Arabian oil, and is also looking to secure a large part of the oil (and gas) from the Caspian basin via new pipelines across Russia.
What has this got to do with Russian cyber attacks on UK critical infrastructure?
Firstly, those cyber attacks are not going to happen. This is simply because the computer systems that operate critical infrastructure are not connected to the outside world. Even the UK Tory government is not incompetent enough to connect oil refineries, transport networks and nuclear power stations to the internet, not least because they will have been fully briefed about the US/Israeli “Stuxnet” attack on Iranian nuclear power facilities in 2010. The myth is that the Stuxnet “worm” found its way into the facility on a thumb drive, because there was no means of hacking from outside.
The myth may well, however, be wrong; and this has serious implications for the security of the UK’s critical infrastructure. According to Jon Fingas at Engadget:
“Researchers now know that the sabotage-oriented code first attacked five component vendors that are key to Iran’s nuclear program, including one that makes the centrifuges Stuxnet was targeting. These companies were unwitting Trojan horses, security firm Kaspersky Lab says. Once the malware hit their systems, it was just a matter of time before someone brought compromised data into the Natanz plant (where there’s no direct internet access) and sparked chaos. As you might suspect, there’s also evidence that these first breaches didn’t originate from USB drives.”
In other words, compromised hardware is a far greater threat than any attempted (software) cyber attack from the outside. How, then, might a state actor compromise the hardware components of – to pluck an example out of thin air – the new Hinkley Point C nuclear power station? It is technically possible to do this. But the prevailing wisdom is that the odds against compromised hardware making its way through the supply chain from the manufacturer to the end user are so high as to rule out this kind of attack. As is so often the way, however, the prevailing wisdom may have just been proved wrong. As Jordan Robertson and Michael Riley at Bloomberg report:
“In 2015, Amazon.com Inc. began quietly evaluating a startup called Elemental Technologies… To help with due diligence, AWS, which was overseeing the prospective acquisition, hired a third-party company to scrutinize Elemental’s security, according to one person familiar with the process. The first pass uncovered troubling issues, prompting AWS to take a closer look at Elemental’s main product: the expensive servers that customers installed in their networks to handle the video compression…
“Nested on the servers’ motherboards, the testers found a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the boards’ original design. Amazon reported the discovery to U.S. authorities, sending a shudder through the intelligence community. Elemental’s servers could be found in Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships. And Elemental was just one of hundreds of Supermicro customers.
“During the ensuing top-secret probe, which remains open more than three years later, investigators determined that the chips allowed the attackers to create a stealth doorway into any network that included the altered machines. Multiple people familiar with the matter say investigators found that the chips had been inserted at factories run by manufacturing subcontractors in China.”
The alarming point here is that the Chinese did not need to figure out how to get a compromised motherboard through the supply chain because all of the motherboards were compromised:
“One official says investigators found that it eventually affected almost 30 companies, including a major bank, government contractors, and the world’s most valuable company, Apple Inc…
“One government official says China’s goal was long-term access to high-value corporate secrets and sensitive government networks. No consumer data is known to have been stolen.”
If the Bloomberg report is correct, then Chinese state actors have undermined US defence and critical infrastructure. It is unlikely that they would have limited their activities to the US without also going after its NATO allies; among which, Britain is the most heavily tied in with China. As a 2014 Pinsent Masons bulletin noted:
“China Invests West: Can Chinese investment be a game-changer for UK infrastructure?’, China is set to invest £105 billion into UK infrastructure by 2025.
“Of the £105 billion, the leading recipients will be the energy, real estate and transport sectors. The UK energy sector will be the biggest target for Chinese capital, with investment in projects including nuclear energy, wind power generation and photovoltaic power generation could be set to reach £43.5 billion by 2025. The real estate and transport sectors could receive £36 billion and £19 billion respectively over the next decade.”
Richard Anderson at the BBC confirms the Chinese interest in UK critical infrastructure:
“Almost half of all China’s global investments have been in the energy sector, many of them designed specifically to provide power for the Chinese. While the country’s overall population may not grow significantly beyond its current 1.4 billion, an explosion in the middle class as wealth increases will see demand for energy rocket.
“And as China develops technologies to satisfy this demand, it will become increasingly keen to export them. This is precisely why China is so keen to showcase its nuclear technologies in the UK.”
China also holds large stakes in UK finance, transport and utilities. This opens the way for Chinese state actors to ensure that orders are fulfilled with compromised computer hardware that may be activated at a later date either to gather information or to disrupt operations. These concerns were raised in a recent paper by John Hemmings from the Royal United Services Institute:
“Chinese investment is increasingly led by its state-owned enterprises (accounting for more than 60% of the value of new investments), many of which are proficient in large capital-intensive projects, such as new infrastructure. Seems like a match made in heaven: Chinese money and British infrastructure.
“However, as a recent study by the Henry Jackson Society argues, while Chinese investment into the UK should be welcomed, its financial backing of Britain’s digital and critical national infrastructure is not without risks.
“Indeed, there is a trend in Europe, the US and, now, Australia of checking China’s investment surge. Security experts argue that such investments should be monitored and – on occasion – blocked from key parts of the British economy.”
According to Hemmings, UK security arrangements are woefully inadequate to meet this challenge:
“While the UK does have a number of mechanisms – such as the Competitions and Markets Authority (CMA) and the Communications-Electronics Security Group (CESG), now part of the National Cyber Security Centre – to ostensibly do this job, they are poorly resourced to analyse security deals, given the current investment surge.
“As a 2013 Parliamentary Report discovered, British firms that own or run parts of the UK’s CNI are not required to inform or consult the government before they award a contract with a foreign firm, putting the onus on the government to monitor large numbers of potential deals at any given time.
“This past year, Global Switch, the UK’s largest data cloud centre, sold a 49% stake to a Chinese consortium. Despite winning UK government approval for the deal, it was found that the consortium includes AVIC Trust, a subsidiary of AVIC – one of China’s largest defence industrial concerns.”
In comparison to this very real – and presumably very expensive to fix – security threat to Britain’s critical infrastructure, the Russian “threat” – which, in the US, turned out to be thirteen people posting second-rate memes to Facebook and Twitter – is far simpler to manage for a government that is drowning in the self-inflicted carnage of Brexit. If, however, computer hardware within Britain’s critical infrastructure has already been compromised by Chinese state actors, then going after hypothetical Russian hackers is akin to trying to swat a fly when there is a hungry tiger sat on the floor behind you.