Transcript for:
Chinese Cyber Strategy Evolution

Well, hello everybody and welcome to today's event. Uh, my name is Conrad Prince. I'm a fellow at the Royal United Services Institute and I help to oversee our cyber and tech research program. Um today's panel is on the evolution of Chinese cyber statecraft and it's part of our cyber statecraft series funded by the Defence Science and Technology Laboratory through the Engineering and Physical Sciences Research Council in partnership with the Research Institute for Sociotechnical Cyber Security. Now we're all very familiar with the way that uh China is emerging as a tech superpower in its own right and the associated sort of technology competition with the West and today we want to focus on if you like the cyber aspect of this developing Chinese challenge because China's approach to cyber um and cyber operations does appear to be changing in particular with the discovery of Chinese prepositioning capability for destructive effect uh on critical infrastructure in the United States. And this development seems like uh a significant shift perhaps from China's historical focus which has been on using uh cyber for very large scale espionage, intellectual property theft and so on. So what does this evolution mean? What's behind it? What are the wider implications? So I'm delighted today that I'm joined by um three expert panelists to help explore this this very um uh challenging topic. So we have Ciaran Martin, the professor of practice at the Blavatnik School of Government at the University of Oxford and of course the founding CEO of our National Cyber Security Centre and probably Britain's leading commentator on cyber security matters. Welcome, Ciaran. Uh I'm also delighted to introduce Eugenio Benincasa from the Center for Security Studies at ETH Zurich and in fact uh in a very timely fashion uh Eugenio has published just this morning his latest report on China cyber which is entitled Before Vegas.
It's a report on the emerging Chinese hacker culture talent development in China in the early days and how that's been kind of pulled through since then. It's a really interesting paper and I and I strongly recommend people take a look at it on the CSS website. And then I'm also delighted to introduce Louise Marie Hurel from our cyber and tech team here at RUSI. So Louise, thank you very much for joining us today. So uh brief housekeeping before I get started. Uh today's discussion is all on the record. Um, we've got a lot to cover, but um, I am aiming to have a bit of time at the end to address some audience questions. So, uh, if you have a question for the panel, please can you use the Zoom Q&A function to enter it. Um, and I will, um, try to read some out towards the end of the session. And this is a a one-hour session today. So, with that, um, I'd like to get started really. And um I'll start with an opening question for Ciaran. So Ciaran, you've been very vocal, rightly so, about the significance of these latest developments in Chinese uh cyber operations that I talked about at the start, particularly those by the so-called Volt Typhoon group. Um can you just tell us why you think these developments are so important? You know, what do you think has changed in China's cyber posture? You know, is it genuinely new? What should we take away from it?

Thanks, Conrad, and thanks to you and RUSI for putting on the event. I think it is significant for a number of reasons. Yesterday, there was a report in the Washington Post which said we're in the golden age of Chinese hacking. Now, that might be too strong, but I certainly think it's more strategic, coordinated, and effective. The way I'd look at it is that we're a quarter of the way through this century. It's all been the digital century and there have been three phases of Chinese cyber capabilities.
Phase one, I think you can date roughly to around 2015, which is noisy thief, occasionally strategic with the Office of Personnel Management and so forth, but mostly commercial, not caring about consequences, not especially technically sophisticated, but large scale and disorganized. Phase two, which you might put from 2015 to sometime around the turn of the decade, you might call the phony ceasefire. And like a lot of ceasefires, actually the other side uses it to regroup and reorder its capabilities rather than uh down tools and indeed does a lot of covert activity. Um, I think that while at the time, and certainly I felt this at the time, uh, President Obama's, uh, diplomacy and sanctions threats seem to have an effect, I think actually the greater driver was China's response and terror over what had been revealed in the Snowden leaks and it's um, see seeing it as an imperative to have a system that matched if not um, outpaced that. So you have the fundamental reorganization of the state infrastructure. You have the much greater emphasis on uh covert um hard to detect operations and you have um that alongside the expansion of the Chinese tech ecosystem just means that there are much better capabilities at its disposal and I think in phase three from around the 2020s uh you start to see that in action and it's mostly been effective. I don't want to overdo it. Uh it's not um an omnipotent uh force that cannot be uh resisted. But I think you see um uh three things really. Uh one is you know there is a much greater strategic coherence to what it's trying to do. It's still trying to spy um both on government and commercial but it's got wider objectives that that I'll come to. I think it's much more integrated into a wider Chinese tech ecosystem. So it's very good. Um technically it's more or less monopolized vulnerability disclosure which gives it a huge impact a huge advantage over uh more democratic um states uh and and so on.
But I think the final part of this um phase three is is the most significant uh which is that it's prepared to do it appears to be prepared to do disruptive attacks and that's the significance of Volt Typhoon. Um, over the years, lots of us will have had some very awkward but fascinating encounters with Chinese cyber officials and they'll always tell you uh that communist China has never invaded anybody and it's never done a disruptive cyber attack. And at this point in time, both of those things are essentially true. Um the significance of Volt Typhoon is that um you know the noisy uh data thief has not just become a more uh surreptitious and effective data thief but is actually prepared to do um disruptive attacks on infrastructure to hold Western critical infrastructure at risk. I know the Americans have said recently that they believe that most of Typhoon has been neutered but I think that's kind of beside the point. If there's a doctrinal shift in the willingness to disrupt civilian infrastructure in the West, that's a very very big deal. It's entirely new and it's profoundly important.

Thank you. And just to follow up on that, so so why this doctrinal shift now then? I mean, I can see what you're saying about the evolution and becoming more strategic, more capable, more concerned about not being found out and so on. But why do you think we're seeing this shift away from a focus primarily on espionage, stealing data to something that's much harder edge, that's much more destructive? What's prompting that today?

Well, they're still doing the data uh theft part and still in large scale and and better. So, that's an important caveat. The other caveat is I don't fully know. Um the two uh um eminent scholars on the uh on on on the panel um might know more but of course we can't definitively know unless they absolutely publicly um explain it.
Um so my hunch, put it no more strongly than that, is that partly because you know they've reorganized things in a more strategic way. I think they understand the nature of modern cyberpower better than they did. You look at, for example, I'm I think that not just what the Russian state has done in Ukraine, mostly pre-invasion rather than post, but you actually look at what um criminals have been able to affect in terms of disruption, what they might see as the West's low pain threshold, and then you look and match that to their capabilities. They say, well, why? And you look at, for example, the real difficulties in deterring and punishing such behavior um um as as we've seen with the criminals, they think, well, why wouldn't you do this? Um if at a time when essentially in the great Western China rivalry and Louise will be know more much more about this than I would but at a time when you're looking up when you're looking to tot up what capabilities uh do you have that can be used um to your advantage then the West's digital vulnerabilities your own skills and the easiness with which it the easiness of disruption um would seem to be an obvious place to go. Um it's the classic difference between just because they can do it doesn't mean they will. I mean Volt Typhoon is obviously something that is executable. Um in terms of large scale disruption of Western infrastructure um if if if you look at what happened to Marks and Spencers in this country recently you know it's very easily within China's capabilities to do 10 or 100 of those at the same time. That doesn't mean they're going to do it tomorrow, but it does mean it's a part of an arsenal that can be deployed um should the situation arise.

And and finally, I want to turn to Eugenio and Louise in a second, but finally for you on this aspect and and how do you see this fitting into that kind of much broader um China tech superpower evolution, you know, China West tech conflict.
Um I think it's becoming more integrated uh into it. I think that you may look and Eugenio may have a different and probably better view but if you look back at say the first um 10 years of this century a lot of the Chinese hacking looked a bit like Russia's but for a different purpose you know it was it wasn't it was detached from a sort of wider aim of developing China's um uh cyber power it was largely cheating on Western infrastructure and so forth. You now look at I mean um I I think at a technical level, China looks like outskilling Russia. And I think part of that is when you're building your own tech and you've got skilled engineers working at some of the world's top companies, you have some of the top technical universities in the world and so forth. And you have this um at best fuzzy distinction between the public and private spheres. Uh you can bring in a lot of those um you can bring in a lot of those um skills. Um I mentioned earlier which I think is a good example so apologies for repeating it but the easiest way to understand this is what they've done on vulnerability research. You know they are saying look um obviously uh the Chinese tech ecosystem is so vast it's in its own interest to secure it so they'll have lots of people looking at exploitable vulnerabilities and trying to detect them and they've said no you're not going to operate in a free market you're going to give it to us. So that's an example of how I think the wider tech competition is manifesting itself in the sort of gray area of cyber activity.

Right. Thank you. So, Eugenio, if I if I could turn to you and I want to get on to the question of, you know, how cyber China cyber has evolved over time. Get on to that later. But, but just for now then, I mean, what are your you've written very extensively on Chinese cyber operations. What are your perspectives on what China's trying to achieve through Volt Typhoon through these disruptive potentially disruptive operations?
Um why now? What's the thinking behind it? Where does it fit?

Yeah, absolutely. Uh thanks Conrad. So I think when it comes to the intent, there's been quite coherent commentary from intelligence companies and US uh authorities uh across the board that this is about prepositioning activities. We have seen reporting from some threat intelligence company. I can think of Secureworks for example that traces the group as um Bronze Silhouette or something along those lines that basically singled out only Volt Typhoon espionage uh activity but um of course that does not invalidate the the prepositioning activity. If anything, it complements it because for example, the target list that Secureworks mentioned like US government institutions was was different from the the ones that Volt Typhoon is being accused of targeting such as electricity systems, water utilities, military organizations and so on. And also this report was released I believe on the same exact day that Microsoft released its own uh report and the US government as well.
So if if this was a coordinated approach then it just corroborates the complementing uh aspect of it and also yeah so especially from a target perspective then there is little um there is there is quite agreement on that and also beyond just targets the MO just the behavioral pattern of the of the group. Some researchers have said that this does not look like something that doesn't look like a signaling activity that they would want to be discovered just to send a message but it is uh was conducted in quite some uh secrecy and I think another sign of intent that we have Kanto um mention about China's military. Uh we haven't had um I think we have there has not been much strategic attribution behind this but this is likely to be uh in fact I think it was one uh Washington Post article in particular that mentioned US officials claiming that this was the the Chinese military but I think it would be to have more strategic attribution from industry also because as we've seen some alternative explanation that uh has come out to what Volt Typhoon actually want to achieve has come out from China itself. Uh it's pretty interesting in when in last year China's um CVERC so the National Computer Virus Emergency is a conspiracy but was put together by the US just to get money from taxpayers in US Congress and it looks more like a like a cyber criminal ransomware activities than anything. And and while this is I mean this really comes across as at least to me as a poorly fabricated uh pushback but what it does show is that you can really take advantage when there are some vacuums in the narrative specifically when it comes to strategic attribution.
Uh and when it comes to what uh where this all fit uh I mean I I agree uh everything that Ciaran said and also adding on building on that uh we can look at also the evolution of of the PLA uh strategic doctrine in cyber and also the reorganization that has taken place recently. So we don't have many strategic documents from the PLA we had uh we only had four since the 1990s or 80s uh but the latest one in 2020 really broadened the approach to to cyber security in general much more nuance uh doctrine approach much more offensive offense forward approach compared to the previous one. Um and in last year we also had the reorganization of the PLA following the the previous reorganization in 2015 and um and this one just uh just separated basically what the the PLA strategic support force that existed before into three arms information support aerospace and cyber and cyber security forces. So this this just show a trend of doctrinal evolution, organizational reform and so on. But we can uh I think happy to chat about more about that later.

Come on to that in a minute. But from what from your perspective, you know, there's no doubt what we're dealing with here. It's not about signaling. It's a clear attempt to preposition for destructive effect and it kind of reflects you know just the evolving doctrinal approach that will come on later. Okay, Louise, I mean, so we we talked clearly we're focusing here on what the United States has seen, what the United States has discovered on its own aspects of its own critical infrastructure, but sort of stepping away from that, you know, have we seen any changes in the way that China in the cyber context is operating or behaving in the global south and and any reflections from you on how this fits into any kind of wider changes in in China cyber behavior or approach.

Yes, absolutely. And um I think obviously the media coverage um very much concentrates in like the US and let's say UK and and allies.
Uh but I think if we look at global south countries and what China has been doing there, we can learn quite a lot because at the end of the day, they're testing some of these tactics and techniques in those operations and then scaling them up or you know making them more sophisticated as they try and and do something like Volt Typhoon, right? And obviously we've talked a lot about prepositioning so far, but if we just take a step back like just in 2020 from 2020 to 2022, China conducted uh a cyber campaign um focusing on the Indian electric uh electric power grid and what they did was very similar. They preposition not only in the power grid um and just to you know just an important point there it was not just like a random selection of power grids I mean they did do that but they also focus quite strategically uh in the contested border uh between China and India right. Obviously this was within the context of you know the post-2020 clashes within the border where Indians and Chinese soldiers were uh you know were killed in that confrontation and they used uh lots of prepositioning in the power grid. Well, one thing that did happen is that Mumbai went offline. Uh in that sense, I mean like the stock market was down, you know, the health services were down and think about it, it was 2020, so it was the peak of COVID. Uh so you could see that they have been trying a couple of things. So I would definitely stress that that is something that we should look at. We should look at how China has been testing some of these things for many years now and it's not surprising that it has been doing this now in the US and the prominence that it has um taken now in the you know broader media coverage. One thing that I would say that characterizes the way in which China operates uh in global south countries or conducts those cyber campaigns firstly leverages you know the the let's say the economic cooperation it leverages the digital infrastructure development in their favor.
One very interesting case, I mean usually we associate that with like the BRI with uh with the Digital Silk Road kind of initiative like the Belt and Road Initiative. Obviously the Digital Silk Road is part of that. Uh but you know in 2012 um just an example here um China gifted to the African Union their headquarters and that also came with data centers and you know not a surprise there were two backdoors installed in those data centers. So from 2012 to 2017, every day from midnight to 2:00 a.m. data was being exfiltrated from the AU headquarters. And that is because you see and that was what Ciaran was saying and I think this is a key word even though it's part of like the the bingo of like words that we use here is integration. How they integrate economic development and use and leverage that not only for let's say economic coercion but how they use that also to you know insert backdoors and then exploit those um and it's interesting because you see that developing countries usually use hedging techniques between you know US and China and others and in those cases they're in a very tricky position. Um so one thing is leveraging kind of that economic cooperation uh to then conduct some campaigns which usually they are let's just data exfiltration so um cyber espionage. They test and trial in crises or conflict situations such as uh the India China kind of border dispute uh but also what we see is that they are expanding their uh expertise in going from crisis to conflict right and and changing their cyber capabilities or adapting to from crisis to conflict and if you look at the Philippines obviously the South China Sea is a very disputed area. Um the the island um that the Philippines uh disputes over there, they have been China has been conducting several cyber campaigns targeting uh Philippines throughout the past couple of years as well to make sure that they have strategic advantage when it comes to the negotiations around the South China Sea.
There was a case uh a court case um around um you know recognizing that China had actually could dispute the the the Philippine kind of um island over there in the Spratly Islands but that was effectively denied uh by UNCLOS and what happened is that China conducted cyber espionage campaigns throughout that process right and it continues to do so. So these are just examples of how we can learn by looking at cyber campaigns in the context of the global south and how China seeks to integrate these different um let's say levers of government to actually um enhance their cyber capabilities or you know vice versa.

Yeah thank you very much. I mean there's there's a lot to go out there, isn't there? But I think your point about looking elsewhere in the global south to see how China is developing capabilities, developing tactics, techniques, doctrine is a really powerful one. And I think the integration point comes out very very strongly in what you've said and how China is, you know, as we've been saying throughout this kind of approaching this in a in a more strategic, more coherent way than we've seen before. Thanks Louise. So, so if I can now turn again to you Eugenio, I mean you've including today um in the report you published have studied a lot the way that China has organized itself for cyber operations, you know, strategy, doctrine, its institutions, how it partners. Um can you just sort of just give us a few reflections as to how the way that structure that thinking has changed over time and kind of what should we take away from that what what should be what should our be our conclusions be from that?

Yeah definitely.
Um so when it comes uh ability purely so if you see the focus as for example the PLA as the main actor we go back for a moment to the the 2000s uh you can see for example the cyber security environment industry was still in essence um and they focused very much on information flow and dissent when it comes to cyber operations conducted mostly attributed to the PLA as Ciaran mentioned that's where these were very much noisy kind of rudimentary and you can see during that time that also uh there was still unexpect it was still an experimentation phase when it came to civilian talent integration mostly because as I discussed also in the report talent development, identification and assessment capabilities were not really there and this really started growing after the 2010s and this uh this is a big uh of course it's a big uh factor to when you look at China's uh capability since so much relies on the on the private sector and a lot changed during the 2010s uh so uh a few strategic shocks definitely contributed to that. For example, the geopolitical cyber instance funeral. So for example, Stuxnet in 2010. This is constantly mentioned.
For example, in the 2020 uh a few times in the 2020 strategic doctrine of the PLA, the Snowden revelations constantly mentioned by PLA uh PLA uh authorities as well as top top hackers in China as being uh the US operating in god mode and finally uh that being as a national wake-up call for China's cyber and that um and that has very much triggered a series of of reforms of strategic change and so on and so forth in particular after Xi Jinping comes into power very much uh willing to turn China into this is very famous quote from him a cyber powerhouse so elevating international cyber security uh national security priority and kind of ecosystem alliance uh alliance after that. So you see the industry uh their industry really starts booming uh the PLA reform that Ciaran's mentioned in mid uh 2020 2010s building the strategic uh support force. And around the same time you also see a greater military civil fusion uh so integration with civilian talent also because in very much um facilitated by the growth of this of the industry during the time. You can see for example around 2017 uh China started in uh increasing its approach of building cyber militias within uh in cooperation with with university as state-owned enterprises.
Cyber militia basically referring to um for civilian forces that can support regular regular military forces in a case of emergency or or crisis and this uh over time have evolved um that including into big cyber security companies such as for example Qihoo 360 and Antiy some of the the ones with closer military civil fusion uh civil corporation. There's actually a great report that came out recently on this issue by Kieran Green for Margin Research called Mobilizing Cyber Power to really recommend reading which really analyzes the evolution of the cyber militias over the past uh decades and then as we mentioned before in 2020 um the strategic and optimal approach also evolves becomes more nuanced it becomes uh you can see more a little bit more towards offense it's more centralized institutionalized uh and then in 2024 uh the the PLA as we as we discussed also reorganizes once again. And um so but I what I would say is that overall recent times the what the bigger the greatest contribution to China's ecosystem is really being able to create a scalable cyber force thanks to its civilian uh ecosystem that really benefits from private sector and academia.

Thanks very much. And so so we've seen really quite a significant evolution and you know on the face of it quite a thoughtful and um strategic approach to creating scalability which is you know one of a critical challenge for everybody. But can you just tell us a bit more about the the role of the private sector and academia and and how the Chinese state has used it to build those cyber capabilities.

Yeah. Yeah definitely. So the Chinese government as uh drew heavily as just mentioned from private sector and academia for its cyber capabilities.
So I just just as a I think it's important to define also what cyber capabilities means in the Chinese context and this has been defined recently. For example China's Ministry of Education published a white paper in 2022 that really outlined what it means to have practical hacking skills and identified four main categories um attack and defense capabilities vulnerability mining uh engineering development and combat effectiveness and also outline ways uh how these are developed and these are mostly hacking competition, crowdsourcing initiatives such as bug bounties and attack defense exercises such as basically uh powered by cyber ranges for example and as mentioned this really took off in in in 2010s in the 2010s uh as before the system was quite uh immature and with the ICT sector uh cyber security sector booming you also have changes in academia. So for just to give an example before 2015 in the 2000s especially cyber security was not really never really had its own dedicated majors or programs in university. They were not cyber security school per se. These were usually integrated within computer science courses uh and they were mostly theoretical. Um but in 2015 the Chinese government really elevates cyber security to a what is so called a first level discipline. So this is really serves as a push for uh university to have cyber security majors to create cyber security schools and so on. But what I really what I really think stands out when it comes when it comes to capability building um as something that I've looked at a lot in the last few years is really the hacking contest ecosystem that China has that uh where some of the best teams do come from elite technical universities in China. So Tsinghua University, Shanghai Jiao Tong universities and so on.
And this ecosystem is very uh is very uh let's say comprehensive very vast and for example you have very specific uh very sector specific uh hacking competition for example tailored to the law enforcement ecosystem to even the the health healthcare ecosystem uh which I think is pretty uh is pretty interesting and uh many are also sponsored by state agencies including PLA and China's intelligence uh the uh the MSS. And what is what is interesting is that in recent years particularly starting in 2020 these CTF these hacking competitions champions have been really the drivers of the industry. So you have here academia feeding directly into the ecosystem becoming the driver of it. Uh because for example if in the 2000s this elite hackers were mostly self-taught today they're supported by a much larger ecosystem as we just described and this this uh growing industry is very much focused on attack defense capabilities. So the what basically what this hacking contests tests students and professionals uh to do and at the same time this attack defense ecosystem is likely is likely to uh enable the APT the the threat uh cyber threat ecosystem uh in China as military and intelligence particularly definitely tap into uh these talents and we had a great examples uh with uh research and special information leaks from recent year recent years that corroborated is uh this.

Extraordinary. Thank you very much. So I mean really a very significant um development of capabilities and using multiple levers to draw in academia the private sector um to encourage development of skills to build the kind of capacity that that China wants.
I mean Ciaran do you think that you know this this evolution this increase in the sky this the style the scale the capability of China's cyber uh elements do you think that's really registered in in democratic capitals in Western capitals do you think we've really absorbed the the what we've been hearing this morning which is kind of a very fundamental shift uh and some very significant shifts in China's capabilities and approach?

A bit um and I would have a lot of sympathy with Western capitals. I mean I think the technical and professional organizations you know the GCHQs the NSAs the NCSCs and so forth do uh understand it and in terms of policy makers um they have an awful lot else to contend with. I mean I think Eugenio has just given a fascinating insight into the way this ecosystems grown. I think we do need to be um uh we need to be mindful of it. We don't need to be completely overly intimidated by it. We need to take it seriously. It's got its own flaws. Um we saw with the i-Soon leaks for example, the leaks from one of the private contractors. I mean assuming it's not a Chinese info. Um then you know you see there a lot of the tensions laid there. You see a lot of the tensions about the sort of commercial competitive system that Eugenio's outlined. They're now moaning about the hacking competitions aren't as good as they used to be. They can't go to the international ones etc. because of the compelled vulnerability disclosures. One of them's talking about being so bored they're going to play some games in the office. Could you imagine that in our day at GCHQ, Conrad? I mean, unthinkable. Um, so um, you know, like any other system, particularly an authoritarian one, it has its own tensions, contradictions, limitations, and so forth. And I think it does help to spend more time understanding some of its weaknesses as well as some of its strengths if we're going to contest it.
Having said all that, if you take the sort of top end of the threat, the sort of disruptive ones and the major strategic espionage, I think one of the problems for Western policy makers at a time when they have an awful lot else on their plate, even with China, as Louise will tell you, you know, there are many other things to worry about with um China than just its cyber capabilities, never mind what's going on in the rest of the world. It's sort of what do you do about it? I mean if you take Volt Typhoon and deterrence I mean if Volt Typhoon is ever activated then deterrence has failed fundamentally and more broadly because it will it will be used in the situation where you know tensions have escalated to such an extent um that all other attempts have failed. If you take cyber offense, offensive cyber, what what activity are you going to do? Um, that will hurt. You could hold Chinese critical infrastructure at risk, I guess, and that would quite rightly not be disclosed and would be a a covert operation. But there's not a great deal else you can do, and there'll even be sort of both ethical and effectiveness issues about about doing that. I think where I think there's more that can be done in terms of awareness is actually the whole understanding of how this puts on our own defenses. It puts so much um public risk in private hands. So if you take the two typhoons um very quickly. So I think Salt Typhoon is is fascinating because as Eugenio has said and I think Louise mentioned this I mean one of the things I think Western policy makers have been slow to understand is just how impactful Snowden was in terms of Chinese attitudes to these things.
how transformative it was and you know um in the agencies of China I'd imagine when they executed Salt Typhoon successfully as they appear to have done that must have been a champagne moment of you know we've actually you know we've reached the stage of effectiveness against them that they did to us uh if you um as as measured by the this the Snowden papers I mean and Salt Typhoon this is this very large very large scale sorry very large scale American communication service provider Yeah. So, it's the major US telcos, all the household names and and basically their um non-national security um uh traffic. I think I think to I don't think it's exa uh exaggerating or hyperbole to say the economic cost to the American telcos of Salt Typhoon is zero zero dollars. They you know the their commercial services worked absolutely fine throughout um the it's it's a classic sort of externality. It's a strategic disaster for the US. But the comp the companies do have an incentive to stop the Volt Typhoon because that would disrupt them from working. But Salt, but spying doesn't. So, you know, I think we need to rethink that. I mean, the UK actually has rethought it with 2022 um uh legislation that places at their request obligations on the telecoms company. So, they have a legal obligation to prevent this um sort of thing. But then again, I think um we need to think about um what we care about most. High level espionage does matter. Lots of other data exfiltration matters a bit less. But in most western societies, including the one we're speaking um uh from today and the one that RUSI's hosted in, historically uh we have incentivized all organizations that carry strategic risk to prioritize uh data security over service provision. And in conflict or near conflict situation, service provision most of the time matters more. Um at least in terms of the homeland in obviously intelligence um acquisition by adversaries does matter too.
But I think we need to really rethink that balance because at the moment we're telling everybody in healthcare and lots of other things prioritize records, the security of records over the ability to continue to pro uh to be able to continue to provide vital services. And I think Volt Typhoon offers something of a to use that dreaded cliche wake-up call in that respect.
Absolutely. And I think you can see similar things in the ransomware landscape where precisely ransomware really you know the real issue is about preventing organizations doing their day-to-day business. I mean that is by far the more significant impact really.
Yeah. And and really quickly I mean the ability of mostly not exclusively as we saw with Marks and Spencers but mostly Russian-based criminals to inflict havoc on individual organizations will not be lost on the strategists in China.
Exactly. Brilliant. Thanks Kieran. Um Louise I I want to turn to you. Do you before we move on to talking about broader China cyber diplomacy and so on. Anything you want to add to this aspect of the discussion?
Yes. No absolutely. I just wanted to go back to what Eugenio said.
um about like the civil military cooperation or fusion and the public private let's say enmeshment uh because obviously he talked about like this you know how you're developing like the talent then how this talent for various reasons then goes on to develop the next generation of let's say CTI companies which is what the latest report that Eugenio just published talks about which is wonderful highly recommend and then the other like so what that I would add to this equation is you know as we've seen operationally like this public private fusion this civil mil military fusion which is inspired by this Maoist notion of like the people's war right we're ready to mobilize um what I would say it's that it also helps in terms of obfuscation and misattribution so it enhances deniability in many ways and one example of some of the recent campaigns also in other countries right? Uh is that in 2022 there was this um alleged like ransomware attack like targeting like the Brazilian presidency. It was uh it was said to be just a ransomware uh attack, but at the end of the day, what it was is um it was a threat actor group most likely associated with uh you know uh state sponsored Chinese actors, but still you don't know if it's actually that um that they were using ransomware to kind of obfuscate the fact that they were running a cyber espionage campaign. So what you see is is this uh this use of ransomware and they mobilize these other actors in order to kind of just create that you know smoke screen of what is actually happening. So that is quite interesting like also you know the the the added strategic value of this fusion is also enhancing deniability and make it harder for CTI companies as they have been struggling to know like oh is it actually like Chinese actor is it North Korean is it a mix of both. Uh, so I think that's actually quite interesting. I would add to that.
Great. Thank you very much.
So I I'll just stick with you D if I may because just to sort of broaden it out into um kind of broader Chinese cyber diplomacy, Chinese activity. I mean, have you seen any particular developments there that you would draw attention to? Are there any new things that are happening on that landscape?
What I would say is actually an evolution of the things that they have been building. Uh obviously cyber diplomacy is a huge umbrella right so I'll take the poetic license to to just like drill down on on a few topics so obviously as I said previously like leveraging the economic diplomacy uh to to have access to certain types of systems and to do that mostly with like developing countries that is a key part of of what China has been doing and I don't think I mean right now we have over 140 countries that are part of the Belt and Road Initiative so I mean just think of that 140 countries that are part of of of that. Um, obviously what we see is uh a a China that is way more willing to engage in many discussions uh with the BRICS. Uh you see the expansion of the BRICS uh and that is quite helpful for China and quite unhelpful for other countries such as Brazil that is definitely not happy with that.
India might also not be happy with that and that also factors into like expanding the minilateral approach uh from a Chinese perspective right I mean within the BRICS context for example they have had multiple resolutions and working groups on incident response on CTI trying to advance some of the conversation within that context and obviously talking about information security as well because that's what Russia you know that's the Russia kind of um way of thinking but at the same time now you have this expansion let's say of the BRICS and now having to expand the conversation let's say around incident response or CTI or information sharing within those particular context so it's an interesting diplomatic strategy uh if you look at the UN uh open-ended working group uh that just ended its its mandate so from 2021 to 2025 uh China wasn't actually quite vocal I mean uh or fiery throughout the process as as one could think they might be at some points. There were some was some contention around gender um within the reports and just for those that are not familiar the open-ended working group on cyber security within the UN is the one place where states discuss uh what responsible state behavior looks like. So they develop the norms and the interpretation of how international law applies to cyberspace within that space and that has just ended. But obviously there has been a bit of back and forth between China and the US around prepositioning with the US in the threat section saying that you know talk about Volt and Salt Typhoon and China just denying that um in in the context of the wider uh plenary uh which is also quite interesting to see that.
So that is what I'd say like just a continuation of the diplomatic the economic diplomacy and within the economic diplomacy I talked about the AU and one thing that's quite interesting you know the the gifting of buildings to other countries that is part of their diplomacy they have gifted over 14 buildings of different for of like presidential buildings across Africa in the past five years of yes in in the past 5 years or so and you've also had uh gifting of like Vanuatu right so you have that competition also in that sense and I think it's nice for us to position the cyber conversation within that broader context um and I shouldn't go without saying that a big change in the Chinese posturing has been with regards to public cyber attribution as we know they have been quite silent about uh publicly attributing in the past few years and we have some stages of their public cyber attribution, the evolution of their cyber attribution. Right from 2019 to 2022, you had mostly Qihoo 360, Pangu Lab, which are like the big CTI companies in in uh in China attributing to the US and other states. So they have started to do that. Um then from 2022 uh you start to have the government or CVERC right with these private companies jointly attributing and from 2023 you have this third phase which is the CVERC and the MFA also being way like just leading those attributions. I mean we can talk more about that but I'll stop here and I'm happy to unpack kind of this and I know Eugenio has also kind of written about this so I'm happy to just um dive a little bit deeper.
Okay well thank you very much Louise for all of that. Um so maybe we just hover on the attributions thing. Maybe I do bring in Eugenio at this point. Um so this what Louise has set out which is China having gone from really not playing in the attribution space to now in a quite a distinct phased approach getting much more active. I mean what's your take on that and is there anything distinct about that?
How how do you what what what should we take away from that?
Yeah. Yeah. I think it has been been a really interesting development. It's been really uh slow. We've been wondering for years when China would actually start doing this seriously because as as Louise has mentioned uh uh the evolution timeline of this at the beginning really this that the attribution efforts were very much uh you could say recycled information from uh leaked information including from uh Snowden leaks. So it didn't really show independent attribution capabilities in China and then and then kept going as we said with also with the following phases but what really changed uh this year in particular over the last three months three four months has been like very very different kind of attributions both to Taiwan and the US you had first attribution to Taiwan operatives that really uh so what's interesting about this first of all is that really came to mirror the US approach not to the same extent but uh on the lines of the US approach. For example, the Taiwan attribution this year, for example, the the posts uh like show the photos of the of the Taiwanese operatives that have been exposed uh their their names, their their their job titles, the al they also detail the dynamics internal to the work environment within Taiwanese cyber forces which really could be a psychological operation, but it it really would uh aim to show really the granularity of this alleged intrusion into their systems. Which I think was really interesting and then we had later on the really the an attribution against US alleged US NSA operatives which really was a first and it was very much interesting because it was done by a local but the Harbin uh police uh um MPS department. So it kind of resembled uh to me the FBI style indictments that the US releases. Uh but in this case we have no photos. We have only three uh three names.
It's a one-pager statement that says that these operatives basically aim to disrupt the the the fe the Asian Winter Games that took place in February this year. And so that's why probably the local police uh the police office in Harbin was the one taking uh taking on this. Um so so yeah I think this has been the the greatest the the biggest change with really it's something that resembled really China's own independent attribution cap capabilities but something distinct that we mentioned at the beginning of the this session as well is China using also public attribution for uh retaliation purposes when it came to Volt Typhoon. So again saying the Volt Typhoon was a conspiracy theory um that it was used to get to to get money for Congress for US cyber authorities that it was more of a ransomware group or cyber criminals and this so this I don't I don't I don't remember seeing cyber attribution being used as a retaliation tool to counter a narrative uh against another attribution. So I thought that was uh that was particularly interesting and and distinct.
Thank you very much. Louise, you wanted to just chip in on that?
Yes. Uh, can we just kind of can we just talk about the fact that the Taiwanese uh the CVERC report uh attributing to Taiwan um to Taiwanese like threat actor and like US authors is called operation futile. Uh it's it's so interesting how they have been kind of creating this branding right. So I mean you know Eugenio you said quite a lot of this but if I had to summarize it would be it has become more frequent. Um and I don't think we can necessarily fully explain I think I'm going to go back to like Kieran like unless they really spell it out we can't necessarily say why there is this shift of like now we're going public now we're doing public attributions.
Previously there is this notion of saving face right that's why the early like the early US kind of public attributions against China were very like actually shook them because you know they weren't saving face but I think as it became more frequent right there and as they developed their own kind of cyber capabilities and their institutional capabilities it became you know I think they got to this point where they're like okay it's let's just do it now uh but it's hard to say what triggered that change but so it's more frequent it's more government-led uh it is a mix of like this public and private kind of ecosystem as we discussed I think it's more professionalized if you look at the NSO one uh which was I think Eugenio correct me if I'm wrong was like 2023 or 2022 was before right uh so this attribution that they made to like the the the NSA sorry um was still it was some somewhat technical but not too technical I mean far from being like a technical report but they started to include things there but what we saw with the Taiwan attribution that is a technical report more in the CTI style so we can definitely see that now and it's also in English and I think that's quite important to stress they haven't published in English up until like the Asian Winter Games report and this latest one on Taiwan so we should expect that kind of uh strategic communications being mobilized also from their side.
Very good. Okay. Thank you. Very thought-provoking. Okay. So, I'm conscious of time. We're into the last uh sort of uh 10 minutes or so, nine minutes. I mean, I just wanted to move into kind of looking at some responses here. So, perhaps I can start with you, Kieran. So, and you you touched a little bit earlier on on, you know, some of the practical challenges of how we respond to this. Um the UK government announced uh a little while ago that the that our national cyber strategy would would would have be refreshed um this year.
Um so with that in mind, I mean would do you see Kieran that any of what we've been talking about today, the full breadth of what we've been talking about, does any of that require a change in our approach in the national cyber strategy? Is there something we should be doing differently or emphasizing differently? How would you be kind of reshaping it if you would um in response to what we've been talking about?
It's a great question. I'll try not to, as you say, covered a bit of it earlier. I'll try not to be too self uh repetitious. I think they're broadly two points and they're more pan-Western than UK. Um I think there is a point around um resilience and service continuity versus data protection getting that balance right and it's all under the umbrella of private risk in public hands. I mean that's the one almost sound bite that I would think needs to be ringing through the corridors of power at this point. It's something we thought about generally during COVID when we saw the way you know the fragility of economic and social structures and so forth and I think in terms of digital security uh this should be a stimulant for a focus on that not least because you know it is to use that horrible phrase threat actor neutral if things improbable though it may seem right now get better with China something else will come along and it's the same type of threat I noticed it's a question about you know use of AI one of the things I worry about more generically is the costs of entry into being disruptive in cyber uh being lowered. So you don't have to just worry about a well-organized elite force like the Chinese, you can worry about a bunch of other people. So if you're thinking about national cyber strategy, I think whilst the sort of particularly the Volt Typhoon, the military disruptive threat is a driver, it would have wider benefits.
I think the second thing then is um and this is more um a remark um aimed at the US although I think it matters to the UK as well but given the US's scale and and leadership role is to think quite seriously um Eugenio has talked about it eloquently in the other direction about the purpose um power and limitations of offense you know it's very fashionable in the US particularly when the Republicans seize power for somebody to say right we have one hand behind our back we need to be taking the fight to Um the follow-up question which people find it very very difficult to answer is what type of activity do you have in mind? You know I I do think in policymaking terms we do sometimes labor onto this myth that there are some almost magical invisible capabilities that we're choosing not to use because we're too timid. And I just think I mean you're an operational expert. You're an impartial chair. So I'll not try and draw you into this conversation too much. These are sets of tools with some impact. Some of them work on us. Some of them work on them that's not symmetrical. So I think we need to be realistic and I would try to banish this oh you know we're just being too restrained um because actually I don't think that is the case. I just think it's a genuinely hard pro uh problem. So I think there has to be this focus on um domestic resilience particularly in the private sector and then a realistic assessment of what is possible to deter to punish and so forth through statecraft. That's what I'd like to see.
No, thank you very much. Well, yes, defense is the best offense in many ways. Um, kind of whilst I've got you, I mean, we do have just to pick out one question. I'm sorry we're not going to have a lot of time to do Q&A, but George Snow has asked the question, you know, given China's integration and its kind of diffuse approach.
How do countries manage the cyber security risks while actually maintaining the engagement with China that is economically diplomatically necessary and Joyce highlights for example the the proposed Chinese embassy uh in the UK which has been quite controversial but you know so how what what's your view as to how countries go about managing this kind of very delicate relationship or balance?
Um, I think there's a balance to be struck between just geopolitical signals and technical risk. And they're not quite the same thing. I mean, we went through all of this with 5G where eventually the geopolitical signal um became preeminent over some of the technical stuff. Um, no one, even the most hawkish American, um, seems to be advocating complete disengagement from uh from from China. But there are some areas where complete disengagement just makes um uh makes uh sense. So I think there are two things. One is um again be realistic about the capabilities in the other direction and don't fall for the beguiling notion that banning China is enough. So Salt Typhoon is a brilliant example of this. What is the US's response to to the major espionage operation on US telcos? Congress finally unlocks about $360 million of funding to remove the remaining Chinese kit from US telco infrastructure. What is the relationship between the hacking operation and Chinese kit in the US? Absolutely none. It was all western vulnerable kit. So banning China might make you feel better, but it wouldn't have stopped um uh Volt uh sorry it wouldn't have stopped uh Salt Typhoon. So that's one thing. I think the second thing um and this is an issue for the UK because the US are on this big time is actually what are you going to do about your own industrial capabilities? So every so often we'll have a ridiculous story. We had one a few months ago. Should people working at sensitive military sites in the UK who drive BYDs be forced to park at least 2 miles away?
That's a nonsensical question because you can ban BYD completely from the UK. It'll make EVs more expensive. You can't ban Chinese components from EVs because otherwise you won't have any. Um, so what are you going to do about this problem and what are you going to do about sourcing capabilities yourself? What are you going to do about actually regulating the way these vehicles work etc etc uh rather than looking I mean by the time you're worrying about does somebody have to park two miles away from Porton Down before they go in it's too late.
Yeah. Yeah. So it feels like a lot of those kind of often quite unhelpful or sterile debates at the time of Huawei. We still need to work through that and kind of all of this. Thank you. So we got the final final two minutes then Louise. I mean we're talking here about what do we do about it? I mean you're you're doing a project for RUSI on cyber deterrence. Uh anything very briefly that you'd say about deterrence in this Chinese context?
I mean dropping the cyber deterrence term is the start of a new panel on its own. Uh but what I would say in the last like two minutes that we have obviously as um what I would say is of course Kieran already highlighted and I think you know the SDR introduces an interesting language of getting ready like war fighting kind of posture. Uh it talks about NATO first. Uh it talks about integration our favorite word of the panel. Uh it talks about a new way of of conducting a new way of war, right? And you also see like Emily Goldman's speech at CyCon and obviously like with the UK context actually the cyberm uh the integration of like cyber and other let's say um domains and electromagnetic spectrum.
I think that's quite indicative of an attempt to do more cross-domain deterrence right that thinking and operationalization whether that's going to you know how you're going to actually mobilize those capabilities in practice it's something that we're actually going to see uh but at the CyCon speech you see Emily Goldman also talking about a full spectrum approach which is I would say another term for um for cross-domain deterrence where she talks about campaigning persistent uh cumulative but on the Chinese side it's quite interesting because at least since 2013 and know you also check here uh since checking what we see is that China has mentioned cyber as part of their deterrence approach right uh in like official kind of documents but what is interesting is that they don't necessarily use as clearly the term deterrence it's uh very much something like compellence they talk about the struggle and the spirit of the struggle which is this continuous friction and you know just making sure that they continuously do that and leverage all of the different parts of the government. So I would say like they have been using that concept for quite a while uh which you could argue is just another interpretation of cross-domain deterrence but it's nice to see that thinking the Chinese thinking we can't we don't have time to unpack that but I think the examples that we discussed here kind of illustrate a bit of that.
Brilliant. Thank you. Um you know we we have zero minutes left. Um what one thing should we learn from how China has evolved its approach to cyber? One thing the top thing
okay the top thing would be always my favorite. So talent development is always the one that I would bring up. Uh really trying to learn from China's robust hacking cons ecosystem. I think that really is at the base of of everything or of many things.
Uh so yeah, skill development and just really quickly building on on Kieran's comments, I think it was super interesting that he said also when it comes to what kind of offensive capabilities are we talking about because you hear that more and more and if you look at really how China outsources collaborate with private companies, they outsource not only capabilities such as the case in the US but also the operations as a whole and they're also self-starters in many in many times. Like a quasi market system. They really created an incentive scheme for these companies to go on their own, look for uh bridge targets and then try to sell them to government authorities. So, of course, you have really have to kind of re uh take everything into consideration and see how far you can go with this. But, uh yeah, I think that's an interesting debate that we'll we'll have and yeah, you
So, some some more radical things to think about there maybe. Well, and very fortunately, we've run out of time. Uh and apologies I didn't get a chance to get on to more questions. Um been a really fascinating debate. I think it's very clear we've seen a significant evolution in the in China's approach. Much more strategic, much more integrated, much more broad-based. It's not without its problems. We shouldn't be, you know, uh overly terrified by it, but it is a really, you know, it's a significant shift and we need to make sure we understand that and work through what that means for us. Um so fascinating stuff. Many thanks indeed to our panelists. Um Kieran, Eugenio, Louise, thanks to you for joining us. It's great to have you with us. Um do have a look at Eugenio's paper and keep an eye on the RUSI website for future events. So with that, thank you very much everybody.