Header image

Should you fear China?

China is being portrayed in some quarters as a global threat to cyberspace. To what extent should this rhetoric affect your approach to cybersecurity?

Lindy Cameron, head of the UK's National Cyber Security Centre, recently claimed: "China is not only pushing for parity with Western countries, it is aiming for global technological supremacy."

While acknowledging that the country has a right to compete in global technology markets, she emphasised that the playing ground might not be entirely level.

Last year marked the first anniversary of China's Data Security Law which requires researchers to report vulnerabilities to the state before disclosing them to other entities, thereby delivering strategic advantage, she said.

"China continues to use cyber in pursuit of its comprehensive global intelligence collection and surveillance platform, to acquire intellectual property and achieve its strategic geopolitical goals,” Cameron added.

This comes in the wake of the recent TikTok bans and a warning by FBI director Christopher Wray that "Chinese hackers" outnumber all of the agency's cyber agents and intelligence analysts by a ratio of 50:1, although he didn't distinguish between criminal and nation-state activity.

"The scale of the Chinese cyberthreat is unparalleled," he told a congressional committee.

"They've got a bigger hacking programme than every other major nation combined and have stolen more of our personal and corporate data than all other nations big or small combined."

Of course, China is not the only threat. The US remains top of the list for countries that send spam. Many other countries – notably Russia, North Korea and Iran – regularly feature in stories of nation-state hacking. And whatever activities countries such as the US and UK might be engaging in are shrouded in secrecy.

What should you do?
Ultimately, what does this mean for you?

"CISOs need to protect their companies against threats that originate from anywhere in the world, not just China," says Graham Cluley, security expert and host of the 'Smashing Security' podcast.

"In addition, attention should be paid to the fact that sometimes the biggest risks to your organisation may come from within, not from an external hacker."

You need to focus on the threat itself, says Ross McKerchar, CISO at Sophos.

"The threat posed by China is unique in several ways. A lot of groups based in China are known to target perimeter-based devices and have a high degree of technical competence in this area."

But rather than obsess about the source of attacks, take a good look at yourself, McKerchar adds.

"Each organisation is unique, with its own threat model and risk factors, and should develop a tailored analysis and approach to what threats it believes it needs to defend against.

"Following good security practices and having well-designed controls will improve an organisation's chance of defending the majority of attacks regardless of the source."

Infrastructure concerns
There have been widespread concerns raised about the use of China-sourced technology in computing and telecoms infrastructure, especially 5G networks. But again, it's crucial to focus on your own threat situation.

"I'm sure some companies are looking at the origin of the software and hardware they deploy in their enterprise, measuring the likelihood that pressure could be put on the foreign manufacturers to build in backdoors that could be used to siphon data or cause disruption," says Cluley.

"Although there are undoubtedly legitimate concerns over the influence the Chinese authorities have over Chinese companies, the sad truth of the matter is that you will be hard pressed to find a piece of hardware technology which doesn't rely upon a Chinese company in its manufacture or supply chain."

Above all, it's important to keep a sense of perspective.

"The danger is that organisations think that they can't possibly protect themselves so have a debilitating case of learned helplessness, particularly with purported nation state attacks," says Bernard Montel, EMEA technical director and security strategist at Tenable.

"They use this misperception as justification for failing to exercise a reasonable standard of care for their systems and the data they are entrusted with protecting. The reality is that almost all high-profile breaches show absolutely zero evidence of sophisticated techniques, regardless of threat actor and that includes nation-state involvement."

Text by: Steve Mansfield-Devine

Upcoming Events


Beyond Cloud Security Posture Management:

Validating Cloud Effectiveness with Attack Simulation

image image image image