1 August 2021
On 19 July, NATO joined the “Five Eyes” member nations (Australia, Canada, New Zealand, United Kingdom and United States), the European Union and Japan in a media offensive accusing China of orchestrating a global cyber hacking campaign, including a large attack on Microsoft that was first disclosed in March and was believed to be the work of hackers tied to the Chinese Ministry of State Security (MSS).
The statement from NATO—its first criticism of Chinese hacking—called on China to “uphold their international commitments…including in cyberspace”. The statement from the White House accused the MSS and affiliated criminal groups of the attack on Microsoft and a broad array of other malicious cyber activities, declaring the behaviour “inconsistent with its stated objective of being seen as a responsible leader in the world”. Some cybersecurity experts criticized President Biden’s response as weak and “not proportionate to the severity of the breach”, while others assessed that his response was properly calibrated to the risks. The coordinated approach is certainly in keeping with Biden’s strategy to build a coalition of like-minded nations to confront China over its activities. This was evident at the NATO summit in June, which described China as presenting “systemic challenges”.
The coordinated statements did not attempt to set out any policy or sanctions to punish China for its alleged actions. China's foreign ministry spokesman said the accusations were “fabricated” and that the US forced its allies to make “unreasonable criticism” against it, adding that China opposes all forms of cybercrime.
Asked how the tactics from the Chinese differ from similar attacks they see coming out of Russia, a senior US official said they sometimes see connections between Russian intelligence services and individuals, but the MSS's use of criminal contract hackers “to conduct unsanctioned cyber operations globally is distinct”. Several US agencies, including the FBI, NSA and the Cybersecurity and Infrastructure Security Agency, also simultaneously released an advisory listing the tactics, procedures and techniques used by Chinese state-sponsored cyber actors. Among the trends, officials say these actors are “using a revolving series of virtual private servers (VPSs) and common open-source or commercial penetration tools”. The advisory also states that they are using a “full array of tactics and techniques to exploit computer networks of interest worldwide and to acquire sensitive intellectual property, economic, political, and military information”.
Less than 24 hours before these synchronised statements condemning China were released, a consortium of 17 media organizations revealed that a private Israeli surveillance firm had been selling spyware to several governments for use in terrorism and criminal investigations, some of whom then used it to target activists and journalists. There has been no censure of these activities by NATO officials.
The recent NATO Summit communiqué describes cyber threats to the security of the alliance as “complex, destructive, coercive, and becoming ever more frequent”. In response, the leaders endorsed a new “Comprehensive Cyber Defence Policy”. The policy document remains classified, but the communiqué reaffirms “NATO’s defensive mandate” and “that a decision as to when a cyber attack would lead to the invocation of Article 5 would be taken by the North Atlantic Council on a case-by-case basis”. The possibility of military action against hackers is set out further in the paragraph: “Allies recognise that the impact of significant malicious cumulative cyber activities might, in certain circumstances, be considered as amounting to an armed attack”. And “If necessary, we will impose costs on those who harm us. Our response need not be restricted to the cyber domain”.
While Russia and China are usually identified by NATO officials as the main source of cyber threats, at least 12 NATO member states were recently identified in an independent report as using social media to spread computational propaganda and disinformation, while two (the UK and United States) were shown to have high ‘cyber troop’ (government or political party actors tasked with manipulating public opinion online) capacity.