The Canada-China cyber agreement has little apparent “upside” to Canada, writes David Swan. China is unlikely to change its approach to hacking or intellectual property, so more cyber attacks should be expected.

By David Swan, Dec. 8, 2017

In June 2017, Canada and the People’s Republic of China (PRC) signed their first ever cyber agreement, which stipulated that neither government would support or sponsor the theft of intellectual property (IP). This would be a worthy agreement IF both countries meant what they said. A review of China’s history of hacking in Canada, its infrastructure to undertake such activities, and the PRC’s lack of treaty compliance, suggests this is an agreement of little value.

Many Canadians are unaware of the extent of Chinese hacks and hacking campaigns against Canada. Canadian businesses have been targeted and in some cases destroyed, while intellectual property and trade secrets were laundered in China.  Here are a few examples of Chinese cyber campaigns:

Campaign Description
NORTEL NORTEL’s networks were hacked for up to ten years before the company’s demise in 2009.
Potash Industry In 2011-2012, the PRC invested heavily in acquiring potash for fertilizer production. Hacking targets included potash producers, such as Saskatchewan’s Potash corporation, the federal government and even Bay Street law firms. It was estimated that more than 250 organizations were hacked in the campaign.
National Research Council In 2014, Canada’s premier research and development network, the National Research Council, was hacked. The breach was attributed to the government of the PRC. The cost was estimated at “hundreds of millions of dollars.”
University / Research IP A University Security Team back tracked a hack that compromised a secure server and sensitive Intellectual property (IP). The trail led to an internal server in a Chinese university. The Chinese server included a menu with links to more than 30 Canadian universities and research Institutions – among many others. The menu included tools to defeat security systems. (Sources and detail withheld due to Non-Disclosure Agreement)
Other Government of Canada Hacks The Communications Security Establishment (CSE) responded to a question in the House of Commons in 2016 by releasing the following statement: “government systems in the energy and resources sector suffered 2,078 'system compromises' in 2016. This compares with 2,493 such compromises against all other federal government sectors during the same period.” CSE did not disclose where the attacks originated. Yet many attacks seeking intellectual property and/or trade secrets have originated in the PRC.

The PRC has never admitted to conducting ANY hacking despite indictments against officers of the PLA and criminal hacking indictments and convictions in multiple jurisdictions. In Canada, for instance, indictments for cyber theft and selling to the PRC have included shipbuilding secrets (2013), satellite technology (2016), and espionage by a Toronto Permanent Resident (2017). Cyber forensic investigators, ranging from university computer security teams to cyber security firms, have provided overwhelming evidence of PRC cyber attacks. A general categorization of PRC hackers follows:

1. People’s Liberation Army (PLA) Cyber Units There are a number of PLA “hacker” units that engage in hacking ranging from senior units directly controlled by Beijing to regional and local PLA units that work with universities and/or businesses.
2. Govt / University / Business Partnerships In these three-way ”partnerships,” intellectual property is targeted, stolen and then “reinvented” in PRC universities. The technology is used to launch new/government sponsored businesses.
3. Govt Affiliated Business There are a number of rising PRC companies that have been founded by PLA officers or Communist Party of China members, based on stolen IP.
4. Business Sponsored Hacking / IP Chinese businesses hire “computer security companies” or hackers to steal intellectual property and trade secrets.
5. Criminal Hacking Groups Chinese criminals have been arrested and deported from call centre operations and hacking teams in several African and Asian countries.
6. Hacking Groups / Associations One of the best known Chinese hacking groups are the “Apple” group(s), responsible for creating many Apple apps as well as iOS malware and cracks.
7. Individual Hackers This is hacking by individuals, often university students, that ranges from politically motivated Distributed Denial of Service Attacks (DDoS) to theft of intellectual property and includes the entire spectrum of criminal hacking.

Experts on China have documented PRC government links through all levels. Links can be direct, such as military chains of command or they can be casual, based on media “calls to action.” One example of "casual" attacks was when Chinese students outside of mainland China launched Distributed Denial of Service (DDoS) attacks against the Republic of the Philippines.

The main objective of PRC cyber attacks appears to be the acquisition of intellectual property and trade secrets. Interestingly, the Joint Communiqué issued on June 22 stated in part: “The two sides agreed that neither country’s government would conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.” The Globe and Mail noted that: “This new deal only covers economic espionage – hacking corporate secrets – and does not preclude China from conducting state-sponsored cyberattacks against the Canadian government or military as it did in 2014, when Chinese hackers broke into the main computers at the country’s National Research Council.”

Another way to validate PRC intentions is to see if the PRC has honoured other similar agreements. One of the first cyber agreements China signed was with the United States during the Obama administration. According to FireEye/Mandiant, the quantity of hacking attacks from the PRC against the US “dropped significantly” since the agreement was signed. That said, hacking from the PRC, including cyber attacks by the PRC government, have not stopped. Some intelligence organizations believe this indicates a change in tactics, shifting to more specific targets and using more sophisticated techniques, rather than a change in behaviour.

If the PRC has not stopped hacking the US, why would they stop hacking Canada?

The People’s Republic of China has published their intention to grow all aspects of the country in their “Five Year Plans.” This includes the “need” to catch up with the western world. In order to accomplish this the PRC has been operating hacking campaigns for more than a decade. Consequences have been minimal. In many ways China has already “caught up.” However, as economic plans change, so will the requirements of the PRC leadership. Stated another way, this is the motive for future hacking.

The Canadian Security Intelligence Service (CSIS), CSE, Department of National Defence and the RCMP are fully aware of the People’s Republic of China’s hacking endeavours in Canada. Their information should have made its way to the Minister of Public Safety and the Department of Global Affairs. These organizations should have advised the Prime Ministers Office that the PRC are unlikely to comply with a cyber agreement.

The Canada-China cyber agreement provided a photo-op and the appearance of good will between the countries but there is no apparent “upside” to the agreement for Canada. The PRC has managed to have the Liberal government “overlook” hundreds of millions of dollars in cyber thefts and damage due to hacking. China has not changed its hacking infrastructure nor its political requirement for western intellectual property, so more cyber attacks should be expected. Given the history of hacking and the expectation of more IP theft, why sign a cyber-agreement and risk political embarrassment?

David Swan is a retired Canadian Army Intelligence Officer (Reserve) who lives in Vulcan, AB. He is the Director of the Cyber Intelligence Defence Centre (CIDC), a component of the Centre for Strategic Cyberspace and Security Science.