In February, the National Counterintelligence and Security Center (NCSC) released an unclassified version of its report on Chinese intelligence efforts against U.S. citizens.
The report provides a scathing breakdown of how China has been stealing data, including DNA files, which are like a biological ID of your health data and medical background, to pursue its economic, security, and foreign-policy goals.
On the face of it, China is using legally and illegally acquired healthcare data as part of an effort to become the global leader in biotechnology and medicine. But this data theft reflects a more sinister ambition.
In addition to financial gains, China is using stolen data to target dissidents, foreign intelligence officers, and even its own citizens, including ones spying on their government.
In data, China sees control; in control, it sees security.
Who’s Big Brother?
Beijing’s focus on data and the creation of a security state where every movement, interaction, and transaction is monitored makes George Orwell’s “Big Brother” look like a petty amateur.
China’s interest in stolen data isn’t new, but it was only in the early 2010s that it ramped up its data-collection efforts. Around that time, the Chinese security services discovered just how deep U.S. intelligence had penetrated China’s security and military apparatuses.
The Chinese government’s interest in data exceeds traditional security norms. For example, in 2015, the U.S. government revealed that Chinese hackers broke into the U.S. Office of Personnel Management (OPM) and stole sensitive data — including security background forms, fingerprint records, and health and financial data — from millions of current and former U.S. officials and applicants for federal jobs.
Although the OPM hack was an attempt to map out the U.S. national-security community in general, it primarily targeted the intelligence community to determine who works there.
The purloined data compromised several former and current intelligence officers. Equally concerning is the fact that it might endanger future officers and operations and may make the future recruitment of assets inside and outside of China more difficult.
Further, the OPM data offers Chinese intelligence services ample information with which to recruit U.S. assets through blackmail or financial enticement.
Indeed, through successive cyberattacks, China has taken hold of the personal data of much of the American population, regardless of their occupation. (Chinese firms also gather this data by investing in U.S. companies and through partnerships with U.S. researchers.)
In addition to the OPB hack, in the last decade alone, China has stolen about 500 million travel and personal records from the Marriott hotel chain, 145 million financial and personal records from Equifax, and 78 million financial, healthcare, and personal records from Anthem.
While data itself used to be hard to come by, the advancement of bulk-data collection over the past 20 to 30 years has made processing, interpreting, and analyzing it in a timely fashion the bigger challenge.
In the 1990s, access to so much data didn’t necessarily translate into actionable intelligence, but investments in and rapid improvements to artificial intelligence are changing that.
Different methods of categorizing and storing data won’t necessarily solve the problem.
“The most [technologically] advanced security can often be bypassed using an analog [and simple] method. We’ve seen a number of different strategies being tossed around in the public discourse, from mounting a stronger offense to focusing almost exclusively on buffering our critical infrastructure defenses,” a former Air Force officer with a background in joint special operations and intelligence told Insider.
A more aggressive cyberwarfare strategy might be the solution, and the Biden administration has indicated that it will be more active in the cyber realm.
But according to Privacy Matters, a digital security and privacy publication, there are important considerations to make before opening Pandora’s box of cyberwarfare, where there are still no established norms, even among state actors.
What About You?
According to the NCSC report, the ethnic diversity of U.S. healthcare data, as well as that data’s accessibility, makes it especially appealing to China.
China’s aggressive bulk-collection strategy, especially of DNA files, poses risks for private citizens.
As the NCSC states, the loss of your DNA isn’t like losing your phone or credit card. You can’t replace your DNA, and its theft can affect you as well as your immediate family and relatives.
Unfortunately, the theft of financial or travel data by Chinese or Russian hackers may not concern people who aren’t immediately affected. But losing your DNA is a completely different proposition, as it’s literally your biological identity and can be used to track you or to design a biological weapon tailored to you.
“Things can seem pretty helpless from an individual perspective, especially when we read headlines suggesting the NSA has had their own cyber hacking tools stolen and reused against them,” the former officer said.
“We can’t very well defend our financial institutions or other companies from Chinese hackers, but we can know what to do when that inevitably occurs and our personal information is leaked online (along with millions of others),” the officer said. “All of this is to say that maintaining an understanding of your online privacy and digital security is an individual responsibility — all else is supplemental.”
For a private citizen, caught in a cyberwar between world powers, there are few responses to such theft. Understanding the threat and acting to safeguard the information you can beforehand is probably the best defense.
This report was written by Stavros Atlamazoglou and originally published on Insider.