Image credit: Pete Linforth / Pixabay

Data Driven

How COVID-19 and cyberspace are changing spycraft

This extract is featured in Australian Foreign Affairs 9: Spy vs Spy. To read the full issue, log in, subscribe or buy the issue.

In mid-November 2019, WeChat users in China started discussing a new virus spreading in Wuhan. The words and phrases SARS, coronavirus, novel coronavirus, Feidian (the Chinese equivalent of SARS), shortness of breath, dyspnea and diarrhoea all began to increase in use across China’s most popular messaging app. As the virus spread, volunteer open-source researchers in China began collecting and archiving online material, including through GitHub, a Microsoft-owned coding and collaboration platform, to protect and preserve information at risk from China’s internet censors. Later, some of these open-source researchers, web archivists and citizen journalists would be detained, their online projects shuttered.

We will never know how many governments were monitoring and collecting these early signs of COVID-19, and we will only hear snippets about what they found. Like advice from public health agencies and diplomatic cables, intelligence provides another source of information for governments. And for those intelligence agencies that pivoted quickly as the virus spread around the world in early 2020, online open-source collection, including data scraped from Chinese social media networks, blogs and archived databases, had the potential to alert them to the seriousness of what was to come.

On 6 January 2020, eight days before the now infamous tweet by the World Health Organization announcing that Chinese authorities had “found no clear evidence of human-to-human transmission of the novel #coronavirus”, cyberespionage actor APT32 was on the hunt, trying to find out more about the unnamed virus spreading in Wuhan and beyond. APT32 (also known as OceanLotus), long believed by cyber-security researchers to be operating on behalf of the Vietnamese government, used COVID-19-themed malicious email attachments in an attempt to compromise the professional and personal email accounts of officials working for the government of Wuhan and China’s Ministry of Emergency Management.

We don’t know how successful APT32’s attempted cyber intrusions were, or what prompted this operation. But we do know that Vietnam – like Australia – acted quickly, closing its 1400-kilometre border with China on 1 February. By the end of April, the Vietnamese government had reported no deaths and fewer than 300 cases of COVID-19.

Alongside most industries, intelligence agencies – including Australia’s – will be assessing whether the global disruption caused by COVID-19 will change the way they operate. Will it accelerate evolutions in tradecraft? Will the expectations and priorities of intelligence customers shift as these types of global events become more frequent?

They will need to take stock of their response. As the virus began its rampant spread, were they set up and resourced to respond in a timely fashion? Crucially, as other sources of information signalled danger, were they able to move fast to collect information, much of which, in the early stages at least, was not necessarily “secret”? For governments wrestling with difficult decisions such as border closures and public safety measures, having accurate data about the virus and its spread was essential.

But responding quickly isn’t always easy because intelligence collection is challenging, labour-intensive and complicated. Agencies can’t ordinarily pivot quickly between targets. In China, which has invested heavily in sophisticated surveillance and public security technologies to monitor and control its population, collecting on-the-ground human intelligence is becoming more dangerous and expensive. The demands of dealing with, and protecting, sources mean that human intelligence may not be easily redirected. Signals intelligence also needs time to change course; penetrating a network requires figuring out a way in, and exploitable vulnerabilities are hard to find. Only certain intelligence collectors, like those working in open source and geospatial information gathering, can manoeuvre more readily.

Intelligence collection during the early months of COVID-19 would have required agencies to work creatively and flexibly. They would have had to gather information, much of which only existed in, for example, municipal and provincial medical circles, high-resolution satellite imagery or archived online databases and Chinese social media channels. This would have raised another challenge for intelligence agencies: as the data poured in, were they able to quickly process and analyse what they had?

But the most important questions are the ones that can’t be answered yet. With nations still emerging from this crisis, intelligence communities need to forecast what a world after COVID-19 abates will look like, because they need to make decisions now about how they will operate in this new environment.

Spying in cyberspace

For as long as – and perhaps even longer than – there have been states, there have been spies. In Australia, the intelligence community comprises not just those in the field but also those conducting analytical, technical, signals, operational and geospatial functions.

Today, all of this work is being transformed by exponential changes in cyberspace and technology. Relatively cheap, everyday devices can be far more valuable sources of intelligence than a wiretap or a bug installed in a light fitting. A fridge that alerts someone when they need butter, cheese or ice-cream, and relays that information over the internet to them and their grocery store, provides not just an insight into their diet and the condition of their arteries, but also the potential capability to listen, watch and learn about that person, all from a safe distance. Apps on a smartphone are opportunities to learn about a person’s habits, to listen in on their conversations, to steal their data and to understand what makes them tick – and what may make them vulnerable. Researchers in the United States, Japan and China have demonstrated they can secretly activate artificial intelligence–powered virtual assistants (such as Siri) by shining laser pointers at their microphones and sending them commands undetectable to the human ear. Few people completely separate their work and home lives, and in a work-from-home environment it’s almost impossible, making the exploitation of these devices more valuable for intelligence agencies.

However, much online collection relies on more overt, but often hard to find, sources. The ability to hoover up multi-language social media content (and its associated metadata), foreign government documents, databases and traditional foreign media reporting is becoming increasingly important as more of the world’s population and activities move online. This open-source collection is cheap, quick and can provide in-depth understanding of countries where traditional diplomatic reporting is hampered by a lack of official access and where it may be too difficult to operate a sustainable pipeline of on-the-ground collection.
