The cybersecurity link to the Chinese spy balloon episode

By Prayukth K V
February 14, 2023
The cybersecurity link to the Chinese spy balloons

In the last eight days, US fighter jets have eliminated four Chinese spy balloons. The fourth one was shot down along the border of Alaska and Canada last Saturday. The US Defense Department has attributed the increase in the detection – and shoot-downs – of suspicious flying objects to increased scrutiny of U.S. airspace and the enhancements it has made to its radar systems to detect these very balloons. The US is currently in a state of high alert to detect and neutralize similar airspace violations in the days to come.

While the episode has been evaluated threadbare by analysts, there is one aspect that has been overlooked – China’s growing appetite for raw intelligence data. This article examines the reason behind this growing appetite and its implication for governments and enterprises. 


The cyberspace/cybersecurity link

In the second half of 2022, China moved up a notch to become the country harboring the most active APT groups in the world. Cyberattacks from China have picked up both in volume and quality in the last 9 months. In addition to diplomatic cables and Intellectual Property, Chinese APT groups also went after defense vendors, healthcare providers treating (or holding records of) politically important persons, and infrastructure connected with critical manufacturing facilities.  

Chinese intelligence operates at four levels viz., data gathering, validation, analysis, and deployment. Various enablers are involved at each stage. In recent times, China has paid extraordinary attention to data validation by recruiting more information sources to cross-check the information already on record. It has also figured out ways to hack into non-traditional sources of data to assess the quality and significance of information already collected. The validation used to happen at two facilities located in Eastern China. Now, however, China’s Ministry of State Security (MSS) has started commandeering private sector companies to help in refining collected data to derive intelligence value. This includes firms with big data analysis capabilities and those with proven and working AI models to determine the link between unconnected data sets and the validation of raw data by looking for pre-established patterns of authenticity.  


Intelligence data processing occurs at huge scales in China. Thanks to the availability of facilities from private enterprises, China doesn’t have to invest in building these facilities in-house and spend time, resources, and energy in recruiting manpower and maintaining them. This frees up a big chunk of manpower to focus on upstream intelligence-gathering activities.   

Every event of significance is validated from multiple independent data sources to confirm its strategic utility. For instance, if an asset of interest is moved across locations, then this movement can be confirmed by not just tapping into different sources of intelligence data but also looking for post-event indicators residing in petabytes of collected data. Such bits of intelligence are priceless from a strategic decision-making standpoint.

Private sector participation in intelligence data processing is encouraged by the Chinese government. Some of the private companies participating in this effort receive some form of discreet funding or non-monetary and tax benefits from the MSS or the Chinese government. Those that don't readily agree are coaxed or forced to participate.

Why is China investing in newer methods of intelligence data collection?

With the establishment of a huge capacity for crunching raw intelligence, China ran into a problem in the early half of the last decade. It had to figure out a way to keep these facilities churning. China then started to look for new sources of intelligence information to continue utilizing the established capacity. China is aware that any break in data collection, validation, or analysis could lead to a partial degradation of intelligence processing capabilities in the long term. Thus the entire intelligence information assembly line is kept active with information and datasets fed at regular intervals. This is why China needs to constantly harvest information across HUMINT and SIGINT channels.

Further, China is also testing newer military hardware that performs optimally under certain atmospheric and local weather conditions.  With greater awareness of atmospheric conditions and other regional factors including accurate views of strategic military installations, China can afford to work with more operational insights to better plan and execute the use of military hardware, systems, and personnel in the event of a formal/informal declaration of hostilities. 

Such information also offers a strategic advantage in times of geopolitical crisis, trade negotiations, or confrontation, giving a clear edge to the country that holds it. It can even help anticipate a potential response from an adversary.


Given this backdrop, we expect China to stay invested in expanding its intelligence-gathering capabilities and facilities. Such efforts will also be augmented with other means as the raw data processing and refining capabilities improve. The growing capabilities of Chinese APT groups in cyberspace are further evidence that China has adopted this approach. With its increasing appetite for intelligence data, this trend will define China's approach toward cyberspace and beyond in the days to come.

Nine key points

  • China’s Ministry of State Security is constantly expanding its appetite for raw intelligence data
  • China has significant downstream intelligence processing capabilities that include capacities drawn from the private sector 
  • The spy balloon episode points to China looking for new, innovative, and less obvious avenues for harvesting raw data
  • The private sector in China is contributing significantly to achieving China’s strategic geo-political goals 
  • Raw SIGINT data gathered is not deployed or used for decision-making without validation. Validation is done using data collected from multiple sources
  • By outsourcing raw data processing, which is an expensive and processing power-intensive activity, the MSS doesn't have to invest in establishing, running, and maintaining expensive facilities; the resources thus saved are invested in setting up new and more innovative data-gathering methods like spy balloons
  • Private sector entities do not have a choice when it comes to assisting the MSS. They are however rewarded through funds and tax exemptions, and in some instances the government allows them to retain commercially valuable data and IP
  • The need to keep downstream intelligence processing operations available at all times at optimal capacity is another reason for China continuing its data harvesting operations in cyberspace and elsewhere.
  • All NATO countries are on the radar of MSS. For some countries within NATO, China has evolved and deployed specific strategies to harvest data. This includes sniffing diplomatic communication through multiple APT groups
  • The Hainan Island incident in April 2001 involving a United States Navy EP-3E ARIES II signals intelligence aircraft and a People's Liberation Army Navy (PLAN) J-8II interceptor fighter underscored the importance of airborne surveillance to China. This incident also prompted the Chinese government to examine ways to conduct aerial surveillance on its adversaries discreetly.
