Examination of Witness

Cyber Security and Resilience (Network and Information Systems) Bill – in a Public Bill Committee at 2:02 pm on 3 February 2026.


Chung Ching Kwong gave evidence.

Emma Lewell (Labour, South Shields) 2:41, 3 February 2026

We will now hear oral evidence from Chung Ching Kwong, senior analyst for the Inter-Parliamentary Alliance on China. We have until 3 pm for this session.

Christopher Vince (Labour/Co-operative, Harlow)

Q Thank you for coming to give evidence. What methods are hostile state actors using to infiltrate UK essential services, and what can we do to prevent that?

Chung Ching Kwong:

Just to give some background, I am a senior analyst for the Inter-Parliamentary Alliance on China, and a PhD candidate in law at the University of Hamburg, focusing on data protection and data transfer. My expertise is not entirely on critical infrastructure security, but I do a lot of analysis on China’s legal system and also how it works in general. That is how I can contribute to this evidence session.

The threat posed by the CCP to our critical national infrastructure, such as water, energy and transportation, has shifted from espionage—stealing secrets—to pre-positioning, or preparing for sabotage. We cannot understand the threat without understanding the civil-military fusion of the Chinese state. Chinese companies operating in our CNI are not independent per se, in the way we would normally think about that in our country—in other words, private entities that operate on their own and have their own decision-making mechanisms. They are legally obligated under at least article 7 of China’s national intelligence law to co-operate with the state, to provide information, to provide help with decryption and to gather information at the request of the Government.

As highlighted by the NCSC, groups such as Volt Typhoon are pre-positioning within utility networks in the States. They do not use malware; they live off the land, using legitimate administrative credentials to proceed undetected for years. That is not for financial gain; they do it until the time is right for them to pull the trigger and cause a crisis.

In the transportation sector, there are a lot of cellular IoT modules embedded in e-buses and EVs. These devices require constant communication with servers in China to function, so they are constantly feeding data back to China for maintenance, remote access of data and that kind of thing. It could all be innocent and a feature for operational and functional purposes, but if—and only if—Beijing orders that data to be handed over and actions to be taken, it will become a problem.

That is the context of the risk we are facing when it comes to China, especially in terms of state-sponsored attacks. All entities, be they foreign companies in China or local Chinese-founded companies, have an obligation under Chinese law.

Christopher Vince (Labour/Co-operative, Harlow)

Q I was thinking specifically about data. There is a back and forth about digital IDs, for example, but the reality is that a lot of people’s data already exists on the internet. Is it your view that it is not necessarily about the short-term financial gain that the data can provide, but a long-term process of gathering information?

Chung Ching Kwong:

Gathering information and data is definitely one of the main goals, but it is not limited to data transfer. Right now, in the UK, they do not need to rely only on access to critical infrastructure; under the Data Protection Act here in the UK, it is legal to transfer personal data through contractual clauses, so they can have access to personal data as long as they have that.

Of course, gathering data gives them insight into what is happening in the UK; if they want transportation data or power grid data, they can gather those data by different means. But it is also very important to understand Xi Jinping’s comprehensive national security concept. I think this is the reason why they are so determined to collect information, not only in the UK but worldwide.

In that kind of comprehensive security concept, political security, defined as the survival of the regime, is paramount. It overrides anything—not economic gain, not whether or not the GDP of China is going to grow in the next year, but any information or action that they see as necessary to make sure that the CCP is in control. That means it is gathering data of dissidents overseas, it is gathering data on the power grid, it is gathering data on transportation—anything they might find useful for a different purpose, which is, ultimately, to serve the goal of the survival of the regime.

Christopher Vince (Labour/Co-operative, Harlow)

That was a far better answer than my question. Thank you.

Ben Spencer, Shadow Minister (Science, Innovation and Technology)

Q Thank you for coming to give evidence this afternoon. I have two questions. First, what more could the Government be doing to make regulated sectors aware of the risks you have just laid out and what they can do to address them?

Secondly, it has been reported recently that communications of senior Government aides were hacked by Chinese state affiliates between 2021 and 2024. In view of that threat to telecoms networks, what are the potential cyber-risks to communications infrastructure that you see arising from the intended location of China’s super-embassy in the City of London?

Chung Ching Kwong:

On the first question, about what can be done to help sectors understand the risks, education is paramount. At this point, we do not have a comprehensive understanding of what kind of risks state actors like China pose. We are very used to the idea that private entities are private entities, because that is how the UK system works; we do not see that organisations, entities or companies associated with China or the Chinese state are not independent actors as we would expect, or want to expect.

There is a lot of awareness-raising to be done and guidance to be issued around how to deal with these actors. There is a lot of scholarly work that says that every part of Chinese society—overseas companies and so on—is a node of intelligence collection within the system of the CCP. Those things are very important when it comes to educating.

Also, the burden of identifying what is a national security risk and what is not should not be put on small and medium-sized businesses, or even big companies, because they are not trained to understand what the risks are. If you are not someone specialising in the PLA and a lot of other things academically, it would be very difficult to have to deal with those things on a day-to-day basis and identify, “That’s a threat, and that’s a threat.”

Sorry, what was the second question?

Ben Spencer, Shadow Minister (Science, Innovation and Technology)

Q It was about China’s super-embassy in London. What cyber-security risks do you think that poses, given your experience and background?

Chung Ching Kwong:

There is not a lot of publicly available information on the sensitive cabling that is around the area, so I cannot confidently say what is really going to happen if they start to build the embassy and have such close contact with those cables. The limit of this Bill when it comes to the Chinese embassy is that it cannot mitigate the risks that are posed by this mega-embassy in the centre of London, because it regulates operators and not neighbours or any random building in the City. If the embassy uses passive interception technology to harvest data from local wi-fi or cellular networks, no UK water or energy company is breached. There is no breach if they are only pre-positioning there to collect information, instead of actually cutting off the cables, so when they do cut off the cables, it will be too late. There will be no report filed under the Bill, even if it is under the scope of the Bill when it comes to regulation. The threat in this case is environmental and really bypasses the Bill’s regulatory scope.

Dave Robertson (Labour, Lichfield)

Q Thank you for coming in to talk to us this afternoon. The Bill includes a couple of backstop powers for the Government to compel information and things like that. Are those powers sufficient to guarantee national security?

Chung Ching Kwong:

I think that to a certain extent they will. For hackers or malicious actors aiming for financial gain with more traditional hacking methods, it will definitely do a job in protecting our national security. But the Bill currently views resilience through an IT lens. It is viewing this kind of regulatory framework as a market regulatory tool, instead of something designed to address threats posed by state-sponsored actors. It works for cyber-criminals, but it does not work for state actors such as China, which possess structural leverage over our infrastructure.

As I said before, we have to understand that Chinese vendors are legally obliged to compromise once they are required to. The fine under the Bill is scary, but not as scary as having your existence threatened in China—whether you still have access to that market or you can still exist as a business there. It is not doing the job to address state-sponsored hackers, but it really does help when it comes to traditional hacking, such as phishing attempts, malware and those kinds of things.

Bradley Thomas (Conservative, Bromsgrove)

Q For the avoidance of doubt, I will put on the record that I am a member of the IPAC caucus in this Parliament. Thank you for coming in to see us. You have spoken about the threats from hostile and adversarial states. Given the scope of what we are talking about, can you give us any insight on what comparable western nations are doing to protect themselves?

Chung Ching Kwong:

The US is probably a good example. It passed Executive order 14028 in May 2021, which requires any software vendor selling to the US federal Government to provide something called a software bill of materials—SBOM. That is technically a table of ingredients, but for software, so you can see exactly what components the software is made of. A lot of the time people who code are quite lazy; they will pull in different components that are available on databases online to form a piece of software that we use. By having vendors provide an SBOM, when anything happens, or whenever any kind of vulnerability is detected, you can very easily find out what happened.

That is due to a hack in 2021, in which a tiny, free piece of code called Log4j was found to have a critical vulnerability. It was buried inside thousands of commercial software products. Without that list of ingredients, it would be very difficult for people who had been using the software to find out, because, first, they may not have the technological capabilities and, secondly, they would not even know if their software had that component. This is one of the things the US is doing to mitigate the risks when it comes to software.

Something that is not entirely in the scope of the Bill but is also worth considering is the US’s Uyghur Forced Labour Prevention Act. That is designed to prevent goods made with forced labour from entering the supply chain. The logic of preventing forced labour is probably something that the UK can consider. Because the US realised that it could not inspect every factory in Xinjiang to prove forced labour, it flipped the script: the law creates a rebuttable presumption that all goods from that region are tainted, so the burden of proof is now on the importer to prove, with clear and convincing evidence, that their supply chain is clean.

A similar logic could be considered when it comes to this Bill to protect cyber-security. Any entities that are co-operating with the PLA—the People’s Liberation Army—for example, should be considered as compromised or non-trustworthy until proven otherwise. That way, you are not waiting until problems happen, when you realise, “Oh, this is actually tainted,” but you prevent it before it happens. That is the comparison that I would make.

Tim Roca (Labour, Macclesfield)

Q I, too, put on the record that I am a member of the IPAC caucus in this Parliament.

Thank you for speaking to us today. May I turn the conversation a little on its head? We have been talking about national security and the threat from China and others. You were an activist in Hong Kong and made a great deal of effort to fight the Chinese Communist party’s invasion of privacy—privacy violations using the national security law—and other things. Do you see any risk in this legislation as regards civil liberties and privacy? We have had a bit of discussion about how much will go into secondary legislation and how broad the Secretary of State’s powers might be.

Chung Ching Kwong:

The threat to privacy, especially to my community—the Hong Kong diaspora community in this country—will be in the fact that, under Clause 9, we will be allowing remote access for maintenance, patches, updates and so on. If we are dealing with Chinese vendors and Chinese providers, we will have to allow, under the Bill, certain kinds of remote access for those firms to maintain the operation of software of different infrastructures. As a Hongkonger I would be worrying, because I do not know what kind of tier 2 or tier 3 supplier will have access to all those data, and whether or not they will be transmitted back to China or get into the wrong hands. It will be a worry that our data might fall into the wrong hands. Even though we are not talking specifically about personal data, personal data is definitely in scope. Especially for people with bounties on their head, I imagine that it will be a huge worry that there might be more legitimate access to data than there is right now under the Data Protection Act.

Tim Roca (Labour, Macclesfield)

Q From the other perspective—I am thinking about a UK Government in the future overreaching—do you think there is any risk from this legislation?

Chung Ching Kwong:

It is always a double-edged sword when it comes to regulating against threats. The more that the Secretary of State or the Government are allowed to go into systems and hold powers to turn off, or take over, certain things, the more there is a risk that those powers will be abused, to a certain extent, or cause harm unintentionally. There is always a balance to be struck between giving more protection to privacy for ordinary users and giving power to the Government so that they can act. Obviously, for critical infrastructure like the power grid and water, the Government need control over those things, but for communications and so on, there is, to a certain extent, a question about what the Government can and cannot do. But personally I do not see a lot of concerns in the Bill.

Emily Darlington (Labour, Milton Keynes Central)

Q I want to move from software to hardware that is particularly vulnerable to potential cyber-attack, particularly from the integration of Chinese tech into SIPs, possibly making them vulnerable to cyber-attack by someone who knows the code into those bits of hardware. Should we be doing more to protect against that vulnerability? Should that be covered by the Bill?

Chung Ching Kwong:

It should definitely be covered by the Bill, because if we are not regulating to protect hardware as well, we will get hardware that is already embedded with, for example, an opcode attack. Examples in the context of China include the Lenovo Superfish scandal in 2015, in which originally implemented ad software had hijacked the HTTPS certificate, which is there to protect your communication with the website, so that nobody sees what activity is happening between you and the website. Having that Superfish injection made that communication transparent. That was done before the product even came out of the factory. This is not a problem that a software solution can fix. If you were sourcing a Lenovo laptop, for example, the laptop, upon arrival, would be a security breach, and a privacy breach in that sense. We should definitely take it a step further and regulate hardware as well, because a lot of the time that is what state-sponsored attacks target as an attack surface.

Emma Lewell (Labour, South Shields)

That brings us nicely to the end of the time allotted for the Committee to ask questions. On behalf of the Committee, I thank our witness for her evidence.
