Intelligence and Security Committee China report/Case Study: Industry

​

​

333. As made clear in Part One of our Report, China's national imperative is the continuing dominance and governance of the Chinese Communist Party (CCP). However, it is its ambition at a global level—to become a technological and economic superpower, on which other countries are reliant—that represents the greatest risk to the UK.
334. Today, China has advanced research, development and manufacturing capabilities across a broad range of high-tech sectors, from nuclear energy to telecommunications. But, in order to understand China's approach to technology today, you have to look to the past: China's ambition to be a global technological and economic superpower is rooted in its history. China's perception that the Chinese nation—one of the world's great civilisations—was humiliated repeatedly by more technologically advanced Western nations prior to the CCP takeover in 1949 is key to understanding why economic and technological development is central to China's ambitions today. The Intelligence Community, in evidence to the Committee, were unambiguous about the importance China places on this:

     The Communist Party of China (CCP) deems both economic well-being and technological advancement as essential to its national security and maintaining power, and to mitigate perceived threats from the West … China's overall aims are to gain technological parity with the West, and eventually to surpass them, in a process it identifies as 'national rejuvenation'.^[1]

335. China is seeking technological dominance over the West, particularly in emerging technologies, such as artificial intelligence (AI), 5G telecommunications, supercomputing and quantum computing. An assessment by the National Cyber Security Centre (NCSC) summarised the thinking as:

     Modern great-power dominance has been based on the mastery of key technologies. China is investing huge sums in a series of 'Manhattan Projects',^[2] intended to make it a leader in advanced technologies, which it almost certainly intends to export worldwide.

     Success will enable China to project its economic, military and political power globally, as steam and computing did for Britain and the US [United States] respectively in the 19th and 20th centuries.^[3]

     ​
336. China has underpinned its economic and technological aspirations with a number of strategic documents, including the Made in China 2025' strategy. This strategy lists the ten key industrial sectors in which the CCP intends China to become a world leader—many of which are fields in which the UK has particular expertise:
     • electric cars and other new energy vehicles;
     • next-generation Information Technology (IT) and telecommunications;
     • advanced robotics and AI;
     • agricultural technology;
     • aerospace engineering;
     • new synthetic materials;
     • advanced electrical equipment;
     • emerging biomedicine;
     • high-end rail infrastructure; and
     • high-tech maritime engineering.^[4]
337. China is willing to employ a 'whole-of-state' approach, using all levers of Chinese state power to support its technological goals. This includes legitimate routes using influence via investment, directing the huge resources of the Chinese state into vast research and development programmes, and investing in high-tech overseas companies with a view to transferring legally the technology to China and undercutting Western competitors. It also includes espionage on an industrial scale—stealing the fruits of Western research and development efforts and high-value Intellectual Property (IP) so that it can develop and manufacture technologies faster and cheaper than the rest of the world. As the NCSC explained, China can "shortcut [its] need to do research and development by targeting Intellectual Property".^[5] MI5 was equally clear, telling the Committee that China is using "intelligence collection … to support [its] commercial mercantile ambition".^[6]
338. In 2019, when the Intelligence and Security Committee of Parliament issued a statement on the inclusion of Huawei in the UK's 5G network, we warned that the problem was far bigger than that single issue: the West is over-reliant on Chinese technology and must act now to tackle China's technological dominance.^[7] The same month that our statement was released, the Intelligence Community accepted that China's rising technological dominance posed a genuine threat to the West, with SIS telling the Committee that "the biggest risk from China is that the alliance of state control and 21st century technology will allow China to dominate technologies that shape our world".^[8] This is a long-term issue, and one on which we are already lagging well behind. As MI5 told us: ​

     the challenge of the rise of China absolutely raises huge questions for the future of the western alliance … At the moment, it is still the case that, broadly speaking, the Chinese are seeking to use espionage and influence to steal advantage that the West itself still holds, and then clearly the balance of that will tilt across the next few years and China will become—has already, in effect, become—the world's leader in many areas of manufacturing, and may become the world's leader in almost all the world's areas of manufacturing.^[9]

339. We asked the NCSC about the threats to the UK from China and were told that 'Made in China 2025' is a "classic Chinese long-term programme with the most profound implications for us and our allies".^[10] If China achieves technological dominance, it will make it harder for the UK to protect its information and retain defence, economic and intelligence advantages. A 2018 Joint Intelligence Committee (JIC) Assessment noted that China is the main hostile state threat to UK prosperity.^[11] The actions of China against UK Industry therefore pose both a threat to national security and a threat to our economic well-being.

340. As an advanced and open economy, the UK is a clear target for China. The UK has a reputation for being open to foreign investment, and China invests in the UK more than in any other European state. Foreign Direct Investment into the UK from China between 2000 and 2017 was approximately £37bn (with the next largest recipient of Chinese investment being Germany, at £18bn).^[13] ​
341. Since 2017, the majority of Chinese investment in the UK appears to have been strategically driven, with clear links between areas of investment and Chinese state objectives. When we questioned the Intelligence Community on this, the JIC Chair emphasised the importance that China places on the UK as a centre of scientific and technological excellence, noting that the UK has world-class research and development (and, in some cases, industrial activity) in many of the technologies mentioned in the 'Made in China 2025' strategy.^[14] Chinese science and technology requirements therefore correspond closely to UK strengths in military capabilities, and industrial and emerging technology.
342. The UK sectors of particular interest to the Chinese include defence, telecommunications, new or emerging digital technologies and other strategic industries not necessarily part of the UK's Critical National Infrastructure (CNI), but which are nevertheless considered sensitive (for example ***).^[15] Director General MI5 told us:

     ***^[16]

343. When targeting UK Industry, China has two key priorities: the acquisition of IP and technology, and the acquisition of data.

344. Intellectual Property (IP) refers to creations of the mind, such as inventions, literary and artistic works, designs and symbols, and names and images used in commerce. IP rights give the creator an exclusive right over the use of his/her creation for a certain period of time and enable him/her to earn recognition or financial benefit from what they invent or create. IP is protected in law in various ways.^[17]
345. China's apparent unwillingness to recognise (or enforce) IP rights has been an issue since the country 'opened' to the world in the 1970s. Originally, this was centred on copyright and trademark infringement with pirate DVDs, CDs and counterfeit goods being readily produced by Chinese companies. Today, it is focused on much higher value goods, in particular cutting-edge technology. However, the same principle applies—by stealing IP, the Chinese save money on research and development, thereby lowering the overall 'to-market' cost so that they can undercut the original product and dominate the market.

​

346. The Chinese also target data. The UK Government has said that it considers data and "its associated infrastructure" to be a "strategic national asset",^[18] as the NCSC explained:

     data has both economic and intelligence value. It can be used to train artificial intelligence systems and identify individual targets of interest for future exploitation. It also has applications in research and development and commercial decision-making.^[19]

347. Much of China's data acquisition is conducted with a view to maintaining the stability of the Communist regime. GCHQ told us that China's overarching aim is to identify and monitor the threat posed by its population.^[20] The Intelligence Community explained:

     the Chinese state views surveillance and big data analytics as essential tools to maintain Chinese social and economic stability and national security. It collects data from a wide range of sources, such as China's public surveillance apparatus, privately and commercially available, and open source information. The collection and aggregation of personally identifiable information and bulk datasets enables the ChIS [Chinese Intelligence Services] to identify and track targets of interest, and will aid technology development, such as the training of AI systems. China is investing heavily in AI through academia, the purchasing of AI technology companies, and through indigenous development.^[21]

348. However, the Chinese are also assessed to target data for intelligence purposes. The Intelligence Community cited the hacking in 2015 of the United States (US) Office of Personnel Management with the loss of personal information of more than 20m US government officials—as evidence of this. MI5 explained that even apparently innocuous personal information can be useful when combined with other sources of data:

     in isolation most of these data sets don't enable you to do much at all, but when you build a layered mosaic [of data sets] it does then enable *** it enables them potentially to talent spot people that they might be able to make a recruitment approach to ….^[22]

     The Chinese Intelligence Services (ChIS) may use bulk data to provide additional intelligence to support their targeting efforts against UK politicians.^[23] We were told that using data in this way could "identify background details on the [potential] target, including finances, personal weaknesses and the circles of the people they are close to".^[24]

349. Data comes in many forms, and data-collection platforms all have potential intelligence value. China's Personal Information Protection Law (PIPL), billed as a Chinese version of the General Data Protection Regulation (GDPR), came into effect in November 2021. This law asserts state power over data belonging to both Chinese and foreign companies. ​ According to legal experts, "the PIPL exerts certain exterritorial jurisdiction over data processing activities that happen outside China if the purpose is to provide products or services to individuals located in China, or to analyse or assess the behaviours of individuals located in China". This means that, on the basis of the PIPL, the Chinese government can force Chinese and other companies to turn over their data as soon as it involves any Chinese citizens. However, as in practice it is not possible to compartmentalise Chinese citizens' data, the Chinese government is likely to get access to whole datasets, including information pertaining to non-Chinese nationals. It has been suggested that the data collected by ride-hailing applications may be of interest to authoritarian regimes such as China due to the potential for it allow the gathering of data on individuals of intelligence interest.^[25] When combined with the Chinese government's sweeping powers to force companies operating in China to co-operate, this means that data acquired legitimately by such companies may find its way into the hands of the Chinese state, for further exploitation and analysis.
350. GCHQ observed that China’s advanced AI and machine learning industry means that it can process large amounts of raw data, which it can then attempt to leverage in order to meet strategic aims:

     increasingly [the Chinese] are just looking to collect very large quantities of personal information and personal data … with not a huge amount of focus.

     ***with those data sets … it increasingly allows them to control their own … state [and also to attempt to influence the] large anti-Chinese community outside China.^[26]

​

351. Many of the methods used by China to acquire UK technology, IP and data are entirely legal under UK law. Indeed, in October 2020, the Acting NSA made it clear that "there is much licit Chinese activity in this country that we welcome and that we want to continue … there is no way that we can cut ourselves off from China".^[27]
352. We have already considered China's overt use of Academia to acquire information at the 'front end'—i.e. at the research or development stage. Once technology has been developed, and is in use by a company, China exploits all possible avenues to acquire it by legitimate means—whether that be through licensing agreements, buying the company, obligations placed on foreign companies investing in China, opportunities offered by trade shows, or influencing standards-setting bodies to favour Chinese products. The DNSA told us in December 2020 that "[China] understand[s] the interdependencies between all of those things. So it's a very sophisticated joined-up programme of work that seeks to exploit whatever is the most expeditious route to the Intellectual Property that they're targeting."^[28]

353. In the past, China has made use of legitimate licensing agreements, entered into in good faith by UK companies, to advance its technological capabilities. Through such agreements, China pays for the technology and the skills, equipment and expertise it requires to produce the technology, without taking ownership of the IP itself.
354. For example, in the 1970s, China entered into an agreement with Rolls-Royce to manufacture, under licence, the Rolls-Royce Spey Mk 202 jet engine. This gave China access to advanced technology that it could not, at that time, produce itself. In time, the Chinese produced their own variant of the Mk 202 engine, which was subsequently used in the JH-7 fighter-bomber aircraft used by the People's Liberation Army (PLA) (and produced for export, with the potential to undercut UK and other Western defence exports).^[29]Thus, British technology is used today by the Chinese armed forces to advance the CCP's ambitions.

355. Notwithstanding a notable, more recent, hardening of the Government's rhetoric and action towards China,^[30] it is likely that the UK Government—as well as the Devolved Administrations and local government—will continue to court investment from China to a greater or lesser degree. The (then) Prime Minister said in October 2021: "I am no Sinophobe—very far from it. I'm not going to tell you that the UK Government is going to pitchfork away every overture from China."^[31] Indeed, it was reported in February 2022 that the (then) Prime Minister had asked the (then) Department for International Trade to set up a meeting ​ of the ministerial-level UK-China Joint Economic and Trade Commission, which had not met since 2018.^[32]
356. While foreign investment is often positive, it also provides a legitimate route through which the CCP can acquire technology to which it may not otherwise have had ready access, and which it can transfer to China and use in ways which may be against the interests of the UK and its allies. When proposed investments are in high-tech industries with potential 'dual-use' (i.e. civilian and military) applications, this is of particular concern from a national security perspective.
357. In 2020, the JIC assessed that the main potential threats from foreign investment were that: our adversaries' defence and intelligence capabilities are thereby developed; CNI and related supply chains are interrupted; and ***. Investment can also enable espionage and be used to gain influence, credibility and leverage over the UK.^[33]
358. All of these considerations are relevant to Chinese investment in the UK. The assessment acknowledged that the majority of Chinese investment in the UK is almost certainly in non-sensitive sectors,^[34] but noted significant investments in sensitive sectors including ***. Furthermore, investments in areas not traditionally considered sensitive can also have national security implications.^[35]
359. The CCP views investment in UK companies as a legitimate means to access and transfer "strategically important knowledge" to China.^[36] This information is not restricted to the design of the technology in question, but often includes the knowledge needed to manufacture the product, including "physical skills (e.g. machine use), labour organisation, factory and machine design and construction, research skills and quality assurance procedures".^[37] As a consequence, "acquisitions by Chinese companies of UK defence and aerospace companies often include a plan to improve the production capability of the Chinese company and the construction of a new factory in China".^[38]
360. This is the 'added value' that China obtains from its legitimate investments. A 2019 Intelligence Community assessment paper noted:

     Foreign Direct Investment allows Chinese entities to master the complex interconnected systems involved in manufacturing a product from concept to production. There is a remote chance individual human experts or data acquisition alone could provide this level of insight in most cases.^[39]

361. While Chinese acquisitions in a broad range of sectors could be of potential national security concern, the risk is most acute in the defence sector. The Intelligence Community told the Committee that acquisitions of UK defence companies by Chinese companies ​ present a threat to UK national security ***.^[40] Due to China's legal requirement for co-operation by its companies and citizens, and its Civil-Military Integration doctrine, it is highly likely that defence-relevant technologies in China will be incorporated into its military supply chain, which is dominated by state-owned enterprises.^[41]
362. Civil-Military Integration is a key driver of Chinese military modernisation as it exploits civilian technology for military applications with no acquisition cost to the state. The Intelligence Community told the Committee that as China advances economically this will almost inevitably lead to Chinese military advancement, since commercial power in the technology field provides "extensive opportunities to support military technological advancement and expansion".^[42] Commenting on the highly integrated nature of the Chinese state, MI5 told the Committee:

     China … is absolutely determined to accelerate as rapidly as it can its rise to global pre-eminence across a range of economic and technological fronts, and I don't think within their system that a distinction is drawn between national security or economic prosperity. I think they absolutely see these two things as intertwined and … within their own doctrine of Civil-Military Integration, they are very explicit about that and they are also very explicit about expecting both state-owned enterprises and private sector companies, as so far as that means anything in a communist state, to contribute to the whole-state strategic goals. So we … [have] a China that integrates its own efforts in a very strong and effective way.^[43]

363. The threat is exacerbated by the fact that the provenance of an investor is not always readily apparent. While in most cases Chinese investment in a foreign company is overt, it is highly likely that the Chinese state, and some Chinese companies, would attempt to obfuscate Chinese ownership in order to avoid scrutiny when purchasing or investing in UK companies.
364. Despite increased scrutiny, Chinese investment remains a significant concern. In September 2020, *** assessed that there was a risk that China would seek to buy companies in financial difficulties (particularly due to Covid-19) at cheap prices in order to acquire valuable IP in areas including emerging technology, advanced manufacturing and military development.^[44]

365. In addition to China's own foreign investment plans, inward investment into China has offered opportunities for technology acquisition. A foreign company investing in certain industries in China was, until 2019,^[45] required by law to enter into a joint venture with a Chinese company. In such joint ventures, the foreign company could not hold the controlling interest and may have been subject to requirements under which they had, in effect, to ​ transfer their technology to the Chinese partner.^[46] A decision to invest in the lucrative (and expanding) Chinese market is, therefore, often a trade-off between short- to medium-term gain and the likely loss of control of proprietary information.
366. The Intelligence Community previously reported examples of China targeting UK Industry (***) to obtain intelligence, broader information and skills through such joint ventures:

     ***^[47]

367. Such actions may have been entirely legitimate commercial engagements under Chinese law, with UK companies being aware of the risks they were subjecting themselves to. However, it is also possible that joint ventures could be used to steal technology and data. MI5 told the Committee that China could:

     spot something it likes, to get quite close to that, [and] to get to the point where you are looking at a joint venture, you host a visit, you get lots of the [employees of the] Chinese company that you are going to do the joint venture with coming round, they look at how you are set up, they look at your factory, they spend lots of time and then—at the last minute—the joint venture collapses and a few months later you see [your own technology] produced by China cheaper.^[48]

368. The critical and far-reaching importance of technical standards set by international bodies was raised by Director GCHQ in evidence to the Committee in October 2020, when he noted that the Chinese strategy to increase its presence at standards-setting bodies meant that it had now begun to dominate them. He cited the International Telecommunication Union and 3rd Generation Partnership Project influential telecommunications technical standards-setting bodies—as organisations in which China has acquired disproportionate influence, including numerous leadership positions.^[49] The Intelligence Community judge that:

     China is using international forums to shape emerging international standards on key emerging technologies. Defining international standards will enable China to shape technology to suit its own values and priorities, which may differ substantially and be at odds with those of the West. There are significant concerns over the susceptibility of data to state acquisition and exploitation, and the compulsion to accept Chinese norms and standards even if they do not comply with our own. An example of this would be concerns over a free and open internet, compared to China's commitment to central state control over information flow.^[50]

369. Influence over international standards-setting fora is extremely valuable from a commercial perspective. If companies from a given country in this case, China—own the ​ 'standard essential patents' necessary to implement the technical standards in question, all other companies will have to license the patent.^[51] As well as an immediate commercial gain, such influence can also have long-term, strategic consequences, as future technology development may rely on the same or similar patented technology, thereby helping to embed a commercial and strategic advantage. In other words, if China has influence over the technical standards, it can influence the long-term direction of travel for technology development—with all the economic and national security implications that this would have for the UK and its allies.
370. One example of this is the use of Chinese technology in so-called 'smart cities' (or, as the NCSC has referred to them, 'connected places') which rely on Information and Communication Technology and the Internet of Things devices to collect and analyse data to improve municipal services.^[52] The online forum 'Just Security' has reported that smart cities are an integral part of what it describes as China's "AI-driven domestic repression, with highly escalated surveillance capacities" and that China is shaping the international debate around normalising the use of such technology "by flooding the zone of multi-lateral tech-related diplomacy". It cites China's "ability to exert influence at tech-standard setting bodies, like the International Telecommunications Industry (ITU) where interoperability standards for the future are set [and where China's] aim has been to push China's preferred protocols as the global default for Internet of Things and other emerging technologies".^[53]
371. MI5 told the Committee that Chinese dominance of technical standards would *** create opportunities for China to influence the future of the internet:

     if China, say, were to be in a position to substantially influence or even control the future generations of technical standards, with large parts of the globe then essentially following a Chinese technological agenda … that would inevitably … ***, because at the moment the global standards essentially were set in the US in the 70s around the internet protocols and so forth.

     If gradually over the next few decades you were to shift to a model where states control the internet, that has huge obligations for freedom of speech and very long-term national security implications in that sense, because … China could be in a position to persuade a lot of other states to side with it around having a more kind of authoritarian view, not just on the standards of how the internet runs technically, but what control states are able to have over content within their own borders.^[54]

​

372. While China is adept at exploiting legitimate routes to advance technologically, it also utilises the full range of its espionage capabilities. The NCSC told the Committee:

     to fulfil any national strategic outcome … [the Chinese Communist Party] will use the [intelligence] capabilities they've got-be it cyber espionage [or] human espionage—and they really don't seek a distinction... of using those capabilities for purely national security reasons. They see the whole spectrum of strategic national outcomes as being fair game for those capabilities.^[55]

373. China uses its covert capabilities to target other countries' technology, IP and data in order to—as previously noted—"bypass costly and time-consuming research, development and training".^[56] This gives it a significant commercial advantage and, over time, strategic advantage.
374. This looks set to continue—and to increase: ***.^[57] ***.^[58]

375. The ChIS have *** human intelligence (HUMINT) capabilities. They seek to identify individuals who have access to sensitive information which is of particular value to them—"*** providing easier access to otherwise restricted UK military or commercially sensitive information".^[59] For example, China uses opportunities provided by ***, or by social media to recruit individuals. MI5 told us that:

     the use of LinkedIn, the social/professional networking site, for example, is very widespread … well over *** UK-based individuals [have been] the subject of a very light initial approach ***, where someone is presenting [themselves] as maybe a consultant who is interested in an article this person may have written or wishes to invite them to a conference and … seeing whether they can suck this person into some … form of communication away from the LinkedIn site, perhaps email—and then maybe, if this develops, there is an invitation to a conference or a seminar, or somebody gets paid a small sum for writing an article …^[60]

376. ***.^[61] ***.^[62]

​

377. ***.^[66] According to the Ministry of Defence (MoD), Chinese delegates make more requests to visit defence industry and defence sites than any other nationality and are by far the most numerous nationality to visit sites controlled by the MoD's International Visits Control Office (IVCO), showing particular interest in sites connected to the aerospace sector.^[67]
378. The Committee was told that, whilst attending visits, Chinese delegates have ***, been extremely forward in their questioning, ignored instructions not to photograph items of interest, and may in some cases have smuggled cameras and recording equipment onto visit sites.^[68] The Committee is concerned that such events may have been used to collect industrial information (potentially including IP) as well as personal information on individuals of interest working within the defence sector. ***^[69]
379. When we asked about the scale of the problem, MI5 told us:

     we do from time to time hear reports from *** of visits of whatever sort where Chinese individuals have sort of taken photographs when they've been told not to, that sort of thing … as a general rule, people in particularly advanced technology sectors, when they are receiving Chinese delegations, would be wise to be alert to the possibility that their visitors will be seeking to acquire more in depth insight or information than their host intends, so it pays to manage those kinds of visits carefully.^[70]

     However, MI5 noted that to a certain extent some such activity might be expected from any foreign delegation, and emphasised the need to keep such incidents in proportion: "***".^[71]

380. When we asked the Chief of Defence Intelligence (CDI) what more could be done to prevent the exploitation of trade shows, he acknowledged that there were significant difficulties in doing so, but suggested that instead the focus should be on ensuring that both ​ the authorities and industry representatives were aware of the threat in order to limit any potential damage:

     It's difficult, I think, in that circumstance to prevent people from coming often to those defence exhibitions which are not MOD controlled; [they] are often commercial activities. *** China is an exporter of weapons, sells about 5% of the world's exports currently …

     *** banning those Chinese companies who of course have a commercial right to be able to sell their goods would be a difficult thing to achieve.^[72]

381. Equipment Interference (EI) (described in Part One of the Report) refers to techniques used to obtain communications, equipment data or other information from a range of types of equipment. It is, relatively speaking, a low-cost means of acquiring IP and data—it can be conducted remotely, deniably and at-scale, and as such is a technique highly valued by China.^[73]
382. In 2015, the UK and China signed an agreement that prohibited cyber-enabled theft for commercial (rather than strategic) advantage. China subsequently made similar bilateral declarations with the United States, G20, Australia and Germany.^[74] ***.^[75]
383. We were told that there was frequent Chinese cyber targeting of UK companies and academic organisations, much of which ***. Chinese cyber victims include those with legitimate relationships with Chinese partners on science and technology ***.^[76] ***.^[77] ***.^[78]
384. As well as conducting EI against UK-based organisations, the Committee was told that attacks have included targeting Academia, as well as supply chains and third-party service providers (including Managed Service Providers for instance, companies which provide outsourced IT functions).^[79] EI can be used to obtain technical information or to harvest Bulk Personal Datasets ***.^[80] ***.^[81] ​
385. The cyber threat from China emanates principally from the Ministry of State Security and the PLA. These organisations are almost certainly responsible for ***, and their cyber activity is closely correlated with the Chinese government's economic and military development goals.^[82]

     APT10

     APT10^[83] is one of the best-known Chinese hacking groups, and has carried out numerous malicious cyber campaigns on behalf of the Chinese Ministry of State Security (MSS). *** it has targeted government, defence, mining, information technology, *** with victims identified worldwide, including in Europe, Asia, and the United States ***. ***.^[84]

     In 2016, *** it was detected that there had been a large-scale compromise of a number of Managed Service Providers (MSPs) (companies which provide IT and network support, including hosting emails). The attack, widely known as 'Cloud Hopper', facilitated economic and strategic espionage.

     The UK Government publicly attributed the Cloud Hopper MSP campaign to APT10 in December 2018, linking the group explicitly to the MSS. This was the first time that HMG had publicly named elements of the Chinese government as being responsible for a cyber campaign.^[85]

386. China's sophisticated cyber capabilities could, in theory, be employed to conduct a cyber attack against UK infrastructure. ***. In the words of NCSC:

     on cyber attacks that [the Chinese] undertake, ***.

     *** they use their intelligence capabilities very much for ***. They do have offensive cyber capabilities. *** exercising those cyber capabilities *** … around the blurring of some of their capabilities … I think absolutely we're alive to them using cyber as a means to enable HUMINT and the other way round and so work very closely together to sort of make sure that ***.^[86]

​

387. As noted previously, the CCP is clear—including through its 'Made in China 2025' strategy—about its ambition to become the world leader in advanced technologies such as AI and new synthetic materials. UK scientists and academics are at the cutting edge of the development of many of these technologies, however, despite this, successive UK Governments have been criticised for failing to act to protect UK science and technology against Chinese economic influence and espionage. This is a point which the Government has acknowledged. In December 2020, the Committee was told by the Deputy National Security Adviser (DNSA):

     in the past we have perhaps not had as rigorous a process at identifying, across the board, what needs to be protected based on our sovereign interest. We've had a very sophisticated process in some areas, so for example Critical National Infrastructure, which includes energy and so on. We've been weaker [historically] in other areas, for example emerging technology, potentially strategic suppliers and interdependences and data and telecoms infrastructure particularly.^[87]

     However, the DNSA emphasised that there was now increasing recognition of the problem, and that matters were beginning to improve:

     I think we have, over the past couple of years, been very conscious that we needed to both fix the system and get after some of those very specific threats in a more cohesive way across the whole of Government, and with a structured policy framework and new infrastructure …^[88]

388. In August 2020, the Government had, through its Emerging Technology Board, identified a number of critical and emerging technologies:
     • Artificial Intelligence and Machine Learning;
     • Robotics and Autonomous Systems;
     • Quantum Technologies,
     • Engineering / Synthetic Biology;
     • Mobile or Consumer Telecommunications;
     • Advanced Materials;
     • Novel Connectivity,
     • Digital Finances;
     • Imaging, Sensors and Photonics;
     • Space-related Technologies; ​
     • Smart Cities;
     • Fuels from Alternative Sources;
     • Energy Storage;
     • Privacy Enhancing Technologies;
     • Human Augmentation; and
     • Nanotechnology.

     We were told that the next step was for a cross-HMG agreement as to "the technologies the UK wants to Own, Collaborate and Access". As part of this effort, the Cabinet Secretary commissioned a review to:

     look at the wider issues for delivering strategic advantage through S&T [science and technology] alongside making 'clear, proactive and strategic policy choices on the science and technologies that will matter most'.^[89]

389. In June 2021, the Government announced the establishment of a new Cabinet Committee, the National Science and Technology Council, to "provide strategic direction on the use of science and technology".^[90] The Council is supported by a new Office for Science and Technology Strategy, based in the Cabinet Office, which is intended to "strengthen the Government's insight into cutting-edge research and technologies" and "identify what is needed to secure and protect the capability in science and technology required in the UK to deliver the Government's ambitions".^[91] The Government's Chief Scientific Adviser was additionally appointed as the National Technology Adviser.
390. In terms of the Intelligence Community's contribution, SIS and GCHQ have also been tasked to collect strategic intelligence ***. In 2019, SIS and GCHQ were tasked to:
     • ***
     • ***
     • ***.^[92]
391. We were subsequently advised that this tasking would be replaced with the following policy outcomes to which their intelligence is expected to contribute:
     • ***
     • ***
     • ***.^[93]
     ​
392. Director General MI5 told the Committee that he had seen an improvement in joined-up thinking on these issues:

     I think I would be more concerned if we remained in a position we probably arguably were in five or ten years ago, where the national security community within Government and the prosperity community weren't really talking to each other—because I think that to do this well we really do need to integrate our understanding across both these domains to make the best possible choices.^[94]

393. As noted in the main body of the Report, the Government has previously failed to take national security into account when considering foreign investment. Two developments in recent years have improved the situation: the introduction of new legislation to strengthen the Government's powers to intervene in potential investments on national security grounds; and the introduction of new processes for the Intelligence Community routinely to provide input to central Government on the security implications of potential investments.

394. Prior to 2022, the power for Government to intervene in mergers and acquisitions was drawn from the Enterprise Act 2002. It set a very high bar for government intervention: the Intelligence Community were clear that, under the Enterprise Act, "levers for HMG intervention in Foreign Direct Investment cases [were] limited".^[95] Ultimately, it proved to be an ineffective mechanism from a national security perspective: in October 2020 the DNSA told the Committee that the Act had "only been used six times between 2004 and 2009 and then six times since 2017, so it is not a thing we can very readily bring to bear in some of these cases [of national security concern]".^[96] Four further interventions were made in 2021. Of these 16 interventions, none had resulted in a deal being blocked.
395. The Government sought to remedy this situation through the National Security and Investment (NSI) Act 2021. The NSI Act, which entered into force in January 2022, designated the Secretary of State for Business, Energy and Industrial Strategy (BEIS) as the single decision-maker in cases of acquisitions (of companies, assets and IP) which may have an adverse impact upon UK national security.^[97] The Secretary of State was to be supported by a newly created Investment Security Unit (ISU) sitting in the (then) Department for Business, Energy and Industrial Strategy.
396. The ability of a Secretary of State now to intervene in mergers and acquisitions was described to the Committee as a "big upgrade" in the Government's "investment screening capabilities and powers".^[98] Interventions may be made in any acquisition that grants control of a company, regardless of company size or sector, as long as there is a sufficient connection. to the UK. The NSI regime also utilises a combination of comprehensive market monitoring ​ and notification by industry (both voluntary and mandatory, dependent on the threshold), although interventions are not strictly contingent on notification. In 2018, the Government anticipated that there would be 200 notifications from industry each year, of which around half would raise a national security concern. However, by September 2020, HMG was estimating that there would be between 1,000 and 1,800 notifications per year from industry—although they still considered that fewer than 100 would be called in for review under the legislation.^[99]The remainder are subject to a national security assessment. If the Government decides national security is at risk, it could impose remedies where necessary and proportionate.
397. NCSC explained that Huawei's 2012 purchase—from the East of England Development Agency, then a UK Government non-departmental public body—of the Centre for Integrated Photonics (CIP), is the sort of case in which the Government should intervene:

     one of the things is we have allowed foreign investment to take early-stage technology out of the UK. … Huawei bought [CIP] for 70 million quid [British pounds] because it was going under. That's how they got a head start on 100GB optics. That's not something we should allow to happen. There was no law in place … that would allow us to stop that.^[100]

398. As noted above, under the NSI Act, a team called the ISU was established in BEIS to co-ordinate advice and expertise from across Government on the risks from potential foreign investments. It took an 'actor-agnostic' approach to investment scrutiny, considering each case on its merits rather than solely through the prism of country of origin. The ISU replaced the Investment Security Group (ISG), which had been established in May 2017 as part of the Cabinet Office and which had been performing a similar function. During the passage of the NSI Act, Parliament was told that the ISU "will work closely with the security agencies and other departments with real sector expertise".^[101]
399. The Intelligence Community's input into the ISU is now channelled through ***, a joint team from the Centre for the Protection of National Infrastructure (CPNI—accountable to MI5) and NCSC (part of GCHQ). Established in July 2020, it is designed to "bring coordination to the identification and mitigation of the national security risks posed by a sub-set of foreign investment transactions".^[102]These new arrangements enhance the Intelligence Community’s ability to draw on secret intelligence to inform the work of the ISU and ministers’ decisions.
400. As of September 2021 (when the NSI regime had not entered fully into force), the joint team was providing support to the ISU on *** investment cases.^[103] Between July and September 2021, the joint team received *** 'triage' requests from the ISU, a quarter of which related to proposed investments or acquisitions from China (not all triage requests will result in ongoing support from the joint team).^[104] Following the NSI Act entering into ​ force in January 2022, the joint team has sight of all notifications under the new Act, and provides advice ***.
401. ***^[105]
402. The Joint State Threats Assessment Team (JSTAT), NCSC and DI also provide *** reports to inform the work of the ISU.^[106] In addition, the National Security Strategic Investment Fund (NSSIF)—a collaboration between the UK Government and the British Business Bank—provides ad hoc advice to policy-makers in respect of investment security matters.^[107]
403. MoD also provides subject matter expertise and advice to help inform investment scrutiny processes and export licensing decisions (the latter being a separate issue from foreign investments, but nevertheless highly relevant to the protection of the UK's IP. A new Defence Investment Security Team was established in 2017 to co-ordinate this work within the Department and link into wider cross-Government investment security processes. CDI told the Committee:

     we provide advice both through [the cross-Government investment security process] and directly to the Department of International Trade on end user[s] of high-tech goods and looking at export licence applications. So in 2017 there were *** export licence applications for China looking at the security goods; [in] 2019, there were ***, so they are expanding; we've received over *** this year so far. That proportion is probably about ***% of the export licences that we review using the intelligence available to us and so far this year we’ve recommended a refusal of *** of those applications, because we believe they’ve met the threshold where those technologies should not be transferred out to China. Then, of those, over *** have been refused by DIT, *** are still being considered and *** were overturned.^[108]

404. Overall, the challenge of disrupting malign Chinese investments is a significant one. As MI5 told us:

​

as we get into places where Chinese investments in our economy are as much of a threat as Intellectual Property stolen across a cyber domain or by a spy, that is a deeper and broader issue ***

… a lot of the damage, some of it is not deeply clandestine, some of it is sort of hiding in plain sight—but trying to form wise judgements across the whole of Government and beyond, into Academia and elsewhere, is a genuinely difficult challenge and that is where I think we will face, over the next few years, some really interesting things about how do we build that teamwork to meet a whole-of-state Chinese approach with, as it were, a whole-of-nation, UK approach.

The answers are not always straightforward, but it is the changing nature of it—well beyond, as it were, the intelligence domain—that is the trickiest part.^[121][122]

405. As noted in the main body of the Report, MI5, CPNI, and GCHQ (through the NCSC), provide vital advice on protective security and cyber security to Industry, with a view to increasing the UK’s resilience to threats (including from China). MI5 highlighted the importance of this engagement:

     We need to have a resilient, well-protected, well-educated industrial base that protects itself in its dealings with China, and we obviously do, I think, a good and professional job in using the finite operational capacity that we have *** the worst and most damaging parts of what’s going on…^[123]

406. In July 2019, the Chief Executive Officer of the NCSC told the Committee: "In our role trying to defend the UK from cyber-attacks, China's ambitions to steal IP is one of the principal things that we worry about."^[124] One of NCSC's key tasks is therefore to engage with Industry in order better to understand the vulnerabilities in their systems and to share information about threats they may face. While much of the information they provide is 'actor-agnostic', it is highly applicable to the cyber threat from China.
407. Examples of NCSC's recent work with Industry include collaborating with small Voice over Internet Protocols providers to improve their protection against cyber attacks; ​ working with the Prudential Regulation Authority to issue guidance on Cloud-based security to companies in the finance sector; and partnering with MoD to deliver workshops on secure IT networks to companies in the defence sector.^[125]

408. CPNI—accountable to MI5—has a preventative and advisory role, providing protective security advice to Industry and the Government. It follows a "threat-focused and intelligence-led" approach to engagement, allocating resources to sectors, industries and businesses where there is evidence of Chinese desire to gain technology, IP and Information Data.^[126] Around ***% of CPNI's work is directed towards countering Hostile State Activity (HSA), and it works with cross-government partners "to raise awareness of the threat, identify vulnerabilities, and to provide advice and mitigations".^[127]
409. *** CPNI says that it has been able to feed in information to MI5 that has been reported to it by Industry, resulting in leads and investigations being opened, the development of existing investigations, or the successful conclusion of an investigation.^[128]
410. Action is being taken to provide advice on the risks presented by certain types of engagement or approaches from Chinese actors. One such initiative—Project CONISTON^[129]—was an awareness-raising campaign run by CPNI that highlighted the use of social media by hostile actors to target and recruit UK nationals working in HMG and Industry. During the campaign, CPNI released information about an investigation to allow Industry partners to assess their level of exposure and set up groups (***) to allow Industry partners to share the results of their internal investigations.
411. There is some indication that the message is getting out to the right places. MI5 told us that:

     awareness is growing, but it's not yet as fully embedded in the sort of UK bloodstream as it will need to be in the years to come. So we do these days receive more proactive tip-offs from people who have realised that they have received some kind of approach, whereas ten years ago more often we were noticing first and then alerting the individual or company involved.

     … [the] balance is shifting through good work done in lots of places over the last decade or so, and I think the … public discourse around things like Huawei and 5G, Hong Kong and so forth is … raising wider awareness within the business community that they need to be quite thoughtful about the risks they may be exposed to; and then on particular things like the 'Think Before You Link' campaign that we've run, that has ​successfully … generated more awareness and more leads for us to pursue into possible intelligence activity.^[130]

412. CPNI also briefs Industry where intelligence indicates there is specific Chinese intent to target certain companies or sectors. For example, NCSC worked with CPNI to assess security practices at a *** site. This involved a comprehensive review of site risks ***. As a result, additional measures were put in place at the site. However, given the wide range of individuals, assets and organisations, it is clearly difficult to detect and disrupt every incident.

413. DI also provides briefings to industry and government partners where it has information and expertise to share. CDI told the Committee that DI provides focused intelligence briefings to elements of the defence industry in order to ensure that they understand the level of threat posed to them, and also to provide oversight and assurance "to ensure that they're adopting the appropriate security protocols to protect themselves".^[131]
414. In addition, DI provides security advice to Defence Equipment & Support (DE&S), a part of MoD that provides security accreditation for defence contractors and controls access of foreign nationals to UK defence industry sites through the International Visits Control Office (IVCO).^[132]

415. In September 2020, MI5 told the Committee that "in line with HMG policy, we are now seeking to identify where MI5 can add further value to defend our economic resilience".^[133] Director General MI5 described this as "widening the aperture", a process he said was necessary given "Chinese investments in our economy are as much of a threat as Intellectual Property stolen across a cyber domain or by a spy".^[134]
416. In addition to providing support to the Government's investment security processes through the aforementioned joint CPNI and NCSC team, and providing advice to Industry, MI5 also has a key role in disrupting the most acute economic espionage threats from China. In relation to IP and data theft, MI5 say it focuses on: ***.^[135]
417. Under current UK law, it is not a criminal offence to be an agent of a foreign intelligence service, and, as such, prosecution of suspected Chinese spies committing economic espionage in the UK is rarely possible. While the Government has committed to bringing in new legislation to rectify this,^[136] and MI5 has supported the introduction of a specific 'economic espionage offence', at present MI5 has to rely on a range of non-legislative tools ​to effect disruptions; in practice, many of these are the same as for other forms of espionage. These sit under a range of HMG tools, which are outlined earlier in this Report, and include:
     • interviews: there may be a discussion arranged with an individual ***;
     • the removal of security clearance from British nationals with access to sensitive information who pose a national security risk, including those who may have been in contact with foreign intelligence services (***);
     • the lawful expulsion of intelligence officers should they be found to engage in activities contrary to the UK national interest;
     • the issuing of MI5 'Espionage Alerts' to affected industries and foreign partners, to increase awareness of the activities of suspected intelligence officers^[137]; and
     • visa action: as is standard, the Home Office can consider revoking a visa on the grounds that someone’s presence in the UK is 'not conducive to the public good' (***); and official reprimands, under which a warning is conveyed to foreign liaison officers regarding the activities of foreign intelligence services.

418. GCHQ engages in cyber operations that expose and disrupt the activities of Chinese state-sponsored hackers. This acts both as a 'tactical' tool, in that it counters individual groups, and 'strategic', in that it has the potential to undermine the credibility of such groups within China—with ramifications for China's credibility as a state actor ostensibly opposed to cyber operations. The Intelligence Community have noted that they have dedicated significant effort to identifying and building knowledge of the Chinese cyber actors ***. ***. The naming of APT10 in December 2018 is a key result of this Intelligence Community effort.

419. In 2020, DI told the Committee that it provides Analysis & Assessment to MoD and HMG partners (such as CPNI, JSTAT and the ISG) and policy-makers on the threat to the UK defence industry from China. In one such example, DI provided assessment on a case that allowed the (then) Secretary of State for BEIS to intervene in the acquisition of a British company (***) by a Chinese-owned company (***). A public interest intervention notice was issued under the Enterprise Act 2002, meaning that the transaction was subject to a ​ report by the Competition and Markets Authority, and leading to the Chinese-owned company withdrawing from the purchase.^[139]
420. CDI further explained the role that DI and its partners play in ensuring the physical security of both MoD and industry sites:

     We’ll also ***, often in conjunction with MI5 and other partners, to ensure that we test the security and efficacy of both our own facilities but also part of the commercial facilities as well***.^[140]

421. DI also plays a role within the National Cyber Force (alongside wider MoD personnel, GCHQ and SIS). The Agencies told us that "the National Cyber Force (NCF) … is expected to deliver a step change in the nation's cyber capability, and enhance the UK's position and reputation as a top-tier cyber power. The growth of the NCF will make increased [offensive cyber] capacity available".^[141] The Agencies noted that:

Since the NCF was stood up, on China specifically ***^[142]