- China has been stealing data, including DNA files, to advance its economic, security, and foreign-policy goals, the US government says in a recent report.
- China's acquisition of healthcare data is ostensibly part of an effort to become the global leader in biotechnology and medicine.
- But that DNA data, which is like a biological ID, could allow China to target political opponents, foreign spies, and even its own citizens.
- See more stories on Insider's business page.
In February, the National Counterintelligence and Security Center (NCSC) released an unclassified version of its report on Chinese intelligence efforts against US citizens.
The report provides a scathing breakdown of how China has been stealing data, including DNA files, which are like a biological ID of your health data and medical background, to pursue its economic, security, and foreign-policy goals.
On the face of it, China is using legally and illegally acquired healthcare data as part of an effort to become the global leader in biotechnology and medicine. But that data theft reflects a more sinister ambition.
In addition to financial gains, China is using stolen data to target dissidents, foreign intelligence officers, and even its own citizens, including ones spying on their government.
In data, China sees control; in control, it sees security.
Who's Big Brother?
Beijing's focus on data and the creation of a security state where every movement, interaction, and transaction are monitored makes George Orwell's "Big Brother" look like a petty amateur.
China's interest in stolen data isn't new, but it was only in the early 2010s that it ramped up its data-collection efforts. Around that time, the Chinese security services discovered just how deep US intelligence had penetrated China's security and military apparatuses.
The Chinese government's interest in data exceeds traditional security norms. For example, in 2015, the US government revealed that Chinese hackers broke into the US Office of Personnel Management (OPM) and stole sensitive data - including security background forms, fingerprint records, and health and financial data - from millions of current and former US officials and applicants for federal jobs.
Although the OPM hack was an attempt to map out the US national-security community in general, it primarily targeted the intelligence community to determine who works there.
The purloined data compromised several former and current intelligence officers. Equally concerning is the fact that it might endanger future officers and operations and may make the future recruitment of assets inside and outside of China more difficult.
Further, the OPM data offers Chinese intelligence services ample information with which to recruit US assets through blackmail or financial enticement.
Indeed, through successive cyberattacks, China has taken hold of the personal data of much of the American population, regardless of their occupation. (Chinese firms also gather this data by investing in US companies and through partnerships with US researchers.)
In addition to the OPB hack, in the last decade alone China has stolen about 500 million travel and personal records from the Marriott hotel chain, 145 million financial and personal records from Equifax, and 78 million financial, healthcare, and personal records from Anthem.
While data itself used to be hard to come by, the advancement of bulk-data collection over the past 20 to 30 years has made processing, interpreting, and analyzing it in a timely fashion the bigger challenge.
In the 1990s, access to so much data didn't necessarily translate into actionable intelligence, but investments in and rapid improvements to artificial intelligence are changing that.
Different methods of categorizing and storing data won't necessarily solve the problem.
"The most [technologically] advanced security can often be bypassed using an analog [and simple] method. We've seen a number of different strategies being tossed around in the public discourse, from mounting a stronger offense to focusing almost exclusively on buffering our critical infrastructure defenses," a former Air Force officer with a background in joint special operations and intelligence told Insider.
A more aggressive cyberwarfare strategy might be the solution, and the Biden administration has indicated that it will be more active in the cyber realm.
But according to Privacy Matters, a digital security and privacy publication, there are important considerations to make before opening the Pandora's box of cyberwarfare, where there are still no established norms, even among state actors.
What about you?
According to the NCSC report, the ethnic diversity of US healthcare data, as well as that data's accessibility, makes it especially appealing to China.
China's aggressive bulk-collection strategy, especially of DNA files, poses risks for private citizens.
As the NCSC states, the loss of your DNA isn't like losing your phone or credit card. You can't replace your DNA, and its theft can affect you as well as your immediate family and relatives.
Unfortunately, the theft of financial or travel data by Chinese or Russian hackers may not concern people who aren't immediately affected. But losing your DNA is a wholly different proposition, as it's literally your biological identity and can be used to track you or to design a biological weapon tailored to you.
"Things can seem pretty helpless from an individual perspective, especially when we read headlines suggesting the NSA has had their own cyber hacking tools stolen and reused against them," the former officer said.
"We can't very well defend our financial institutions or other companies from Chinese hackers, but we can know what to do when that inevitably occurs and our personal information is leaked online (along with millions' of others)," the officer said. "All of this is to say that maintaining an understanding of your online privacy and digital security is an individual responsibility - all else is supplemental."
For a private citizen, caught in a cyber war between world powers, there are few responses to such theft. Understanding the threat and acting to safeguard the information you can beforehand is probably the best defense.