The end of Hong Kong? | Russia's historic cyber-attack

😠 Do better 2021.

*Before we get started, we’ve got a few very quick questions (<3 mins) we’d love you to answer. You can find the survey link here and again at the end of this email*

Good morning! A warm welcome to the 58 new subscribers joining the International Intrigue community.

So, we took this week off, what did we miss? Oh right. The whole insurrection thing. There’s really nothing funny about what happened in Washington this week, except maybe this:


Jay Kay subsequently assured fans that despite being known for virtual insanity, he wasn’t at the Capitol. In other news, Twitter (and other social media) banned Trump. There were lots of hot takes, including from one of us.

So this week, we think you can be forgiven if you missed everything else that was going on in the world. It’s our job to catch you up!

  • 🌄 53 democracy activists were arrested on ‘suspicion of subversion’ in Hong Kong

  • 💻 Russia hacked into critical US organisations in an historically sophisticated cyber-attack

If you like International Intrigue or if it’s your first time reading, we hope you’ll consider subscribing so we can continue to grow our community!

🌄 Hong Kong: one country… one system?

On 6 January, 53 Hong Kong pro-democracy politicians and activists were arrested under the territory’s National Security Laws:

  • Why? They were detained on ‘suspicion of subversion’, i.e. undermining the Chinese government’s authority.

  • What did they do? They ran for office in Hong Kong’s elections, which were ‘COVID-postponed’ anyway.

Most days, these events would have been front-page. But it’s 2021, the metastasised version of 2020. And, in terms of distractions, Hong Kong authorities really could not have timed it better. Global media fixated on the US Capitol riots - Chewbacca bikini bloke got a lot of airtime - and rumours swirled on Kimye’s divorce 🥱.

Distractions aside, the events in Hong Kong are important because:

  • ⚖️ They show how Hong Kong’s vaguely-worded National Security Laws (enacted last year to target ‘separatism, subversion, terrorism and collusion’) will be used.

  • 🐒 They deter future subversive acts by cracking down hard on dissidents - a classic example of the Chinese idiom ‘kill the chicken to scare the monkey’ 杀鸡吓猴.

  • 👮🏻‍♂️ A foreign citizen (an American) was arrested for the first time under the laws, highlighting China’s confidence about enforcing these laws without fear of rebuke.

Back to basics: what is ‘one country, two systems’?

To understand how we got here, it’s helpful to know Hong Kong’s history:

Hong Kong was a British colony for 150+ years, thanks to the Qing Dynasty’s anaemic efforts in the Opium Wars. The Brits ‘leased’ Hong Kong for 99 years as the spoils of war: a solid win for Britain which allowed access to Hong Kong’s o̶p̶i̶u̶m̶ ̶m̶a̶r̶k̶e̶t̶ deep harbour and gave proximity to Asia.

When the lease ended in 1997, the Brits (fronted by a glum Prince Charles) dutifully ‘restored’ Hong Kong to China with the proviso that China would govern it under a separate political and legal system until 2047. Hong Kong would have rights like free speech and assembly until then, and would keep its capitalist economic system.

To many, the ‘Asian Dragon’ Hong Kong of the 1990s and 2000s was the pinnacle of capitalism (some liken it to an Ayn Rand creation). With its free market economics, low taxes, and limited government, Hong Kong made the Wolf of Wall Street look like Fargo. It reigned as the world’s freest economy for 25 years, until Singapore beat it in 2020.

The slow erosion of Hong Kong’s political autonomy

Hong Kong's political and legal systems were largely insulated from Beijing, which provided a high degree of political freedom. This meant it was treated as a separate entity to mainland China, and was able to establish special deals with other countries (e.g. the US).

For a while, Hong Kong was seen as a beacon for democratic values and rights. It was always on borrowed time until 2047, when it would ‘officially’ revert to full Chinese control, but few expected the clampdowns to come down this hard or fast.

The erosion of freedoms during 2014’s Umbrella Movement, 2019’s Extradition Protests, and 2020’s National Security Laws shocked governments globally.

The latest clampdown is meant to deter those who disagree with the central government’s agenda - very on brand with China these days. How outrageous in a democracy to try and replace a leader you don’t agree with by winning an election!

Zoom out: still China’s golden goose?

Is this the end of Hong Kong as we know it? Its prized political independence is gone, and its economy represents only ~3% of China’s GDP (down from ~18% in 1997).

On the other hand, Hong Kong will probably remain a key global financial hub for the foreseeable future. Why? Because of its economic importance to China:

But the National Security Laws are increasingly choking out Hong Kong’s remaining political freedoms. And the more chickens slain to scare the remaining monkeys, the higher the risk that the golden goose also takes a hit.

💻 Six questions you didn’t know you had about the Russian cyber-attack

1. What happened?

Russia is up to its old tricks again. Take your eye off them for a minute, or four years, and they get all overexcited and hack into critical infrastructure. Guys, come on (though it’s not like the US doesn’t do it right back).

Because cyber warfare is secret, whatever becomes public is just the tip of the iceberg. We can only guess at what lies beneath, but we do know:

  • Around March 2020, Russia's elite intelligence agency, the SVR, compromised a US IT company called SolarWinds. The SVR installed malware into a popular SolarWinds product designed to manage networks in big organisations.

  • Not knowing they’d been hacked, SolarWinds pushed out an update which was then downloaded by its customers, giving Moscow access to the networks of about 18,000 organisations that were using the software.

Unfortunately for the US, SolarWinds’ customers include but are not limited to:

  • 🏛 the US Departments of Defence, State, Treasury, Energy, Homeland Security, and others

  • 🌍 NATO and the EU Parliament

  • ✈ Boeing, Microsoft, Cisco, and AstraZeneca.

💡 In short, it's not good. Moscow has/had direct control over some very sensitive (but probably not classified) information.

For deeper background, watch this interview with a former NSA executive.

2. What was/is Russia looking for?

These types of hacks aren’t generally looking for any one thing. In fact, the value often comes from collecting millions of seemingly unimportant puzzle pieces that, when fitted together, become a very useful whole.

For example, imagine what Russia could do by piecing together:

  • people who receive government health care

  • airline passenger records

  • hotel loyalty program data

  • the names of people who've undergone government background checks

Well, actually that's precisely what China did in 2015 to find America's spies overseas.

💡 Thanks to advances in computational power, attackers can now process millions of pieces of innocuous data, which means hacking targets aren’t always classified or protected systems.

3. Why would Russia attack small private companies?

The SolarWinds hack is what's known as a 'supply-chain attack'. Less sophisticated companies in a supply chain are easier and cheaper to hack, and they might in turn have access to, or information about how to hack, a more difficult target.

It’s kind of like how your mum used to ask your friends whether you skipped school instead of asking you directly - she got access to privileged information, upsettingly easily.

💡 In a connected world where private and public companies are integrated, supply-chain attacks are potentially catastrophic and almost impossible to stop.

4. Sounds like some cold war s***. Can't we solve this diplomatically?

At International Intrigue, we often bang on about Cold War 2.0. So if the threat during Cold War 1.0 was nuclear weapons, why can’t we just come up with some globally agreed 'rules of engagement', and develop a deterrence strategy for cyber attacks?

Well, the truth is that not enough thinking has been done about the bigger picture of cyber warfare. For example:

  • What constitutes an attack, and how can we tell how serious it is?

  • If a bank gets hacked, is that a threat to national security? What about 12 banks?

  • What is a proportional response, and what would be legal under international law?

💡 Given that North Korea, China, Iran, and Russia have advanced cyber warfare capabilities, any globally agreed détente seems very unlikely.

5. Can we stop these attacks?

Experts argue that cyber security policy is dominated by perverse incentives to attack rather than defend:

You don't get to shake the President's hand because you patched 100,000 servers, you get that photo because you blew up Iranian centrifuges.

- Alex Stamos, cybersecurity expert

As a result, the US and its Five Eyes network have by far the most powerful offensive capability in the world. But offensive power doesn't really deter asymmetrical supply-chain attacks. For that, countries need a:

… defence-dominant strategy, including a defence-only cyber agency, particularly because cyber attacks are likely to be a precursor to a hot war in the future.

- Alex Stamos, full of great quotes

Okay, so we got a fever, and the only prescription is more c̶o̶w̶b̶e̶l̶l̶ government! But sadly, it's not that easy.

💡 Even if the US (or any country) created a defence-only cyber agency, they can't monitor and protect every single private company in the country.

6. Well, that is suboptimal... but how does it affect me?

What’s needed is a re-thinking of the regulatory environment. If the power of a supply-chain attack is that its targets are disaggregated and weak, then we need national frameworks to strengthen them.

In the future, we might see business environments in free-market economies change significantly:

  • 📜 National reporting requirements: if a company has been hacked, it will have to disclose it. Currently, that really only exists for personal data (e.g. credit card numbers).

  • 🚑 Liability reform: companies need protection from being sued for being hacked, otherwise there will be an incentive to hide and obscure critical information.

  • 💾 Mandated software installations: vulnerable companies might be required to install software to prevent and report hacks.

  • 🤝 A national collaboration mechanism: for real-time sharing of data and collaboration around threats.

  • 🎓 Increased tech-literacy: Boards, shareholders, and investors might begin to factor in the ‘tech-literacy’ of executives, business owners and employees before making decisions.

Ultimately, the rate of change of technology is the key problem. Even following best practices, bureaucracies and businesses can't keep up with possible threats. But as this Russian hack exposes, the way we think about cyber security isn’t just a little behind - it’s rooted in the 1990s. It needs to catch up, and fast.

➕ Extra intrigue

🔎 Intriguing recommendations

Helen: Prince Charles helped launch the ‘Terra Carta’ this week. It’s an effort to integrate and embed climate change considerations into business decision making. Check it out, I think it’s probably something we’ll all need to be across in the future.

John: Now that you’ve had your dose of high-brow, it’s my time to shine. Quant Fund or Metal Band? is the best website I’ve seen in a long time. I got 68% right after 14 guesses… only metal fans (or fund junkies) will beat that!

Thanks for reading! If you enjoyed this edition, hit the like button to let us know.

We have an ask of you, dear and loyal readers: would you mind filling out a very quick survey about International Intrigue? We want to build new things and bring you more irreverent but insightful analysis of foreign affairs and geopolitics - your views will help us!

It’ll take <3 mins, and we really appreciate your time 😇


Please keep the feedback coming, and please keep telling your friends about us. You sharing International Intrigue is the only way we grow.

Until next week!