The Digital Silk Road | Investigation
46:01 Share

Welcome to True Spies. Week by week, mission by mission, you'll hear the true stories behind the world's greatest espionage operations. You'll meet the people who navigate this secret world. What do they know? What are their skills? And what would you do in their position?

This is True Spies. If China's implementing this technology in this way, our concern is, are they teaching other regimes around the world how to implement this technology in the same way against minorities, against religious groups, against pro-democracy movements? This is True Spies. Episode 78, The Digital Silk Road. Every time you browse a website that uses cookies,

Every time you unlock a device with your fingerprint or your face, every time you give it permission to listen for your command, every day you lead a digital life. You're vulnerable to digital espionage. If you're listening to this podcast in an English-speaking country, you might worry most about occasional data breaches and stolen passwords. But in many parts of the world, cyber spying is sponsored and sanctioned by national governments. It's not some looming future threat.

It's already happening every day, all over the globe. And the danger is only growing. Sometimes it's hard to explain to people what the end goal is because we're very short-sighted by human nature. We see what's right here in front of us, what's happening right now. We think we understand what's going on, but unless you zoom out and look at the big picture of humanity,

Some of our adversaries have the long game in mind. And oftentimes our weaknesses, we only see short-sighted. We see what's right here in front of us for the next couple of years. They're looking 10 years out. They're looking 20 years out. China has objectives that are 30 years out already. Chinese espionage isn't something shrouded in secrecy or tucked away in the shadows. It's out in the open, where everyone can see. You just have to be someone who knows where to look.

My name is Charity Wright. I'm a cyber threat intelligence analyst. Charity Wright cut her teeth as a Chinese linguist for the US Army and the National Security Agency. Today, she uses her knowledge of the Mandarin language and her 15 years of experience working in intelligence in the private sector to identify and analyze nefarious activity in the digital world. Threat intelligence is big business these days.

Every major company wants to protect its data. And a lot of bad actors want to get their hands on that data. But it isn't just about protecting the digital security of corporations. The information that threat analysts like Charity dig up can have massive implications for governments and everyday people worldwide.

I've been collecting on Chinese intelligence since 2007, so China has always been my focus, monitoring how they're developing, how they're conducting cyber espionage. Earlier this year, Charity published a report outlining the sprawling scope of China's digital influence as part of its ambitious Global Infrastructure Plan.

and her findings were stunning. It took me several months to complete this report. It was very challenging. There's some parts of this research that was really scary because we're zooming out and we're looking at strategic intelligence, which is what's happening right now, where are things heading, and is this the direction we want the world to be going? Charity works primarily with open source data.

You might be surprised how many unsavory activities take place in plain sight and how much information about them is readily available to anyone who wants to learn. Open source intelligence, which is what you can find publicly, especially if you know where to look and how to find it. There's a lot on the internet that you can find and we spend a lot of time on the open internet and in more hidden websites and on the dark web analyzing threats.

But let's back up. If objectionable online activity is taking place right where anyone can see it, could anyone be a threat intelligence analyst? What do they know that we don't? In the world of cyber espionage, there are hackers, digital trespassers who steal passwords and secrets. There are corporations and nation states that leverage huge troves of data in order to grow their power.

And then there are threat analysts who try to root out bad behavior. The ones who work above board to retrace digital footprints. People like Charity. We are digital spies.

We go undercover. We create false personas. We take on different personalities. Cyber espionage is a complex art. I'm sure there are many in my industry that would call it a science too. What happens is anytime you conduct an activity or a transaction on the internet, you leave some type of trace behind.

Most people do not anonymize their presence on the internet, so those traces can be found if you know how to look and where to look. Cyber spies like Charity get a rather flashy nickname.

They're called threat hunters. Threat hunters know how to analyze network traffic that is open to the public. So you're looking for IP addresses, you're looking for domains that have maybe some trace of malicious behavior in the past. You're looking for patterns and deciphering those patterns and discovering where they're coming from, who's conducting that activity,

what their target is, and what their tactics are. If you're a regular listener to this podcast, you know how often spies find themselves in situations they never expected. They might be stationed in far reaches of the globe, mingling with formidable criminals, proffering carefully crafted lies for closely held secrets. But you never know where life will take you. And that's especially true for a cyber spy.

I started my career in the U.S. Army in 2005. I was attending the University of North Texas

And I was approached by a very large man in an army uniform. And he approached me in the food court of the university campus and said, hey, can I sit down and talk with you? And I was very intimidated. He looked like Shaquille O'Neal in uniform. And he told me about the United States Army Linguist Program.

If the idea of a linguist makes you think of horn-rimmed glasses and elbow patches, think again. A linguist for the US Army can have a rough-and-tumble career. Someone like Charity would likely be sent to a conflict zone to work as a translator or an interpreter behind enemy lines. Now, to be clear, Charity wasn't exactly what you'd call a language person.

Her Spanish was decent enough, after stumbling through classes in high school and stints working in Tex-Mex restaurants at home in Dallas, Texas. But she had no idea that learning new languages was a hidden strength, at least according to the army. I did a battery of tests over a few weeks to test my intelligence and my capability to learn a foreign language.

And somehow I tested into the highest category of foreign language. Unlike in other branches of the military, army recruits don't get to choose what they study. That's up to the army to decide. When Charity was recruited, the Iraq war was in full swing. Naturally, she assumed she'd be learning Arabic, then shipped off to the Middle East.

However, after I graduated basic training, there was 20 of us linguists that graduated together. 19 of them were assigned to learn Arabic and I was assigned to learn Mandarin Chinese. For Charity, the idea of learning Mandarin in just 18 months was daunting and, well, fair enough.

The program is extremely intense. We start our day doing Army physical training at five in the morning.

and we're in a classroom by 8 in the morning. And from 8 a.m. to 4 p.m., you're only using Mandarin. I never really had great grades. I always considered myself a little bit behind as an academic. And up until that point, I really just didn't believe in myself. But the Linguist Program gave me that opportunity.

and testing into it gave me confidence that, hey, if they say I'm capable, then I'm going to give it my 100%. After her training, she was assigned to work for the National Security Agency, doing real-time translation and intelligence analysis.

I worked at NSA from 2007 through 2011 in Hawaii. I worked in a SIGINT role, Signals Intelligence, and my work at the NSA really helped me hone my language translation skills, especially related to Chinese military terms and topics.

and really gave me the insight I needed into what is China doing behind the scenes that nobody else sees. Four years at the NSA laid the groundwork for a dynamic career in intelligence. But by 2011, Charity was looking for a change.

I gained many years of experience in the national security and intelligence community, and I came to a point in my life where I had to make a transition. I'd gone through a really tough divorce and became a single mom of two kids, and I knew I need to provide for these children on my own.

When I moved back home to Dallas, Texas, I was looking for jobs in the intelligence community, which is what I was familiar with. But there's no government agencies here that really needed Chinese linguists. Charity wasn't going back to working in a Tex-Mex restaurant. She didn't learn Mandarin for nothing. Then she stumbled on a job as an intelligence analyst for a private sector cybersecurity company.

I might have met one out of 10 or 11 requirements, but at that point I was really desperate for a solid career. I really wanted to establish myself and provide for the kids. So my first job in cybersecurity was, I consider it my big break. The role was called cyber threat intelligence analyst.

And they needed somebody with an intelligence background like myself to help establish their intelligence program to protect them and their customers. In the private sector, Charity has probed the dark web and taught other analysts how to conduct business deals with criminals. She roots out online disinformation in the deepest recesses of the internet.

But China has always been her speciality, and her background as a Chinese linguist has come in handy, especially recently.

Over the past few years, China has rapidly developed. And so we're monitoring very closely how that development is happening, how they're exporting digital technology around the world, and how that digital technology that's native to China gives their government a foothold for cyber espionage operations. The CCP severely restricts what Chinese citizens can access online.

Behind the Great Firewall of China, individuals and tech companies face widespread censorship. China has its own versions of all of the largest global internet companies. It has, effectively, its own internet. But the Chinese government isn't just advancing its agenda at home.

As Charity explains it, the nation is now exporting its influence all around the world, along the Digital Silk Road. The Digital Silk Road is a set of cyber projects that the Chinese government is pushing through their Belt and Road Initiative. People in the know call the Belt and Road Initiative the BRI, or sometimes the New Silk Road.

It's the Chinese government's push to invest in trade and infrastructure. And to date, 140 countries around the world have signed on to take part. The Chinese government, through their big technology companies that are native to China, they're exporting digital products and setting up digital infrastructure all over the world, especially in developing regions of the world like South Asia, Africa and Latin America.

So that's what they call the Digital Silk Road. It's just a big initiative within their Belt and Road Initiative projects. The BRI is expected to cost over US$1 trillion, not to put too fine a point on it. It's a massive undertaking with massive implications for participating countries. And one can imagine that many of those countries, especially in developing parts of the world, are grateful for the injection of resources.

Sometime back in 2020, Charity says she started reading between the lines of what the CCP was actually investing in.

I was really reading a lot about certain case studies where organizations around the world had invited Chinese technology into their country, whether it was 5G technology or laying underground cable, you know, implementing new Chinese applications in the workplace. And these case studies really explored how they discovered that the Chinese government was stealing data from them.

So siphoning data from their servers into private servers in China. And those espionage cases really piqued my interest. That's when I started asking some really important questions. That is how a threat hunter kicks off an operation. Say you want to become a cyber threat analyst, working, as Charity does, with open source data. Your first task is to identify the questions you want to answer.

For Charity, those questions were, how big of a threat is there from Chinese technology around the world? And then I honed it down to, what is their objective in the digital Silk Road? Are they laying a foothold for espionage through this technology? And how big is this scope?

We know through evidence-based studies and through investigations, we know that the CCP has infiltrated government networks and private networks alike to steal data, to steal proprietary information, science and technology, to then implement in their own country, in their own markets, in their own military technology.

So it starts with some questions, brainstorming, thinking about what are the threats and what are the risks, because I'm a threat intelligence analyst. So that's step one. Know what you're looking for. Step two is to know your enemy.

The concept of knowing your enemy comes from a book called The Art of War, written by an ancient Chinese scholar. So it's not a new concept, but I think it's something that the Chinese military and intelligence services understand deeply. And it's something that everyone else strives to understand. Knowing how our enemy thinks, what drives them, motivation, culture,

All of these things feed into the psychology of intelligence analysis. We cannot counter a threat unless we understand the threat deeply. Fortunately, after the past 15 years, Charity's got a pretty good sense of who she's up against. With my experience spying on China for so long and getting to know the CCP intimately, getting to know some of the leadership and their profiles and what drives them,

I feel like that fed into this research and I was able to really pull out, here's what the CCP's goals are and here's how they're achieving them. Of course, it's not just about knowing how your adversary does what they do. Equally important is understanding why they do what they do. And so we go to authentic sources. We go to the Chinese government websites, which...

Surprisingly, they're very open about their direction and their objectives and their long-term goals. This is something that I refer to often analyzing Chinese intelligence. They have the advantage of singularity. They have a single party that drives their national objectives forward. When it comes to getting familiar with an enemy, training with the U.S. Army makes for a pretty good start.

as does gaining four years' experience with the NSA. But just as important is being a generally curious person and a skilled Internet sleuth, because it doesn't take a lot of snooping around to identify the goals of the CCP. It certainly doesn't take a security clearance. In fact, you might be surprised just how forthcoming the Chinese government can be.

I was just reading a document yesterday that outlines their propaganda manual. Everything is outlined very clearly. They talk about how they're going to do what they do. So for us as threat researchers and analysts, it's just a matter of do we know what their intentions are? And does the behavior and the tactics and techniques and procedures that they're doing, does that align with what they've stated they're going to do?

To be clear, the CCP isn't owning up to exporting nefarious surveillance technologies, but it's not exactly coy about its desire to grow its power either. Sometimes the best way to get to know someone is just to listen to what they have to say. So, identify your questions, then make sure you know your enemy. Then it's time for step three. Figure out who you're going to be.

Hello, True Spies listener. This episode is made possible with the support of June's Journey, a riveting little caper of a game which you can play right now on your phone. Since you're listening to this show, it's safe to assume you love a good mystery, some compelling detective work, and some of the most interesting stories in the history of the show.

and a larger-than-life character or two. You can find all of those things in abundance in June's Journey. In the game, you'll play as June Parker, a plucky amateur detective trying to get to the bottom of her sister's murder. It's all set during the roaring 1920s.

And I absolutely love all the little period details packed into this world. I don't want to give too much away because the real fun of June's journey is seeing where this adventure will take you. But I've just reached a part of the story that's set in Paris.

And I'm so excited to get back to it. Like I said, if you love a salacious little mystery, then give it a go. Discover your inner detective when you download June's Journey for free today on iOS and Android. Hello, listeners. This is Anne Bogle, author, blogger, and creator of the podcast, What Should I Read Next? Since 2016, I've been helping readers bring more joy and delight into their reading lives. Every week, I tag all things books and reading with a guest and guide them in discovering their next read.

They share three books they love, one book they don't, and what they've been reading lately. And I recommend three titles they may enjoy reading next. Guests have said our conversations are like therapy, troubleshooting issues that have plagued their reading lives for years, and possibly the rest of their lives as well. And of course, recommending books that meet the moment, whether they are looking for deep introspection to spur or encourage a life change, or a frothy page-turner to help them escape the stresses of work, socializing,

school, everything. You'll learn something about yourself as a reader, and you'll definitely walk away confident to choose your next read with a whole list of new books and authors to try. So join us each Tuesday for What Should I Read Next? Subscribe now wherever you're listening to this podcast and visit our website, whatshouldireadnextpodcast.com to find out more.

When I conduct research on China, I have a set of false personas that I adopt to log into certain sites, to read original sources on Chinese government websites, to track Chinese state-affiliated media.

and monitor what's happening in the state-affiliated media, what their narratives are, any bias that is coming through. And I use those false personas to protect my identity, as well as using technology that anonymizes my internet connections so that the Chinese government is unable to track me. Once you've taken precautions to protect your identity, you're in good shape for step four.

the real meat of the operation. Chances are, you already possess some invaluable threat hunting skills. You'd be surprised, it starts with simple Google searches. Start with Google, see what pops up, see what people are talking about. Seeing what pops up means following threads and tumbling down rabbit holes. And sometimes it means following your gut, even if you're not quite sure what it's trying to tell you.

A lot of people that I work with are very technical. They came from cybersecurity academic backgrounds, and I really don't consider myself as technical or as technically competent as them. But I found an area that I excel in.

that I just can't explain very well, and that is intuition. And I think a lot of spies around the world have that intuition. Maybe it's learned, maybe it's trained, maybe it's just being a person who doesn't trust very easily. But I always encourage junior analysts and people that are new to the field that during your investigation, if something is telling you, "What about this?" or "What about that?" or "Maybe you should look over here,"

go take a peek. I mean, there's no harm in following that instinct and you never know what you'll uncover. Now that you're well-versed in the tradecraft of a threat hunter, let's venture with Charity down the digital silk road. As she put one foot in front of the other, she began to get a sense of the vast scope of the problem. And it truly was vast. When I first put this report together, I think there was a lot of terminology that

made the report stand out as kind of extreme. Like, not fear-mongering necessarily, but it is scary content. So as an analyst during the review process, I had to hone in on the facts. And I'm so grateful for my colleagues that said, "Charity, you don't have to use the word authoritarian 20 times in this report. You don't have to use the word extreme. Let the facts speak for themselves."

It wasn't long after starting her research that Charity found herself wading through some unsettling material. Being that this information, there's so much of it, there's so many use cases of espionage around the world that's being implemented through Chinese technology, it was a lot to take in. So as a threat analyst...

I divided it into two different threats or risks. One was the threat of cyber espionage through multiple layers of Chinese technology from, you know, underground cable to 5G towers, satellites, the Internet of Things, devices and applications that are owned by Chinese companies.

They really do have access to everyone's information from the physical level all the way to the application level. And what that gives them is access to user behavior. So the threat of cyber espionage was one half. And then also the threat of invasive surveillance technology being implemented in some of the most vulnerable countries in the world. That was the other side of the report.

As Charity said, there's a lot of information to wade through. So let's take these objectives one by one. The threat of Chinese cyber espionage was itself no surprise. China has eyes everywhere. But as she dug deeper in her research, Charity uncovered several distressing use cases. Among the most notable, China's thoughtful gift to the African Union.

The African Union headquarters building in Ethiopia was gifted by the Chinese government, which seemed very generous. It not only included a huge headquarters building, it's very beautiful, but also a data center. And it was donated, quote unquote, by China's gift to the friends of Africa in 2012.

What's the harm in that? In January of 2017, computer scientists at the African Union headquarters discovered that every night between midnight and 2 a.m., massive amounts of data were being transferred out of their data centers

two unfamiliar servers in Shanghai, China. They immediately raised some alarms and said, "Hey, this is very abnormal. We just detected this activity. And from what we can tell, this has been happening for the past five years." These computer scientists learned that Chinese actors were spying on their activities and poaching their data, not just in the data center, but across the entire building.

They even discovered that there were wiretaps under some of the desks and that many of their meetings were being spied on by China, by the Chinese government.

Now, of course, the Chinese government denied these accusations, denied any tie, but there was significant evidence in this case to prove that the building was bugged from the beginning. The bugs were built into the desks and the walls. So it was very clear from the very beginning of this relationship that this gift was more like a Trojan horse.

But perhaps even more alarming were the episodes of digital repression that Charity found in her research. I discovered that there were many case studies where China was exporting digital surveillance technology to illiberal regimes. That is, parts of the world where citizens are restricted in what information they consume, how they act and how they express themselves.

I discovered that the technology that China is exporting to certain countries in Africa and Latin America was being used by these regimes for invasive surveillance on their populations. But even more than that, China is sending trainers to those countries to teach them how to monitor groups of citizens.

how to counter pro-democracy movements and how to implement social credit systems like what China is using. In other words, the governments of these countries are playing ball with China in exchange for the Chinese playbook.

One of the things that triggered me was that China has an explicit contract with some of these countries where they say, "We will provide the surveillance technology to you and your government. We will train you on how to use it however you want." Which many times is, "Hey, we saw how you use it in China to manage crime and to control the population and to censor the media. Teach us how to do that too."

According to Charity's research, China is exporting facial recognition tools to countries in Africa in order to improve its own facial recognition technology. AI algorithms more commonly recognize light-skinned faces than darker-skinned ones, and having a broader sample of faces would improve the Chinese dataset and, by extension, the technology itself.

In nine different countries, the technology is being implemented under the guise of a Safe Cities initiative. A trade agreement between China and these countries made clear: We'll give you the technology if you give us the data you gather. With that data, Charity says, comes the danger of persecution and political targeting against ethnic minorities. The reason I'm concerned about this is because there is evidence

that the Chinese government is using this surveillance technology to mass incarcerate and monitor and surveil the Muslim population in Xinjiang, the Uighur Muslim population. This nefarious use of surveillance may ring a bell for True Spies listeners familiar with episode 60, The Destroyed Man.

In cases like these, espionage tools are used to perpetrate human rights abuses. Basically, there is genocide happening in China right now and re-education camps similar to what was observed in World War II. So,

If China's implementing this technology in this way, our concern is, are they teaching these other regimes around the world how to implement this technology in the same way against minorities, against religious groups, against pro-democracy movements in order to quell protests?

in order to incarcerate anyone that disagrees with the regime or criticizes the regime. And additionally, they're using it to censor their media and censor journalists and target those individuals that are opposing the government. By exporting its technologies and undertaking massive infrastructure projects abroad, the CCP was clearly flexing its muscles.

As she researched, Charity became aware of what she calls digital colonialism in action. We define digital colonialism as the use of digital technology for political, economic and social domination of another nation or territory. I think most developed regions of the world that have been ahead in the technology game

They have also grappled with this issue of digitizing indigenous data without fully informing the people of that nation of how their data is going to be used, stored, and secured. That is a major concern. The difference I see between Western nations and their technology companies and China and their big tech champions is,

is that the Western nations tend to be more accountable to their governments and to people and to certain processes that have been set up to protect and secure people's data. On the other hand, the Chinese tech companies are accountable to their government, which may not have the best interest in mind of the recipients. Remember the question that fueled Charity's research? How big a threat is Chinese technology to nations around the world?

Faced with troves of information in many reports of repressive Chinese digital technologies put to use abroad, Charity had her answer. This research could have gone for a very long time. I try to work within a framework, some boundaries. And I know when I'm going down the rabbit hole too far and I start discovering new interesting things that are not directly related to the topic at hand,

I take a note and I say, "You know what? That would be great for a different report." Of course, Charity isn't just a researcher. She's an analyst. She's got to make her findings intelligible to a broader community of readers. She wants her work to make a difference in the world. From there, I start putting together the big picture. And this one was difficult because it is so expansive. Charity was able to distill her work down to three major findings.

We discovered that China's digital Silk Road projects in the least developed regions of the world create a power imbalance between China and the recipient nations. And that results in a high risk for privacy and cybersecurity in those regions.

Two. China's export of intrusive artificial intelligence-enabled technologies and ideologies to illiberal regimes around the world enables authoritarianism and systemic oppression, and it also degrades democratic values. Three. Chinese digital dominance poses both a critical cybersecurity threat to the world and a

a growing threat to competitors' markets, basically through the assertion of a new Chinese-style standard of Internet governance. So what now? Imagine yourself in charity's shoes. You've gathered together a hugely incriminating dossier and one of the biggest players on the geopolitical stage. But you no longer work for the US government, and there's no guarantee your report will end up in the hands of key decision-makers.

What do you do, knowing the devastating impact these technologies could have on so many people's lives? How do you feel, faced with the knowledge that all of that important information could very well fall on deaf ears?

That's where I started becoming very concerned going, okay, I'm just one cybersecurity analyst. How can I affect change or influence policy going forward? A lot of people tell me, Charity, this is really scary information. How do we handle this? How do we, where do we go from here? I don't know if I have the answers yet.

As a researcher and analyst, yes, my job is to make recommendations on how we can implement security, how we can mitigate the risks and the threats involved with this type of intelligence. But when you get up to this high of a level, who am I advising? Regimes, nation states, G7, NATO, WHO, I mean, you name it.

Don't you want to shout your warning from the rooftops? Shake your politicians by the shoulders and tell them to wake up to what's happening? Or does publishing this information just feel like screaming into the void?

As an analyst, I have enough experience to know my job stops when I hand off my recommendation. I don't have much reach beyond that. I provide facts, I provide analysis, I provide likelihood and probability of events happening.

And then I leave it in the hands of leadership. And the real leaders will look at that intelligence, weigh the risks and benefits of their decisions and go forward. In the end, just doing the work, bringing all that data and all those case studies to light, has to be enough. Like Charity's colleagues told her, the information has to speak for itself.

To those who will listen, it can speak volumes. It became clear to me that we have to be aware of how China is trying to reshape the way we govern the internet and the direction that they would like to see it go because they're gaining significant influence in the world and in technology sector. Charity's work describes how, with help from the Digital Silk Road initiatives, nation-states are able to severely restrict civilians' internet freedom.

By proxy, the report alleges China is effectively remaking the global internet in its own image. As it continues to realize its digital Silk Road projects, its digital dominance will only grow.

And we have to decide if we don't want to go that direction, how are we going to shape governance going forward? How are we going to counter Chinese competition in the tech sector? And how are we going to protect our people, our governments, our nations from the threat of Chinese espionage? Charity doesn't have the answers. Those are new questions, best answered by policymakers, tech companies, security agencies,

Her work is to present the facts with clarity and precision. And that alone is a huge responsibility.

I care very much about human rights and I care very much about people's privacy, which is one thing that motivates me in this career. It gives me a sense of duty like I had when I served on active duty in the army and when I served at the National Security Agency helping to protect U.S. people and U.S. military assets. In the cyber realm, it's not so different. There is so much fulfillment and positivity in knowing that

that oftentimes our intelligence helps save lives and help deter battles and war in real life. And oftentimes we in the cyber world are able to protect millions of people or government networks from a foreign adversary. And it's those days that I focus on and feel grateful for. Charity Wright is hard at work on her next operation.

You can read her report, China's Digital Colonialism, Espionage and Repression, along the digital Silk Road at RecordedFuture.com. I'm Vanessa Kirby. Here's a taste of next week's encounter with true spies.