 My name is King Fitzgerald. I am the security and defence researcher here at the Institute for International and European Affairs. My research generally focuses on great power competition and its implications for the R security environment. I am delighted to welcome you here to this IIA webinar where we are joined today by Professor Nicholas Timiades, Professor of Homeland Security at Penn State Harrisburg and author of Chinese Intelligence Operations, who's been generous enough to take time out of a schedule to speak to us today. Professor Timiades will give a presentation to us for about 30 minutes and following this we will proceed to a Q&A with the audience. You'll be able to join the discussion using the Q&A function on Zoom, which you should see on your screen and then please feel free to send your questions in throughout the presentation as they occur to you and we'll come to them once Professor Timiades has come to his presentation. Just a quick reminder to everyone that today's presentation and Q&A are both on the record and if you'd like to join the discussion on Twitter please use the handle at IIA. So I now formally introduce Professor Timiades and then I'll hand over to him. Nicholas Timiades is a professor at Penn State University and author of the book Chinese Intelligence Operations. He's a member of the Graduate Faculty teaching Homeland Security, Intelligence and National Security Policy. He conducts research on China's economic espionage, intelligence and immersion threats and disruptive technologies. Mr. Timiades retired from a 34-year government career in intelligence and diplomacy and has extensive experience and has published widely on China and the national security space. Mr. Timiades held senior appointments to the Department of Defense Science Board, the Department of Homeland Security Advisory Council and the Office of the Director of National Intelligence Council. He's also a senior fellow at the Atlantic Council and Auburn University, McCray Institute for Cyber and Critical Infrastructure Security. Professor Timiades, the floor is yours. Thank you very much. It's a pleasure to be here. Let me just start out by just saying one thing that my comments do not represent Penn State University. So I'm speaking as an individual today. What I'd like to do is take the next 25 minutes or so to give you an overview of Chinese espionage. Okay, sorry about that. Sorry for the slow start. I only have 30 minutes to share a lifetime's worth of knowledge. I've been tracking the subject for the better part of 30 years. And it's only the past couple of years anyone around the world has really cared about it. And it's a good thing because people are starting to wake up and understand the significance of exactly what China's been doing, what it's been doing for decades and actually escalating in tempo and capabilities over the course of the past decade. So let's just jump into this and take a look at the overview. There are a couple of ways of cataloging what the media will typically call espionage. Right? You know, there is covert action, which is covert influence. And I think actually you've recently had a case of that of spying against the diaspora and influencing parliament, things like as we see in the UK on now it appears multiple occasions. So there's traditional espionage, which in the United States is coded 18 USC 790 series. It's an actual series of espionage violations that you do against governments in secret, you know, taking out secret materials. Economic espionage, which is probably one of the more extensive activities that China conducts. And that includes technology and trade secrets. The United States estimates its losses anywhere between four to, or you know, four to 600 billion a year due to this type of technology and theft of trade secrets. I probably put that a bit lower at 386. 87% of even all the fake products that are coming into the US come from China. 82% from Europe, or rather 82% of the fake products coming into Europe, you know, come from China and 80% to Canada has that figure of 80%. So we get a lot of theft of trade secrets, reproduction of items and things like that that come into the country, which really affects the economic base. This all comes under one category of economic espionage. Illegal exports. In addition to just stealing technology and trade secrets, we have stealing, stealing physically items that are not, you know, set for export, not releasable for export. As an example, semiconductors, which I know you have production there. And a lot of other items that China just steals and in fact has been able to support its military that way. Research violations. Lastly, research violations. We had quite an aggressive campaign against this in the United States to actually look at the theft of research done out of universities, primarily out of universities and research institutes. I'll give you a bottom line up front. And the bottom line is that foreign technology is highly prized, you know, for Chinese intelligence collectors. Covert influence is also top on the list of their activities. Their commercial selection efforts in, you know, stealing technology and trade secrets are primarily technology are really identified in PRC's national planning documents, such as made in China 2025, 50 year, 50 year plan for development of space technology and a number of agricultural technology and a number of seminal documents produced by the party at the highest levels. Over the last 20 years, I can tell you because I'm watching this and show you a trend line that China has aggressively expanded its espionage networks. That much I think is, sorry, pretty obvious. Lots participate in Chinese intelligence activities, which is why we call it a whole of society approach. Okay, differing from Western services where you generally just have, you know, in America, the CIA, maybe the FBI and a few other agencies that are engaged in espionage, that's not the case in China. In fact, in China, you have state-owned enterprises, private companies, individuals and select universities all conducting espionage activities. If you want to think about the vastness of this state-owned enterprises, there are, used to be 300, but there are 150,000 of them in China. 50,000 of them are which are at the national level and about 120 or so are prized national economic security state-owned enterprises and many of them have well over 100,000 employees each, research institutions, etc. All this is levied as part of the collection apparatus that China has specifically towards foreign technology and trade secrets. Lastly, it's interesting because because you have so many players in this whole of society approach, you have a wide variance in what we call trade craft, the espionage techniques that are used. Sometimes you even have that you see that variance within agencies, like within the Ministry of State Security. So there's a wide variance in how they conduct and you can actually catalog it against specific industries. Cyber is probably exception and they show pretty standard techniques in that. So if you're looking at economic espionage along a continuum, you see just the vast number of capabilities that they bring to bear. Starting on the left, you go from open source literature to science and technology exchanges, trade fairs, Chinese scholars and students, buying foreign experts, acquisition and mergers all the way up to economic espionage and that and all these are leveraged in support of the state. These are the ones that we'll look a little more seriously at today. The types of collectors, whereas again, I pointed out that we in the US are, are, you know, I think in the West, I should say rather, you know, typically have our government agencies involved with this with China, the Ministry of State Security and Public Security are the traditional collectors, the Joint Intelligence Bureau under the Central Military Commission. They're military collectors. They had the Political Work Department Liaison Bureau, again, military entity, traditional collectors, but they also use, and this is a Western definition, right? It's not a Chinese definition. They also use non-traditional collectors, state-owned enterprises, CCP organizations, as I mentioned, such as United Front Work Department, university scholars companies. Now these can operate independently of the PRC intelligence services. So you look at just the vastness of the enterprise that they have actually out collecting and it's a pretty, pretty formidable, formidable collection of organizations. Let's look at some of the espionage categories, overviews. Now what you're seeing now is a compilation of information out of my database. And my database has about 770 something cases, details on 770 cases of, quote, espionage. That's the big word, espionage, but all the economic and trade theft and espionage and covert influence operations all under that. So we have about 772 cases and it's very, very detailed for each one. And what that allows you to do is to really understand what is going on and who's doing what with relative to, sorry, China's activities. So if we were to just look at economic espionage, you would have state-owned enterprises conducting a total of 174 cases out of that database. You would have 24% being done by state-owned enterprises, more than half of them done by private companies. You have 11% done by the Ministry of State Security. The PLA very marginally involved in economic espionage and others such as universities and research institutes at 10%. So if you're looking at this from a defense of posture or from a posture or from a legislative posture even, your primary problem here are Chinese companies that are stealing. And this doesn't even include the forced transfer of technology. It's just the stealing of technology from your own companies, from Western companies. I should also make it a point that I don't do a lot of cyber tracking. And the reason I don't do a lot of cyber tracking is there are a lot of experts out there that do. And it's difficult to get real details on the actual cases. No one likes talking about them, certainly not the least of which are people who've been penetrated and lost their intellectual property. Here we have a great way of looking. There are some cases that I do track, as you can see on the left. But here we have a great way of looking and understanding the trade craft involved. And this I do primarily for security services and such, and actually to such greater lengths. But we have tailor made devices of third country meetings. Sorry about that. On the left, or rather on the far right, you can see no trade craft and open communications and true names is the preferred type of technique that's used for this. So it means we're just looking at straight theft. And yet we do have also a notable amount of false names that are used for this type of thing, or use of third parties to steal technology and intellectual property encryption standards or meetings held in China. So for an insider threat specialist or for security specialist, you can start to determine, well, if there are a lot of meetings held in China, this is what I'm looking at. I'm looking at a lot of this person keeps going back and forth to China. It's what they would call as an indicator in that world that something might be missing something to start to look at, but specific components of the trade craft and what is actually used to collect information. Okay, if we, sorry, move a little more towards our understanding, if we move a little more towards our understanding of PRC organizations conducting espionage, and this gives you a breakdown of what you're looking at. This is espionage, espionage, across the whole board, not just economic. So if you take a look, you can see that private companies of about 150, in cases like that, state-owned enterprises, 123, Ministry of State Security, you can see 126, the People's Liberation Army, 134, and other elements, meaning universities and research institutes at 148. So if anything illustrates the case for a whole-of-society approach, this does. You see, and the MSS alone has 100,000 employees, it's estimated at. And it's not by only means the only one playing in this game. So there are a lot of organizations playing on a global collection effort, and this is one of the reasons that China is able to build its military and to build its economic wealth. It's one of the reasons it makes it almost impossible to compete, because all those decades and billions of dollars that are invested in R&D are lost because they're stealing it. And I'll give you an example of one company that I worked with, which had a $400 million loss in energy company when one of their employees had been going back and forth to China, allegedly visiting family, and ultimately they were able to discover the fact that he was uploading that information onto a server on the web and it was being accessed in China. So for them, now they have a competition and a loss of $400 million or so in research, research dollars. Once again, just their use of espionage tradecraft. And this is not economic espionage, but this is espionage sort of as a whole. And you can kind of take a look when you look across the board where no tradecraft, no espionage tradecraft or techniques are employed, what are simply false names or documents and third party usage and just basic encryption standards and meetings held in China. So the tradecraft differs depending on what type of theft that you're actually looking at, whether you're looking at economic espionage and dealing with corporations or whether you're taking a whole swap and looking at including national espionage against government secrets and influence operations. The type of tradecraft differs depending not only that, but the industry that you're looking at that you're assessing in the case of covert action. And let me clarify here for our purposes, for our purposes, covert action are, I mean, not everything is espionage, right? So the example of Christine Lee with the UK, and I'll go into that just a moment where a person was influencing parliamentarians and giving money. And of course, you know, they probably don't know where that money is coming from, but she's actually being paid to influence them. That's a covert action because it's not really espionage, but it's a covert activity done at the behest of a nation state. So in that case, when you take a look, again, you see massive players, the United Front Work Department, tens of thousands of people in the United Front and offices and associations span out globally. The People's Liberation Army, the Ministry of State Security and the Ministry of Foreign Affairs are all engaging in covert action or covert influence. This is a slide which just shows the number of cases tied to the specific type of espionage, as I mentioned earlier. In the U.S., ITAR, IEPA, EAR, and ACA are all illegal export of technology, military-related technology. So you could actually combine those into one and you get 140 cases that actually having occurred. EAR, Export Administration Regulations, is the illegal export of dual-use technology, and I hope that's separately. And then we have kind of the standards, research violations, 31 cases, espionage cases, 128 economic espionage cases, 124, and civil actions, 24. So you can kind of get a spread of what China's doing across all boards relative to a whole-of-society approach and their massive collection apparatus. We'll just take a quick look at a couple of cases. This is Christine Fang, otherwise known as Fang Fang. She was in 2015, she fled the country because it was an FBI investigation. There she is in the center with Congressman Swalwell, who she worked closely for and even up to the point that he was running for presidency. She had built a number of relationships. She was a student at the college in San Francisco and she became president of the Chinese Student Scholars Association, president of the Asian Pacific Islanders, American Public Affairs Association. She used these for what we call cover for status and cover for action. She used these to allow her access into the Chinese American community and having influence and action in the Chinese American community. She was able to turn around to U.S. politicians and say, hey, I had this type of access and immediately she was accepted into political ranks as support, as an advisor. But in the meantime, the reason the FBI identified her was because that she had been meeting with an intelligence officer out of the San Francisco consulate. Ultimately, they picked up on her and said, well, wait a minute, who is this person? And they tracked her down and saw that she had a relationship of undisclosed sorts with Congressman Swalwell. In addition, she was also having, which they did announce, multiple affairs, two of which were with mayors in the Midwest of the United States. So she would travel out there and the FBI would follow her. And then she would report back to the San Francisco consulate. At the same time, the MSS officials were also running the staffer, the driver and local representative for Senator Diane Feinstein, who was also reporting to the Ministry of State Security. Christine Fong had access to Representative Swalwell, Mayor Harrison, and Representative Kana, all of which he was doing volunteer work and even actually placed an intern in the office for Swalwell. So as we say, she had access, she had close access, she had good cover for status and action, was doing reporting. As far as we know, going back to the Ministry of State Security, potentially influencing every one of those individuals that she had access to in contact. And we saw some of that in their trips going to China. And when the FBI approached at that time, Congressman Swalwell, she fled the country. Christine Lee, who was actually originally identified in 2015, was only recently that the Brits took any action against her. Christine Lee, the MI5 put out a notice of security service, put out a notice to Parliament about her, the affiliations that she had, and the fact that she was working in the embassy, she was a UK citizen, but working, actually dual with China as well, but working in the embassy for the United Front Work Department located in the embassy. And meanwhile, she was controlling a number of, not only associated with the Overseas Friendship Associations, which are elements of the United Front, but she had established a British-Chinese project, had a number of parliamentarians under it, was allegedly representing the Asian population in the UK. But the reality is that she was taking orders from the United Front Work Department. So they put out a notice about her, and everybody cut contact. She had contributed 600,000 pounds to primarily one British parliamentarian, but to other parliamentarians as well from both parties. So you can see her background here, that Barry Gardner, an MP, which she made 200,000, rather 600,000 in donations to him, her son was working for her, she placed her son in the office working for that, working for him, her finances, and this is where I'm guessing the MI5 came on to this, her finances were illicit or shady finances that were coming out of China and Hong Kong to her office, you know, to turn around and to give to her members of parliament, whereas in the meantime she had local regular contact with the PRC embassy in London. So you can see the British-China project, the British-Chinese project to the top, top left is that was actually run by her other son, Michael Wilkes. So she got pretty well, she had her reach that went out to Scotland and to Scotland Parliament as well. So we have a similar problem in the Congress, and I've had members of Congress tell me that, look, someone comes in my door and they're from my district, and I have no idea who they are, what background they are, I have no idea what the connections are with my companies. So this is a problem that I know we wrestle with, and I'm assuming it's going to be the same pretty in democracies all over the world. You want to serve your constituencies, but you don't know who's walking in your door at any given point in time. Okay, so we've looked a little at the covert influence cases. Let's look at some real hard court cases. This is one of my favorite ones. Shu Yan Jun, he was a MSS officer, he was an actual MSS case officer, and he was lured to come to Belgium. This is his, his, his, his forms from being in the MSS, and on the right you see a translation for his appointment form. So he was originally worked at a Jiangsu province, and he was with the Jiangsu State Security Bureau, and he lured through Nanjing University of, of aviation and aerospace, he lured a US scientist, David Zhang, out of, you know, the US and came to, came to China to speak. He was introduced under the cover of a, of a local, the Jiangsu Association for Science and Technology, and in other words, that's a daisy chain, what we call the university brings him over at the heads of the Ministry of State Security, so they're closely cooperating, they bring him over and then they turn around and pass him off to, to that, you know, to the local department, to the, you know, to the local Ministry of State Security undercover as the, as the National, as the Science and Technology Association, Nanjing Science and Technology Association. So what we have in the center here is Shu and his contacts, and this trick, I'll call it, but this work where universities inviting them and then introducing them to the local Nanjing Science and Technology Association work, and you can take a look at the individuals that he went and, and actually entertained and brought over to give speeches at Nanjing University. Now, really, while he was there, if you take a look at, you know, not only did they try and bring people over repeatedly, so they eventually could put them on a recruitment path, but while they were there and he was entertaining them as that representative of the Science and Technology Association, these are the people that he had the eighth division actually attacking their laptops. So, you know, I, I read the text that he was sending back and forth to people and in the Ministry of State Security, those individuals you see on the left, Shu Hong and Chen Feng, and as they are, as they're having a party toasting the person, toasting the invited guest who's giving a speech, he's up inside your hotel room with others trying to break into their laptops and with other technical experts trying to get into their laptops, and the emails going back and forth are extraordinary. Now, you know, we're going to need at least three hours to get into this laptop and they're literally, as their, you know, as their host is sitting there, you know, drinking and eating right next to him saying, no, no, no, we can only keep this guy here for another hour. It's, you know, you've got to make it happen within that time. And in several cases, they're inserting a virus. There's some interesting work that was done against saffron aviation. On the upper left, Gu Zhen and TNC were locals working inside of saffron in China, and they were both recruited. Gu Zhen was a, in charge of cyber security for saffron in China, and he was recruited. And of course, they, they tried to put a virus, actually, they didn't plant a virus into Frederick Haskell's laptop when he went, he went to actually present in China. And as his pictures, as the slides came up, they didn't seem to be working. And they said, well, what's, no, no, no, you need a codec upgrade. And they gave him an upgrade. And that was about, oh, it was a virus that they had implanted into his computer. So we have a number of cases where there are invitations that come out, paid invitations that come out for, for lectures and presentations or cooperation, you know, within China, that is used as a stepping stone for eventual recruitment of the individual. And lastly, it's also used to, to do technical penetration. So they're pretty comprehensive in, and how they approach their target set. I'll note, lastly, on this slide, Xu Yanzhong was using a cover name of Zhang Hai, and he was using that on LinkedIn, which he did a lot of approaches on LinkedIn, specifically Linda Lee on the lower left. But Ji Chaochun was a US Army reservist. He was actually recruited in China. And he recently got convicted for, and Xu Yanzhong was his case officer handling him. He was actually became a Mormon, which is interesting and was targeting people who were in the Mormon church, Chinese or in the Mormon church who were traveling to China, specifically aerospace engineers. So really interesting the way their intelligence service works. It kind of branches out and uses local context to be able to conduct tradecraft. Okay. I think that's actually done a bit early. But that's sort of my baseline. I'll just give you, I didn't want to go over. So, but if you take a look at my website, I have, like this presentation will be on, I have a lot of presentations that are on a lot of reports, a lot of articles, it's all in the library section, or a publication section, and you can just, you know, go. And if it's useful for you, great. You'll also see things like online courses and stuff that on this subject that you can look at as well. Anyway, that's all I have immediately. And I'm guessing we have a fair amount of time for questions and answers.