EXCLUSIVE SUBSCRIBER+MEMBER INTERVIEW — Chinese Foreign Ministry spokesman Wang Wenbin says there is “no such thing as an overseas police station” but U.S. counterintelligence officials beg to differ. U.S. officials say that Chinese offices being set up across major American cities - allegedly used to spy, harass, and threaten – are just one of the ways that modern espionage is taking on a new form.
Acting Deputy Director of the National Counterintelligence and Security Center (NCSC) Mirriam-Grace MacIntyre told The Cipher Brief during a recent Subscriber+Member briefing that in some cases, members of the diaspora community report back about certain individuals of interest. “We also have seen them use private investigators or local police to collect and provide information.”
NCSC is a component of the Office of the Director of National Intelligence, responsible for leading and supporting the counterintelligence and security activities of the US government.
In March, the NCSC and the FBI published a joint public bulletin titled ‘Don't Be a Pawn’ in a bid to blunt espionage efforts and raise awareness about how foreign intelligence services may be seeking leverage "to advance their own transnational repression goals,” according to MacIntyre.
In that bulletin, the agencies identified foreign intelligence entities "working on behalf of repressive regimes [that] have sought to use U.S.-based persons ... to threaten or harm perceived critics and opponents.” It specifically named China and Iran as principal actors.
The Cipher Brief welcomed Acting NCSC Deputy Director Mirriam-Grace MacIntyre for a briefing on espionage efforts inside the U.S. that include private sector companies as targets.
Mirriam-Grace MacIntyre, Acting Deputy Director of the National Counterintelligence and Security Center (NCSC)
Mirriam-Grace MacIntyre oversees the daily operations of a national center dedicated to protecting America from foreign intelligence threats. From 2021-2023, MacIntyre served as the Director for Counterintelligence at the National Security Council where she led the development of counterintelligence policy under the Biden-Harris Administration. MacIntyre joined ODNI cadre in 2016 first as the National Counterintelligence Officer for Russia, Europe and Eurasia and later as the Deputy National Intelligence Manager for Counterintelligence and was responsible for leading the development of strategies, plans, and initiatives to advance the Intelligence Community’s (IC) counterintelligence mission and address the needs of U.S. Government decision makers.
This transcript of our interview has been lightly edited for length and clarity.
The Cipher Brief: Can you talk about today's counterintelligence landscape and what concerns you most?
MacIntyre: We define the counterintelligence landscape by three things; the first is more actors, more capabilities, and more targets. Let me unpack that for you.
Historically, even as I thought of this title of this discussion today, Hunt for Spies, it makes one think of looking for people with trench coats and fedoras and this older day of espionage. But in reality today we live in a world with more threat actors. Russia, China, Iran are the main ones out there, but there are a number of non-state actors and terrorist groups that are involved in this space. There are more targets as well. Again, historically, and as we look back there was a great deal of interest in accessing US government or other government secrets. But the reality is that today a lot of the information that foreign intelligence services and spies want are in the unclassified realm.
For example, foreign intelligence services aggressively going after US data, technology, and talent to advance their goals. And that is part of this environment we find ourselves in. And then lastly, we see that there are more capabilities out there. More and more there are commercially available tools that enhance the abilities of previously unsophisticated intelligence services that can now operate at the level of a state factor. And so when we consider all of that put together, we find ourselves in an area where the counterintelligence landscape is increasingly complex and the responsibility to protect it is much broader than only within the US government.
The Cipher Brief: When we talk about Russia, China, and other nation-state threats, what can you tell us about those respective intelligence services?
MacIntyre: If I could compare the two of them, I would say both Russia and China are national security threats. The defining difference between the two is that China also poses an economic security threat to us. Let me start with Russia. Russia continues to pose espionage influence and cyber threats to the US government. They are certainly seeking information that can advance their own government efforts, and I think given the sanctions that have been placed on them, it has made them have to seek opportunities to carry out more illegal actions.
Looking for a way to get ahead of the week in cyber and tech? Sign up for the Cyber Initiatives Group Sunday newsletter to quickly get up to speed on the biggest cyber and tech headlines and be ready for the week ahead. Sign up today.
They're also seeking to divide alliances and sway public opinion.
On the China front, because they are also an economic security threat, they have aggressively gone after US data, technology, and talent. The Chinese government itself has noted that they are committed to achieving technological and manufacturing independence, and they seek to displace the United States as the global economic and military power by 2049. In order to do that, they must use all levers within their state to be able to acquire information. We see that they use illegal, legal and quasi-legal methods. They're also willing to use proxies or non-traditional collectors, and they carry out cyber activities.
The Cipher Brief: Let's talk about the private sector. You've talked about how easy it is for other actors to get into the business of espionage. Can you talk about who some of those players might be and some of the tactics that they're using that people might not expect?
MacIntyre: Some of the tools that are commercially available, like commercial spyware for example, include capabilities that can be used on phones and we've seen this around the globe over the past couple of years, in efforts to collect information against dissidents or opposition party members, but sometimes against diplomats as well. An intelligence service or any actor who seeks to purchase and use these kinds of technologies, whether they're criminal organizations or not, finds themselves in a realm where they can operate like a state actor may have acted previously.
The Cipher Brief: We're reading a lot about transnational repression. What is it and how widespread of a problem is it?
MacIntyre: This is an area where we see a growing trend of intelligence activity by foreign governments and spies. We've seen them increase their harassment and intimidation and in some cases, we've also seen assault of dissidents and opponents here in the United States and around the world. They're leveraging some of those commercial tools to assist or enable their ability to target dissidents. I note that this is a particularly concerning thing because not only does it violate US law and infringe on individual's rights and liberties, but it's really an effort to silence dissidents, to get information from them, or to in some cases, repatriate them. There are a couple of ways we've seen this happen and some of the tools that are being used. One, we have seen even as recently as the past few months, the use of overseas police stations in countries around the world, in particular here in the United States.
The FBI made an arrest of some individuals involved in an illegal Chinese government police station up in New York that was being used to monitor and harass dissidents. In some cases, we see that these intelligence services will use members of their diaspora community to report information back about individuals that they are interested in. And we have also seen them use private investigators or local police to collect and provide information. From NCSC's perspective, we have an important outreach function. We published - in conjunction with FBI - a public awareness document called Don't Be a Pawn, and it's intended to raise awareness among the diaspora community about how foreign intelligence services may be seeking to leverage their access to individuals to get information to advance their own transnational repression goals.
The Cipher Brief: What advice are you offering in the public awareness document in terms of what to look out for to avoid being caught up as a pawn in these endeavors, when to ask more questions, and when to go a little deeper with diligence on someone who wants to hire you, for example?
MacIntyre: Sometimes police officers or private investigators may be unwitting. We recommend that an individual who's being sought out for information really does their own due diligence, try to know your customer. First, ask 'who is this person or this entity that's asking you to find this information and why do they want it'? Second, be wary of gifts or promises that they are making. Have a little bit of suspicion over things that are being offered in return.
The Cipher Brief Threat Conference is taking place October 7-10 in Sea Island, Georgia. This is the nation’s premiere conference for professionals working in the field of national security and cybersecurity. Space is limited. Apply today for your seat at the table.
Third, we've also recommended that private investigators or police officers be careful not to abuse the access to personal information that they might have. Really consider the kinds of access an individual or a business or a private entity might have and whether that should actually be provided as part of this support.
The Cipher Brief: NCSC is very involved in providing assistance to U.S. companies that operate in China but what prompted you to issue that bulletin right now?
MacIntyre: Since the mid-2010s, the Chinese government has undertaken a pretty significant effort to issue and update laws related to data privacy, cybersecurity, and espionage. What really drove our effort to get this out now, is China's new updated counter-espionage law - which was originally produced in 2014 - went into effect on July 1st, and it really expands the definition of espionage from covering state secrets to covering broader things like documents, data or materials related to national security. The problem is that they don't actually define what that means, which means that US businesses or foreign entities operating in China could be considered to be involved in espionage when they're really only engaged in due diligence activities that any firm would be involved in. Additionally, this new counter-espionage law includes exit bans, and these exit bans could be used to compel participation in Chinese government investigations.
As you saw in the chart that's included in the bulletin that highlights some of these data privacy, cybersecurity, and counter-espionage laws from the Chinese government, it really puts into place a legal framework that makes it far riskier for foreign and US businesses operating in China. It allows the Chinese government to compel Chinese citizens to assist in their investigations and in some cases, it requires those firms to provide data to the Chinese government. We wanted to make sure that US firms operating in China, were taking this into consideration in their operations.
The Cipher Brief: How hands-on is NCSC in terms of having conversations with these companies, either one-on-one, or in small group settings?
MacIntyre: We engage with industry associations and private companies. We've been doing this for a number of years on a range of issues as we've watched the foreign intelligence threat landscape change, and we try to put guidelines out there. In addition to putting out these public documents as part of our regular cadence and outreach, we're regularly sharing information about foreign intelligence threats.
The Cipher Brief: Last year at our Threat Conference, NCSC Deputy Director Michael Orlando talked about some of the other threat factors that US companies are facing, particularly from China, including illegal tactics, quasi-legal tactics - which you've already mentioned - and acquiring IP and other data. Can you give us an update on how those tactics are trending six, seven months later?
MacIntyre: Those tactics are all still in use. We think of it in two categories of activities. On the illegal activities side, we're talking about Chinese government efforts to recruit insiders to provide data, technology, or expertise in a particular area. They're also using cyber means or supply chain means to be able to acquire information of interest. Then on the legal and quasi-legal side, we see that they're also still very much engaged in the joint ventures and mergers and acquisitions and using those kinds of opportunities to gain access to data and the technology. I think that when you add on top of that, the legal framework that we just talked about, it's that combination of things that provides both the legal backing for the Chinese government to carry out some of their activities and also provide various vectors in which they can access this information of interest.
The Cipher Brief: Can you talk about the ways the People's Republic of China may be targeting US technology startups in particular, through investment schemes or other techniques?
MacIntyre: Startups, are probably in some of the most vulnerable positions because they're at the beginning stages of developing something hot and their technology or proprietary data is of interest and they find themselves in a place where they need financial investments. Some of the ways that we have seen this threat evolve is via foreign governments leveraging venture capital firms or sovereign wealth funds, to finance some of these startups to get access to data. But in some cases, they can also do it without making an investment.
There's opportunity there for a venture capitalist to ask a lot of questions about the underlying data or technology that a startup is developing. In the hopes of providing or getting funding, this startup could be providing a lot of information without ever receiving any of the funding. When we talk to startups or when we try to get this threat information out there, we encourage people or institutions to be thinking about what's most important to them. What is their company's crown jewels and how much do they need to share as part of a VC pitch, recognizing that they will have to share some information and that they should be wary of if some of these questions are venturing too far and if they are unintentionally providing their secret sauce to a foreign adversary.
The Cipher Brief: Can you provide an update on key US emerging technologies that China is targeting the most?
MacIntyre:China laid out in it's 'Made In China 2025 plan' - which it rolled out in 2021, their goal for achieving self-sufficiency in 10 global industries. Next-generation information technology, automated machine tools and robotics, aerospace and aeronautical equipment, maritime equipment and high-tech shipping, modern rail equipment, new energy vehicles, power equipment, agricultural equipment, new materials and biotechnology, and advanced medical products. And we've seen - even as part of their five-year plan - that the Chinese government has focused on pulling ahead of America in major tech industries like artificial intelligence, quantum computing, microchips, biotech, and the like. We have seen that each of these areas has become a key target for China using many of the vectors that I talked about.
The Cipher Brief: A year plus or so ago, some the intelligence gathering operations that were happening inside universities that are in the US, is that still a trending problem?
MacIntyre: That's still a problem that exists in addition to the illegal methods, we have seen that the Chinese intelligence services are willing to use proxies and non-traditional collectors. We have seen them go after the research ecosystem, whether it's scientific collaboration or trying to recruit some of these researchers to China, often giving them lucrative deals or labs at Chinese universities or providing the opportunity to speak at large conferences. They have been targeting both the academic institutions and private industry.
Read more expert-driven national security insights, perspectives and analysis in The Cipher Brief because National Security is Everyone’s Business