Geopolitical Risks: Chinese Technical Collection and Western Pushback

This week, the United Nations General Assembly (UNGA) convenes for its 78^th annual gathering, drawing global leaders and top diplomats to discuss the pressing challenges of the times. At the top of the scheduled agenda are discussions on solutions to the intertwined global challenges to advance peace, security, and sustainable development, with special focus on the concerns of the Global South. Geopolitical rivalries, however, will shape the conversations and the outcomes, whether in the form of big infrastructure development pledges to counter China’s Belt and Road Initiative and its associated debt traps or mobilizing new coalitions to push back against Chinese abuse of emerging technologies for collection of data to surveil, influence and repress individual freedoms and commercial activities.

The hardening of the U.S.’s China policy has been gradual and bipartisan, picking up steam during the Trump and Biden administrations. However, the view of China as a national security threat is still far from a domestic consensus. It took years to build the consensus that Huawei technology is a clear and present danger to U.S. critical infrastructure and to rally the support necessary to bar it from the telecommunications backbone. The ongoing debate over the risks of Chinese-owned TikTok to American citizens’ personal data reflects a pervasive view that quality of life (i.e., the fun factor) outweighs concerns over the significance of the vulnerability. While some large U.S. tech companies have opted out, many U.S. businesses, with the lure of the huge Chinese market, have proven willing, if not eager, to make compromises on providing the Chinese government access to proprietary information in exchange for doing business in China. As Americans have struggled with defining and assessing the risk, the Chinese government has moved forward with purpose to establish information dominance through an integrated strategy of cyber and national security laws requiring individuals and companies to provide data Beijing wants, while building world-class cyber collection infrastructure (nation-state-controlled hackers).  

Beijing Collection through “Rule by Law”

According to the U.S. National Counterintelligence and Security Center, since 2015, the Chinese government has passed or updated comprehensive national security, cybersecurity and data privacy laws and regulations, expanding Beijing’s oversight of domestic and foreign companies operating within China. Beijing’s legal codes are broad and vague, allowing the government to apply them as needed. For example, the 2021 Personal Information Protection Law authorizes the government to collect personal data for actions Beijing deems to be in the public interest. The 2023 Counter-Espionage Law requires Chinese citizens and companies to provide any document, data, materials or items that can be considered relevant to national security, effectively making individuals and entities arms of Chinese intelligence. The 2021 Data Security Law expands Chinese intelligence access to and control over companies and data within China and expands Beijing’s reach to control the outbound flow of data.

The 2021 Cyber Vulnerability Reporting Law is particularly pernicious, requiring all companies based in China to report cyber vulnerabilities discovered in their systems or software to Chinese intelligence. These vulnerabilities cannot be otherwise publicly disclosed or shared until Beijing completes an assessment or a patch is made available. In practical terms, this allows Chinese intelligence to exploit these vulnerabilities until another outside-of-China source publishes a security patch. This intelligence on vulnerabilities builds the Chinese cyberattack tool kit.

The U.S. Cybersecurity & Infrastructure Security Agency issued a warning notice on PRC state-sponsored cyber activity in May 2023, noting how Beijing exploits vulnerabilities to “live off the land” within a network, blending in with normal system and network activities. The timing of this warning coincides with a breach of U.S. government email accounts, including the account of U.S. Commerce Secretary Gina Raimondo, the U.S. ambassador to China and the assistant secretary of state for East Asia. China-based threat actor (APT) Storm-0558 compromised email accounts of around two dozen government agencies. Raimondo, during her September 2023 trip to China to establish guardrails in the bilateral trade relationship, complained (to no avail) that hacking her and American emails only eroded trust in U.S.-Chinese relations.

Export Controls on Technology to China

This past week, Washington hosted the inaugural plenary meeting of Subscribing States to the voluntary Code of Conduct of the Export Controls and Human Rights Initiative (ECHRI). ECHRI is a multilateral effort, with 25 signatories, intended to counter state and non-state actors’ misuse of goods and technology to commit serious violations or abuses of human rights by using export controls in pursuit of national security interests. ECHRI should be viewed as an international extension of the U.S. effort to block exports to China (and other human rights abusers) of technology that is used to influence and repress individual freedoms and commercial activities. Subscribing states agree to apply export controls in preventing the proliferation of goods, software, and technologies that could enable serious human rights abuses.

Like at home, Washington has struggled with partners on aligning the threat perception on China. However, the Ukraine war has been a game changer. As a consequence of the rupture with Russia and the impact on European energy security, European leaders’ views have shifted on the risks of economic coercion. European leaders are adjusting their policy towards China to de-risk overdependence and prohibit sensitive domestic industries from Chinese acquisitions. Initial wariness to ban Chinese technology from their communications backbones has given way to increased coordination with the U.S. on security policies. In June, the European Commission presented its own economic security plan consisting of stronger controls on exports and outflows of technologies that could be put to military use by rivals such as China. The EU is now studying the new U.S. restrictions on investments in Chinese entities in the semiconductors and microelectronics, quantum information technologies, and certain artificial intelligence systems sectors. As little as two years ago, the EU declined to even consider such measures. 

Implications for U.S. Businesses

During the UNGA meetings and side events, there will be meetings between the U.S. and partners coordinating policy approaches on China. On both sides of the Atlantic, there is determination to de-risk economic relations with China, not to sever them (de-coupling). However, there will be steep challenges in managing this process, and official engagement between governments is only one leg of the stool; businesses and people-to-people relations have their own dynamics and can assist or derail policy planning.

For U.S. businesses with operations inside China, anti-American sentiment is growing along with increased regulatory requirements for businesses to provide Chinese authorities access to proprietary information, including intellectual property (IP), data and systems. Insider risks increase as Chinese citizens are motivated by nationalist calls to protect domestic security by providing insider access to foreign companies’ operations. The cost of doing business in China is going up as risks increase. 

Businesses do not need to be in China to be targeted by intelligence collection operations. According to the Federal Bureau of Investigation, the annual cost to the U.S. economy of counterfeit goods, pirated software and theft of trade secrets is between $225 billion and $600 billion. According to the “Made in China 2025 Plan,” China seeks to reduce its reliance on foreign technology in information technology, computer numerical control machine tools and robotics, aerospace equipment, marine engineering equipment, advance rail transportation equipment, new energy automobiles, electric power equipment, agricultural equipment and biomedicines and high-performance medical instruments. The Chinese government uses numerous methods to illegally or surreptitiously gain access to technology, including hacking operations, social engineering exploiting personal information of Americans, recruitment of insiders, mergers and acquisitions, joint ventures, front companies, and academic and research collaborations. U.S. businesses in higher risk sectors should conduct security assessments and due diligence to understand and assess their vulnerabilities to Beijing’s collection operations.