We study the problems of technology produced by the People’s Republic of China and suggest policy solutions to protect the security, privacy, and prosperity of the people of the United States. A threat is an expression of intent to inflict injury or damage.
There are three categories of threats associated with PRC information technology. These are:
- Malicious hardware, software, and components
- Data theft and exfiltration
- Unethical and illegal business practices
Malicious hardware, software, and components
Many PRC information technology inputs are designed with the intention to infiltrate, disrupt, damage, or otherwise compromise the integrity of the product. For example, a backdoor is malicious hardware or software that circumvents the regular process for accessing a computer system or device. Backdoors enable unauthorized remote access to elements within a system (files or databases) and/or empower an unauthorized user to execute commands in the network. A backdoor is a covert method of bypassing authentication or encryption. The presence of backdoors and other tech threats prompted Congress to restrict the use of Huawei in the US. Similarly, devices from Lenovo and Hikvision have been restricted for purchase by the military.
Data theft and exfiltration
Data theft and exfiltration is the unauthorized or malicious transfer of data from a computer, device, program, or system. This is frequently done through hacking or the exploitation of a weakness in a system to gain access to personal or enterprise data. PRC hackers include an ever-changing mix of official, military, civilian and even robot actors, which may engage in state-sponsored, freelance, or independent attacks. One example is the PRC hack of the Office of Personnel Management, the US government’s human resource department for federal employees, conducted to capture millions of individuals’ records including fingerprints and designation for security clearance.
However, hacking is not the only problem. PRC companies themselves may provide user or enterprise data to the government. The PRC’s 2016 Internet Security Law asserts the country’s sovereignty over cyberspace, authority over all internet products and services made in the PRC, and obligations of Chinese producers of internet products and services to the Chinese state. The PRC’s 2017 National Intelligence Law compels any Chinese subject to spy on behalf of the state. As such, the PRC’s information communication technology (ICT) firms can be compelled to collect data or conduct surveillance on any piece of technology at any time for any reason anywhere. Customer information collected on Chinese devices anywhere can also be brought to the PRC. Indeed, many contracts with Chinese IT providers stipulate as much. However, data need not be taken out of the United States to be available to the Chinese government. The PRC does not honor US, United Kingdom, or European Union privacy and data protection laws.
There is little to no ability to challenge PRC decisions in Chinese court. There is no warrant for the request of data or due process should a plaintiff want to challenge an intrusion.
By accessing PRC technology providers like TikTok, WeChat, or AliPay, users expose themselves to the PRC’s Social Credit System and other PRC data processing. The PRC keeps a database on foreign nationals for a variety of purposes.
Unethical and illegal business practices
Many emerging technologies are developed in unethical conditions, for example the development of facial recognition technologies by coercing the participation of Uighur Muslims. Illegal practices include predatory pricing, dumping, and lack of financial, regulatory, or other disclosure per relevant laws. A related issue is the development of artificial intelligence, facial recognition, and other technologies in unethical situations which are subsequently integrated in products and services consumed by Americans.
We focus on the government of China, not the people of China
China Tech Threat is bringing attention to the threats and risks of information technology (IT) produced by entities owned by and affiliated with the government of the People’s Republic of China (PRC). This is a specific set of problems with a specific set of solutions. Note that the government of the PRC is related to a system, a set of institutions, and an organized community called the Chinese Communist Party, the founding and sole governing political party of the PRC.