In 2015 the Chinese government launched the “Made in China 2025” plan and targeted 10 global industries which the country should dominate in 10 years (including information technology, pharmaceuticals, robotics, automobiles, strategic manufacturing etc.). The Chinese are succeeding on executing their plan to date, gaining global market share for everything from phones and mobile services to telecommunications infrastructure for smart cites. Countries and firms around the world need to consider what this means for their local economies and industries.
The US-China Economic and Security Review Commission (USCC) explains that China’s strategy includes providing incentives for American and other international companies to manufacture in China “while at the same time pursuing opportunities to obtain key intellectual property and technology from those companies with the ultimate goal of indigenizing these technologies.”
The USCC describes the process over some 30 years in which it moved from the periphery to the center of the global supply chain. China’s entry into low end computer component market, strategic investments in R&D, efforts to attract foreign investment (first with tax breaks then, once it grew big, with concessions). For foreign companies to do business in China, the government requires these companies to surrender source code, store data on servers based in China, invest in Chinese companies, and allow the Chinese government to conduct security audits.
As the USCC report details, citing an earlier US House Permanent Select Committee on Intelligence Report, “national champions’ dominate through a combination of market protectionism, cheap loans, tax and subsidy programs, and diplomatic support in the case of offshore markets. Indeed, it is not possible to thrive in one of China’s strategic sectors without regime largesse and approval.” China has a similar strategy with IT equipment makers such as Huawei. As the USCC notes further,
Government support can take many forms, but it often includes preferential financing rates, preference in government contract bidding, and sometimes oligarchy or monopoly status in protected industries. In the case of Chinese national champions, the support also appears to include officially sanctioned or officially conducted corporate espionage designed to improve the competitiveness of Chinese firms while potentially advancing other government interests. Huawei, Zhongxing Telecommunications Corporation (ZTE), and Lenovo are three Chinese ICT companies that exhibit some of these characteristics.
The most recent USCC annual report details how Chinese Communist Party leadership exercises direct and indirect control over key sectors of the economy and allocates resources based on the perceived strategic value of a given firm or industry.
In 2017 China passed the National Intelligence Law to advance “technological reconnaissance measures”, also known as spying. The news website Quartz describes the law as “giv[ing] sweeping powers to monitor and investigate foreign and domestic individuals and institutions. It allows Chinese intelligence agencies to search premises, seize property, and mobilize individuals and organizations to carry out espionage. It also gives intelligence agencies legal ground to carry out their work both in and outside China. Those violating the law will be subject to detention of up to 15 days, and can be charged with a crime.” Chinese companies have downplayed the law, but it is the Chinese law nonetheless, and it is important for countries and companies outside of China to be mindful of the risk. It is unlikely that the Chinese government would have implemented a law so quickly and forcefully if they did not intend to enforce it.
There has been limited scrutiny to China’s role in information technology supply chains. While intelligence agencies and security analysts around the world have highlighted technological threats, the appetite for products and services made from companies with connections to the Chinese government and military grows. As digital and smart technology products made in China further penetrate worldwide markets, the risks to business trade secrets and the threat of sensitive personal and national security data being transferred to Chinese firms – or the Chinese government – grow as well.
Chinese companies have a history of jeopardizing national security, stealing intellectual property and compromising personal privacy
There are numerous examples of Chinese actors penetrating American military and corporate networks to steal secrets. In recent years, Chinese hackers stole or compromised design plans of the F-35 Joint Strike Fighter, C-17 transport plane, F-22 fighter jet, Patriot missile system and various naval platforms. A growing number of Justice Department indictments have demonstrated how state-sponsored Chinese actors have led phishing campaigns to target U.S. government agencies as well as private sector aviation and aerospace firms.
A 2018 report by the U.S.-China Economic and Security Review Commission calls out the supply chain risks not just from Huawei and ZTE, but also Inspur, Legend Capital/Holdings, Lenovo, Lexmark, Lishen Power Battery Systems, Tianma Microelectronics, TPV Technology Ltd, Tsingua Holdings, and Shenzen Laibo HiTech Co. Ltd. These firms are reportedly involved with China’s military, nuclear, and/or cyberespionage programs. Products or services from these firms could present itself as a supply chain attack or fail through a compromised product, such as batteries, acoustic components, magnets, shielding materials, or cables and power connectors. Such information might even be shared outright in a corporate intelligence sharing agreement, whether voluntary or compelled as a requirement of doing business with the Chinese firm.
Similarly, the largest maker of computers, Lenovo, has been called out for its support from the Chinese government, access to state owned intellectual property, and reported links to Chinese state-led cyberespionage efforts. Notably, its products are banned by use of intelligence agencies in Australia, Canada, New Zealand, the United Kingdom, and the United States (Five Eyes Countries) since the mid-2000s, when British military intelligence discovered “backdoors” and suspicious components in Lenovo products. Concerns about the company have been raised by the Department of State, US Navy, Department of Defense, and Department of Homeland Security.
ZTE was fined $1 billion by the Commerce Department for illegally trading with Iran and North Korea.
Intellectual Property Theft
A 2017 report by the bipartisan IP Commission concluded that Chinese theft of American intellectual property currently costs between $225 billion and $600 billion each year. In one high profile example, Huawei is currently under criminal indictment for stealing designs for T-Mobile’s testing robot, “Tappy,” which imitates a person using a phone and monitors phone metrics. Huawei was already found guilty in a civil lawsuit in 2017.
IP theft has been a major issue for non-Chinese companies for many years. While China has taken some steps to protect intellectual property in China (notably since its own companies started to patent technologies), it still has a long way to meet the standard of the USA and most European countries.
There is increasing focus on personal privacy on internet platforms (search engines, social networks, ecommerce marketplaces etc), online services, and digitally connected devices. How digital personal information is used and protected is highly regulated in the European Union, and the United States is in the process of strengthening its framework. China does not share the Western democratic tradition and its focus on individual rights, freedom of speech, due process, and so on. Consumers in the US and Europe buy many electronic products from China, and many of these products are connected to one’s mobile phone with Chinese software which collects personal data which is then stored and processed on servers in China. It is not clear whether and to what extent these products and services comply with US and EU privacy and data protection laws.
The backdoors and software on devices manufactured by Chinese companies can expose personal information and track online activity without a user’s knowledge. One example is Lenovo installing “Superfish” software in as many as 750,000 personal computers between 2014 and 2015.
In 2017, The Federal Trade Commission and 32 state attorneys general settled with the company over charges that it harmed consumers by preloading software on some laptops that compromised security protections to deliver ads to consumers that they would not normally see. The software thwarted basic consumer protections by hijacking encrypted web sessions, allowing attackers to snoop on browser traffic and potentially steal sensitive data, such as banking and financial information.
Former FTC Acting Chair Maureen Ohlhausen explained, “It’s the online equivalent of someone intercepting your mail, opening it, reading it, closing it back up and then putting it back in your mailbox.” A security analyst called it “quite possibly the single worst thing I have seen a manufacturer do to its customer base.” More recently, the company endured criticism for its Fingerprint Manager Pro, which potential exposed login credentials and fingerprints to hackers, and its Watch X, which sent unencrypted communications about user locations to a Chinese server.
The Chinese tech threats to national security, intellectual property, and personal privacy are real. Government, industry and consumers need to focus on these challenges.