For Chinese firms, theft of your data is now a legal requirement

Original article published by The Hill.

In late December, the Department of Homeland Security (DHS) released a significant but largely overlooked advisory to American businesses, warning of the risks associated with the use of data services and equipment from firms with ties to the People’s Republic of China. The advisory noted that this presents a major threat to data security for the U.S. government, businesses and people, because China will have the ability to access data covertly through entities it influences or controls.

The advisory highlights the persistent risk of Chinese government-sponsored data theft because of newly enacted Chinese laws — specifically, the National Intelligence Law of 2017, Data Security Law of 2020, and Cryptology Law of 2020. These laws compel Chinese businesses and citizens — including through academic institutions, research service providers, and investors — to support and facilitate the Chinese government’s access to the collection, transmission and storage of data. This violates the letter or intent of U.S. and international law and accepted policies. Companies may be required to store data within China’s borders and to permit the Chinese government to access data under the pretense of national security.

These risks result from the decision by the Chinese Communist Party (CCP) — and thus, the Chinese government — to generate laws that coerce Chinese firms into providing data and relevant information to them. Of great concern to non-Chinese firms, Chinese laws and initiatives compel Chinese firms and entities to cooperate secretly with Chinese security and intelligence services. These laws may be used to compel Chinese firms to provide Beijing with data, encryption keys and other technical information, as well as to install “backdoors” or “bugdoors” (a backdoor that masks itself as a computer “bug”) in equipment which create security flaws vulnerable to exploitation by Chinese entities.  

The DHS advisory noted that data centers owned or operated by Chinese firms, foreign data centers built with or otherwise operating Chinese equipment, such as Huawei and ZTE — or “rebranded” Huawei or ZTE equipment — and Chinese partners in joint ventures are required to provide information. Moreover, China’s laws introduce vulnerabilities for software and Apple and Samsung mobile device applications, such as TikTok, and fitness wearables and other devices that can provide location and other data to the Chinese government. 

The intent of these laws is to augment and accelerate China’s ambition to rise to superpower status. The laws provide a legal foundation to advance the goals outlined in the “Made in China 2025” plan, as well as the Digital Silk Road and the Military Civil Fusion efforts, the intent of which is to make China the leading global technological superpower by 2049, the centenary of the communist revolution.  

Additionally, the CCP has indicated that it will aid Chinese companies in their efforts to replace foreign companies as engineers, designers and manufacturers of key emerging and foundational technologies. Through state-sponsored theft of data, such as intellectual property and trade secrets, the CCP plans to shift from industrial manufacturing to information technology and the life sciences, with a particular emphasis on genetic research.

Consequently, China’s sponsored data theft accelerates not only the reduction of foreign competitors’ domestic market share, but also China’s technological dominance in critical markets long dominated by U.S. and European firms — aerospace, semiconductors, robotics, artificial intelligence systems, biometrics, cyber intelligence, genomics, pharmaceutical medicines and sustainable/green energy materials.

Inevitably, there also is a military dimension. Stolen intellectual property has been essential to the modernization of the People’s Liberation Army, other military services, and China’s intelligence community, equipping them with advanced warfighting and information capabilities. China employs foreign data as a tool to map the activities and vulnerabilities of key individuals, including Chinese dissidents. This data collection aids China’s diplomacy and global opinion, particularly regarding human rights abuses of its Muslim and Tibetan minorities, and helps it wage political warfare against the West.

The DHS advisory should be heeded by not only U.S. firms but also those outside of the United States. Because of China’s laws and policies, any entity interacting with Chinese firms risks intellectual property theft, data theft and exploitation. Even if U.S. firms do not trade with China, those that do — such as European or Japanese firms — introduce the risk of indirect theft. The economic, legal, political and human rights consequences of this are yet to be fully realized by American firms and the American people. 

Accordingly, the November 2020 Regional Comprehensive Economic Partnership agreement, and German Chancellor Angela Merkel’s decision to reach the Comprehensive Investment Agreement between the European Union (EU) and China are regrettable. These agreements were reached despite significant human rights concerns regarding China’s widespread violation of the political, religious and civil rights of the Chinese people; its clash with India that resulted in the deaths of about 20 Indian soldiers; and its violations of international treaties, such as the 1984 Hong Kong agreement. They are manifestations of the willful ignorance of the problem of economic partnership with Chinese entities. Cooperation and partnership with Chinese firms means cooperation and partnership with the CCP, as well as the predatory mining of data and other property of non-Chinese firms. 

In particular, the fact that Germany would ignore China’s gross human rights abuses and concentration camps for Muslim minorities is not simply a dissonant strategic misstep; it is a grotesque historical reminder of the dangers of Merkel’s foreign policy. The agreement will permit investors to acquire companies in a number of sectors and allow foreign employees to work in other markets. Additionally, it was a snub to President-elect Biden’s administration, which has expressed a desire to work with the EU against China.

The DHS warning is stark: All firms, people or entities choosing to use data services and equipment from Chinese firms, or to store data on software or equipment developed by such firms, should be aware of the economic, reputational and legal risks associated with doing business with these firms. Were this warning to be heeded by Western and other firms, it would protect non-Chinese firms and people, and could slow China’s rise.  

In the wake of China’s increasing belligerence and behavior during the coronavirus pandemic, the world should have recognized that engagement with China comes at too great a cost. China’s laws have simply codified this.