Microsoft’s disclosure over the summer of a Chinese espionage campaign that used forged credentials to break into U.S. government agencies and businesses is a reminder that China has sophisticated cyber capabilities and is willing to use them. But this is more than just having a product with vulnerable code.
If companies have business operations in China — as many of America’s largest and most influential tech companies do — they may be unwitting accomplices to China’s surveillance operations, according to a new report published by the American Security Project. Yet this remains absent from discussions of risk in many technology firms’ public financial statements.
It is a curious omission, because the risks are high: Chinese law requires that companies located there provide the Chinese Communist Party’s security services with access to source code and other sensitive data if demanded. Chinese law also requires that security researchers — including those working for tech companies — share vulnerabilities in computer code with the government first.
Ten years ago, then-National Security Agency contractor Edward Snowden leaked classified documents purporting to show that American tech companies were required under U.S. law to furnish information about foreigners to the U.S. intelligence community. In the painful aftermath of the leaks, American tech companies faced such grave reputational harm that many of them reported the risks as material in their financial disclosures. They also fought hard for — and won — the right to be more transparent with their customers and the broader public about how often the U.S. intelligence community required them to cooperate. If U.S. surveillance posed such a grave risk to the business fortunes of American tech companies, surely China’s must as well.
To be sure, there is a world of difference between the American legal framework for intelligence operations and China’s. Ours is embedded in a democracy, with limits prescribed by law and subject to layers of oversight by all three branches of government. We openly debate the contours of this framework, as Congress is doing now with respect to the surveillance authorities authorized by the Foreign Intelligence Surveillance Act. China gives security services carte blanche to pursue their investigations and operations, with no known limits.
The risks of Chinese cyber operations do not stop at a company’s financial bottom line. The Office of the Director of National Intelligence has warned that “China almost certainly is capable of launching cyber-attacks that could disrupt critical infrastructure services” in the United States, including rail systems and oil and gas pipelines. Here in California, for example, a Chinese cyber-espionage campaign targeted the Metropolitan Water District of Southern California, which provides water to 19 million Californians.
Now, it is true that many U.S. tech companies’ relations with China are complex. China is a huge market with a long history of making foreign companies build a business footprint in the country in order to sell there.
It also has an enormously talented tech workforce that tech companies want to tap into by basing some of their operations in China. When it comes to espionage, however, those China-based organizations ultimately answer to the Chinese Communist Party, not American tech giants’ management.
Representative Ro Khanna, D-Santa Clara, a member of the House Select Committee on China, is right that American tech companies must rethink their relationships with China. At a minimum, it is time for tech companies to be more transparent about their business operations in China and how they manage risks. They could publish aggregate statistics on the volume of surveillance requests from China, and if the Chinese government prohibits such disclosure, the companies should say so publicly.
It is time that Congress asks American tech giants to explain how they assess and address these risks.
Andrew J. Grotto is a visiting fellow at the Hoover Institution and a security fellow at the Center for International Security and Cooperation at Stanford University and was the senior director for cybersecurity policy in the Obama and Trump administrations.
