Last week, I spoke at Arizona State University on “Cybersecurity and the Future.” I was a panelist with the state’s director of homeland security, the CEO of a cybersecurity company, and the CEO of a health care company (an industry with significant cybersecurity challenges). It was a great event and I really love engaging with college students because they’re just the right mix of curious, skeptical, and impressionable.
Whenever I do an event like this, one of my main goals is to raise awareness about how protecting our personal data is about more than credit scores and embarrassing texts. It really is about national security.
Inevitably I’ll get the question, “Why would China want my data? So what if they have my social media videos—I don’t care if they see me flossing.” This is when I launch into my spiel about how it’s about more than just one person’s data, it’s about the comprehensive insights a nation like China can derive when it’s getting troves of personal information from hundreds of millions of Americans. I then typically use my go-to metaphor, where I ask the person to imagine waking up to a news story reporting China has secretly deployed 100 million sensors around the United States and has been clandestinely collecting our personal contacts, photos, GPS locations, online purchasing and viewing habits, and even our keyboard swipes and patterns. I tell them this would obviously cause an uproar and then, feeling very pleased with myself, I lower the boom by telling them this is exactly what is happening every day with the more than 130 million American users of TikTok. Typically, this causes the person I’m chatting with to pause, to admit that my scenario sounds bad, and then, at least half of the time, they say something like, “Well, I mean, everyone else has my data too so I might as well keep having fun.” At this point I thank them for coming to the event and I start thinking about which near-by bar is likely to serve the best old-fashioned.
It’s not that I don’t understand—I do. The challenge of cybersecurity can feel like a battle that’s already lost. Like we’re all so far down the rabbit hole that the only thing we can really do is sit back and enjoy the ride. It’s a type of helplessness that’s made even more unattractive by the seemingly high cost of having to “miss out” on apps, games, and other things that can be genuinely enjoyable and even helpful.
Maybe you feel this way. Ultimately, it’s a decision that we each must make individually. And, while I can’t make this choice for you, I can help you make a more informed decision and equip you to help your friends and families make their choices. To that end, I’d like to explain how our data fits into China’s ambitions.
To begin, we need to understand the big picture.
China wants to build and use geopolitical influence and the Chinese Communist Party (CCP) has rightly concluded that, over the long term, this influence depends on how well the nation is able to build and use emerging technologies like artificial intelligence, robotics, autonomous vehicles, and biotechnologies. But, in the past, Beijing also knew that its tech companies were not able to develop these technologies independently and so the CCP fused its government and industry so that both could benefit from coercive economic policies and aggressive espionage and rise to the technological challenge. Stealing data is a core part of this strategy and supports three goals: economic energy, internal social stability, and external political power.
First, data are key for economic energy. Harvard professor and business strategist Michael Porter observes, “Innovation is the central issue in economic prosperity.” This is certainly true for the United States, where, before the pandemic, every consumer technology sector job supported almost three non-tech jobs in the American economy, and where the U.S. tech sector supplied $1.3 trillion in annual wages, $503 billion in tax revenue, and contributed nearly 12 percent of national GDP (about $2.3 trillion). While numbers for the last two years are less clear, the tech sector has been one of the few parts of our economy to grow during COVID-19 and it’s reasonable to believe technology is more important economically than ever before.
Similarly, in China, electronics and technology sales revenues topped $630 billion in 2019, and eight of the world’s 20 largest internet companies are now Chinese. While economic numbers coming out of China are notoriously suspect, a Tufts University survey ranks the nation as the world’s most rapidly evolving digital economy and there is little doubt that China’s financial future is closely linked to its technology industry. Thus, the systematic and sustained gathering of intellectual property, proprietary secrets, trade secrets, and other data is still critical for China’s economic growth.
Second, data are understood by the CCP as essential for internal social stability. It can be said that the CCP’s primary concern is its own security, and that data harvesting is a key means of achieving these ends. Specifically, data collection is used by the CCP to manipulate public attitudes and behavior and to suppress anyone who is thought to challenge the government’s authority.
Beijing’s social credit score regime exemplifies the nation’s cultural shaping operations. Here, the CCP leverages wide-scale surveillance and data collection to check citizen’s economic, social, political, and online habits to incentivize “good” behavior and constrain “bad” behavior. If you advance the party’s priorities, your social score goes up—giving you greater freedom of movement and increased access to benefits like public services and travel. If you engage in unapproved behaviors, however, you may not be allowed to apply for certain jobs or to leave your hometown.
The situation is even worse for religious and political minorities. The sheer scope of the CCP’s ubiquitous monitoring of Uyghur Muslims, primarily in China’s Xinjiang region, is staggering. It is also emblematic of the government’s willingness to use data to monitor, harass, and target anyone considered a threat to the state. In Xinjiang, Uyghurs face near total surveillance, regularly have their devices searched and copied, and are even required to download government surveillance software on their mobile devices. Their communications, images, medical data, economic spending, online viewing, and their family and social interactions are all known by the government—often with the help of the country’s leading tech companies, which collect, process, and analyze this data.
Finally, the third goal of China’s data collection is external political power. Aggressive data collection and exploitation not only helps economic growth and government stability, but it also enables all the other elements of national power. Government and corporate espionage are the backbone of China’s military industrial base, its diplomatic strategies, its intelligence enterprise, and its international treaties and trade practices.
So that’s why China wants your data. Here’s how they go about getting it: open-source data stores, government espionage, and corporate theft.
First, easily available, open-source information is a deep well of data. Consider the following statistics:
Nearly 90 percent of the world’s data has been created in the last two years.
Every minute of every day, nearly 700 hours of video are streamed on YouTube, 240,000 photos are posted to Facebook, 167 million videos are watched on TikTok, and 575,000 tweets are posted on Twitter.
Humans produce 2.5 quintillion bytes of data every day (for perspective: 2.5 quintillion pennies, if laid flat, would cover the earth’s surface five times); and
It is projected that people will produce 463 exabytes every day by 2025 (again, for reference, if a gigabyte is the size of the earth, an exabyte is the size of the sun).
Most of this data exists in commercial networks at the core of the “knowledge economy.” Central to this economy are a group of “data brokers” who compile, analyze, and sell this data. Just one of these data brokers, estimated the Federal Trade Commission all the way back in 2014, “has 3000 data segments for nearly every U.S. consumer.” Another “has information on 1.4 billion consumer transactions and over 700 billion aggregated data elements.” And still another “adds three billion new records each month to its databases.” These numbers have likely grown exponentially in the last eight years (but there are no legal reporting requirements for data brokers so it’s difficult to find the details).
These deep pools of data enable a near-total reconstruction of an individual’s identity, location history, interpersonal relationships and networks, entertainment and purchasing preferences and habits, and even future economic, social, and political choices. And all of it is for sale to anyone willing to cut a check. Or to steal it.
Data brokers are also a key target for CCP hackers. In 2017, suspected Chinese black hats compromised the Equifax credit brokerage firm, exposing critical information for hundreds of millions of people. Two years prior, China broke into the Anthem Inc. insurance company and stole the names, birthdates, addresses, Social Security numbers, and employment data for more than 78 million customers. It gets worse.
Second, traditional government espionage is another source of data for the CCP. Earlier this year, FBI Director Christopher Wray said:
When we tally up what we see in our investigations—over 2,000 of which are focused on the Chinese government trying to steal our information and technology—there is just no country that presents a broader threat to our ideas, our innovation, and our economic security than China. The Chinese government steals staggering volumes of information and causes deep, job-destroying damage across a wide range of industries—so much so that, as you heard, we’re constantly opening new cases to counter their intelligence operations, about every 12 hours or so.
This is after Wray warned previously that:
If you are an American adult, it is more likely than not that China has stolen your personal data … Of the nearly 5,000 active FBI counterintelligence cases currently under way across the country, almost half are related to China.
In terms of military and intelligence compromises alone, the CCP has stolen American plans for supersonic anti-aircraft missiles, stealth technology, and, of course, troves of personally identifiable information on Americans within the U.S. intelligence community when it hacked the Office of Personnel Management in 2015. But it’s not just the Chinese government who is spying.
That brings us to the third source of data, corporate espionage. This is an area of growing concern for the United States but there is still too little action. It obviously includes traditional efforts by companies to steal intellectual property and other secrets, but the CCP is going even further by enacting national security and cybersecurity laws that apply to every company inside China and to every Chinese company—wherever it operates—that require these companies to steal everything they can.
For example, the Huawei telecommunications company has a long track record of stealing the intellectual property of others (it even had an employee incentive program that rewarded such theft). Added to this, the country’s cybersecurity laws require all companies operating in China—including foreign-owned companies—to arrange and manage their computer networks so that the CCP has access to every bit and byte of data that is stored on, transits over, or in any other way touches China’s information infrastructure. Even more, Beijing applies these laws extraterritorially to Chinese companies—meaning they must comply even when a company like TikTok operates outside of China. This, of course, is illegal in the United States, but Chinese law also forbids companies from disclosing their cooperation and so it becomes a giant shell game.
So where does this leave us? Here are three bottom lines:
First, we must individually understand we’re part of something bigger than ourselves. The United States is hemorrhaging data to the Chinese. The nation cannot be secure if these losses continue at their current pace. It’s just that simple. And, while our cybersecurity vulnerabilities extend well beyond individual consumers, they certainly include us, and we have a lot of agency when it comes to our own protection. Our personal decisions matter and they matter to more than just us personally.
Second, the government cannot pass the national security “buck” to private citizens. I believe the threat of Chinese data theft is clear and easily proven. In government circles, this reality is now broadly understood and agreed with; and yet, we continue to let the challenge grow. Asking American users to understand and to mitigate the risks of Huawei, TikTok, DJI Drones, and other Chinese companies operating in the United States simply will not work. Instead, our government needs to remove these and many other companies from our markets until the CCP ends its coercive and distortive practices. Yes, this will be disruptive—blame Beijing. But I also believe this policy offers the best opportunity to change China’s approach and to build a free and fair global economy where all responsible parties can participate and thrive.
Finally, American tech companies and investors must also do their part. Companies like Apple and Google don’t have to distribute apps like TikTok. I understand not doing so would mean not supplying a service that consumers are demanding. But, at this point, these companies understand the threat of Chinese data theft as well as anyone and they are also the one’s constantly telling Congress and the American people how concerned they are about cybersecurity. Likewise, U.S. data brokers do not have to sell to Chinese buyers. Yes, these buyers would likely use third-party cutouts to get this information anyways, but why make it easy for them? Finally, U.S. investors should not be funding companies and technologies that support or enable the Chinese military. It’s insane that this even needs to be said, but the unwillingness of some to see this simple self-protective measure makes it increasingly necessary for some form of government review of outbound investments like the way the Committee on Foreign Investment in the United States (CFIUS) reviews foreign direct investments for national security concerns.
So, to conclude, the world is awash in data, and nations that harness and secure this resource will be best positioned to thrive and those that don’t will face existential challenges. The United States, however, has been too slow in securing itself and is at risk of ceding its security and interests to the nation’s chief international rival. Even so, there is growing consensus in the United States on confronting China and there is good reason to expect a more serious approach in the near-term. For this to happen, however, we must all understand the strategic value of data and do our part to protect it.
That’s it for this edition of The Current. Be sure to comment on this post and to share this newsletter with your family, friends, and followers. You can also follow me on Twitter (@KlonKitchen). Thanks for taking the time and I’ll see you next week!