The Chinese Threat to Privacy

As The Kitchen Sync transitions to paid subscriptions, I want to ensure your thoughts and views are known. Please click the “reader survey” button below to have a direct influence on the future of this newsletter. Thanks and enjoy the article.


These days, it is widely understood that, in the words of The Economist, “the world’s most valuable resource is no longer oil, but data.”[1] The massive scope of cyber-enabled data theft perpetrated by China over just the last decade supports this assessment. Already back in 2011 the Office of the National Counterintelligence Executive was assessing that “Chinese actors are the world’s most active and persistent perpetrators of economic espionage.”[2] Ten years later, it has been discovered that Chinese hackers have compromised more than 400,000 Microsoft Exchange servers in 115 nations, including more than 30,000 in the United States, giving Beijing full access to the victims’ emails and leaving them vulnerable to further exploitation.[3]

If the United States is going to prevent China from systematically syphoning “the world’s most valuable resource,” it must understand the strategic rationale of the Chinese Communist Party (CCP) for hoarding data, how that data is subsequently employed, how it is being collected, and what can be done to mitigate the threat. 

China’s Targeting of Data is Rational

China is like every other nation in the history of the world in that it seeks to build and wield geopolitical influence to secure itself and its interests. The CCP has also determined that collecting and using this influence will, in part, depend on the nation’s leadership in emerging technologies that are shaping modern governance and economics. It has specifically identified the following industries as priorities: information technologies, robotics, “green” energy, aerospace, ocean engineering, power equipment, new materials, medicine, and agriculture.[4]

But Beijing likewise knows that American technological leadership will not be easily overtaken, and that China’s domestic technology industries are not robust or mature enough to win on their own. The CCP, therefore, is pursuing a strategy of “military-civil fusion,” where the Chinese government and the country’s industries partner on mutually-beneficial priorities and objectives – often leveraging state monetary and espionage capabilities in the process. 

To put it simply, Beijing is attempting to prove a new concept of governance that links the wealth of its version of capitalism with the stability and security of technological totalitarianism. If successful, China will likely find a host of would-be authoritarians around the world eager to sign up for this new model, and it would be well-positioned to supply the capabilities and infrastructure needed for its implementation in those places. Indeed, techno-totalitarianism could become a key export along China’s Belt & Road.

At the root of this strategy is the acquisition and use of data, which the CCP uses to build wealth, to secure itself, and to shape the international environment.

The Three Roles of Data

Data is not valuable in and of itself. Data must be examined, assessed, and leveraged toward some broader objective. But, when this is done effectively, data can provide a decisive advantage. To this end, the CCP’s data acquisition efforts can be understood as supporting three goals.

First, data is key for economic energy. Harvard professor and business strategist Michael Porter observes, “Innovation is the central issue in economic prosperity.”[5] This is certainly true for the United States, where every consumer technology sector job supports almost three non-tech jobs in the American economy, and where the U.S. tech sector supplies $1.3 trillion in annual wages, $503 billion in tax revenue, and contributes nearly 12% of national GDP (~$2.3 trillion).[6]

In China, similarly, electronics and technology sales revenues topped $630 billion in 2019, and nine of the world’s 20 largest internet companies are Chinese.[7] While economic numbers coming out of China are notoriously suspect, a Tufts University survey[8] ranks the nation as the world’s most rapidly evolving digital economy. There can be no doubt that the nation’s financial future is inextricably linked to its technology industry. 

Thus, the systematic and sustained gathering of intellectual property, proprietary secrets, trade secrets, and other data is critical for China’s economic growth. One in five North American-based companies now say China has stolen their intellectual property.[9] As of 2019, this was projected to have cost the U.S. economy more than $600 billion.[10] Beijing has clearly concluded that its prosperity is best achieved by leveraging that of others.

Second, data is seen as essential for internal social strength. It can be said that the CCP’s primary concern is its own stability and security, and that data harvesting is a key means of achieving these ends. Specifically, data collection is used by the CCP to manipulate public attitudes and behavior, and to suppress anyone who is thought to challenge the government’s authority.

Beijing’s social credit score regime exemplifies the nation’s cultural shaping operations. Here, the CCP leverages wide-scale surveillance and data collection to monitor citizen’s economic, social, political, and online habits in an effort to incentivize “good” behavior and constrain “bad” behavior. If you advance the Party’s priorities, your social score goes up – giving you greater freedom of movement and increased access to benefits like public services and travel. If you engage in unapproved behaviors, however, you may not be allowed to apply for certain jobs or to leave your home town. 

The situation is even worse for religious and political minorities. The sheer scope of the CCP’s ubiquitous monitoring of Uyghur Muslims, primarily in China’s Xinjiang Province, is staggering. It is also emblematic of the government’s willingness to use data to monitor, harass, and target anyone deemed a threat to the state. In Xinjiang, Uyghurs are under nearly-total surveillance, regularly have their devices searched and copied, and are even required to download government surveillance software on their mobile phones. Their communications, images, medical data, economic spending, online viewing, and their family and social interactions are known by the government – often with the help of the country’s leading tech companies, which collect, process, and analyze this data. 

Finally, the third goal of China’s data collection is external political power. Aggressive data collection and exploitation not only facilitates economic growth and government stability, it also enables all of the other elements of national power. Traditional and corporate espionage are the backbone of China’s military industrial base, its diplomatic strategies, its intelligence enterprise, and its international treaties and trade practices. Put another way, a robust pipeline of data feeds China’s engagement with the world by informing and shaping its ends, ways, and means.

Three Ways In Which Data Is Collected

The Chinese government draws data from three primary sources: open-source data stores, government espionage, and corporate espionage.

First, in discussing open-source information, consider the following statistics from 2020:[11]

  • Nearly 90% of the word’s data has been created in the last two years;

  • Every minute of every day, 500 hours of new video are uploaded to YouTube, 147,000 photos are posted to Facebook, 41 million messages are shared on WhatsApp, and more than 212 million emails are sent; 

  • Humans produce 2.5 quintillion bytes of data every day (for perspective: 2.5 quintillion pennies, if laid flat, would cover the earth’s surface five times); and, 

  • It is projected that people will produce 463 exabytes every day by 2025 (again, for reference: if a gigabyte is the size of the earth, an exabyte is the size of the sun).

The majority of the data discussed above is generated by, and exists within, unclassified networks that constitute the heart of the “knowledge economy.” At the core of this economy are an array of “data brokers,” who compile, analyze, and sell this data. Just one of these data brokers, estimates the Federal Trade Commission, “has 300 data segments for nearly every U.S. consumer.” Another “has information on 1.4 billion consumer transactions and over 700 billion aggregated data elements.” And still another “adds three billion new records each month to its databases.”[12]

That data can enable a near-total reconstruction of an individual’s identity, location history, interpersonal relationships and networks, entertainment and purchasing preferences and habits, and even future economic, social, and political outcomes. And all of it is available for sale to anyone willing to cut a check.

Or to steal it. Data brokers are a key target for the CCP. In 2017, suspected Chinese hackers compromised the Equifax credit brokerage firm, exposing critical information for hundreds of millions of people. Two years prior, China broke into the Anthem Inc. insurance company and stole the names, birthdates, addresses, social security numbers, and employment data for more than 78 million customers. While Americans are increasingly concerned about how data collection affects their domestic freedoms and privacy, there is still too little understanding of the national security implications of these practices. 

Traditional government espionage is another primary source of data for the CCP. In July 2020, FBI Director Christopher Wray noted publicly that:

If you are an American adult, it is more likely than not that China has stolen your personal data … We’ve now reached the point where the FBI is opening a new China-related counterintelligence case about every 10 hours. Of the nearly 5,000 active FBI counterintelligence cases currently under way across the country, almost half are related to China.[13]

In terms of military and intelligence compromises alone, the CCP has stolen American plans for supersonic anti-aircraft missiles, stealth technology, and, of course, troves of personally identifiable information on Americans within the U.S. Intelligence Community when it hacked the Office of Personnel Management in 2015. Chinese hacking of defense contractors and others in the private sector is so pervasive that last year, the Department of Homeland Security issued a Data Security Business Advisory, with the following warning: 

Businesses expose themselves and their customers to heightened risk when they share sensitive data with firms located in the PRC, or use equipment and software developed by firms with an ownership nexus in the PRC, as well as with firms that have PRC citizens in key leadership and security-focused roles (together, “PRC firms”). Due to PRC legal regimes and known PRC data collection practices, this is particularly true for data service providers and data infrastructure.[14]

The third source of data leveraged by China, corporate espionage, is perhaps the most poorly understood – and poorly addressed – vector of Chinese data theft. Yes, it obviously includes traditional efforts by companies to steal intellectual property and other secrets. However, the CCP is going even further by enacting national security and cybersecurity laws that apply to every company inside China and to every Chinese company, wherever it operates.

In January 2020, for example, a new cybersecurity law required all companies operating in China — including foreign-owned companies — to arrange and manage their computer networks so that the Chinese government has access to every bit and byte of data that is stored on, transits over, or in any other way touches China’s information infrastructure. Laws like this one are at the root of American concerns about Chinese companies – like Huawei and TikTok – operating in the United States. These companies do not need to have “backdoors” that Chinese hackers can access. Nor do they need to be malevolent in their intentions. They simply need to be compliant with Chinese law. And, in China, anyone who is not compliant is not in business for long.

Any one of these sources of data constitutes a critical capability for Beijing, and a critical vulnerability for the United States. Taken in total, they constitute an existential liability that must be addressed urgently and comprehensively.

Recommendations for the New Administration

In its March 2021 Interim National Security Strategic Guidance, the Biden administration promised to “confront unfair and illegal trade practices, cyber theft, and coercive economic practices that hurt American workers, undercut our advanced and emerging technologies, and seek to erode our strategic advantage and national competitiveness.”[15] Here are three broad steps that are needed in order to see this policy through.

First, stop the bleeding. The United States is hemorrhaging data to the Chinese. The nation cannot be secure as long as these losses continue at their current pace. In addition to ongoing efforts to increase scrutiny of Chinese investment and operations in the United States, the Biden administration should investigate the national security equities at stake in the data brokerage industry, and offer a path forward that can be fully implemented within 18 months. Washington should also develop a coherent framework for evaluating what technologies and platforms are truly strategically essential – and therefore in need of aggressive defense – and those which are valuable, but where losses or dependency are not catastrophic to American strength. The methodology offered by former Google CEO Eric Schmidt’s and Jigsaw CEO Jared Cohen’s China Strategy Group (CSG) is an excellent place to start.[16] Finally, in the context of traditional government espionage, there is already a great deal of effort underway in the classified environment. Thus far, however, we do not appear to have changed Beijing’s strategic calculus regarding increasingly aggressive cyber operations. This must change, and we must be prepared to use every element of national power to force this evolution on the CCP. 

Next, we have to build an alliance for the trusted development and deployment of emerging technologies. Even if the United States were able to unilaterally dominate emerging technologies for the next century, its national security and foreign influence would be critically weakened if our global partners and allies fail to keep pace – or even worse, it they are subsumed by Chinese technological expansion. Here again, the CSG offers a helpful suggestion by calling for a new multilateral forum to “bring together key countries to coordinate responses to technological competition.”[17] This “T-12” should include the United States, Japan, Germany, France, Britain and Canada, the Netherlands, South Korea, Finland, Sweden, India, Israel, and Australia. The specific forms this alliance could take may vary, but such a construct is essential and must be pursued as a core objective of American foreign policy.

Finally, the United States must prepare for a “splinternet.” As has been discussed above, Washington and Beijing have two increasingly different notions of modern governance, but both understand data and networks as being critical for securing and spreading those visions. In much the same way that the world was divided into competing spheres of influence between the West and the Soviet Union during the Cold War, the world’s networks may soon be divided between a Western and a Chinese internet – each with its own norms, rules, and infrastructure. To be sure, such a development would be incredibly disruptive to globalized economies and to the digital global commons more generally. Yet the techno-totalitarian model being pioneered by China requires at least some decoupling from the Western world. China, Russia, and other nations are already building regional internets in the name of cybersecurity, and there is little the United States can do to prevent these efforts from maturing. American bans on Chinese companies like ZTE and Huawei are being mirrored by Chinese bans on Western equipment. These are all telltale signs of the coming “splinternet.”

Conclusion

The world is awash in data and this deluge will only deepen for the foreseeable future. Nations that harness and secure this new strategic resource will be best positioned to thrive in the emerging geopolitical environment. Those who do not, will face existential challenges. The Chinese government is heeding the ancient wisdom, “To secure ourselves against defeat lies in our own hands, but the opportunity of defeating the enemy is provided by the enemy himself.”[18] The United States, however, has been too slow in securing itself, and in so doing, risks ceding its security and interests to the nation’s chief international rival. Even so, there is growing consensus in the United States around this challenge and there is good reason to be hopeful – but to do this we must understand the strategic value of data and protect it accordingly.


The above essay was originally published in the American Foreign Policy Council’s Defense Dossier. You can read the other essays in this volume by clicking here.


[1] “Regulating the internet giants: The world’s most valuable resource is no longer oil, but data,” The Economist, May 6, 2017, https://www.economist.com/leaders/2017/05/06/the-worlds-most-valuable-resource-is-no-longer-oil-but-data[2] Office of the National Counterintelligence Executive, Foreign Spies Stealing US Economic Secrets in Cyberspace: Report to Congress on Foreign Economic Collection and Industrial Espionage, 2009-2011, October 2011, https://www.hsdl.org/?view&did=720057.  [3] “A Basic Timeline of the Exchange Mass-Hack,” Krebs on Security, March 8, 2021, https://krebsonsecurity.com/2021/03/a-basic-timeline-of-the-exchange-mass-hack/.[4] Scott Kennedy, “Made in China 2025,” Center for Strategic & International Studies, June 1, 2015, https://www.csis.org/analysis/made-china-2025.[5] Barry Jaruzelski, “Innovation’s New World Order,” Forbes, November 16, 2015, https://www.forbes.com/sites/strategyand/2015/11/16/innovations-new-world-order/[6] “PRESS RELEASE: Tech Sector Supports 18 Million U.S. Jobs, Represents 12% of GDP ….” Consumer Technology Association, April 29, 2019, https://www.cta.tech/Resources/Newsroom/Media-Releases/2019/April/Tech-Sector-Supports-18-Million-U-S-Jobs,-Represe[7] “How Dominant are Chinese Companies Globally?” CSIS ChinaPower, n.d., https://chinapower.csis.org/chinese-companies-global-500/[8] “Digital Evolution Index,” Tufts University Digital Planet, n.d., https://sites.tufts.edu/digitalplanet/tag/digital-evolution-index/[9] Eric Rosenbaum, “1 in 5 companies say China stole their IP within the last year: CNBC CFO survey,” CNBC, March 1, 2019, https://www.cnbc.com/2019/02/28/1-in-5-companies-say-china-stole-their-ip-within-the-last-year-cnbc.html[10] James Lewis, “China’s addiction to intellectual property theft,” Hinrich Foundation, March 25, 2021, https://www.hinrichfoundation.com/research/tradevistas/us-china/china-ip-theft/[11] Jacquelyn Bulao, “How Much Data Is Created Every Day in 2021?” TechJury, March 18, 2021, https://techjury.net/blog/how-much-data-is-created-every-day/; “Data Never Sleeps 8.0,” Domo, n.d., https://www.domo.com/learn/data-never-sleeps-8[12] Federal Trade Commission, Data Brokers: A Call for Transparency and Accountability, May 2014, https://www.ftc.gov/system/files/documents/reports/data-brokers-call-transparency-accountability-report-federal-trade-commission-may-2014/140527databrokerreport.pdf[13] Christopher Wray, Speech before the Hudson Institute, Washington, DC, July 7, 2020, https://www.fbi.gov/news/speeches/the-threat-posed-by-the-chinese-government-and-the-chinese-communist-party-to-the-economic-and-national-security-of-the-united-states.[14] U.S. Department of Homeland Security, “Data Security Business Advisory: Risks and Considerations for Businesses using Data Services and Equipment from Firms Linked to the People’s Republic of China,” n.d., https://www.dhs.gov/sites/default/files/publications/20_1222_data-security-business-advisory.pdf[15] Biden Administration, Interim National Security Strategic Guidance, March 2021, https://www.whitehouse.gov/wp-content/uploads/2021/03/NSC-1v2.pdf[16] China Strategy Group, Asymmetric Competition: A Strategy for China & Technology, Fall 2020, https://www.documentcloud.org/documents/20463382-final-memo-china-strategy-group-axios-1[17] Ibid.[18] Sun Tzu (Griffith), The Art of War, Oxford: Clarendon Press, 1964. Print.

Comments (1)
Join The Dispatch to participate in the comments.