The markets are sharing a collective — if temporarily — sigh of relief as China and the United States reached a 90-day tariff deal. What cannot be avoided, however, is the underbelly of China’s relations with the U.S. and other advanced economies — namely, the unrelenting pursuit of sensitive data and technologies.
Press coverage of TikTok might lead some to think that the platform’s capabilities and Chinese ownership pose a singular challenge to regulators and law enforcement officials in the United States, Europe and other democracies seized with concerns about protecting privacy, personal data and ultimately, their nations’ security.
The reality is that China’s premeditated path toward legally and illegally seeking and gaining access to Americans’ personal data began more than a decade ago when the PRC hacked and gained access to the Office of Personal Management’s (OPM) database related to security clearances, exfiltrating the sensitive personal data of more than 20 million U.S. citizens approved for access to classified government material. The PRC’s purpose in seizing the data of current and former U.S. officials does not require much imagination.
Since then, China’s methods have become more sophisticated and largely focused on commercial approaches leveraging the growing digital environment. Also, the vast distribution of software and hardware supply chains over the past 20 years, especially to China, have further facilitated the Chinese Communist Party’s (CCP) aims. Globalization ironically has been the grand enabler of President Xi’s vision to dominate the world economically and militarily on a foundation of stolen knowledge.
Technologies upon which the consumer market relies offer optimal access to sensitive personal data. Consider the payment systems in U.S. stores, where point-of-sale terminals made by PAX Technology, a Chinese company, have become widely used by banks and across the retail sector. In October 2021, the FBI raided PAX’s U.S. offices following reports of unexplained network activity and concerns about potential data vulnerabilities. A U.S. Treasury Department investigation later confirmed that PAX was sending encrypted data to unknown third-parties.
It’s not just financial information that is of interest to China. Access to Americans’ DNA through companies that are focused on health care and identifying ancestry appear even more ominous in the wake of the COVID-19 pandemic.
But setting individual data-rich companies aside, Chinese entities have also secured stakes in U.S. and allied cloud infrastructure platforms, raising questions about who ultimately controls or can gain access to sensitive enterprise and government data.
The challenge facing the U.S. and allied governments is how to protect systems, citizens, infrastructure and industries from China’s multi-front assaults. There are multiple approaches currently being used and new ones to be considered.
Imposing fines, such as the $600 million one imposed in May on TikTok by the Irish Data Protection Commission following claims that the app unlawfully transferred residents’ data to China without protection from government surveillance, is one method. Another is regulation on specific transactions. Interagency bodies such as the Committee on Foreign Investment in the United States (CFIUS) can effectively block a transaction involving Chinese entities acquiring U.S. companies with sensitive data.
The Executive Branch together with Congress are poised to continuously update the varied regulatory and legal regimes that touch on these matters. In addition to CFIUS and Export Control Reform Act (ECRA) authorities, there are Defense Department supply chain regulations focused on software and hardware supply chain security, integrity and resilience. These efforts are being expanded beyond the Pentagon to the Departments of Homeland Security, Energy, and Transportation, to cover critical non-defense-related data and infrastructure.
Market-based incentives — such as tax credits, loan guarantees, and preferential procurement approaches can effectively support domestic and allied alternatives to Chinese technologies. Fostering more opportunities and inducements for American innovation can help reduce dependence on foreign suppliers especially from risky countries.
But what about the Chinese companies that are already operating with impunity in the United States? Or corporate structures and state-directed investment funds that funnel money through seemingly non-Chinese-owned entities?
It may be timely to establish an interagency council concentrating on identifying high-risk threats, identifying gaps and coordinating mitigation strategies, thereby building on agencies’ work already underway. One option may be to consider means by which additional transparency requirements related to personnel and technology sources could be required – not only in relation to U.S. government contracts – but for non-Five Eyes foreign-influenced tech firms operating in the United States in critical infrastructure, data services, health care, and financial technology. To reinforce such an endeavor, America should deepen cooperation with its NATO allies and Indo-Pacific partners and collaborate in securing procurement pathways, as well as developing trusted platforms. Finally, focus is critical – assessing where China could gain a dangerous advantage and how best to leverage limited government resources.
The mission is vital. Not only do Americans deserve to know who controls the systems that collect and store their data, where that information might ultimately go, and for what purposes, they deserve to be protected from our adversaries’ malign actions. Safeguarding data is not enough. Across the board, from the hardware in our weapons systems to the software in our payment systems, the time to smartly reduce our exposure is now. Failing to do so won’t just cost us economically — it may one day cost us militarily. And by then, the price may be far higher than we are able to pay.
Mira Ricardel is a non-executive board director of Titomic and served as under secretary of commerce for the Bureau of Industry and Security from August 2017- April 2018 and then as deputy National Security Advisor April-November 2018. She was a vice president at the Boeing Company from 2006-2015.
