7 April 2021

Securing the Information and Communications Technology and Services Supply Chain


This commentary is a lightly edited version of a comment submitted to the U.S. Department of Commerce.

We have entered the age of digital distrust. The United States is now in a conflict with China because of decisions by Xi Jinping’s government. It is not primarily a competition in weapons building or arms races but for ascendancy and control in the economic and technological spheres. It is also a political contest between two very different systems, and this is China’s greatest weakness given that its one-party state depends on a blend of Chinese nationalism and Leninist political techniques that make it unattractive. Espionage and intelligence collection are a major part of this conflict, crucial for China’s plans for achieving technological supremacy, and a major national security threat to the United States.

A 2020 survey by CSIS found 152 publicly reported instances of Chinese espionage directed at the United States since 2000. This did not include espionage against U.S. firms or persons located in China, nor an additional 50 cases involving attempts to smuggle munitions or controlled technologies from the United States to China. The survey does not include more than 1,200 intellectual property theft cases brought by U.S. companies against Chinese entities. Senior U.S. officials have repeatedly stated that China’s espionage efforts exceed in scope and scale what was seen in the Cold War. This is because global digital networks and technologies provide immense new opportunities for espionage that China has taken advantage of for two decades.

The questions posed by the information and communications technology and services (ICTS) rule are whether there are transactions in digital technologies or services that could expand risk in this contest, and whether they should be allowed or prohibited.

An immediate conclusion is that not all transactions with China should be banned simply because the other party is Chinese. Most transactions do not create risk to national security. In assessing the risk of China as a supplier of ICTS, we can start by asking whether Chinese goods or services create an intelligence advantage for China or an unhealthy dependency on Chinese suppliers. The latter question suggests that it is always preferable for the United States to support a diverse supply chain (and diverse does not mean that all suppliers must be located in the United States). This should be a goal for U.S. policy. A good goal for regulation is to build safeguards for a connected global economy now that China is an opponent.

There is always risk that comes from buying items that are digitally connected to China over global networks since there is a high likelihood that China exploits or will consider exploiting such devices or services for espionage purposes. China engages in massive domestic digital surveillance, and it would be naive to assume that it does not extend this surveillance to foreign targets. China’s laws give its agencies untrammeled access to networks and data from Chinese companies and take precedent over any other law or commitment. But if a device cannot “call home” to China or does not connect to global networks, this risk is low. We can consider six measures to assess the degree of risk created by using Chinese ICTS:
Is the technology connected to or is the service operated or managed from servers or networks in China?
To what data does the Chinese product or service have access?
Where is the data stored?
Who controls or owns the data?
Who are the users of the products or services?
What is the treatment of U.S. companies offering similar products in China?

These measures have significant implications for allowing Chinese online services to operate in the United States. The fundamental questions are: what data does the service collect, and what opportunities for access to networks or devices does using the service create? For example, use of TikTok, the popular short music video service, poses little risk after moving the storage of Americans’ personally identifiable information (PII) outside of China. Risk from the use of TikTok’s updater service or device access exists (along the lines of what we have seen in SolarWinds) but is manageable if TikTok relies on Western, third-party cloud services or security providers and because TikTok’s young audience is not of intelligence value (although this risk may increase as TikTok’s user base changes). In contrast, TikTok offering e-commerce services in the United States creates a higher degree of risk for sensitive PII (including financial information).

WeChat poses a similar problem. WeChat is managed and operated from China by a Chinese company subject to China’s national laws. Its app is a fundamental part of Chinese digital life, but its users are subject to constant surveillance by Chinese security agencies. The majority of WeChat users in the United States are Chinese nationals. While they are the targets of surveillance and propaganda by the Chinese state, the risk of allowing them to use the app in the United States is low.

Some Chinese services, like AliPay or WeChat Pay, are essential for commercial transactions in China. A blanket ban on their use damages U.S. companies operating in China. For example, most Chinese use these digital payment mechanisms, and the use of cash is shrinking. A Chinese citizen who sought to purchase food from a U.S. fast food chain outlet in China would be blocked from making the transaction. This creates economic harm for the United States without a corresponding benefit to national security. In contrast, a U.S. resident who installs it or a similar service on their device is now subject to Chinese government surveillance and, likely, data collection.

China’s skilful efforts to make the yuan the global reserve currency are linked to the use of its central bank digital currency and to its digital payment systems. Anyone who uses these systems is unavoidably subject to Chinese government surveillance. But any regulation or restriction must be carefully designed. Blocking individuals from using a Chinese service in China is counterproductive; blocking a U.S. citizen from using Chinese services in the United States is justified. Some previous implementations of ICTS regulations, as drafted, did not clearly make this distinction.

We can envision complex technical exploitation strategies where having a Chinese service on a U.S. citizen’s device creates opportunities for intelligence collection, but this is part of a cybersecurity problem. Chinese actors appear to have little trouble accessing U.S. data and devices even if they do not use Chinese services or were not made in China.

Similarly, allowing Chinese telecom companies like China Telecom or China Mobile to have a point of presence in the United States may not create unmanageable risk if adequate cybersecurity measures are in place (usually they are not). The use of Chinese-owned and operated cloud services, or undersea cable services operated by Chinese companies, however, creates almost unmanageable risk.

Hardware products, if they are connected to servers in China, also create espionage risk. A drone or camera connected to China over the internet allows the possibility of intelligence exploitation. This risk is not hypothetical. There are other cases, however, like subway cars. There is only national security risk in using a Chinese-made subway car if it is in someway digitally connected directly back to China, perhaps for operational updates or remote management.

China has recently banned its officials from using cars made by Tesla because it fears that the data collected by Tesla’s inboard sensors could be sent back to the United States and exploited for intelligence purposes. The Chinese government assumes, incorrectly, that the United States has authorities for collection similar to those it possesses and that the use of U.S. products or services by Chinese citizens creates similar risk. This “mirror imaging” is a useful indicator of how China itself actually behaves itself, but it reflects a profound misunderstanding by the Communist Party of U.S. law and the independence of action U.S. companies possess under the law, something that would never happen in China.

It is not worth trying to persuade the Chinese Communist Party of this difference, but it is useful to make the point in demanding better treatment for U.S. companies operating in China or offering services to Chinese citizen. When a Chinese citizen buys fast food from a U.S. chain using a digital payment system, he or she is not subject to U.S. surveillance. Appeals to the Edward Snowden revelations do not contradict this, and the United States should not accept arguments for equivalence. This is important for making the case that it is China’s deviation from international norms and practices that is the source of the problems, and that the preferable fix is not decoupling but a verifiable compliance by China with these norms and practices.

ICTS raises larger issues of data protection, content controls, taxes, privacy, and the regulation of network services operated by companies located outside of U.S. jurisdiction. All economies face these problems. Ideally, there would be some global solution, but we have only begun to adjust to a global digital economy, and in any case, the Chinese Communist Party is more likely to compete than to cooperate in the development of global rules.

We cannot yet predict the outcome of the contest with China, although the trend points to increased tension and conflict, and this means an increased risk from the use of certain Chinese technologies. Unfortunately, the logical conclusion about China’s behavior is that network-connected digital goods or services produced in China or operated by Chinese companies create unavoidable risk.

However, not all transactions create risk. If sensitive data is not exposed or if China does not gain the potential for increased access to sensitive data, the risk from a transaction is low. Better cybersecurity and tailored regulation can reduce risk. Effective regulations can mitigate risk without the need for a complete bifurcation of supply chains. Bifurcation may be where we end up, although there is a chance, albeit a decreasing one, that China will change its policies. In the interim, the goals should be to use incremental and minimal regulation (combined with better cybersecurity). A balanced approach could reduce and manage risk while minimizing harm to U.S. companies from premature or overly expansive regulation.

James Andrew Lewis is a senior vice president and director of the Strategic Technologies Program at the Center for Strategic and International Studies (CSIS) in Washington, D.C.

No comments: