For years, the national and cyber security communities have warned technology companies like Microsoft, Amazon and Oracle that escalating tensions between the United States and China would ultimately make them choose between one of their largest customers, the U.S. government, and access to the state-controlled Chinese market. U.S. companies have long had to balance their values with China’s authoritarian demands, such as extreme censorship of search engines. That was just the tip of the iceberg.
Now, a revision to China’s state secrets law that takes effect in May could very well force the issue.
The law will require business entities in China to identify and disclose to the government “work secrets,” or non-classified information that the Chinese Communist Party (CCP) deems relevant to its national security. The revision is purposely ambiguous as to what qualifies, allowing China to force U.S. tech firms (and, of course, other U.S. companies operating in China) to turn over proprietary information that could be used to target the U.S. government or impact the data security of Americans writ large. This becomes a difficult but binary choice for U.S. tech companies that have invested billions of dollars to build up their presence in China. If U.S. tech companies refuse to comply, they risk losing access to the vast Chinese market. If they do comply, they risk threatening U.S. national security.
To eliminate that risk, the Biden administration and Congress should — at a minimum — consider barring technology companies that comply with the new rule from pursuing new government contracts.
Technology companies like Microsoft, Amazon and Oracle are deeply embedded in the U.S. government and enjoy significant advantages thanks to their incumbency in government contracts. Microsoft and Oracle, for example, face no competition for nearly a quarter of their federal contracts. In many cases, secondary IT providers “compete” for the government’s business but use the same underlying systems, ensuring that no matter which bidder is selected, firms like Microsoft and Oracle always win.
These companies also have significant operations in China and large networks of affiliates that work with researchers and universities with direct ties to the Chinese government and military.
These operations put America’s national security interests at risk today: Chinese familiarity with and access to information about operating systems that are at the core of our defense enterprise is, manifestly, a source of vulnerability. As President Xi Jinping has consolidated power, the CCP has imposed increasingly strict rules on foreign businesses operating in China and mandated their compliance to maintain market access.
For U.S. technology companies, that has meant requirements that force them to provide the state advance notice of their cybersecurity vulnerabilities, allowing state-affiliated hackers to exploit zero-day flaws before a patch is released. It has also meant compliance with a National Cybersecurity Law that opens many of the products they offer in the United States — including cybersecurity tools sold to the U.S. government — to intrusion by state-affiliated hackers. Microsoft itself has admitted that compliance with these rules has directly led to attacks against governments worldwide.
That risk looms larger with the new requirements. U.S. technology companies that conduct research and development in China will now also be required to abide by the new “work secrets” rule if they want to continue to reap the rewards of the Chinese market or use China-based talent to develop products and features banned in China but used globally, including in the United States.
If the past is prologue, these companies will choose to comply. China’s hacking and espionage program is already robust, and top U.S. intelligence officials have voiced their concern about China’s ability to launch a significant cyberattack against U.S. critical infrastructure. Increasing the flow of data from the U.S. government’s largest and most important technology partners directly to the CCP exponentially increases that risk.
To mitigate this, the Biden administration and Congress must step in — the same way they have in recent weeks to improve U.S. port cybersecurity — to stop Americans’ personal data from being sold to foreign adversaries like China and address the threat that Chinese electric vehicle manufacturers pose to national security.
Any action needs to reflect the reality that it is becoming increasingly unfeasible for the companies trusted with U.S. national security contracts to maintain significant operations in China. Lawmakers should adopt new measures to transition to a procurement system that would disqualify any company that complies with China’s state-mandated disclosures from consideration for future government contracts.
Requiring companies to choose between the United States and China will ensure the technology partners the U.S. government chooses share its national security priorities, helping make the tools it relies on safer and more secure.
Paul Rosenzweig is the founder of Red Branch Consulting, a homeland security and cybersecurity consulting firm, and a senior adviser to The Chertoff Group. He previously served as deputy assistant secretary for policy at the Department of Homeland Security and is currently a professorial lecturer in law at George Washington University and a senior fellow in the Tech, Law & Security Program at the American University, Washington College of Law.
Copyright 2024 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.