Ten years ago, while visiting International Business Machines Corp.’s software-research lab in Beijing, I observed dozens of Chinese employees moving about seemingly free of any security-related limitations. I asked the lab’s manager two questions:
“Do you have any way of knowing whether any of your Chinese staff is also working for the Chinese government?
“Do you have any way of knowing whether any of your Chinese staff is a spy?”
The manager unhesitatingly answered “No” to both. He hastily added, “But you can be sure that we at IBM work very hard to protect our core intellectual property.”
This episode could occur at any of the many U.S. corporate facilities in China. It highlights an underreported feature of recent cyberattacks: Much of China’s hacking power was Made by the U.S.A.
For decades, U.S.-owned technology giants have set up state-of-the-art factories, laboratories and training programs in China. Their aim was to use a super-cheap, lightly regulated production base to supply Chinese and world markets, and to harness Chinese scientific talent. Greater profits were the top priority, but the companies also claimed that a more computer- and Internet-savvy China would become more peaceful and democratic.
Chinese authorities demanded some technology as the price of access to their market. Yet most transfers were made voluntarily to Chinese partners. China’s hacking prowess makes clear that, as critics warned, the government and military benefited from widespread sharing of know-how directly applicable to spying, sabotage and theft of business secrets.
Paradoxically, the first known victims of China’s U.S.-enabled cybercapacities were Chinese citizens. These include dissidents who were tracked with technology sold by Cisco Systems Inc. and Yahoo! Inc., as well as ordinary people whose online content has been censored with products provided by Microsoft Corp. and Google Inc.
Those four companies, and many others, still supply official Chinese customers with capabilities easily used against U.S. government or business targets. (Google itself has repeatedly complained about attacks from China-based hackers.) These companies also continue to strengthen the technology base of a nation designated by the Defense Department as the greatest potential foreign threat to U.S. security.
Cisco, for example, says that its goals include maintaining “close relationships with government” and notes that the regime’s “good will” is important for operations, “enforcement,” sales and policy. IBM touts its capacity to “improve the way government” works, “solve problems and challenges in public administration,” and aid China’s “drive to build a harmonious society.” Intel Corp. says its mission includes “strategic technology collaborations” with the government. Microsoft considers itself “a partner in developing the local IT ecosystem with the Chinese government.”
Like IBM, companies such as Cisco, Hewlett-Packard Co., Intel, Google, Microsoft, Oracle Corp. and Yahoo have established large research centers in China. Thousands of engineers are working to develop capabilities that could easily be drafted for cyberwarfare.
IBM also runs a China-based Global Rail Innovation Center that “focuses on every aspect of modern rail systems, such as track surveillance and infrastructure.” Undoubtedly, that knowledge could help disrupt U.S. transportation networks.
Finally, U.S.-owned companies have nurtured Chinese talent. As of 2010, Cisco was on track to build 300 of its acclaimed Networking Academies to train 100,000 Chinese students, and planned to use its curriculum to build 35 Model Software Colleges with the Education Ministry. IBM has created partnerships with more than 60 Chinese universities, and Intel is working with Chinese schools to develop their “research program and talent pool.” Texas Instruments Inc.’s worldwide Leadership University includes two leading Chinese technical institutions.
Google’s China University Relations program has forged ties with at least 15 Chinese institutions. Microsoft has established research partnerships with more than 30 Chinese universities focused partly on “talent development” and programs that have trained, among others, more than 1,000 doctorate holders.
President Barack Obama’s new cyberdefense program can help safeguard U.S. security and commercial secrets. But its effects will be limited if American companies continue to shower China with hacking-related know-how. Significant new restrictions must replace today’s failed security controls.
Companies will complain about lost business opportunities. The U.S. should solicit the cooperation of other trade partners in limiting China’s technology access. But even simply curbing the availability of America’s world-leading capabilities would enhance U.S. security. And the White House should tell allies that efforts to take advantage of the limits on U.S. exports will be treated as unfriendly acts.
Before China’s cyberoffensive, U.S. companies could legitimately argue that they, and America, would be enriched by technological engagement. The new security threats, however, now trump any plausible economic benefits. Doing business with China can continue. Business as usual can’t.
By Alan Tonelson
Alan Tonelson is a research fellow at the U.S. Business and Industry Council. The opinions expressed are his own. ― Ed.