Recent data breaches, including hacks of the Office of Personnel Management and passenger lists, and guest data, have highlighted how vulnerable public and private systems are to cybercrime and espionage. It is not obvious how a foreign adversary, or competitor, might target data that is less relevant from a national security and espionage standpoint. Data about public sentiment has become just as valuable as traditional military targets. The ability to identify and secure strategic data will become a more complex and crucial national security task as the definition of what is valuable becomes less clear.
This is especially true for nation-state actors such as China, which seeks strategic data in order to build a toolkit against its enemies. Richard Moore , chief MI6, described last month the danger of China’s “data trap”. Moore stated that if you allow another country access to critical information about your society, it will “erode your sovereignty.” Most governments are just beginning to recognize this threat.
I testified to Congress last month. I said that to defend democracy today, we must better understand how certain datasets are used by foreign adversaries, particularly China. We need to be creative in our thinking about how adversaries might use strategic data if we are to defend it properly (and prioritize which datasets should remain protected).
In recent years, the topic of China’s state’s use technology to increase its authoritarian control has been much discussed. This discussion has been centered on the targeting of Uyghurs in Xinjiang by means of the coercive and intrusive use of surveillance technology. When people think of the dangers of China’s “tech autoritarianism” spreading globally, they also think about how similar invasive surveillance could spread worldwide. The problem is much more serious and less easily detectable due to the nature of digital and data-driven technologies.
Big data is being used by the Chinese party-state apparatus to help it manage, shape and control its global operating environments. It knows that even seemingly insignificant data can have enormous strategic value when combined. Advertisers might use public sentiment data to sell us products we don’t need. On the other hand, an adversarial actor might use these data to inform propaganda efforts that undermine democratic discourse on digital platforms.
The U.S., along with other countries, have correctly focused on the threat of malicious cyber intrusions — including the OPM and Marriott incidents. However data access doesn’t have to be derived from malicious intrusions or alterations in the Digital Supply Chain. An adversary such as the Chinese state is required to exploit legal and normal business relationships that lead to data-sharing downstream. These routes are already being developed, most notably through recent legislations like the Data Security Law in China and other state security practices.
China’s efforts to secure its access to global and domestic data are not limited to creating legal frameworks for accessing data. The market can also be owned. My co-authors and me found that China had the most patent applications per country, but not the same impact factor, in a recent report.
However, this didn’t mean Chinese companies weren’t trying to be leaders. China’s R&D incentive structure allows researchers to develop applications with specific policy objectives. Companies can then own the market and refine products later. Chinese leaders know that their efforts to dominate the global market and establish global tech standards will allow them to access more data abroad and facilitate their integration on disparate platforms.
China is currently working to combine otherwise mundane data in a way that can yield quite surprising results. Any data can be used to create value, provided it is in the right hands. For example, in my 2019 report, “Engineering Global Consent,” I described the issue through a case study of Global Tone Communications Technology (GTCOM), a propaganda department-controlled company that provides translation services through machine translation. GTCOM embeds products into the supply chains of companies such as AliCloud and Huawei, according to its PR. GTCOM provides more than translation services. A company official stated that the data collected through GTCOM’s business activities “provide[s]] technical support and assistance to state security.”
The Chinese government also collects data that isn’t useful, even though it assumes better technical capabilities in future. These technologies, which are used to solve everyday problems and provide standard services, can also be used to increase the political control of the Chinese party-state at home and abroad.
To address this problem, we need to think differently about the “tech-race” with China. It is not about creating capabilities that can compete, but also the ability to envision future uses cases and determine which datasets are worth protecting. States and organizations need to develop methods for assessing the data’s value and what value it may have for future parties.
This threat was already understated. We assumed that authoritarian regimes such as China would fall in the digital age. In response to the challenges created by technology-authoritarian applications, democracies will not be able to self-correct. It is important to reevaluate risk and keep up-to-date with current threats. We risk falling into China’s data trap if we don’t do this.